Sucuri Web Firewall: Why Blocking IPs instead of CAPTCHA?

Post by ecntzwoq » Wed Jan 31, 2018 12:29 am

EDIT2: After extensive research and discussion with the site admins, I discovered that what I had originally proposed--whitelisting all GET requests but CAPTCHA-ing suspicious POST requests--is not possible at a reasonable price level or really necessary. The closest "solution" I discovered was Cloudflare's Pro Plan Web App Firewall ($20/month) which would whitelist all Tor traffic, disregarding GET/POST. The site admins considered it but decided to stick with the current Sucuri setup.

EDIT: After thinking about it, I really don't see why there is any reason at all to deny access to the Linux Mint forums/community based on IP address (whether from Tor or otherwise). Requiring that IPs perceived as malicious prove that they are not automated through a quality, commercial-grade CAPTCHA like that provided by Cloudflare would immediately kill any spam/brute-forcing/etc. And Cloudflare's DDoS detection and mitigation technology would furthermore prevent the need to ban IPs (I just use Cloudflare because I'm more familiar with it than Sucuri). Does Sucuri not possess these capabilities, and if so, why continue to use it over its competitors? I know I'm very new to the forum, and I hope I don't come off as naive about spam or "alarmist," but this seems like a relatively significant issue that could affect the health of the LM community. I've changed the title of my post to reflect this edit. Thanks.

Hello friends,

I posted an idea suggestion on the LM community site and was told to post it to the forums instead: https://community.linuxmint.com/idea/view/6658

Basically, it seems like IPs that Sucuri firewall deems "malicious" are allowed GET requests on the Linux Mint site, but any POST requests are disabled.

Sucuri firewall deems a lot (but not all - currently) of Tor exit node IPs "malicious". My question: is it possible on Sucuri firewall to set a custom rule that would allow all Tor exit node IPs to make POST requests, provided they answer a CAPTCHA? This would stop spam dead in its tracks while ensuring that Tor users can participate in the LM community.

I know that Cloudflare has this capability, and even if it's not explicitly built into Sucuri firewall, I don't think it would be too difficult to implement (and I would love to help).

Thanks - here are some images that show what is going on.

Browsing on the LM forums works.
tor-screenshot1-min.png
Can get onto login page.
tor-screenshot2-min.png
Once I try to log in, Sucuri firewall blocks my request. I can take 10+ tries of building new Tor circuits before I find an IP not blocked by Sucuri. I worry that one day Sucuri may block the vast majority of Tor exit IPs, thereby excluding Tor users from participating in the LM community.
tor-screenshot3-min.png


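The policy discussed in the post (reads always allowed, POSTs from flagged IPs either blocked or challenged with a CAPTCHA) can be sketched as a decision function; this is an added example, not code from the post, Sucuri, Cloudflare or the Linux Mint site. The function names, secret, TTL and flagged IPs (documentation range, constructed) are assumptions, and the clearance is bound to a session rather than an IP because a Tor user's exit IP changes between circuits.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"         # assumption: server-side secret, constructed here
FLAGGED = {"192.0.2.10", "192.0.2.11"}   # constructed sample of IPs a reputation feed flags
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
CLEARANCE_TTL = 1800                     # assumed: seconds a solved CAPTCHA stays valid


def _sign(session_id, expiry):
    return hmac.new(SECRET, f"{session_id}|{expiry}".encode(), hashlib.sha256).hexdigest()


def issue_clearance(session_id, now=None):
    """Called after a CAPTCHA is solved: returns 'expiry.signature' bound to the session."""
    expiry = int(now if now is not None else time.time()) + CLEARANCE_TTL
    return f"{expiry}.{_sign(session_id, expiry)}"


def clearance_valid(token, session_id, now=None):
    """True only for an unexpired token whose signature matches this session."""
    try:
        expiry_text, sig = token.split(".", 1)
        expiry = int(expiry_text)
    except (AttributeError, ValueError):
        return False                     # missing or malformed token
    now = now if now is not None else time.time()
    expected = _sign(session_id, expiry)
    return hmac.compare_digest(sig.encode(), expected.encode()) and now < expiry


def decide(method, ip, session_id, token=None, policy="challenge", now=None):
    """Return 'allow', 'challenge' or 'block' for one request."""
    if ip not in FLAGGED or method.upper() in SAFE_METHODS:
        return "allow"                   # reads pass; unflagged IPs are untouched
    if policy == "block":
        return "block"                   # behaviour the post observed: flagged IP cannot POST
    if token and clearance_valid(token, session_id, now):
        return "allow"                   # CAPTCHA already solved for this session
    return "challenge"                   # proposed behaviour: require a CAPTCHA, then retry
```
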