Page MenuHomePhabricator
Create Task
Maniphest T354928

Allow logging and possibility to enact mitigations for actions for IPs with negative IP reputation data
Closed, ResolvedPublic
Actions

Description

Context

Now that iPoid-Service is running, we can make use of its data in account creation requests and other actions taken on wiki. This is useful for providing additional context into an action; it also provides for the possibility of implementing mitigations based on various signals, rather than relying on individual IPs or IP ranges for actions.

Proposal

This task proposes that an extension implements a pre authentication provider to check for the presence of an IP address used in account creation against ipoid's database.

The extension should allow for configuring which risk types (e.g. callback proxy) and tunnel types (e.g. proxy or vpn) to check account creation for.

In the short term, we'll use CentralAuth both for lack of a better place for this integration for now. Longer term, this functionality should go into MediaWiki-extensions-IPReputation

Consequences

  1. There is a central location for event logging, statsd, and logstash logs for IP reputation data associated with an action
  2. There is configuration that allows for implementing mitigations per action for IP addresses matching configured risk criteria

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
PreAuthenticationProvider: Allow blocking account creation based on IP reputationmediawiki/extensions/CentralAuthmaster+681 -2
PreAuthenticationProvider: Allow blocking account creation based on IP reputationmediawiki/extensions/CentralAuthwmf/1.42.0-wmf.15+681 -2
PreAuthenticationProvider: Deny account creation based on ipoid datamediawiki/extensions/CentralAuthwmf/1.42.0-wmf.14+693 -2
Log IpReputation channel as debugoperations/mediawiki-configmaster+1 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

kostajh created this task.Jan 12 2024, 8:16 AM
Restricted Application added a project: MediaWiki-Platform-Team. · View Herald TranscriptJan 12 2024, 8:16 AM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
gerritbot added a comment.Jan 12 2024, 8:16 AM

Change 989728 had a related patch set uploaded (by Kosta Harlan; author: Kosta Harlan):

[mediawiki/extensions/CentralAuth@master] WIP PreAuth: Deny account creation based on ipoid data

https://gerrit.wikimedia.org/r/989728

gerritbot added a project: Patch-For-Review.Jan 12 2024, 8:16 AM
kostajh added a comment.EditedJan 12 2024, 9:14 AM

Related tasks: T354832: Create a special throttling class for "rogue proxies" IPs, {T341908}

kostajh added a project: Trust and Safety Product Team.Jan 12 2024, 9:14 AM
Tgr mentioned this in T316303: Check global rights during autocreation.Jan 12 2024, 7:32 PM
gerritbot added a comment.Jan 14 2024, 2:37 PM

Change 990396 had a related patch set uploaded (by Majavah; author: Majavah):

[operations/mediawiki-config@master] Log IpReputation channel as debug

https://gerrit.wikimedia.org/r/990396

gerritbot added a comment.Jan 14 2024, 3:19 PM

Change 990396 merged by jenkins-bot:

[operations/mediawiki-config@master] Log IpReputation channel as debug

https://gerrit.wikimedia.org/r/990396

Stashbot added a comment.Jan 14 2024, 3:20 PM

Mentioned in SAL (#wikimedia-operations) [2024-01-14T15:20:53Z] <taavi@deploy2002> Started scap: Backport for [[gerrit:990396|Log IpReputation channel as debug (T354928)]]

Stashbot added a comment.Jan 14 2024, 3:35 PM

Mentioned in SAL (#wikimedia-operations) [2024-01-14T15:35:12Z] <taavi@deploy2002> taavi: Backport for [[gerrit:990396|Log IpReputation channel as debug (T354928)]] synced to the testservers (https://wikitech.wikimedia.org/wiki/Mwdebug)

Stashbot added a comment.Jan 14 2024, 3:47 PM

Mentioned in SAL (#wikimedia-operations) [2024-01-14T15:47:42Z] <taavi@deploy2002> Finished scap: Backport for [[gerrit:990396|Log IpReputation channel as debug (T354928)]] (duration: 26m 49s)

Vermont subscribed.Jan 15 2024, 2:09 AM
larissagaulia moved this task from Inbox, needs triage to Waiting on the MediaWiki-Platform-Team board.Jan 15 2024, 2:45 PM
jnuche added subscribers: taavi, jnuche.Jan 16 2024, 8:33 AM

Patch 02-T354928.patch is currently failing to apply and caused the train presync to fail last night:

[FAILED] /srv/patches/1.42.0-wmf.14/extensions/CentralAuth/02-T354928.patch

We're gonna need a rebased version to unblock the train. @taavi I think you're the right person to ping here?

jnuche added a parent task: T354432: 1.42.0-wmf.14 deployment blockers.Jan 16 2024, 8:35 AM
kostajh added a comment.EditedJan 16 2024, 8:42 AM
In T354928#9461183, @jnuche wrote:

Patch 02-T354928.patch is currently failing to apply and caused the train presync to fail last night:

[FAILED] /srv/patches/1.42.0-wmf.14/extensions/CentralAuth/02-T354928.patch

We're gonna need a rebased version to unblock the train. @taavi I think you're the right person to ping here?

