Mediawiki/Anonymous IP Hash: Difference between revisions

From Bibliotheca Anonoma
No edit summary
No edit summary
Line 5: Line 5:


1. Add the following to your LocalSettings.php:
1. Add the following to your LocalSettings.php:
MD5 Edition:
<pre>
// you can leave anon talk pages on, but you'll
// likely end up with useless crud after IDs expire
$wgDisableAnonTalk = true;
function AnonUsername($IP) {
        //$key = $IP.'PUT RANDOM TEXT HERE';
        // We use this function to further anonymize, but it makes it a little harder to ban robots: dmY = new ID per day, WY = per week.
        $key = $IP.'PUT RANDOM TEXT HERE'.gmdate('dmY');
        return 'ID:'.substr(crypt(md5($key), 'id'), 2, 8);
}
</pre>
Bcrypt Edition:


<pre>
<pre>
Line 30: Line 14:
         // Alternatively, you can use this function to further anonymize, but it makes it harder to ban robots: dmY = new ID per day, WY = per week.
         // Alternatively, you can use this function to further anonymize, but it makes it harder to ban robots: dmY = new ID per day, WY = per week.
         //$key = $IP.'PUT RANDOM TEXT HERE'.gmdate('dmY');
         //$key = $IP.'PUT RANDOM TEXT HERE'.gmdate('dmY');
         return 'ID:'.substr(crypt(md5($key), 'id'), 2, 8);
         return 'ID:'.substr(password_hash($key, PASSWORD_DEFAULT), 'id'), 8, 8); // uses bcrypt level 10
}
}
</pre>
</pre>
Line 36: Line 20:
The ID is a truncated hash, which, although it increases the risk of collisions, that may be a benefit rather than a liability when it comes to IPs. http://www.perlmonks.org/?node_id=111524
The ID is a truncated hash, which, although it increases the risk of collisions, that may be a benefit rather than a liability when it comes to IPs. http://www.perlmonks.org/?node_id=111524


{{Warning|Consider using something better than md5, such as sha1 for same performance, or bcrypt for reduced brute force. Beware that hashing is [https://www.phillips321.co.uk/2012/04/04/cracking-an-md5-of-an-ip-address/ not a completely safe way to protect IPs], but if you use a good salt and bcrypt it can stop attackers for a few years.}}
{{Warning|Beware that hashing is [https://www.phillips321.co.uk/2012/04/04/cracking-an-md5-of-an-ip-address/ not a completely safe way to protect IPs], but if you use a good salt and bcrypt it can stop attackers for a few years.}}


{{Note|Obviously you'd change the "PUT RANDOM TEXT HERE" to some random text: this functions as the salt and reduces the risk of brute force attacks. Just bang on the keyboard for a bit, or if you want to be truly random, get an RNG or just roll some dice.}}
{{Note|Obviously you'd change the "PUT RANDOM TEXT HERE" to some random text: this functions as the salt and reduces the risk of brute force attacks. Just bang on the keyboard for a bit, or if you want to be truly random, get an RNG or just roll some dice.}}

Revision as of 19:52, 9 December 2016

Here's the gist of my anon ID hack to MediaWiki. I can't really package it as an extension or anything because it involves hacking things that apparently aren't supposed to be hacked, but it's not hard to do. - Halcy


1. Add the following to your LocalSettings.php:

// you can leave anon talk pages on, but you'll
// likely end up with useless crud after IDs expire
$wgDisableAnonTalk = true;
function AnonUsername($IP) {
        $key = $IP.'PUT RANDOM TEXT HERE';
        // Alternatively, you can use this function to further anonymize, but it makes it harder to ban robots: dmY = new ID per day, WY = per week.
        //$key = $IP.'PUT RANDOM TEXT HERE'.gmdate('dmY');
        return 'ID:'.substr(password_hash($key, PASSWORD_DEFAULT), 'id'), 8, 8); // uses bcrypt level 10
}

The ID is a truncated hash, which, although it increases the risk of collisions, that may be a benefit rather than a liability when it comes to IPs. http://www.perlmonks.org/?node_id=111524

Warning: Beware that hashing is not a completely safe way to protect IPs, but if you use a good salt and bcrypt it can stop attackers for a few years.
Note: Obviously you'd change the "PUT RANDOM TEXT HERE" to some random text: this functions as the salt and reduces the risk of brute force attacks. Just bang on the keyboard for a bit, or if you want to be truly random, get an RNG or just roll some dice.

2. In includes/user/User.php, (Mediawiki 1.27.1: getName() Line 2109) find the line that says:

   $this->mName = IP::sanitizeIP( $this->getRequest()->getIP() );

and change it to:

   $this->mName = AnonUsername( $this->getRequest()->getIP() );

3. In includes/user/User.php, (Mediawiki 1.27.1: getBlockedStatus() Line 1600) find the line that says:

   : IP::sanitizeIP( $wgUser->getRequest()->getIP() );

and change it to:

   : AnonUsername( $this->getRequest()->getIP() );

You will need to repeat this mod whenever you update MediaWiki, since obviously an update replaces the system files. And of course the lines may vary, but have generally been similar.

aa tags

On a slightly related note, I hacked an extension together for <aa> tags.

  • Music:DQN-kun / >>6 is not a panda

http://storlek.livejournal.com/47939.html?thread=47171