Finding the IP of malicious users

Description

I run a public installation of Rocket.Chat which has been spammed with malicious links for weeks now; this is causing my honest users to leave and stop using the chat.

This is of course a major problem, and what’s worse is that I can’t find their IPs to ban them permanently. I’m sure they use a number of IP addresses, but it’s the only option I have left, as they simply log in with a new anonymous user account within a second if I “ban” them from the chat now.

Does anyone have any pointers on how I can find the IP addresses of these users? I’ve looked through the nginx access logs, but it’s difficult to map the requests the users make to the malicious users.

Any help would be much appreciated as I feel this could ruin my service completely if not handled.

Server Setup Information

  • Version of Rocket.Chat Server: 0.74.3
  • Operating System: Ubuntu
  • Deployment Method: Docker-compose
  • Proxy: Nginx

IP-based blocking is a never-ending cat and mouse game. Ultimately, you would have to block on a content basis. But have a look if something like ipset-blacklist can help you. This blocks a lot of useless IPs and IP ranges depending on your configuration.

Yes, I agree that in the end the blocks should be made on a content basis; Rocket.Chat doesn’t have such features yet, though, and I don’t have the time to create it myself at the moment.

Thank you for the link, I will look into that more closely. A question that remains, though, is how I go about obtaining the IP addresses to block; the nginx logs aren’t very user specific as far as I’ve seen. Does anyone have any suggestions?
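One way to get from "the access log is not user specific" to a shortlist of IPs is to correlate by time: take the timestamps of the spam messages themselves (visible in the Rocket.Chat message records, e.g. the admin UI or the database) and list which client IPs were sending requests to nginx within a few seconds of each one. An IP that shows up around every spam message is a far stronger candidate than one that shows up once. The script below is an added example written for this thread, not code from Rocket.Chat or from anyone in the discussion. It assumes the nginx "combined" log format, that nginx is the edge proxy (so `$remote_addr` is the real client address rather than a Docker-internal one), and that the optional `/api/v1/chat.` path filter corresponds to the REST message endpoints; the log lines, IPs (documentation ranges) and spam timestamps are constructed for the example.

```python
"""Rank client IPs in an nginx access log by how often they were active
around the timestamps of known spam messages (added example, constructed data)."""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# nginx "combined" log format:
# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one access-log line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m.group("ip"),
        "time": datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def candidate_ips(log_lines, spam_times, window=timedelta(seconds=10), path_prefix=None):
    """For each spam timestamp, collect the IPs that made any request within
    +/- window of it. Return [(ip, number_of_spam_events_it_was_present_for), ...]
    sorted most suspicious first. path_prefix optionally narrows the requests
    considered to one URL family (e.g. the REST chat endpoints)."""
    records = [r for r in map(parse_line, log_lines) if r is not None]
    if path_prefix is not None:
        records = [r for r in records if r["path"].startswith(path_prefix)]
    hits = Counter()
    for spam_at in spam_times:
        # Each IP counts at most once per spam event, however many requests it made.
        active = {r["ip"] for r in records if abs(r["time"] - spam_at) <= window}
        for ip in active:
            hits[ip] += 1
    return hits.most_common()


# Constructed sample log (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Feb/2019:12:00:04 +0000] "POST /api/v1/chat.sendMessage HTTP/1.1" 200 210 "-" "curl/7.58.0"',
    '198.51.100.23 - - [10/Feb/2019:12:00:06 +0000] "GET /api/v1/rooms.get HTTP/1.1" 200 980 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [10/Feb/2019:12:15:00 +0000] "GET /home HTTP/1.1" 200 4102 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Feb/2019:12:30:09 +0000] "POST /api/v1/chat.sendMessage HTTP/1.1" 200 210 "-" "curl/7.58.0"',
    '198.51.100.23 - - [10/Feb/2019:12:30:40 +0000] "GET /api/v1/subscriptions.get HTTP/1.1" 200 511 "-" "Mozilla/5.0"',
    'this line is deliberately malformed and must be skipped',
]

# Constructed spam message timestamps (what the admin would read off the messages).
SPAM_TIMES = [
    datetime(2019, 2, 10, 12, 0, 5, tzinfo=timezone.utc),
    datetime(2019, 2, 10, 12, 30, 10, tzinfo=timezone.utc),
]

if __name__ == "__main__":
    for ip, n in candidate_ips(SAMPLE_LOG, SPAM_TIMES):
        print(f"{ip}\tactive around {n} of {len(SPAM_TIMES)} spam messages")
```

Two caveats when running this against a real `access.log`. Browser clients talk to Rocket.Chat over a long-lived WebSocket, so a message sent from the web UI produces no per-message request line in nginx, only the initial upgrade request of that session; for such cases widen `window` (or correlate against the spammer's account-creation and login times instead) and leave `path_prefix` unset. And if the Rocket.Chat container's own logs are what you looked at, the addresses there will be the Docker bridge unless nginx forwards `X-Forwarded-For`; the edge nginx log is the place where the real client address is recorded. The resulting IP list is what you would feed into an ipset or nginx `deny` list, keeping in mind the earlier reply's point that address-based blocking is only a stopgap.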