Skip to content
This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Client IP-based channel bans as per IRC. (SYN-62) #1216

Open
matrixbot opened this issue Sep 23, 2014 · 10 comments
Open

Client IP-based channel bans as per IRC. (SYN-62) #1216

matrixbot opened this issue Sep 23, 2014 · 10 comments
Labels
A-Moderation Tools for moderating HSes: event redaction, media removal, purge admin API, reports from users, ... O-Uncommon Most users are unlikely to come across this or unexpected workflow S-Minor Blocks non-critical functionality, workarounds exist. T-Enhancement New features, changes in functionality, improvements in performance, or user-facing enhancements. z-feature (Deprecated Label)

Comments

@matrixbot
Copy link
Member

matrixbot commented Sep 23, 2014
edited by squahtx
Loading

It could be nice (but not vital) to say "please do not let any clients connect to this room from this IP mask". We'd obviously have to trust all participating HSes to uphold this, which makes it fairly useless - although if we don't trust a given HS, we should think about kicking it out of the gang somehow anyway.

(Imported from https://matrix.org/jira/browse/SYN-62)

(Reported by @ara4n)
@matrixbot
Copy link
Member Author

Jira watchers: @ara4n

@matrixbot
Copy link
Member Author

matrixbot commented Sep 23, 2014
edited
Loading

Links exported from Jira:

is blocked by SPEC-82

@matrixbot matrixbot added the z-feature (Deprecated Label) label Nov 7, 2016
@matrixbot matrixbot changed the title IP-based channel bans as per IRC. (SYN-62) IP-based channel bans as per IRC. (https://github.com/matrix-org/synapse/issues/1216) Nov 7, 2016
@matrixbot matrixbot changed the title IP-based channel bans as per IRC. (https://github.com/matrix-org/synapse/issues/1216) IP-based channel bans as per IRC. (SYN-62) Nov 7, 2016
@richvdh
Copy link
Member

richvdh commented Aug 22, 2018

This kinda got implemented by server_acls, though via server names rather than IP masks.

@richvdh richvdh closed this as completed Aug 22, 2018
@ara4n
Copy link
Member

ara4n commented Aug 22, 2018

well, not really - i opened this explicitly for the ability to specify a blacklist of client IPs, to stop known malicious IP addresses from being able to connect to a room (assuming all servers are wellbehaved), as is required to ban clients from botnet IPs or known bad netmasks.

@ara4n ara4n reopened this Aug 22, 2018
@jevolk
Copy link

jevolk commented Aug 22, 2018

It would be best to be compatible with the IRC ban expressions which use CIDR masks and globular matching, for both hostnames and IP's.

@richvdh
Copy link
Member

richvdh commented Aug 23, 2018

well, not really - i opened this explicitly for the ability to specify a blacklist of client IPs, to stop known malicious IP addresses from being able to connect to a room (assuming all servers are wellbehaved), as is required to ban clients from botnet IPs or known bad netmasks.

Hum. Why did we descope IP addresses from server_acls, then?

@richvdh
Copy link
Member

richvdh commented Aug 23, 2018

Hum. Why did we descope IP addresses from server_acls, then?

Sorry, I was failing to parse the word 'client'. This issue is about banning clients rather than servers.

@e-lisa
Copy link

e-lisa commented Sep 12, 2020
edited
Loading

Hi, our server is under constant attack. I have commented on related issues to try to get some movement on this very basic functionality. I have overlooked this ticket because it is 6 years old... But I was told this is the "master ticket" for this issue.

Related functionality:
#7731

@ara4n ara4n mentioned this issue Sep 12, 2020
Open
@e-lisa e-lisa mentioned this issue Sep 12, 2020
Open
@e-lisa
Copy link

e-lisa commented Sep 13, 2020

well, not really - i opened this explicitly for the ability to specify a blacklist of client IPs, to stop known malicious IP addresses from being able to connect to a room (assuming all servers are wellbehaved), as is required to ban clients from botnet IPs or known bad netmasks.

Additionally, there should be an option for a server-wide ban. To DISCONNECT a user from the server, and prevent reconnection.

Banning a user from a room when they are abusing an entire server is not a fix. This is even more important homeserver is not federated.

It is deeply troubling that Synapse lacks this basic functionality to prevent abusive users from maintaining a persistence presence on a server.

@e-lisa e-lisa mentioned this issue Sep 19, 2020
Closed
@e-lisa
Copy link

e-lisa commented Sep 19, 2020

@ara4n @erikjohnston This seems to be getting a lot of attention recently.

Are their plans on on a path to get this merged?

Are merge/pull requests welcome?

@clokep clokep added the A-Moderation Tools for moderating HSes: event redaction, media removal, purge admin API, reports from users, ... label Sep 24, 2020
@squahtx squahtx added S-Minor Blocks non-critical functionality, workarounds exist. T-Enhancement New features, changes in functionality, improvements in performance, or user-facing enhancements. O-Uncommon Most users are unlikely to come across this or unexpected workflow labels Aug 24, 2022
@squahtx squahtx changed the title IP-based channel bans as per IRC. (SYN-62) Client IP-based channel bans as per IRC. (SYN-62) Aug 24, 2022
@matrixbot matrixbot mentioned this issue Dec 21, 2023
Open
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
A-Moderation Tools for moderating HSes: event redaction, media removal, purge admin API, reports from users, ... O-Uncommon Most users are unlikely to come across this or unexpected workflow S-Minor Blocks non-critical functionality, workarounds exist. T-Enhancement New features, changes in functionality, improvements in performance, or user-facing enhancements. z-feature (Deprecated Label)
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
7 participants
@clokep @ara4n @richvdh @jevolk @squahtx @matrixbot @e-lisa