By blindsheep on

Is there a way to do this? I don't want to disable the watchdog module, just stop it from collecting the ip addresses.

Thanks,

Shawn

Comments

morbus iff’s picture

morbus iff
they/them
commented

No, there's no current way to do this. Doing so is merely obscurity anyways - the IPs will still be logged in the webserver's log files. Could I ask why you'd like this?

http://disobey.com/
http://gamegrene.com/

http://www.disobey.com/

joho’s picture

joho commented

It would be very nice if this was possible. The reason for an admin wanting to do this (disable IP-logging) is really not an issue here, or did I miss something here? I mean, it should be possible to disable just about any type of "feature"; even if the default setting is enabled.

__
~/joho.se; @ the end of a smile, there's a laugh and a 1/2

Steven’s picture

Steven commented

Not necessarily. If it does not make sense to disable an option, then it should not be there or it will only complicate the UI unnecessarily.

If you can provide a compelling reason why, we might consider it. But just saying "it should do this" is not good enough.

--
If you have a problem, please search before posting a question.

Morpheus’s picture

Morpheus commented

Disabling IPs is a way of dealing with political repression. If your website is oriented around "subversive" ideas and attracts a lot of dissidents it's a good idea to consider turning off IPs. If the cops seize your server, they'll have a nice list of dissidents' IPs which could potentially jeapordize a lot of people. Even if they don't seize the servers, they could force the admin to give up the IPs of particular dissidents. If you don't log IPs it provides an extra layer of security against this kind of repression.

ramdak5000@www.drupal.org’s picture

ramdak5000@www.drupal.org commented

Disabling IPs is a way of dealing with political repression.

Exactly!

I posted this question to Civicspace (http://civicspacelabs.org/home/node/10389#comment-2514) since we have the same problem. While the replies were interesting and helpful, there doesn't seem to be a solution in sight yet.

Our web site is for a global campaign and while we have gone to extraordinary lengths to register for domain name privacy protection service, all some one would need to do is to hack into our CS install and get the IP addresses that have been logged. Since we use a broadband connection, it will take only hours or days before the authorities track us down. I know that one can use proxies, but that is just one additional layer that can be ultimately cracked.

I don't know about Drupal, but I believe that at least CS should come with such security features out of the box.

tostinni’s picture

tostinni commented

But, I'm not really sure that Ip are so usefull. In fact (in France, but I think in other country it's the same), you need a court order to ask ISP to reveal the address of the IP owner, so it's quite dificult to obtain such information.

Btw if you really want to disable it, you should have a look into bootstrap.inc line 599 (in Drupal 4.6 RC).
Just replace :

  db_query("INSERT INTO {watchdog} (uid, type, message, severity, link, location, hostname, timestamp) VALUES (%d, '%s', '%s', %d, '%s', '%s', '%s', %d)", $user->uid, $type, $message, $severity, $link, request_uri(), $_SERVER['REMOTE_ADDR'], time());

by

  db_query("INSERT INTO {watchdog} (uid, type, message, severity, link, location, timestamp) VALUES (%d, '%s', '%s', %d, '%s', '%s', '%s', %d)", $user->uid, $type, $message, $severity, $link, request_uri(), time());

Now, Drupal will not register anymore IP addresses.

But now you should consider Apache's logs, your router etc... And I don't know how to do it.

blindsheep’s picture

blindsheep commented

Tostinni,

Thank you for the response, I was able to do what you suggested, but rather than removing '$_SERVER['REMOTE_ADDR'] which creates a syntax error, I simply had to replace it with any bogus string such as '0.0.0.0' which it writes everytime.

I'm aware that unix/linux logging also has to be turned off in order to have the desired effect.

Again, thanks for answering my question in a quick and straight forward manner.

tostinni’s picture

tostinni commented

I was able to do what you suggested, but rather than removing '$_SERVER['REMOTE_ADDR'] which creates a syntax error

Did you also remove , hostname at the begining of the query ?

Great if it helps you, now if you got some tips for removing the others logs, advise us, it maybe usefull. For apache, have a look in httpd.conf search for LogFormat. For others, well keep looking ;)

adam.skinner’s picture

adam.skinner commented

alter table watchdog modify hostname varchar(128) null;

Will let the code that Tostinni provided work.

morbus iff’s picture

morbus iff
they/them
commented

Uhhh. There are a LOT more places to disable IPs than just in Drupal. When folks ask for your logs, they're generally asking for the standard /var/log/, not the logs carried by a custom CMS that they know nothing about. Disabling IP logging in Drupal without disabling it everywhere else is nothing but a paper roof when it's raining ("a paper roof when it's raining"? what the hell?!)

http://disobey.com/
http://gamegrene.com/

http://www.disobey.com/

jalbrant’s picture

jalbrant commented

Yep!

However, there are a few things you can try. Try turning off access logging in your apache installation's conf file or have a cron job that deletes the access log every few minutes. Then modify the watchdog source to not log the ip address.

-- jalbrant.com --

johnhanley’s picture

johnhanley commented

Authorities can get the IPs from your hosting service, which probably maintains their own set of logs.

mykeyspace’s picture

mykeyspace commented

You have a valid point there about protecting political activists, but turning off ip-logging in the drupal install is not the answer to your problem. As mentioned in various comments on this post: the apache logs contain the information anyway. And ISP's keep logs about which ip queries which server.

If protecting activist is of your concern then please educate them how to protect themselves in general. Write a tutorial on how to install and use tor and teach them how to use anonymous proxy servers. That way the ip that turns up in these logs would be the ip of the end node of the tor network or that of the proxy server and not their own ip...

