How to block users based on network or device name - .htaccess

I searched online to find a way to block users from my website with a specific network name or device name, and unfortunately I did not find anything. I found this, but it does not explain how I can deny users by network or device name. I am not sure; maybe it is not possible to do so. I would be thankful to have the experts' opinion on this matter.

This is not possible, at least not with any purely server-side method. You can only block based on information that is visible to the server at the time of the request. This is limited to whatever the user-agent chooses to include in the request headers, which generally includes the IP number, port, and user-agent string, but does not include the device name or network name.

Related

Is there a way to define a content-security-policy for unknown urls?

I'm working on a shopping website. We are using a third-party package for dealing with payment; when a user fills in his credit card information, he is redirected to a URL which is provided by the package. The problem starts after this: depending on the credit card, we are being connected to other URLs of different banks. Since I cannot try all the credit cards to add their addresses to the CSP, is there another way of using CSP in this type of situation?
You can set Content-Security-Policy-Report-Only with a report-uri or report-to directive pointing to a report-collecting endpoint. Depending on your traffic and the number of possible choices, you will likely learn most of them after a while. This won't give you 100% of the URLs, and the hosts may change, but if you want to create a strict CSP this is a good option to learn about the hosts you should allow.
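The report-collecting side of the answer above, as an added example that is not part of the original answer or of any payment package: it parses violation reports in both the legacy report-uri shape (one csp-report object per POST) and the report-to batch shape, groups the blocked origins by the directive they tripped, and renders a candidate enforcing policy from what was observed. The header strings, hostnames and report bodies are constructed for the example.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Headers the shop would send while collecting (constructed; endpoint path is an assumption).
REPORT_ONLY_HEADER = (
    "Content-Security-Policy-Report-Only: default-src 'self'; form-action 'self'; "
    "frame-src 'self'; report-uri /csp-report; report-to csp-endpoint"
)
REPORTING_ENDPOINTS_HEADER = 'Reporting-Endpoints: csp-endpoint="/csp-report"'

# Constructed sample POST bodies: two legacy csp-report objects and one
# report-to batch (a JSON array of {"type": "csp-violation", "body": {...}}).
SAMPLE_POSTS = [
    '{"csp-report": {"document-uri": "https://shop.example/checkout",'
    ' "effective-directive": "form-action",'
    ' "blocked-uri": "https://3ds.bank-one.example/auth?txn=1",'
    ' "disposition": "report"}}',
    '{"csp-report": {"document-uri": "https://shop.example/checkout",'
    ' "effective-directive": "form-action",'
    ' "blocked-uri": "https://secure.bank-two.example/acs",'
    ' "disposition": "report"}}',
    '[{"type": "csp-violation", "url": "https://shop.example/checkout",'
    ' "body": {"effectiveDirective": "frame-src",'
    ' "blockedURL": "https://3ds.bank-one.example/challenge",'
    ' "disposition": "report"}},'
    ' {"type": "csp-violation", "url": "https://shop.example/checkout",'
    ' "body": {"effectiveDirective": "script-src",'
    ' "blockedURL": "inline", "disposition": "report"}}]',
]


def iter_violations(post_body: str):
    """Yield (effective_directive, blocked_uri) pairs from one POST body,
    accepting either the legacy csp-report shape or the report-to batch shape."""
    data = json.loads(post_body)
    if isinstance(data, dict) and "csp-report" in data:
        r = data["csp-report"]
        directive = r.get("effective-directive") or r.get("violated-directive")
        yield directive, r.get("blocked-uri", "")
    elif isinstance(data, list):
        for item in data:
            if item.get("type") != "csp-violation":
                continue
            body = item.get("body", {})
            yield body.get("effectiveDirective"), body.get("blockedURL", "")


def aggregate_hosts(posts):
    """Count distinct blocked origins per directive. Non-URL blocked values
    ("inline", "eval", "data") carry no host and are skipped: they point at
    your own page's code, not at a bank host you need to allow."""
    counts = defaultdict(lambda: defaultdict(int))
    for post in posts:
        for directive, blocked in iter_violations(post):
            parts = urlsplit(blocked)
            if not parts.scheme or not parts.netloc:
                continue
            origin = f"{parts.scheme}://{parts.netloc}"
            counts[directive][origin] += 1
    return {d: dict(v) for d, v in counts.items()}


def suggest_policy(hosts_by_directive, min_count=1):
    """Render a candidate enforcing policy from the observed origins; raise
    min_count on real traffic so a single odd report does not widen the policy."""
    parts = []
    for directive in sorted(hosts_by_directive):
        origins = sorted(o for o, n in hosts_by_directive[directive].items() if n >= min_count)
        if origins:
            parts.append(f"{directive} 'self' {' '.join(origins)}")
    return "; ".join(parts)


if __name__ == "__main__":
    agg = aggregate_hosts(SAMPLE_POSTS)
    print(json.dumps(agg, indent=2))
    print("Content-Security-Policy:", suggest_policy(agg))
```

Review the aggregated list by hand before switching the header from Report-Only to enforcing: the reports tell you which origins browsers saw, not whether each one is a bank you trust, and a compromised page would generate reports for the attacker's host just as readily.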

I change everything but again Instagram knows it's me

I changed my device, my public dynamic IP address, account, username, password, email, browser, app, cookies and everything, and again Instagram knows it's me. My question is: do you know whether IG can spot that public dynamic IPs are coming from the same person, or do they know me another way?
What was strange was that I used a fresh new device and changed all the things mentioned above with no success (while on a new dynamic IP), but when using a VPN or proxy it works, so my guess was they know exactly that all the dynamic IPs are coming from the same person! Does anybody know how they can do that?
PS:
Based on exact suggestions tailored for me, I am sure they know it's me each time.
I am using a Wi-Fi dynamic IP, not mobile data. (Can the latter be a different experience?)
I know of device fingerprinting, but because I change everything I don't think it's the case.
This case only affects me, not people in my region, so it's not related to geolocation, which is rough and not exact.
What Instagram does is illegal in this case, considering tracking this way without the knowledge of the user.

Secure verification of location claims by mobile app

What algorithm or set of heuristics can a server and a mobile app use so that the server can always be fairly certain that the app is used within the boundaries of a given geographic region (e.g. a country)? How can the server ensure that app users outside of the defined region cannot falsely claim that they are inside the region?
You can't be 100% sure that the user isn't reporting a fake location; you can only make the process of faking it as difficult as possible. You should implement several checks depending on the data you have access to:
1) the user's IP address (the user can use a proxy)
2) the device's GPS coordinates (they can be spoofed)
3) the locale of the device (not a reliable indicator)
One of the most secure checks (but also not 100%) is sending the user an SMS with a confirmation code, which he has to type into the app.
One of the most sophisticated algorithms known to me is in Google Play (so some apps can be available only in certain countries). It checks such parameters as the IP address, the user's mobile operator and several others, but there are tools (like Market Enabler) and techniques that can trick the system.
If you don't want to use Google Play or other ways, the best way (I say best because, first, it costs nothing performance-wise and cost-wise; second, it is easy to use; and third, you need it anyway if you expect a large number of users, since it provides nice tools and a static cache, optimizer, analytics, user blocking, country blocking etc.) is to use Cloudflare.
Once you sign up for a free Cloudflare account, you can set up your server's public IP address there so that all traffic comes through the Cloudflare proxy network.
After that everything is pretty straightforward; you can install the Cloudflare module on your server.
In your app, you can get the country code of the visitor in the global server request variable HTTP_CF_IPCOUNTRY, for example
$_SERVER['HTTP_CF_IPCOUNTRY'] in PHP. It will give you AU for Australia (ISO 3166-1 country codes). It doesn't matter what language you use.
Cloudflare's IP database is frequently updated and seems very reliable for detecting the user's geolocation without performance overhead.
You also get free protection from attacks, free cache and CDN features for fast loading, etc.
I had used several other ways, but none of them was quite reliable.
If your app runs without a server, you can still put a file on a server and make a call to the remote URL to get the country of the user at each request.
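The check the answer above describes, as an added example that is not part of the original answer or of Cloudflare's own code. The caveat a practitioner wants is that HTTP_CF_IPCOUNTRY is just a request header (CF-IPCountry) set by the proxy: a client that reaches the origin server directly can send any value it likes, so the header is only meaningful when the TCP peer is one of Cloudflare's egress addresses. The prefixes below stand in for Cloudflare's published ranges and are constructed for the example; load the real list (https://www.cloudflare.com/ips/) at startup. The allowed-country set and the header dictionary are assumptions.

```python
import ipaddress
from typing import Iterable

# ASSUMPTION: placeholders for Cloudflare's published egress ranges; the real
# list changes and should be fetched and refreshed rather than hard-coded.
CLOUDFLARE_RANGES = [ipaddress.ip_network(p) for p in ("198.51.100.0/24", "2001:db8:cf::/48")]
ALLOWED_COUNTRIES = {"AU", "NZ"}  # ASSUMPTION: the region the app is limited to


def is_from_cloudflare(peer_ip: str, ranges: Iterable = CLOUDFLARE_RANGES) -> bool:
    """True only if the TCP peer (not X-Forwarded-For) is inside the proxy ranges."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in ranges)


def country_for_request(peer_ip: str, headers: dict):
    """Return the visitor's ISO 3166-1 country only if the request provably came
    through the proxy; otherwise None, because the header could be forged.
    Cloudflare sends "XX" when the country is unknown and "T1" for Tor exits;
    both are treated as unknown here."""
    if not is_from_cloudflare(peer_ip):
        return None
    country = headers.get("CF-IPCountry", "").upper()
    if country in ("", "XX", "T1"):
        return None
    return country


def region_check(peer_ip: str, headers: dict, allowed=ALLOWED_COUNTRIES) -> str:
    """Decision for one request: 'allow', 'deny' (known country outside the
    region or unknown country) or 'untrusted' (bypassed the proxy entirely)."""
    if not is_from_cloudflare(peer_ip):
        return "untrusted"
    country = country_for_request(peer_ip, headers)
    return "allow" if country in allowed else "deny"


if __name__ == "__main__":
    print(region_check("198.51.100.7", {"CF-IPCountry": "AU"}))   # through the proxy, in region
    print(region_check("203.0.113.9", {"CF-IPCountry": "AU"}))    # direct hit, header is worthless
```

In a WSGI or PHP app the same header arrives as HTTP_CF_IPCOUNTRY in the server variables; the important part is that the peer-address check runs first. Better still, firewall the origin so that only the proxy ranges can connect at all, and then the 'untrusted' branch never fires in normal operation.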
Apart from the things that #bzz mentioned, you can read the SSIDs of the user's Wi-Fi networks; services like http://www.skyhookwireless.com/ provide an API (I think with browser plugins, I am not sure) which you can use to get the location by submitting the Wi-Fi SSID.
If you need the user to be within a specific region all the time when using the app, you'll probably end up using all the options together; in case you just need a one-time check, the SMS-based approach is the best one IMO.
For accessing the Wi-Fi SSID, refer to this; still, you cannot be 100% sure.

Detect a device from within a browser

Several platforms offer security mechanisms to identify whether a user has ever logged in from a certain device. If you log in from a computer you never used before, they'll ask you special questions on login. How do they recognize a device? Is this only by geolocation (which would not cover multiple devices in the same region, would it)? Or only with cookies, which would cause trouble on cookie cleanup?
As far as I know, cookies are really the only way you can do this. The server stores whatever information about your device it can get from the browser in a cookie. By geolocation I assume you mean the location of the IP address.
The ones I've seen do this are all based on cookies and do cause trouble if users delete their cookies.
Doing this by IP address would cause headaches for anyone behind a web proxy or shared connection. It would also be painful for mobile users in transit, where the gateway changes based on cell tower connections. Geolocation would also present problems for mobile users in transit.
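The cookie-based scheme the answers above describe, as an added example that is not the code of any particular platform: the server mints a random device id, MACs it with a server-side key so a client cannot forge or guess another device's id, and keeps a per-user table of ids it has seen. A login from an unknown id (first visit, cookie deleted, or cookie tampered with) gets the step-up questions; once those pass, the id is remembered. The key, the in-memory store and the cookie name are assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets
import time

# ASSUMPTION: a server-side key; in production load it from a secret store and
# rotate it with a grace period, since rotation invalidates every device cookie.
SERVER_KEY = os.urandom(32)
COOKIE_NAME = "device_token"  # ASSUMPTION; set with HttpOnly, Secure, SameSite=Lax and a long Max-Age


def issue_device_token(key: bytes = SERVER_KEY) -> str:
    """Mint a random device id and return 'id.mac' for the cookie value.
    The id is random, so it identifies this browser profile, not the hardware."""
    device_id = secrets.token_urlsafe(16)
    mac = hmac.new(key, device_id.encode(), hashlib.sha256).hexdigest()
    return f"{device_id}.{mac}"


def verify_device_token(token: str, key: bytes = SERVER_KEY):
    """Return the device id if the MAC checks out, else None (treat as unknown device)."""
    try:
        device_id, mac = token.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, device_id.encode(), hashlib.sha256).hexdigest()
    return device_id if hmac.compare_digest(mac, expected) else None


class KnownDeviceStore:
    """user -> {device_id: last_seen}; an in-memory stand-in for a database table."""

    def __init__(self):
        self._known = {}

    def is_known(self, user: str, device_id: str) -> bool:
        return device_id in self._known.get(user, {})

    def remember(self, user: str, device_id: str, now=None):
        self._known.setdefault(user, {})[device_id] = now or time.time()


def login_decision(store: KnownDeviceStore, user: str, cookie_value, key: bytes = SERVER_KEY):
    """After the password has been verified: return ('ok', device_id) when this
    user has used this device before, else ('step_up', new_token) so the caller
    can ask the extra questions and, if they pass, set the new cookie and call
    store.remember(user, verify_device_token(new_token))."""
    device_id = verify_device_token(cookie_value, key) if cookie_value else None
    if device_id and store.is_known(user, device_id):
        store.remember(user, device_id)
        return "ok", device_id
    return "step_up", issue_device_token(key)


if __name__ == "__main__":
    store = KnownDeviceStore()
    decision, token = login_decision(store, "alice", None)   # first visit: step_up
    print(decision)
    store.remember("alice", verify_device_token(token))      # questions answered correctly
    print(login_decision(store, "alice", token)[0])          # same cookie next time: ok
```

Note that the MAC only proves the server issued the id; the cookie can still be copied off the machine, which is why it gates the extra questions rather than replacing the password. Deleting cookies produces exactly the nuisance the answers mention: the next login is treated as a new device.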

How to block an IP address on internet correctly?

In some cases, you might want to block a hacker from your system by IP address.
However, sometimes it is more difficult due to the existence of ISP proxies.
From the system's point of view, we see a lot of traffic/connections/brute force/wrong passwords from the same IP, while it could be an HTTP proxy or an IPv6 gateway or similar. But the system might not be smart enough to tell whether that is normal or abnormal.
What's the suggested way to block such bad access without degrading the user experience (e.g. too many CAPTCHAs) for those who are innocent?
I don't know if you consider this "degrading user experience", but you can code MAX_TRIES for the login to give the user only a few tries to log in; then, if all tries are wrong, he is blocked from logging in for a while, to prevent brute-forcing the login.
And for other connections you can install mod_bw for Apache, then limit the connections per IP using this .htaccess command:
MaxConnection all 3
You should limit the login rate for each UserId.
After X mistakes, you can block a UserId until the user replies to a special e-mail. This way, the user will also know that someone is trying to log into his account.
You can map the source IP address to a specific country, and allow a user to log in only from a predefined list of countries (user selection).
You can temporarily block a group of IP addresses (for example 172.16.254.*) if there are many false attempts from the same group. Many hackers just change the last octet.
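The two answers above combined into one guard, as an added example that is not part of either answer: a per-UserId lockout after a few failures (time-based here, where the answer suggests clearing it by e-mail), plus a temporary block on the whole /24 (or /64 for IPv6) once failures from that group pile up, so an attacker who only rotates the last octet is caught. The thresholds, windows and the authentication events it replays are constructed for the example; the innocent neighbour in the blocked /24 shows the collateral cost the question worries about.

```python
import ipaddress
from collections import defaultdict, deque

# ASSUMPTION: thresholds chosen for the example; tune them on real traffic.
USER_MAX_FAILS = 5          # failures per user inside WINDOW before lockout
USER_LOCK_SECONDS = 900
SUBNET_MAX_FAILS = 20       # failures per /24 (or /64) inside WINDOW before a block
SUBNET_BLOCK_SECONDS = 600
WINDOW = 600                # seconds of history that count


def subnet_of(ip: str) -> str:
    """Group IPv4 by /24 (attackers often vary only the last octet) and IPv6 by /64."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 64
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


class LoginGuard:
    def __init__(self):
        self.user_fails = defaultdict(deque)     # user   -> failure timestamps
        self.subnet_fails = defaultdict(deque)   # subnet -> failure timestamps
        self.user_locked_until = {}
        self.subnet_blocked_until = {}

    @staticmethod
    def _trim(q, now):
        """Drop timestamps older than WINDOW so old failures decay."""
        while q and now - q[0] > WINDOW:
            q.popleft()

    def check(self, user: str, ip: str, now: float) -> str:
        """Run before the password is even verified; a locked account or blocked
        subnet is rejected without spending a password check on it."""
        if self.user_locked_until.get(user, 0) > now:
            return "user_locked"
        if self.subnet_blocked_until.get(subnet_of(ip), 0) > now:
            return "subnet_blocked"
        return "ok"

    def record(self, user: str, ip: str, success: bool, now: float) -> None:
        """Feed the outcome of a password check back into both counters."""
        if success:
            self.user_fails.pop(user, None)
            return
        q = self.user_fails[user]
        q.append(now)
        self._trim(q, now)
        if len(q) >= USER_MAX_FAILS:
            self.user_locked_until[user] = now + USER_LOCK_SECONDS
        net = subnet_of(ip)
        sq = self.subnet_fails[net]
        sq.append(now)
        self._trim(sq, now)
        if len(sq) >= SUBNET_MAX_FAILS:
            self.subnet_blocked_until[net] = now + SUBNET_BLOCK_SECONDS


# Constructed authentication events: (time, user, ip, password_was_correct).
SAMPLE_EVENTS = (
    [(t, "alice", "10.0.0.5", False) for t in range(5)]                    # alice mistypes five times
    + [(5, "alice", "10.0.0.5", True)]                                       # right password, but now locked
    + [(100 + i, f"user{i}", f"203.0.113.{i + 1}", False) for i in range(20)]  # spray across the /24
    + [(120, "carol", "203.0.113.200", True)]                                # innocent neighbour in that /24
    + [(1000, "alice", "10.0.0.5", True)]                                    # lock has expired
)


def replay(events):
    """Return (guard, verdicts): the guard's decision for each event in order."""
    guard = LoginGuard()
    verdicts = []
    for t, user, ip, ok in events:
        verdict = guard.check(user, ip, t)
        verdicts.append(verdict)
        if verdict == "ok":
            guard.record(user, ip, ok, t)
    return guard, verdicts


if __name__ == "__main__":
    for event, verdict in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)[1]):
        print(event, "->", verdict)
```

Carol's rejection at t=120 is the trade-off to watch: the subnet block is deliberately short, and a production version would rather answer a blocked-subnet login with a CAPTCHA or an e-mail confirmation than a flat refusal, keeping the hard lockout for the per-user counter where the collateral damage is limited to one account.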
