[CONTACT: Blocked Network]

[camwebb]

restricted IP: 69.161.16.16

[Jegelewicz]

@camwebb I think I released it - let me know if it works now.

[camwebb]

Thanks @Jegelewicz, but no, still blocked. This is an IP for the major telco in Alaska - ACS (alaskacommunications.com).

Related: I very frequently spend several minutes finding a way to reach Arctos - so many IPs I use are blocked. And then I need to find and delete the CFID cookie if I have previously tried from a blocked IP. Is the security risk really worth the significant inconvenience users experience trying to access Arctos? Has the IP Blocking policy been revisited recently?

[Jegelewicz]

Well, I think I have exhausted my options - It looks like it is active to me, but I am kinda guessing at what to do. @mkoo is there anyone else who knows what to do?

[mkoo]

I unblocked all IPs in 69.161- (in Arctos management) so should be ok-- please let us know. You can usually unblock yourself too although there may a little delay. I can pop this over to D and CJ to allow this subnet since it's not displaying bad behaviour and you guys use it regularly

[camwebb]

@mkoo Thanks! Works now.

You can usually unblock yourself too although there may a little delay.

I don't have the required Arctos permissions, I'm afraid.

Is there any likelihood that the IP Blacklist policy might ever be reconsidered and liberalized? It certainly makes Arctos less friendly to use.

[dustymc]

Moving this here; it could definitely use further discussion.

I don't have the required Arctos permissions,

You shouldn't need them. You - anyone - can fill out a form and release yourself, unless you've found yourself on a had-blocked network, which is comparatively rare.

find and delete the CFID cookie

It would be fabulous if you could elaborate on that. That should not be the case, I'll try to fix it if I can. (I've blocked myself probably thousands of times - mostly intentionally! - and never experienced this.)

IP Blacklist policy might ever be reconsidered and liberalized?

It could definitely be changed, but that can't result in Arctos being less secure unless it's accompanied by significant resources to compensate (and those could take several forms). We see thousands of occasionally-targeted malicious requests almost every day, and Arctos mostly weathers them because the block policies have been designed to do just that.

Given our actual resources, my preference would be to require login for all Arctos access. That's not entirely unusual these days, and would serve about the same purpose as the "associated traffic" blocks that most users see. IDK if that would be a more-friendly approach than the current or not.

[camwebb]

Thanks @dustymc for opening this discussion.

"find and delete the CFID cookie" ... It would be fabulous if you could elaborate on that. That should not be the case, I'll try to fix it if I can.

100% repeatable (for me). (Firefox on Linux)

1. Try to access via blocked IP (all IPs on my VPN are blocked) -> get the "Your IP (...) or organization has been blocked" page.
2. Switch to allowed IP (e.g., switch off VPN); check visible IP.
3. Retry Arctos. The same warning page with the old IP still appears.
4. Delete cfid cookie.
5. Retry: Arctos search page appears.

Then I usually log in, and switch VPN back on, and the blocked IP is then not blocked (I assume because of the new cfid cookie). But when the login times out, I have to repeat the above.

[camwebb]

You - anyone - can fill out a form and release yourself,

I had assumed that the form you (and @mkoo above) refer to is: https://arctos.database.museum/Admin/blocklist.cfm. I get an "Unauthorized" for that form. I can't find anything in the handbook, searching on 'blocked IP'.

[dustymc]

Thanks and AHA! @camwebb, I'll see what I can do about that (without opening us up to a DDOS attack). I had not anticipated swapping IPs without establishing a new session (or at least not non-malicious versions of that!).

had assumed that the form you (and @mkoo above) refer to is: https://arctos.database.museum/Admin/blocklist.cfm.

Nope, any form.

https://arctos-test.tacc.utexas.edu/blockme.php should look like...

and filling that out (or clicking the link on test) should lead to....

Grab some coffee (because I don't have the resources to not cache while surviving even normal daily attacks), come back and you should have access.

(And the typo is fixed for next release.)

[camwebb]

Hmmm. I don't see that form. I only get:

Your IP (...) or organization has been blocked. You may wish to check your computer for malicious software and alert your IP or organization. Further intrusion attempts may result in more restrictive blocks. Access from this network has been restricted. You may open an Issue on our GitHub to request access.

We cannot consider requests which do not include your IP address, "..."

Looking at the page source, the HTML dies after the last paragraph - no closing div, body, html. I checked with curl and the same, so it's not a browser issue. And the same at https://arctos-test.tacc.utexas.edu/blockme.php or at https://arctos.database.museum/. Strange.