@jnuche PS33 https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CentralAuth/+/989728/ seems to not have any conflicts? I propose we merge that patch and backport it.

jnuche added a comment.Jan 16 2024, 8:53 AM

@kostajh sounds good to me. I'll rerun the presync, can you create the patch for 1.42.0-wmf.14 in the meantime? I'll backport it once the preysnc has completed.

gerritbot added a comment.Jan 16 2024, 9:40 AM

Change 990752 had a related patch set uploaded (by Kosta Harlan; author: Kosta Harlan):

[mediawiki/extensions/CentralAuth@wmf/1.42.0-wmf.14] PreAuthenticationProvider: Deny account creation based on ipoid data

https://gerrit.wikimedia.org/r/990752

gerritbot added a comment.Jan 16 2024, 11:10 AM

Change 990752 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@wmf/1.42.0-wmf.14] PreAuthenticationProvider: Deny account creation based on ipoid data

https://gerrit.wikimedia.org/r/990752

Stashbot added a comment.Jan 16 2024, 11:16 AM

Mentioned in SAL (#wikimedia-operations) [2024-01-16T11:16:03Z] <jnuche@deploy2002> Started scap: Backport for [[gerrit:990752|PreAuthenticationProvider: Deny account creation based on ipoid data (T354928)]]

Stashbot added a comment.Jan 16 2024, 11:36 AM

Mentioned in SAL (#wikimedia-operations) [2024-01-16T11:36:03Z] <jnuche@deploy2002> jnuche and kharlan: Backport for [[gerrit:990752|PreAuthenticationProvider: Deny account creation based on ipoid data (T354928)]] synced to the testservers (https://wikitech.wikimedia.org/wiki/Mwdebug)

Stashbot added a comment.Jan 16 2024, 11:45 AM

Mentioned in SAL (#wikimedia-operations) [2024-01-16T11:45:35Z] <jnuche@deploy2002> Finished scap: Backport for [[gerrit:990752|PreAuthenticationProvider: Deny account creation based on ipoid data (T354928)]] (duration: 29m 32s)

ReleaseTaggerBot added a project: MW-1.42-notes (1.42.0-wmf.14; 2024-01-16).Jan 16 2024, 12:00 PM
Novem_Linguae subscribed.Jan 16 2024, 1:52 PM
kostajh moved this task from Backlog to External on the iPoid-Service board.Jan 17 2024, 11:22 AM
Tgr added a project: User-notice.Jan 19 2024, 3:45 AM
Tgr subscribed.

Needs a heads-up to admins when it is merged (not sure if Tech News is the best venue for that, but it's the simplest) because some users might use the appeal mechanisms for IP blocks, and since the message and mechanism is vaguely similar to that, admins will get very confused if they are unaware that we are doing automated pseudo-IP-blocks now.

kostajh removed a parent task: T354432: 1.42.0-wmf.14 deployment blockers.Jan 19 2024, 8:54 AM
Quiddity moved this task from To Triage to Not ready to announce on the User-notice board.Jan 19 2024, 8:34 PM
Tgr moved this task from Waiting to In progress (DO NOT USE) on the MediaWiki-Platform-Team board.Jan 23 2024, 4:34 AM
Tgr added a comment.Jan 23 2024, 4:45 AM
In T354928#9471615, @Tgr wrote:

Needs a heads-up to admins when it is merged (not sure if Tech News is the best venue for that, but it's the simplest) because some users might use the appeal mechanisms for IP blocks, and since the message and mechanism is vaguely similar to that, admins will get very confused if they are unaware that we are doing automated pseudo-IP-blocks now.

My bad, this is actually not enabled yet, so doesn't need a notice right now. But at some point we do need to explain what the new error message means.

kostajh added a comment.Jan 23 2024, 6:50 AM
In T354928#9479618, @Tgr wrote:
In T354928#9471615, @Tgr wrote:

Needs a heads-up to admins when it is merged (not sure if Tech News is the best venue for that, but it's the simplest) because some users might use the appeal mechanisms for IP blocks, and since the message and mechanism is vaguely similar to that, admins will get very confused if they are unaware that we are doing automated pseudo-IP-blocks now.

My bad, this is actually not enabled yet, so doesn't need a notice right now. But at some point we do need to explain what the new error message means.

