Ban enforcement
A ban is only as good as your ability to keep the person out when they come back with a new email, a new IP, or a fresh account.
Step 1: Set up login and signup protection
Before anything else here, set up Signup protection and Login protection. They're the basis this builds on, and without them the policies below can be bypassed. With those in place, the rest of this guide covers the policies that enforce a ban and catch the evasion attempts.
Step 2: Add the policies
To ban someone, add their identifier to a list in your policies dashboard, by hand or with the add_to_list action. Lists don't expire on their own, so the ban sticks until you remove it, and Rupt checks the list on every evaluation for you. Then add policies that deny anyone on a block list, and run them at high priority so a banned identifier is stopped before any other rule runs:
| Policy | Trigger | Conditions | Verdict |
|---|---|---|---|
| Block banned users | login, signup, access | in_list your user block list | Deny |
| Block banned devices | login, signup, access | in_list your fingerprint block list | Deny |
| Block banned IPs (optional) | login, signup, access | in_list your IP block list | Deny |
When you ban a user, add their device fingerprint to the fingerprint list too. Otherwise they just open a new account on the same device and start over; banning the fingerprint closes that door. Deny outright, or use the suspend action if you'd rather mark the account suspended.
The IP list is optional and risky: IPs are shared (offices, schools, carrier NAT), so banning one can lock out innocent people behind it. Use it only for an IP you're sure belongs to a single bad actor.
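The effect of the three policies can be modelled in a few lines. This is an added example, not Rupt's SDK or API: the classes, list names, priority value and sample identifiers are all constructed for illustration. It shows a banned user returning with a new account on the same device, and an unrelated user who shares the same IP.

```python
# Illustrative model of the three deny policies in the table above.
# Not Rupt's SDK or API: every class, field and value here is constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    trigger: str      # "login", "signup" or "access"
    user: str
    fingerprint: str
    ip: str

@dataclass(frozen=True)
class Policy:
    name: str
    priority: int     # higher runs first (assumed ordering)
    field: str        # Event attribute checked with in_list
    list_name: str

TRIGGERS = {"login", "signup", "access"}
POLICIES = [
    Policy("Block banned users", 100, "user", "user_block"),
    Policy("Block banned devices", 100, "fingerprint", "fingerprint_block"),
    Policy("Block banned IPs (optional)", 100, "ip", "ip_block"),
]

def new_lists():
    return {"user_block": set(), "fingerprint_block": set(), "ip_block": set()}

def ban(lists, user, fingerprint, ip=None):
    """Ban a user together with their device; the IP only when passed explicitly."""
    lists["user_block"].add(user)
    lists["fingerprint_block"].add(fingerprint)
    if ip is not None:
        lists["ip_block"].add(ip)

def evaluate(event, lists, policies=POLICIES):
    """Return (verdict, policy name); the first matching deny policy wins."""
    for p in sorted(policies, key=lambda p: -p.priority):
        if event.trigger in TRIGGERS and getattr(event, p.field) in lists[p.list_name]:
            return "deny", p.name
    return "allow", None

# Constructed scenario: mallory is banned, then signs up again on the same device.
lists = new_lists()
ban(lists, user="mallory", fingerprint="fp-1111")
RETRY = Event("signup", "mallory2", "fp-1111", "203.0.113.7")
BYSTANDER = Event("login", "alice", "fp-2222", "203.0.113.7")
```

With only the user list populated the retry is allowed; with the fingerprint listed it is denied, and adding the shared IP to the IP list denies the bystander as well.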