---
title: Ban enforcement
---

# Ban enforcement

A ban is only as good as your ability to keep the person out when they come back with a new email, a new IP, or a fresh account.

## Step 1: Set up login and signup protection

Before anything else here, set up [Signup protection](/docs/v3/fundamentals/signup-protection) and [Login protection](/docs/v3/fundamentals/login-protection). They're the foundation this guide builds on, and without them the policies below can be bypassed. With those in place, the rest of this guide covers the policies that enforce a ban and catch evasion attempts.

## Step 2: Add the policies

To ban someone, add their identifier to a [list](/docs/v3/concepts/lists) in your [policies dashboard](https://app.rupt.dev/policies), by hand or with the `add_to_list` action. Lists don't expire on their own, so the ban sticks until you remove it, and Rupt checks the list on every evaluation for you. Then add policies that deny anyone on a block list, and run them at high priority so a banned identifier is stopped before any other rule:

| Policy                      | Trigger                     | Conditions                            | Verdict |
| --------------------------- | --------------------------- | ------------------------------------- | ------- |
| Block banned users          | `login`, `signup`, `access` | `in_list` your user block list        | Deny    |
| Block banned devices        | `login`, `signup`, `access` | `in_list` your fingerprint block list | Deny    |
| Block banned IPs (optional) | `login`, `signup`, `access` | `in_list` your IP block list          | Deny    |

When you ban a user, add their **device fingerprint** to the fingerprint list too. Otherwise they just open a new account on the same device and start over; banning the fingerprint closes that door. Deny outright, or use the `suspend` action if you'd rather mark the account suspended.

The IP list is optional and risky: IPs are shared (offices, schools, carrier NAT), so banning one can lock out innocent people behind it. Use it only for an IP you're sure belongs to a single bad actor.
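
The effect of banning the fingerprint alongside the user, and the collateral risk of a shared IP, modeled as an added example. This is not Rupt's code or API: the list names, event fields, priorities, function names and sample values are assumptions constructed for illustration.

```javascript
// Illustrative model only, not Rupt's SDK or API: list names, event fields,
// priorities and function names are hypothetical; sample values are constructed.
const lists = { user_block: new Set(), fingerprint_block: new Set(), ip_block: new Set() };

// The three deny policies from the table; a higher priority is evaluated first.
const TRIGGERS = ["login", "signup", "access"];
const policies = [
  { name: "Block banned users", priority: 100, field: "user", list: "user_block" },
  { name: "Block banned devices", priority: 90, field: "fingerprint", list: "fingerprint_block" },
  { name: "Block banned IPs", priority: 80, field: "ip", list: "ip_block" },
];

// Return the first matching deny policy, or allow when no block list matches.
function evaluate(event) {
  if (!TRIGGERS.includes(event.trigger)) return { verdict: "allow", policy: null };
  const ordered = [...policies].sort((a, b) => b.priority - a.priority);
  for (const p of ordered) {
    if (lists[p.list].has(event[p.field])) {
      return { verdict: "deny", policy: p.name };
    }
  }
  return { verdict: "allow", policy: null };
}

// Add whichever identifiers are supplied to their block lists.
function ban({ user, fingerprint, ip }) {
  if (user) lists.user_block.add(user);
  if (fingerprint) lists.fingerprint_block.add(fingerprint);
  if (ip) lists.ip_block.add(ip);
}

// Walk through the cases the guide describes and record each verdict.
function runScenario() {
  for (const s of Object.values(lists)) s.clear();
  const evader = { trigger: "signup", user: "u_new", fingerprint: "fp_A", ip: "203.0.113.7" };
  const bystander = { trigger: "login", user: "u_other", fingerprint: "fp_B", ip: "203.0.113.7" };
  const out = {};
  ban({ user: "u_banned" });                      // user-only ban
  out.userOnly = evaluate(evader).verdict;        // new account on the same device
  ban({ user: "u_banned", fingerprint: "fp_A" }); // ban the device as well
  out.withDevice = evaluate(evader).policy;
  out.bystanderBefore = evaluate(bystander).verdict;
  ban({ ip: "203.0.113.7" });                     // shared IP added to the IP list
  out.bystanderAfter = evaluate(bystander).policy;
  return out;
}

console.log(runScenario());
```
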

## Related

- [Lists](/docs/v3/concepts/lists)
- [Verdicts](/docs/v3/concepts/verdicts)
- [Multi-accounting prevention](/docs/v3/guides/multi-accounting-prevention)
