Jump to content

Proxy Prevention


Cobra23

Recommended Posts

Hi,

I'm trying to understand any how I can block all users trying to view my website through proxies. With the following code, what I have done is a quick version through php (with headers and ports) and not the firewall which isn't exactly the best way but still stops a lot of them.

<?php
$user_ip = $_SERVER['REMOTE_ADDR'];
$headers = array('CLIENT_IP','FORWARDED','FORWARDED_FOR','FORWARDED_FOR_IP','VIA','X_FORWARDED','X_FORWARDED_FOR','HTTP_CLIENT_IP','HTTP_FORWARDED','HTTP_FORWARDED_FOR','HTTP_FORWARDED_FOR_IP','HTTP_PROXY_CONNECTION','HTTP_VIA','HTTP_X_FORWARDED','HTTP_X_FORWARDED_FOR');
foreach ($headers as $header) {
	if (isset($_SERVER[$header])) {
		header("Location: /proxy-not-allowed/");
		die;
	}
}
$queryIP = "SELECT `user_ip_address` FROM `my_table` WHERE `user_ip_address` = :user_ip_address AND `user_blocked` = :user_blocked LIMIT 1";
$queryIP1 = $pdo->prepare($queryIP);
$queryIP1->execute(array(':user_ip_address' => $user_ip, ':user_blocked' => 'No'));
$queryIP2 = $queryIP1->rowCount();
if ($queryIP2 === 0) {
	$ports = array(80, 81, 553, 554, 1080, 3128, 4480, 6588, 8000, 8080);
	foreach ($ports as $port) {
		$connection = @fsockopen($user_ip, $port, $errno, $errstr, 0.1);
		if (is_resource($connection)) {
			header("Location: /proxy-not-allowed/");
			die;
		}
	}
}
?>

The headers script blocks any proxy sending those headers while the ports script blocks those using any assigned ports I add. I have tested this which seems to be good, though it won't block all proxies due to the assigned one I have. Is this the best way to go about blocking scripts if I don't have access to the firewall?

What I am trying to do is allow users to view my HTTPS website normally and block all proxies. Even if I have some users blocked, I do not want them to be cheeky and use a proxy or even register on my website through a proxy. I was thinking of just using the 443 port as my website is https (is that wise?). Any advice would be great.

 

Link to comment
Share on other sites

You can't block all proxies. It's not possible. So you're going to have to make a compromise at some point. The "best" you can do is check HTTP headers and a IP address blacklist service that will never quite be accurate or up to date.

Connecting back to the user's IP is a bad idea. It's a great way to piss off firewalls. It is also completely useless as the place the user is browsing from may very well have a legitimate service running on those ports that has nothing to do with being a proxy. Plus most firewalls will drop packets they don't like, and since 0.1s is too short for many connections you'd have to increase that and tie up server resources the whole time. The whole idea is just not good.

Link to comment
Share on other sites

I understand that I can't block them all. What i'm trying to do is block those that are most common if not most of them. I'm avoiding the blacklist services with api's for the moment.

Isn't the following code a better solution to getting the port from the user and quicker without continually doing a scan:

<?php
$_SERVER['REMOTE_PORT']
?>

Which in turn can be placed as:

<?php
$ports = array(80, 81, 553, 554, 1080, 3128, 4480, 6588, 8000, 8080);
$port = $_SERVER['REMOTE_PORT'];
if (in_array($port, $ports)) {
  header("Location: /proxy-not-allowed/");
  die;
}
?>

As for the services, even if its developers with wamp, lamp etc, gamers and so on using different ports. I'm not interested in these users as customers.

Link to comment
Share on other sites

I did a good bit of research on that. The remote port was the wrong solution with this case.

The more ports one adds to the list the longer it will take to finish. I have 0.1s set which is the same as 100ms, this means that it takes 100ms per port. If it takes the RTT (round-trip time) 0.3ms seconds per port and 44ms for TCP sync to all ports (65,536 of them) with a total of 44.3ms,  then the 100ms set in my connection is well over that time per port which surely should be enough time. Am I going in the wrong direction in my thinking of this?

Link to comment
Share on other sites

Yes: you cannot check the user's port against a list of known ports. Because that is not how TCP works. Their connection to your server is not going to be on one of them - it will be something probably five digits long and essentially random.

Do not try to connect back to the user. Period.

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.