While you're at it, learn them about pgp or gnupg and gaim-otr or scatterchat.

As for the drupal part, you might want to try to install an SSL certificate on the sever so people can communicate with your website using ssl. I don't know if this is easy to do nor how to do it, but you could try and ask for help on how to do that: open source people are generally very friendly ;)

Michael Cox
Studiekring Vrij Onderzoek

cypherpunk’s picture

cypherpunk commented

Drupal logs IP addresses in several places. It's important to disable them all if you wish to preserve the anonymity of your users.

A good way to start the search for possible "IP Address Leaks" is by using Unix `grep` to find every place Drupal references the $_SERVER['REMOTE_ADDR'] variable.

$ cd /var/www/drupalsite
$ grep -r REMOTE_ADDR .

On our installation, REMOTE_ADDR is used in:

includes/bootstrap.inc
includes/session.inc
includes/common.inc
modules/poll.module
modules/statistics.module
modules/comment.module

In each of these files, the client's REMOTE_ADDR is inserted into the database. The same process can be used to "scrub" all of these files... for example, session.inc's sess_read() function can be edited as such:

function sess_read($key) {
  global $user;

  $result = db_query_range("SELECT u.*, s.* FROM {users} u INNER JOIN {sessions} s ON u.uid = s.uid WHERE s.sid = '%s' AND u.status < 3", $key, 0, 1);

  if (!db_num_rows($result)) {
    # uncomment this line to enable IP logging
    #db_query("INSERT INTO {sessions} (sid, uid, hostname, timestamp) VALUES ('%s', 0, '%s', %d)", $key, $_SERVER["REMOTE_ADDR"], time());

    # comment this line to enable IP logging
    db_query("INSERT INTO {sessions} (sid, uid, hostname, timestamp) VALUES ('%s', 0, '%s', %d)", $key, '0.3.2.1', time());
    $result = db_query("SELECT u.* FROM {users} u WHERE u.uid = 0");
  }

Note that some functionality may be compromised by this process; from Drupal's perspective, every user shares the same IP address. In particular, the contact module implements a flood control mechanism which uses User/IP combination to key activities to individual users.

djnz’s picture

djnz commented

Why not just hack settings.php:

$_SERVER['REMOTE_ADDR']='0.0.0.0';

--------------------- WEBg8 ---------------------

mlncn’s picture

mlncn commented

For Indymedia and other public-participation sites that want to have no chance of abetting the prosecution or arrest of a user for speech, I think this option is very worth getting in core.

The alternative is to make a custom module that wipes these clean but given all the places IPs seem to be being logged, at minimum we need an awareness of this issue among core and contrib developers to help track them down. Better would be to build in the no-IP-logging option.

Thoughts for next steps?

~ben

Agaric Design Collective :: http://AgaricDesign.com/ :: Open Source Web Development

benjamin, Agaric

mlncn’s picture

mlncn commented

Issue posted here (against 6.x).

~ben

People Who Give a Damn :: http://pwgd.org/ :: Building the infrastructure of a network for everyone
Agaric Design Collective :: http://AgaricDesign.com/ :: Open Source Web Development

benjamin, Agaric

mfb’s picture

mfb
they or he
commented

It's trivial to stop apache from logging IP addresses -- just leave the remote host (%h) out of the log file format definition, e.g. LogFormat "%l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

Personally, what I have been doing is periodically scrubbing the drupal database of IP addresses. But, some may find a log configuration option to be preferable.

mlncn’s picture

mlncn commented

Drupal gets the IP addresses quite apart from the Apache log, no?

In any case I hear from the Indymedia Worcester group that Akismet, for one, gets flaky without IP addresses, so for a site that has to allow anonymous content but cannot allow IP logging of its users (the classic Indymedia setup), the settings.php hack to set all IP addresses to naught is not a practical solution.

Constant scrubbing looks like the best approach to help protect users from intrusion of their privacy.

Really, though, it should be an option to simply tell Drupal core, at least, not to log IP addresses in the first place.

~ben

People Who Give a Damn :: http://pwgd.org/ :: Building the infrastructure of a network for everyone
Agaric Design Collective :: http://AgaricDesign.com/ :: Open Source Web Development

benjamin, Agaric

mfb’s picture

mfb
they or he
commented

I found time to clean it up and post it: http://drupal.org/project/ip_anon

I haven't actually put it in use so please report any bugs/feature requests.

il-p2p’s picture

il-p2p commented

hi ,

For apache 2 there is a module for apache If i remember good it's called mod_remove-ip ; then IPs can't be logged anymore by drupal ;) more information can be found : http://dev.riseup.net/privacy/apache/ , & here http://docs.indymedia.org/view/Sysadmin/ApacheLogsWithoutIPs ,

If you want to just annonymize drupal then you can find some solutions here http://docs.indymedia.org/view/Global/AnonymizingDrupal however I found the suggestment given by imc (to replace ip addresses by time more useful as spam filters can work without blocking all the users ;) ) ...

l8a’s picture

l8a commented

as mentioned before - just removing the ip, or setting every ip access to the same ip - isn' t a good idea for spam control etc.

thats why you should HASH the ip.

or you generate a unique ip for every visitor; save that ip in his/her session cookie; and use that ip.

tree887’s picture

tree887 commented

Hi,
It seems like this post was created several years ago. Are there any more up to date easier solutions for both Drupal and the server?

Thanks

johnhanley’s picture

johnhanley commented

I'm not sure if either of the following ideas have already been suggested.

You could alter the query with hook_db_rewrite_sql() (Drupal 6) or hook_query_alter() (Drupal 7) to remove the hostname column.

You could also periodically delete via cron all hostname column entries from the watchdog table.