Make forum registered user access only

harveygasson
Millennial Club
Posts: 1371
Joined: 6 years ago

Post by harveygasson »

Thank you tiedinbluetights for highlighting this thread to me. I can't even begin to pretend I understand the more technical elements of what's going on but, if it's potentially finding a solution through registered user accounts could a possibility be that you have to register an account but those registrations themselves have to be approved by admin. That way even if someone attempted to create thousands of bot accounts they wouldn't be approved. No idea if that is feasible or not.

If the solution is potentially moving to another server or upgrading a tier, and that comes with a cost, I'm sure many of us would be happy to chip in. I know I'd be willing to give £100+ to keep this board going and maybe we just need to try and pool resources together.

Either way, thank you for the admin and ownership trying to find solutions to this problem. It would be such a shame to see this place and community go the way of so many others.
tiedinbluetights
Centennial Club
Posts: 623
Joined: 2 years ago
Location: Canada

Post by tiedinbluetights »

harveygasson wrote: 3 months ago ... It would be such a shame to see this place and community go the way of so many others.
I wholeheartedly agree. My suggestion of making the site registered access only came mostly out of frustration of having to wait hours or days for the bot attacks to decrease in intensity a bit. But, that would make the site disappear off the search engine results. It is already happening to some extent: searching for "tie-up stories" on Google used to bring up the index page plus dozens of others related to the site. Now, you mostly get a direct link to the fictional stories for adults, indicating that the bots are mostly scraping those stories. I have a really cheesy story there that has gotten literally 1000 of views a day, something that has never happened to me before on this site, given that there is no way my stories are that interesting to view.

If we wish to keep the site visible to non-registered users, searchable via Google, and accessible 24/7 to registered users, we may indeed need to go to Cloudflare or similar service, but that's up to the site owner to decide. If the site ends up costing much, much more to maintain, due to higher server tiers and defences, we will need to make the decision if a few of us are still willing to pay voluntarily higher and higher amounts, to allow the rest of us (including a**-holes behind bots) to freely access the site, or if we should all pay each our fair share to access the site. I, for one, while willing to pay a reasonable amount per year as an individual, am getting sick and tired of having to pay for free-loaders, especially bot operating free-loaders (my apologies for skating on political thin ice).
💙 Love to be tied-up 💙
I read and write stories for fun
Open to friendly PMs
(I don't do roleplays nor story requests)
Bigballgag1
Centennial Club
Posts: 704
Joined: 5 years ago

Post by Bigballgag1 »

tiedinbluetights wrote: 3 months ago
harveygasson wrote: 3 months ago ... It would be such a shame to see this place and community go the way of so many others.
I wholeheartedly agree. My suggestion of making the site registered access only came mostly out of frustration of having to wait hours or days for the bot attacks to decrease in intensity a bit. But, that would make the site disappear off the search engine results. It is already happening to some extent: searching for "tie-up stories" on Google used to bring up the index page plus dozens of others related to the site. Now, you mostly get a direct link to the fictional stories for adults, indicating that the bots are mostly scraping those stories. I have a really cheesy story there that has gotten literally 1000 of views a day, something that has never happened to me before on this site, given that there is no way my stories are that interesting to view.

If we wish to keep the site visible to non-registered users, searchable via Google, and accessible 24/7 to registered users, we may indeed need to go to Cloudflare or similar service, but that's up to the site owner to decide. If the site ends up costing much, much more to maintain, due to higher server tiers and defences, we will need to make the decision if a few of us are still willing to pay voluntarily higher and higher amounts, to allow the rest of us (including a**-holes behind bots) to freely access the site, or if we should all pay each our fair share to access the site. I, for one, while willing to pay a reasonable amount per year as an individual, am getting sick and tired of having to pay for free-loaders, especially bot operating free-loaders (my apologies for skating on political thin ice).
I understand the point you are trying to make. However not everybody is in a position to contribute financially. If you were to change this site to a subscription based one or put it behind a paywall, I actually think you would kill it quite quickly. Who is going to pay to write a story? Especially when places like DeviantArt and other sites are free?

One of the many positives of this place is that it is open and accessible to all. The fact you can contribute is great, however in my opinion it makes you no better than anyone else. The last couple of lines of this post I find quite irritating actually, a kick in the teeth to many of the story writers on here and those that contribute to the content available on this site but are unable or unwilling to contribute financially. Perhaps I am reading this the wrong way, apologies if so.

As others have mentioned, I am grateful to the admins and those that keep the site up and running especially on a volunteer basis. I also understand how the error messages are annoying. However I think sometimes some perspective is needed.

The old site (I believe), locked down the adult story sections. If this is what the bots are looking for, perhaps it makes sense to lock these sections down to accounts only and have new user requests needing approval before activation. No idea if this is possible or feasible, just a suggestion.
tiedinbluetights
Centennial Club
Posts: 623
Joined: 2 years ago
Location: Canada

Post by tiedinbluetights »

Bigballgag1 wrote: 3 months ago
tiedinbluetights wrote: 3 months ago If we wish to keep the site visible to non-registered users, searchable via Google, and accessible 24/7 to registered users, we may indeed need to go to Cloudflare or similar service, but that's up to the site owner to decide. If the site ends up costing much, much more to maintain, due to higher server tiers and defences, we will need to make the decision if a few of us are still willing to pay voluntarily higher and higher amounts, to allow the rest of us (including a**-holes behind bots) to freely access the site, or if we should all pay each our fair share to access the site. I, for one, while willing to pay a reasonable amount per year as an individual, am getting sick and tired of having to pay for free-loaders, especially bot operating free-loaders (my apologies for skating on political thin ice).
I understand the point you are trying to make. However not everybody is in a position to contribute financially. If you were to change this site to a subscription based one or put it behind a paywall, I actually think you would kill it quite quickly. Who is going to pay to write a story? Especially when places like DeviantArt and other sites are free?

One of the many positives of this place is that it is open and accessible to all. The fact you can contribute is great, however in my opinion it makes you no better than anyone else. The last couple of lines of this post I find quite irritating actually, a kick in the teeth to many of the story writers on here and those that contribute to the content available on this site but are unable or unwilling to contribute financially. Perhaps I am reading this the wrong way, apologies if so.
Those are very valid points, and I apologize if I insulted valued contributors; that was not my intention at all.
Bigballgag1 wrote: 3 months ago As others have mentioned, I am grateful to the admins and those that keep the site up and running especially on a volunteer basis. I also understand how the error messages are annoying. However I think sometimes some perspective is needed.
I echo that sentiment, and have said so in the past on this and other threads, asking for patience (even as I am clearly running out of myself). I have a great deal of respect for the admins and mods, as well as for the site owner especially who all work voluntarily, for no pay whatsoever, paying out of their own personal pockets, on keeping this forum up and running. I'm, however, going to remain saddened that so few of us (29) have volunteered (it was anonymous) to keep the site going for 2024.
Bigballgag1 wrote: 3 months ago The old site (I believe), locked down the adult story sections. If this is what the bots are looking for, perhaps it makes sense to lock these sections down to accounts only and have new user requests needing approval before activation. No idea if this is possible or feasible, just a suggestion.
Whatever the solution admins come up with, the bot attacks are here to stay, so I hope that suggestion is indeed feasible.

Good luck fellow humans.
💙 Love to be tied-up 💙
I read and write stories for fun
Open to friendly PMs
(I don't do roleplays nor story requests)
Fandango
Centennial Club
Posts: 240
Joined: 1 year ago
Location: Western United States

Post by Fandango »

Please note that I am in no way, shape, or form a coder. I do not know what half of the words that I am about to post mean. But this is a solution that I found posted online in regards to what appears to be the site's issue:



There's no problem with the database, the problem is in how you handle database connections from your software.

The way your script is set up is that every connection to your web server also opens a connection towards MySQL. That's not the scenario you want.

Raising the limit won't fix the issue, it will just delay yet another error. What you should do is use persistent connections.

One of the reasons why using php-fpm instead of server APIs such as mod_php is preferred is because a set number of PHP processes is booted and a pool of connections to services is created.

The flow would be the following:

1. use php-fpm. Apache and nginx can use FCGI interface to speak to php-fpm processes
2. raise a relatively low amount of child processes for php-fpm. This shouldn't be overly large, default config usually works out, I'll make a guess that you don't run a hexacore system so 4-6 child processes should be fine
3. use persistent MySQL connections

What does this do? Your server accepts the request and sends it to php-fpm, which processes it when it becomes free. Each process uses 1 connection to MySQL. This means you can never hit some sort of hard limit like you have.

If your server is busy, the server should queue up the requests until PHP is capable of handling them. Be it Apache or nginx that you use, this approach will work well.

If your site is busy, it's likely that web server is working faster to accept connections and serve static content than PHP is to process dynamic content. In this case you have an option of adding another physical machine (or more) that runs php-fpm. Instructing your web server to round-robin between machines that serve PHP is trivial, for both of mentioned web servers.

Bottom line is that you want to utilize your resources in an optimal way. Opening and closing MySQL connections on every request isn't optimal. Pooling connections is.


Just a thought, if anybody with control knows what that means, agrees, and is capable of adjusting it accordingly.
chadmc90
Site Admin
Posts: 738
Joined: 6 years ago

Post by chadmc90 »

Fandango wrote: 3 months ago Please note that I am in no way, shape, or form a coder. I do not know what half of the words that I am about to post mean. But this is a solution that I found posted online in regards to what appears to be the site's issue:



There's no problem with the database, the problem is in how you handle database connections from your software.

The way your script is set up is that every connection to your web server also opens a connection towards MySQL. That's not the scenario you want.

Raising the limit won't fix the issue, it will just delay yet another error. What you should do is use persistent connections.

One of the reasons why using php-fpm instead of server APIs such as mod_php is preferred is because a set number of PHP processes is booted and a pool of connections to services is created.

The flow would be the following:

1. use php-fpm. Apache and nginx can use FCGI interface to speak to php-fpm processes
2. raise a relatively low amount of child processes for php-fpm. This shouldn't be overly large, default config usually works out, I'll make a guess that you don't run a hexacore system so 4-6 child processes should be fine
3. use persistent MySQL connections

What does this do? Your server accepts the request and sends it to php-fpm, which processes it when it becomes free. Each process uses 1 connection to MySQL. This means you can never hit some sort of hard limit like you have.

If your server is busy, the server should queue up the requests until PHP is capable of handling them. Be it Apache or nginx that you use, this approach will work well.

If your site is busy, it's likely that web server is working faster to accept connections and serve static content than PHP is to process dynamic content. In this case you have an option of adding another physical machine (or more) that runs php-fpm. Instructing your web server to round-robin between machines that serve PHP is trivial, for both of mentioned web servers.

Bottom line is that you want to utilize your resources in an optimal way. Opening and closing MySQL connections on every request isn't optimal. Pooling connections is.


Just a thought, if anybody with control knows what that means, agrees, and is capable of adjusting it accordingly.
The issue at its core is 2 things:
1. The bots and suspicious IP addresses that are navigating the forum too quickly for the server host to keep up with.
2. The limits the host is putting on the forum.

Over the weekend I looked at the server logs and IP addresses and banned multiple ranges of IP addresses that seem suspicious. There were some ranges that were obvious bots as the browser type clearly indicated that they were bots. I gave it a few days, but still noticed that the forum was still slow and the connection error message was still persisting. I then looked again and noticed that there was a suspicious range of IPs from guests that were marked as legit users but were still scanning the pages like bots. I just now blocked them and noticed a significant improvement in forum speed. I will continue to monitor to see if the forum continues to run into problems.
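
Added example, not part of the thread or of any poster's own tooling: the kind of log review described in the post above, sketched in Python over a constructed access log. It separates ranges whose User-Agent announces a bot from ranges that present a browser User-Agent but request pages at crawler speed. The Combined Log Format, the /24 grouping, the threshold of 30 requests per 60 seconds and the sample addresses (documentation ranges) are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network

# Combined Log Format: ip - - [time] "METHOD path HTTP/x" status size "referer" "user-agent"
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" \d+ \S+ "[^"]*" "([^"]*)"')
BOT_UA = re.compile(r"bot|crawl|spider", re.I)

def make_sample():
    """Constructed sample log (documentation-range IPs, not real traffic)."""
    t0 = datetime(2024, 1, 6, 12, 0, 0)
    def line(ip, secs, path, ua):
        ts = (t0 + timedelta(seconds=secs)).strftime("%d/%b/%Y:%H:%M:%S +0000")
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 5120 "-" "{ua}"'
    browser = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/121.0"
    rows = []
    # Range that announces itself as a crawler in the User-Agent.
    rows += [line("198.51.100.7", i * 2, f"/viewtopic.php?t={i}", "ExampleBot/1.0") for i in range(20)]
    # Browser User-Agent, spread over five hosts, one page per second in total.
    rows += [line(f"203.0.113.{10 + i % 5}", i, f"/viewtopic.php?t={100 + i}", browser) for i in range(90)]
    # Ordinary reader: a few pages, minutes apart.
    rows += [line("192.0.2.44", i * 180, f"/viewtopic.php?t={i}", browser) for i in range(4)]
    return rows

def classify(lines, window=60, max_per_window=30, prefix=24):
    """Return {network: verdict} for IPv4 ranges worth an admin's attention."""
    hits = defaultdict(list)          # network -> [(timestamp, user-agent)]
    for raw in lines:
        m = LINE.match(raw)
        if not m:
            continue                  # skip lines that are not in the expected format
        ip, ts, _path, ua = m.groups()
        net = str(ip_network(f"{ip}/{prefix}", strict=False))
        hits[net].append((datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), ua))
    verdicts = {}
    for net, events in hits.items():
        events.sort(key=lambda e: e[0])
        times = [t for t, _ in events]
        # Peak number of requests inside any `window`-second span (two-pointer sweep).
        peak, lo = 0, 0
        for hi, t in enumerate(times):
            while (t - times[lo]).total_seconds() >= window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if any(BOT_UA.search(ua) for _, ua in events):
            verdicts[net] = "declared-bot"
        elif peak > max_per_window:
            verdicts[net] = "browser-ua-crawling"
    return verdicts

if __name__ == "__main__":
    for net, verdict in sorted(classify(make_sample()).items()):
        print(net, verdict)
```

Counted per host (`prefix=32`), each address in the browser-UA range stays under the threshold; only the range-level view shows the crawl.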
Xtc
Site Admin
Posts: 3453
Joined: 6 years ago
Location: Not deep enough into the Forest

Post by Xtc »

Thanks @chadmc90
Here's hoping.

Any sign of a response to the PMs?
They all say boxer shorts are cool,
but little Speedos always rule.
AlexUSA3
Millennial Club
Posts: 1336
Joined: 2 years ago

Post by AlexUSA3 »

On the old site, we used to do monthly blanket deletions of all accounts that hadn't more than one post. We chose one because many bots are sophisticated enough to make a convincing introductory post. I don't know if that would work here, but I mention it as something done in the past for security reasons.
CGC Short Stories (F+f+/F+f+): viewtopic.php?f=8&t=20527
Find my other CGC Stories in the same link above!

tiedinbluetights
Centennial Club
Posts: 623
Joined: 2 years ago
Location: Canada

Post by tiedinbluetights »

Thanks @chadmc90 ! My apologies to the community for having lost patience in one of my earlier comments on this thread.
💙 Love to be tied-up 💙
I read and write stories for fun
Open to friendly PMs
(I don't do roleplays nor story requests)
Nainur
Centennial Club
Posts: 648
Joined: 4 years ago
Location: Germany

Post by Nainur »

Seems better now, hoping it lasts! Thanks for the effort @chadmc90 !!!
OrdinaryWorld
Centennial Club
Posts: 292
Joined: 4 years ago
Location: Australia

Post by OrdinaryWorld »

AlexUSA3 wrote: 3 months ago On the old site, we used to do monthly blanket deletions of all accounts that hadn't more than one post. We chose one because many bots are sophisticated enough to make a convincing introductory post. I don't know if that would work here, but I mention it as something done in the past for security reasons.
My concern with this is that lurkers who create an account should still be allowed to exist imo. For example you can't see (all) images unless you have an account to view the story.
bondagefreak
Honorary Member
Posts: 5507
Joined: 6 years ago
Location: Québec

Post by bondagefreak »

OrdinaryWorld wrote: 3 months ago For example you can't see (all) images unless you have an account to view the story.
You can, my friend ;) That only used to be a thing when images were forum-hosted attachments. You had to have an account to see them.
You don't anymore, as the images on the board are all hosted externally (like on Flickr or Photobucket).

The only thing lurkers can do that guests can is vote on polls.
FOR A LIST OF ALL MY WRITTEN WORKS, CLICK HERE: BONDAGEFREAK'S STORIES

chadmc90
Site Admin
Posts: 738
Joined: 6 years ago

Post by chadmc90 »

AlexUSA3 wrote: 3 months ago On the old site, we used to do monthly blanket deletions of all accounts that hadn't more than one post. We chose one because many bots are sophisticated enough to make a convincing introductory post. I don't know if that would work here, but I mention it as something done in the past for security reasons.
I mean I guess I could do that but I don't see the value in it. Accounts themselves don't take up much data in server storage, especially since we no longer host images. We've barely touched half our max capacity. Also, I fail to see how inactive users pose a security risk.

At the end of the day, the problems that the board experienced had nothing to do with old accounts. It was the rampage of bots that was constantly crawling the board and wasting our bandwidth and connection limit.
blackbound
Millennial Club
Posts: 1109
Joined: 6 years ago

Post by blackbound »

chadmc90 wrote: 3 months ago Also, I fail to see how inactive users pose a security risk.
Theoretically someone could hijack them, especially if they have insecure passwords.