I have been hit with a huge amount of traffic recently from proxy visitors and countries that are not within the target demographics from the site (flat out visitors from these countries cannot use the service).
Rather than simply blocking the visitors, I want to not render the Google Analytics and other analytics code for these visitors. This seems to be a happy medium vs just whacking everything coming in, but I'm not sure of the best way to detect proxy visitors. What is the preferred method for detecting proxy visitors and visitors that fit within certain geographical IP boundaries?
Just run this function to detect if a proxy is used, and if so, you can use whatever analytics code you want or block the user.
function proxy_detected()
{
    // !empty() avoids undefined-index notices when a header is absent.
    if (
        !empty($_SERVER['HTTP_X_FORWARDED_FOR'])
        || !empty($_SERVER['HTTP_X_FORWARDED'])
        || !empty($_SERVER['HTTP_FORWARDED_FOR'])
        || !empty($_SERVER['HTTP_CLIENT_IP'])
        || !empty($_SERVER['HTTP_VIA'])
        || in_array($_SERVER['REMOTE_PORT'], array(8080,80,6588,8000,3128,553,554))
        // || fsockopen($_SERVER['REMOTE_ADDR'], 80, $errno, $errstr, 30)  (commented out)
    ) {
        return true;
    } else {
        return false;
    }
}
echo ( proxy_detected() ) ? "Proxy detected" : "No proxy detected";
I need to change currency based on user location. This is my code:
<?php
$ipaddress = $_SERVER['REMOTE_ADDR'];
// allowed_classes => false: never instantiate objects from a remote response.
$location = unserialize(
    file_get_contents('http://www.geoplugin.net/php.gp?ip=' . $_SERVER['REMOTE_ADDR']),
    ['allowed_classes' => false]
);
if ($location["geoplugin_countryCode"] === "US")
{
    // block to set us currency
}
else {
    // user can choose their own currency from array (excluding us)
}
?>
I uploaded it to a server, and to check whether the functionality works correctly I used different VPN Chrome extensions. The problem is that the else part alone gets executed every time, even when I choose US as the VPN server. I don't know what is causing this problem.
Most probably the issue is that you use $_SERVER['REMOTE_ADDR'].
If you are using a proxy, you should use $_SERVER['HTTP_X_FORWARDED_FOR']
On my site I have the ability for users to send a message to me. It's stored just in a mysql database.
The url is something like: www.mysite.com/contact?id=4ijr3943jwswER4we (some random hash on the end as the id)
I have/had the ability that if I go to this url and view the message, then an input box shows and it allows only me to reply to the message directly from that page. It does this by checking if the IP that the user is connecting from is my ip.
I've found that my IP is dynamic and thus whenever my ip gets reassigned, I'm no longer able to see this input form (since I'm now connecting from a different IP).
Is there a way (apart from setting a static IP on my machine) to achieve this same goal? Obviously checking the IP isn't going to be a long-term solution, and I've read that you can't grab a user's MAC address either.
If it matters, here's the code I've got for checking the IP:
function getClientIP() {
    $ipaddress = '';
    if (isset($_SERVER['HTTP_CLIENT_IP'])) {
        $ipaddress = $_SERVER['HTTP_CLIENT_IP'];
    }
    else if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        $ipaddress = $_SERVER['HTTP_X_FORWARDED_FOR'];
    }
    else if (isset($_SERVER['HTTP_X_FORWARDED'])) {
        $ipaddress = $_SERVER['HTTP_X_FORWARDED'];
    }
    else if (isset($_SERVER['HTTP_FORWARDED_FOR'])) {
        $ipaddress = $_SERVER['HTTP_FORWARDED_FOR'];
    }
    else if (isset($_SERVER['HTTP_FORWARDED'])) {
        $ipaddress = $_SERVER['HTTP_FORWARDED'];
    }
    else if (isset($_SERVER['REMOTE_ADDR'])) {
        $ipaddress = $_SERVER['REMOTE_ADDR'];
    }
    else {
        $ipaddress = 'UNKNOWN';
    }
    return $ipaddress;
}
And it is checked by:
if (getClientIP() == "::1" || getClientIP() == "<my ip>") {
    // show an input box and submit button
}
Thanks!
Ignoring the blatant disregard for security and the fact that I would fire someone for doing this, you could have a &admin=$value in the URL. Something like this:
function is_admin() {
    // Read the "admin" query parameter used in the URL below.
    $password = filter_input(INPUT_GET, "admin", FILTER_SANITIZE_EMAIL);
    if ($password == "abc123") {
        return TRUE;
    } else {
        return FALSE;
    }
}
so you can replace getClientIP() with is_admin()
if (is_admin()) {
    // show an input box and submit button
}
and then call it like this.
http://www.example.com/contact?id=4ijr3943jwswER4we&admin=abc123
again, this is a horribly insecure solution and you should be using a PKI with ssh port forwarding a VPN connection but this works but I'm a sucker for an easy 10 point answer.
You might try using a free dynamic DNS service. Set up a domain, such as "MINE.COM", and use that instead of your IP. When your IP changes, the dynamic DNS service is supposed to adjust, so that MINE.COM is changed to point to the new IP. Your site can check the client for MINE.COM instead of the IP.
Be warned there is a lag time involved. It could be minutes or hours before "MINE.COM" reflects the updated IP. Plus, most "free" services involve advertising which might render your setup unusable.
Bottom line, without a static IP, you're pretty much hosed. A static IP is certainly possible, but usually costs more, as generally only larger concerns like schools, governments or businesses want or need one.
I suggest you investigate using an alternate method, such as a login form, passwords, sessions, cookies, etc. E.g., login as your admin account, establish a cookie on your device, then the next time you visit the site, it can authenticate your device's cookie.
I am building my first website. It is an Online Real Estate Agency. Users can create themselves a profile and then insert an ad and upload pictures.
I was told that I should detect multiple login attempts to protect against brute-force attacks. Well, with the following code I detect the IPs:
if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
    $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
} else {
    $ip = $_SERVER['REMOTE_ADDR'];
}
The system counts missed login attempts within a certain delay and holds a ban list in a DB.
It works great ... at least when I test it myself!
Then, as I was told 'Beware of piracy through false IPs', I get the impression my protection system mentioned above is made ineffective.
There are:
1) software available to pirates that includes a proxy which can hide their real IP
2) proxies on the web that can also hide real IPs.
What's the difference between 1) and 2)?
I would like to know how proxies can be used and what they are able to do in terms of illicit practices.
Can somebody change their IP at will?
Can somebody in China or in Russia 'simulate' a Western Europe or US IP?
Can I do more than what I've done to detect any suspicious activity?
Thanks a lot.
Anyone can change ip, proxy, vpn....
I use this function to detect REAL IP address if it's valid:
function getrealip() {
    // validip() is a helper that is not shown in this post.
    if (getenv('HTTP_CLIENT_IP') && long2ip(ip2long(getenv('HTTP_CLIENT_IP')))==getenv('HTTP_CLIENT_IP') && validip(getenv('HTTP_CLIENT_IP')))
        return getenv('HTTP_CLIENT_IP');
    if (getenv('HTTP_X_FORWARDED_FOR') && long2ip(ip2long(getenv('HTTP_X_FORWARDED_FOR')))==getenv('HTTP_X_FORWARDED_FOR') && validip(getenv('HTTP_X_FORWARDED_FOR')))
        return getenv('HTTP_X_FORWARDED_FOR');
    if (getenv('HTTP_X_FORWARDED') && long2ip(ip2long(getenv('HTTP_X_FORWARDED')))==getenv('HTTP_X_FORWARDED') && validip(getenv('HTTP_X_FORWARDED')))
        return getenv('HTTP_X_FORWARDED');
    if (getenv('HTTP_FORWARDED_FOR') && long2ip(ip2long(getenv('HTTP_FORWARDED_FOR')))==getenv('HTTP_FORWARDED_FOR') && validip(getenv('HTTP_FORWARDED_FOR')))
        return getenv('HTTP_FORWARDED_FOR');
    if (getenv('HTTP_FORWARDED') && long2ip(ip2long(getenv('HTTP_FORWARDED')))==getenv('HTTP_FORWARDED') && validip(getenv('HTTP_FORWARDED')))
        return getenv('HTTP_FORWARDED');
    $ip = htmlspecialchars($_SERVER['REMOTE_ADDR']);
    /* Added support for IPv6 connections. otherwise ip returns null */
    if (strpos($ip, '::') === 0) {
        $ip = substr($ip, strrpos($ip, ':')+1);
    }
    return long2ip(ip2long($ip));
}
More info for X-Forwarded
A proxy is a server that can mask your IP. It sends your request as if it were its own and then sends you back the response it got.
Can somebody change their IP at will?
No, they can't just change their IP to whatever they like. But they can mask it.
Can somebody in China or in Russia 'simulate' a Western Europe or US IP?
Yes
Can I do more than what I've done to detect any suspicious activity?
If you detect that some user name is logging in with a wrong password too many times using brute-force techniques, you could slow him down by using the sleep function. With this technique you wouldn't cut off users that are using a proxy without bad intent, and you will slow the brute-force hacking.
// sleep() takes seconds, so this pauses for 3 seconds.
if ($wrongAttempts > 5) sleep(3);
if ($password == $_GET['pass'])
{
    // ...
}
You could also start including captcha images to raise security or block the account for some time.
As Dagon says, IP address is a pretty weak way of identifying users, and hackers will almost certainly not use their own IP address, but rather a stolen machine, or a botnet; on the other hand, many corporate users may appear to all come from the same IP address, and you could easily end up blocking every user from that building/company if someone forgets their password.
The first defense against a brute force attack is to have a strong password policy; commonly, this is assumed to be at least 7 characters, with at least one number and one punctuation mark. This often annoys users, and makes them hate your site.
The next defense - if you think you're really at risk - is CAPTCHA; this makes users hate you even more.
The bottom line is: if you are building your first website, I'd look at an off-the-shelf framework, rather than inventing everything yourself. Consider PEAR:auth.
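An added example (not code from any of the posts above) of the point made in these answers: count failures per account rather than per IP address, and slow the attacker down with a growing delay instead of a ban. The class name, limits and sample attempts are assumptions for illustration; it assumes PHP 8 and keeps its counters in memory.

```php
<?php
// Added example: count failed logins per account (not only per IP) and
// return a growing delay. Class name, limits and the sample attempts are
// assumptions made for illustration; storage is an in-memory array.

final class LoginThrottle
{
    private array $failures = [];   // key => list of failure timestamps

    public function __construct(
        private int $window = 900,  // seconds a failure is remembered
        private int $freeTries = 5, // failures allowed before delaying
        private int $maxDelay = 60  // upper bound for the delay, seconds
    ) {}

    /** Seconds the caller must wait before the next attempt for $key. */
    public function delayFor(string $key, int $now): int
    {
        $recent = array_filter(
            $this->failures[$key] ?? [],
            fn (int $t): bool => $t > $now - $this->window
        );
        $this->failures[$key] = array_values($recent);
        $extra = count($recent) - $this->freeTries;
        return $extra < 0 ? 0 : min($this->maxDelay, 2 ** $extra);
    }

    public function recordFailure(string $key, int $now): void
    {
        $this->failures[$key][] = $now;
    }

    public function recordSuccess(string $key): void
    {
        unset($this->failures[$key]);
    }
}

// Constructed scenario: eight wrong passwords for one account, each from a
// different proxy address, so a per-IP counter would never trigger.
$throttle = new LoginThrottle();
$now = 1_700_000_000;
for ($i = 1; $i <= 8; $i++) {
    $ip = "198.51.100.$i";
    printf("try %d from %-13s wait %2ds\n", $i, $ip,
           $throttle->delayFor('user:alice', $now));
    $throttle->recordFailure('user:alice', $now++);
}
```

The caller decides what to do with the returned delay, for example rejecting the attempt until it has elapsed; a second key built from REMOTE_ADDR can be tracked with the same class.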
I have a simple script which determines the user's IP address:
function GetIp(){
    if (!empty($_SERVER['HTTP_CLIENT_IP']))
    //check ip from share internet
    {
        $ip=$_SERVER['HTTP_CLIENT_IP'];
    }
    elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR']))
    //to check ip is pass from proxy
    {
        $ip=$_SERVER['HTTP_X_FORWARDED_FOR'];
    }
    else
    {
        $ip=$_SERVER['REMOTE_ADDR'];
    }
    return $ip;
}
Now on the Net somewhere I saw someone using this script:
if (isset($_SERVER['HTTP_CLIENT_IP']) && $_SERVER['HTTP_CLIENT_IP'] != '')
    $Ip = $_SERVER['HTTP_CLIENT_IP'];
elseif (isset($_SERVER['HTTP_X_FORWARDED_FOR']) && $_SERVER['HTTP_X_FORWARDED_FOR'] != '')
    $Ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
elseif (isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] != '')
    $Ip = $_SERVER['REMOTE_ADDR'];
I was wondering if my implementation is broken.. Do I need to check if the value of $_SERVER['HTTP_CLIENT_IP'], $_SERVER['HTTP_X_FORWARDED_FOR'], or $_SERVER['REMOTE_ADDR'] is empty? Or is it actually unnecessary to do so?
If the reason why you want to find out the client's IP address is really important, screw all this stuff.
Any one of these header values can be freely spoofed.
REMOTE_ADDR is the only really reliable information, as it is transmitted to you by your web server that is handling the request. It can be theoretically falsified as well, but that is much, much harder than spoofing a header value, and an entirely different class of attack.
There are exceptions in very, very specific hosting environments behind reverse proxies. In those cases the person administering that proxy will be able to tell what header value you need to test for.
From Kohana's Request class:
if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])
    AND isset($_SERVER['REMOTE_ADDR'])
    AND in_array($_SERVER['REMOTE_ADDR'], Request::$trusted_proxies))
{
    // Use the forwarded IP address, typically set when the
    // client is using a proxy server.
    // Format: "X-Forwarded-For: client1, proxy1, proxy2"
    $client_ips = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
    Request::$client_ip = array_shift($client_ips);
    unset($client_ips);
}
elseif (isset($_SERVER['HTTP_CLIENT_IP'])
    AND isset($_SERVER['REMOTE_ADDR'])
    AND in_array($_SERVER['REMOTE_ADDR'], Request::$trusted_proxies))
{
    // Use the forwarded IP address, typically set when the
    // client is using a proxy server.
    $client_ips = explode(',', $_SERVER['HTTP_CLIENT_IP']);
    Request::$client_ip = array_shift($client_ips);
    unset($client_ips);
}
elseif (isset($_SERVER['REMOTE_ADDR']))
{
    // The remote IP address
    Request::$client_ip = $_SERVER['REMOTE_ADDR'];
}
This is pretty much as good as it gets. Please note the Request::$trusted_proxies array and that your $ip var is Request::$client_ip in this case.
Do not check any HTTP_* headers for the client IP unless you specifically know your application is configured behind a reverse proxy. Trusting the values of these headers unconditionally will allow users to spoof their IP address.
The only $_SERVER field containing a reliable value is REMOTE_ADDR.
The two things are practically identical.. In the script you found, the author is just doing a check if the element in the array is set before checking that it is non-empty.
In regards to using the empty()-function instead of the comparison, check http://php.net/empty. Since you are dealing with a variable that is set by the environment and not a user input it doesn't matter which of the two options you choose. So your script should be perfectly fine
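An added example (not code from any of the answers above, and not Kohana's own code) of the rule those answers state: use REMOTE_ADDR unless the peer is a reverse proxy you operate, and only then read X-Forwarded-For. It goes one step further than the quoted snippet by walking the header from the right, so entries a client supplied itself are never selected; the trusted proxy address and the sample requests are constructed.

```php
<?php
// Added example: resolve the client IP from REMOTE_ADDR and X-Forwarded-For,
// trusting the header only for hops that are known reverse proxies.
// $trusted and the sample requests are constructed for illustration.

function resolveClientIp(array $server, array $trustedProxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return 'UNKNOWN';
    }
    // Direct connection, or a peer we do not operate: ignore every header.
    if (!in_array($remote, $trustedProxies, true)
        || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $remote;
    }
    // Each proxy appends the address it received the request from, so the
    // right-most entries are the ones our own proxies wrote.
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    $client = $remote;
    foreach (array_reverse($hops) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break;                  // malformed entry: keep the last good hop
        }
        $client = $hop;
        if (!in_array($hop, $trustedProxies, true)) {
            break;                  // first untrusted hop is the client
        }
    }
    return $client;
}

$trusted = ['10.0.0.5'];            // constructed: our load balancer
$samples = [                        // constructed requests
    'direct, forged header' => ['REMOTE_ADDR' => '203.0.113.9',
                                'HTTP_X_FORWARDED_FOR' => '127.0.0.1'],
    'via proxy'             => ['REMOTE_ADDR' => '10.0.0.5',
                                'HTTP_X_FORWARDED_FOR' => '198.51.100.7'],
    'via proxy, forged hop' => ['REMOTE_ADDR' => '10.0.0.5',
                                'HTTP_X_FORWARDED_FOR' => '127.0.0.1, 198.51.100.7'],
];
foreach ($samples as $label => $server) {
    printf("%-22s => %s\n", $label, resolveClientIp($server, $trusted));
}
```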
Welcome,
I'm writing an application that will allow me to try to detect what type of HTTP proxy a user has installed.
The script calls a remote server, adding a parameter: http://xxxx.php?my_ip=real_IP
Here is my application:
<?php
// "?? ''" avoids undefined-index notices when a header is absent.
$real_ip = $_GET['my_ip'] ?? '';
$ip1 = $_SERVER['HTTP_X_FORWARDED_FOR'] ?? '';
$ip2 = $_SERVER['HTTP_X_FORWARDED'] ?? '';
$ip3 = $_SERVER['HTTP_FORWARDED_FOR'] ?? '';
$ip4 = $_SERVER['HTTP_CLIENT_IP'] ?? '';
$ip5 = $_SERVER['HTTP_VIA'] ?? '';
$ip6 = $_SERVER['REMOTE_ADDR'];
$ip_array = array(1 => $ip1, $ip2, $ip3, $ip4, $ip5);
if ($ip6 == $real_ip)
{
    echo "You are not using proxy.";
}
else
{
    if (in_array($real_ip, $ip_array))
    {
        echo "You are using transparent proxy with one releave your ip.";
    }
    else
    {
        if ($ip1 || $ip2 || $ip3 || $ip4 || $ip5)
        {
            echo "You are using anonymous proxy with one protect Your IP but inform www servers about using proxy";
        }
        else
        {
            echo "You are using elite proxy, with one hide your IP and don't inform www servers about using proxy";
        }
    }
}
// Header values are client-controlled: escape them before printing as HTML.
list($ip1, $ip2, $ip3, $ip4, $ip5, $ip6) =
    array_map('htmlspecialchars', array($ip1, $ip2, $ip3, $ip4, $ip5, $ip6));
$table=<<<table
<p>Ip HTTP_X_FORWARDED_FOR FOR : $ip1</p>
<p>Ip HTTP_X_FORWARDED : $ip2</p>
<p>Ip HTTP_FORWARDED_FOR FOR : $ip3</p>
<p>Ip HTTP_CLIENT_IP FOR : $ip4</p>
<p>Ip HTTP_VIA FOR : $ip5</p>
<p>Ip remote addr : $ip6</p>
table;
echo $table;
?>
I ran some tests and the application looks to be working very well.
If you have any tips please tell me.
I mean, I would like to know whether I'm missing something important.
Regards
Another way in which some major players (Paypal, eBay, sites that have high security etc) find proxies is by looking up your IP's hostname with gethostbyaddr() which can reveal a source that is likely to be a proxy E.g. server.squid.com (Very obvious example to show you what I mean!)