Exercise 21 Block Offensive Usernames

Suppose you want to block all usernames that contain the text bad word.

1. Create a new rule by selecting access control > account rules > add rule (admin/access/rules/add).

2. Select Deny and Username, and then enter the mask %bad word%, as shown in Figure 2-3.

[Screenshot: the add rule form, with Access type and Rule type options. Mask help text: % matches any number of characters, even zero characters; _ matches exactly one character.]

Figure 2-3. Blocking a username

3. Click the Add Rule button. Your rule is now in effect.

4. To test it and make sure it behaves as you expected, go to the Check Rules subtab (admin/access/rules/check). Here, you can enter any username in the Username field, and then click the Check Username button to see if the name would be allowed or denied. For this example, try usernames like real bad word, bad words, and not a bad word. They should all be denied. Then try badword and ad word. They should be allowed.

Perhaps you have a user who creates multiple versions of himself with different e-mail addresses from the same domain ([email protected], [email protected], [email protected], and so on). You don't want to kick the user off the site, but you do want to limit him to one account. To do this, you make a rule that denies all e-mail accounts from domain.com, as shown in Figure 2-4. At this point, all of the e-mail addresses from domain.com are blocked. Now you add another rule allowing one particular address, [email protected]. The result, which you can confirm using the Check Rules subtab, is that only [email protected] is allowed to create a user account, because allowing rules trump denying rules.


Figure 2-4. Blocking users from a particular domain
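
The checks from Exercise 21 and the domain.com scenario, as an added example (not code from the book or from Drupal): a small evaluator for deny and allow masks. The `%@domain.com` mask, the `keeper@domain.com` and `clone1@domain.com` addresses, case-insensitive matching, and all function names are assumptions made for illustration.

```python
import re

def mask_to_regex(mask):
    """Translate an access-rule mask into a regex.
    % matches any run of characters (even none); _ matches exactly one."""
    parts = []
    for ch in mask:
        if ch == "%":
            parts.append(".*")
        elif ch == "_":
            parts.append(".")
        else:
            parts.append(re.escape(ch))  # everything else is literal
    # Assumption: masks are compared case-insensitively.
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)

def is_denied(rules, rule_type, value):
    """rules is a list of (access, rule_type, mask) tuples.
    A value is denied only if a deny mask matches and no allow mask does,
    which is how an allow rule overrides a broader deny rule."""
    def hit(access):
        return any(mask_to_regex(m).fullmatch(value)
                   for a, t, m in rules if a == access and t == rule_type)
    return hit("deny") and not hit("allow")

# Constructed rule set mirroring the two scenarios in the text.
RULES = [
    ("deny", "user", "%bad word%"),
    ("deny", "mail", "%@domain.com"),        # assumed mask for the domain rule
    ("allow", "mail", "keeper@domain.com"),  # constructed address
]

def check(rule_type, value):
    """Mimic the Check Rules subtab: report 'denied' or 'allowed'."""
    return "denied" if is_denied(RULES, rule_type, value) else "allowed"

if __name__ == "__main__":
    for name in ["real bad word", "bad words", "not a bad word",
                 "badword", "ad word"]:
        print(f"user {name!r}: {check('user', name)}")
    for mail in ["clone1@domain.com", "keeper@domain.com",
                 "clone1@sub.domain.com"]:
        print(f"mail {mail!r}: {check('mail', mail)}")
```

The last address shows a gap worth testing for: under this assumed mask, a subdomain such as sub.domain.com is not covered by the deny rule and needs its own mask.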

Tip: Hosts, or IP addresses, identify the computer from which a visitor has accessed your site. If an attacker is using a computer to launch an attack on your server, you can help protect yourself by banning the IP address of the attacking computer. While it is possible to do this from the Rules tab of the Access Control screen, there is an easier way. The Statistics module, described in Chapter 3, keeps a record of who accesses your site and their IP addresses. Using the Top Visitors log (admin/logs/visitors), you can identify possible cases of abuse and ban IP addresses directly with the click of a link. Of course, if you know that thugs in some dark and distant country are after you, and you know their IP address, you should block it preemptively, but this is rarely the case.
