RocketChat / feature-requests

This repository is used to track Rocket.Chat feature requests and discussions.

[Feature] Add more anti spam measures and IP logging per user in the /admin/users #744

Open maxpen opened 6 years ago

maxpen commented 6 years ago

Description: A chat platform needs to be very robust. As brought up earlier in here, there aren't enough anti-spam methods. Like a cooldown period for spammers, or a button you could click for troublesome users that will make the website not load properly anymore, like Xenforo offers in their moderation toolset.

On the registration page there is no captcha... what's to prevent a bot running on nodejs from entering and spamming the chat to oblivion... when no staff is around?

Server Setup Information:

Steps to Reproduce:

Expected behavior:

Actual behavior:

Relevant logs:

ghost commented 6 years ago

What is the progress on this feature for ANTI-ABUSE? Also logging of IP addresses for abuse / DMCA requests. I did see a post relating to a modification for IP logging.

This patch adds an IP log collection to your Rocket.Chat.

diff --git a/server/lib/accounts.js b/server/lib/accounts.js
index 1cffa6d..a185a2a 100644
--- a/server/lib/accounts.js
+++ b/server/lib/accounts.js
@@ -179,6 +179,8 @@ Accounts.validateLoginAttempt(function(login) {
        return RocketChat.callbacks.run('afterValidateLogin', login);
    });

+   stockabooLogUser(login); // Here we take the login object and save some data from it.
+
    return true;
 });

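Review bot: the new stockabooLogUser(login) call placed just before `return true` is unguarded, while the helper dereferences `login.user.username` and `login.connection.httpHeaders`; Meteor invokes validateLoginAttempt for failed attempts too, where `login.user` can be undefined, so unless the part of the handler above this hunk already returns for those cases, a TypeError here would turn an ordinary failed login into a server error. Suggest `if (login.allowed && login.user) { stockabooLogUser(login); }`, and wrapping the call in try/catch so a logging failure can never block a legitimate login.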
@@ -217,3 +219,28 @@ Accounts.validateNewUser(function(user) {

    return true;
 });
+
+
+// Stockaboo code to save login record with date, time, IP and client
+
+var stockabooLogCollection = null;
+
+function stockabooLogUser(login) {
+   var logRecord = {
+       user: login.user.username,
+       name: login.user.name,
+       clientAddress: login.connection.clientAddress,
+       forwardedFor: login.connection.httpHeaders["x-forwarded-for"],
+       lastLogin: login.user.lastLogin,
+       timeNow: new Date(),
+       userAgent: login.connection.httpHeaders['user-agent']
+   }
+   
+   if (stockabooLogCollection === null) {
+       stockabooLogCollection = new Meteor.Collection("stockaboo_log");
+   } 
+
+   stockabooLogCollection.upsert({user: login.user.username, 
+                                      clientAddress: login.connection.clientAddress, 
+                                      forwardedFor: login.connection.httpHeaders["x-forwarded-for"]}, logRecord);
+}
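Review bot: the upsert at the end of stockabooLogUser is keyed on (user, clientAddress, forwardedFor), so each new login from the same user/address pair overwrites the previous document and `timeNow`/`lastLogin` only ever hold the latest login; an abuse or DMCA audit trail needs one inserted document per login (with indexes on user and clientAddress and a retention limit), not an upsert. Two related points: `x-forwarded-for` is a client-supplied header unless a trusted reverse proxy overwrites it, so it should be stored as untrusted data, and because it is part of the selector any value a client sends creates a fresh document, which lets a single address grow the collection without bound; and keying on `username`/`name` rather than the user's `_id` means a renamed account loses its history. Since the collection holds personal data (addresses and user agents), make sure it is never published to clients and is only readable through an admin-only server method. Minor: the `logRecord` object literal is missing its terminating semicolon.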
marceloschmidt commented 5 years ago

We have a rate limiter applied to almost every spam-able method. We are planning to implement a setting for admins to enable/disable IP logging.
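The cooldown for spammers asked for in the first comment and the per-method rate limiter mentioned in the last one are the same mechanism seen from two sides. The block below is an added example, not Rocket.Chat or Meteor code (Meteor's ddp-rate-limiter package is the real counterpart for DDP methods): a sliding-window limiter that escalates to a lockout after repeated denials, applied to a hypothetical "send message" method both per user and per client address, so that a spammer rotating through freshly registered accounts from one address is still throttled. All limits, user ids, addresses and timestamps are constructed for the demo.

```javascript
'use strict';
// Added example (not Rocket.Chat or Meteor code): a sliding-window rate limiter
// with an escalating cooldown, the kind of check a chat server runs in front of
// a "send message" method. Limits and sample data are constructed for the demo.

class SpamLimiter {
  constructor({ maxRequests, windowMs, cooldownMs, strikesToCooldown }) {
    this.maxRequests = maxRequests;             // hits allowed per window
    this.windowMs = windowMs;                   // sliding window length
    this.cooldownMs = cooldownMs;               // lockout for repeat offenders
    this.strikesToCooldown = strikesToCooldown; // denials that trigger a lockout
    this.hits = new Map();        // key -> timestamps still inside the window
    this.strikes = new Map();     // key -> denials since the last lockout
    this.lockedUntil = new Map(); // key -> lockout expiry (ms)
  }

  // Returns { allowed: true } or { allowed: false, reason, retryAfterMs }.
  // `now` is injectable so the behaviour can be tested without sleeping.
  check(key, now = Date.now()) {
    const lock = this.lockedUntil.get(key);
    if (lock !== undefined && lock > now) {
      return { allowed: false, reason: 'cooldown', retryAfterMs: lock - now };
    }
    // Drop timestamps that have slid out of the window.
    const recent = (this.hits.get(key) || []).filter((t) => t > now - this.windowMs);
    this.hits.set(key, recent);
    if (recent.length < this.maxRequests) {
      recent.push(now);
      return { allowed: true };
    }
    const strikes = (this.strikes.get(key) || 0) + 1;
    if (strikes >= this.strikesToCooldown) {
      // Repeat offender: lock the key out and start counting strikes afresh.
      this.strikes.set(key, 0);
      this.lockedUntil.set(key, now + this.cooldownMs);
      return { allowed: false, reason: 'cooldown', retryAfterMs: this.cooldownMs };
    }
    this.strikes.set(key, strikes);
    // The oldest hit in the window decides when the next slot frees up.
    return { allowed: false, reason: 'rate', retryAfterMs: recent[0] + this.windowMs - now };
  }
}

// A tight per-user limiter plus a looser per-address one: the second catches a
// spammer who rotates through freshly registered accounts on a single address.
// Every denial is also recorded in a structured list an admin view could show.
function createSendMessageGuard() {
  const perUser = new SpamLimiter({ maxRequests: 5, windowMs: 10000, cooldownMs: 60000, strikesToCooldown: 3 });
  const perAddress = new SpamLimiter({ maxRequests: 12, windowMs: 10000, cooldownMs: 300000, strikesToCooldown: 3 });
  const denials = [];

  function guard({ userId, clientAddress }, now = Date.now()) {
    const checks = [
      ['user', perUser, `user:${userId}`],
      ['address', perAddress, `ip:${clientAddress}`],
    ];
    for (const [blockedBy, limiter, key] of checks) {
      const verdict = limiter.check(key, now);
      if (!verdict.allowed) {
        const denial = { at: now, userId, clientAddress, blockedBy, ...verdict };
        denials.push(denial);
        return denial;
      }
    }
    return { allowed: true };
  }
  return { guard, denials };
}

// Stand-alone demo: three accounts from one address, six messages each within
// the same window (203.0.113.7 is a documentation address, constructed here).
if (typeof require !== 'undefined' && require.main === module) {
  const { guard, denials } = createSendMessageGuard();
  let now = 1700000000000;
  for (const userId of ['u1', 'u2', 'u3']) {
    for (let i = 0; i < 6; i++) {
      const v = guard({ userId, clientAddress: '203.0.113.7' }, now++);
      if (!v.allowed) console.log(`${userId} denied by ${v.blockedBy} (${v.reason}), retry in ${v.retryAfterMs} ms`);
    }
  }
  console.log(`${denials.length} denials recorded`);
}
```

On a denial the method handler should throw an error carrying `retryAfterMs` so a well-behaved client backs off, and the `denials` records are worth keeping: a key that keeps hitting the cooldown state is exactly the signal an admin wants before reaching for a manual ban. A production limiter also has to evict idle keys from its maps, otherwise every address ever seen stays in memory.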