I'll plan to do that when porting the code to MediaWiki-extensions-IPReputation

kostajh mentioned this in T355641: Add route for appeals in error message.Jan 23 2024, 6:52 AM
gerritbot added a comment.Jan 23 2024, 6:58 AM

Change 992123 had a related patch set uploaded (by Kosta Harlan; author: Kosta Harlan):

[mediawiki/extensions/CentralAuth@wmf/1.42.0-wmf.15] PreAuthenticationProvider: Allow blocking account creation based on IP reputation

https://gerrit.wikimedia.org/r/992123

gerritbot added a comment.Jan 23 2024, 7:02 AM

Change 989728 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@master] PreAuthenticationProvider: Allow blocking account creation based on IP reputation

https://gerrit.wikimedia.org/r/989728

ReleaseTaggerBot edited projects, added MW-1.42-notes (1.42.0-wmf.16; 2024-01-30); removed MW-1.42-notes (1.42.0-wmf.14; 2024-01-16).Jan 23 2024, 11:00 AM
gerritbot added a comment.Jan 25 2024, 8:15 AM

Change 992123 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@wmf/1.42.0-wmf.15] PreAuthenticationProvider: Allow blocking account creation based on IP reputation

https://gerrit.wikimedia.org/r/992123

Stashbot added a comment.Jan 25 2024, 8:16 AM

Mentioned in SAL (#wikimedia-operations) [2024-01-25T08:16:12Z] <stran@deploy2002> Started scap: Backport for [[gerrit:992123|PreAuthenticationProvider: Allow blocking account creation based on IP reputation (T354928)]]

Maintenance_bot removed a project: Patch-For-Review.Jan 25 2024, 8:30 AM
Stashbot added a comment.Jan 25 2024, 8:44 AM

Mentioned in SAL (#wikimedia-operations) [2024-01-25T08:44:58Z] <stran@deploy2002> stran and kharlan: Backport for [[gerrit:992123|PreAuthenticationProvider: Allow blocking account creation based on IP reputation (T354928)]] synced to the testservers (https://wikitech.wikimedia.org/wiki/Mwdebug)

ReleaseTaggerBot edited projects, added MW-1.42-notes (1.42.0-wmf.15; 2024-01-23); removed MW-1.42-notes (1.42.0-wmf.16; 2024-01-30).Jan 25 2024, 9:00 AM
Stashbot added a comment.Jan 25 2024, 9:12 AM

Mentioned in SAL (#wikimedia-operations) [2024-01-25T09:12:02Z] <stran@deploy2002> Started scap: Backport for [[gerrit:992123|PreAuthenticationProvider: Allow blocking account creation based on IP reputation (T354928)]]

Stashbot added a comment.Jan 25 2024, 9:14 AM

Mentioned in SAL (#wikimedia-operations) [2024-01-25T09:14:16Z] <stran@deploy2002> kharlan and stran: Backport for [[gerrit:992123|PreAuthenticationProvider: Allow blocking account creation based on IP reputation (T354928)]] synced to the testservers (https://wikitech.wikimedia.org/wiki/Mwdebug)

Stashbot added a comment.Jan 25 2024, 9:29 AM

Mentioned in SAL (#wikimedia-operations) [2024-01-25T09:29:26Z] <stran@deploy2002> Finished scap: Backport for [[gerrit:992123|PreAuthenticationProvider: Allow blocking account creation based on IP reputation (T354928)]] (duration: 17m 24s)

DAlangi_WMF moved this task from In progress (DO NOT USE) to Radar on the MediaWiki-Platform-Team board.Feb 5 2024, 4:02 PM
DAlangi_WMF edited projects, added MediaWiki-Platform-Team (Radar); removed MediaWiki-Platform-Team.
kostajh renamed this task from Allow denial of account creation for IPs known to ipoid to Allow logging and possibility to enact mitigations for actions for IPs with negative IP reputation data.Mar 12 2024, 11:11 AM
kostajh claimed this task.
kostajh edited projects, added MediaWiki-extensions-IPReputation, User-kostajh; removed User-notice, iPoid-Service, MediaWiki-extensions-CentralAuth.
kostajh updated the task description. (Show Details)
kostajh closed this task as Resolved.Jul 25 2024, 12:16 PM

Marking this as resolved, as the actual remaining work is tracked in T359922: Migrate CentralAuthIpReputationPreAuthenticationProvider to Extension:IPReputation and T360067: Deploy Extension:IPReputation

Dreamy_Jazz closed subtask T359922: Migrate CentralAuthIpReputationPreAuthenticationProvider to Extension:IPReputation as Resolved.Jan 10 2025, 10:32 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits