IP Address log

Important

Drupal logs IP addresses in several places. It's important to disable them all if you wish to preserve the anonymity of your users.

Scrub IP after Drupal logs it

This is the least secure option, but does allow IP addresses to be used and stored temporarily (for example, for use in identifying and blocking spam): http://drupal.org/project/ip_anon

Replacing IP as Drupal gets it

Place

$_SERVER["REMOTE_ADDR"] = time();

at the top of includes/bootstrap.inc. This should overwrite the variable for the rest of the drupal code and should save you patching other files. I've recommended using time instead of "0.3.2.1" because, as EpsasNova noted, there are some issues if all users have the same ip. The two issues I've found are with the poll module and with the flood protection code. The poll code uses the the ip address as an id for anonymous users who are voting. If the same ip address is used, the poll code thinks that this anonymous user has already voted and gives them an error message. By using time, it means that anonymous users can vote over and over again - which might not be good. The flood code is to prevent a single ip address from performing certain events more than a certain threshhold number of times per hour. Similar problem. Using time essentially renders this code useless, but as far as I can see, it is only used by the contact module.

This was all done with drupal version 4.6.3. Other extra modules might also be affected. Using a session id instead of time might be a better alternative??

In Worcester, we use this code to anonymize the IP addresses:

$_SERVER['REMOTE_ADDR'] = sprintf("10.%d.%d.%d", rand(0,255), rand(0,255), rand(0,255));

It has the advantage of generating legal IP addresses. The IP address are also in the block 10.x.x.x which is reserved for private networks, so they will never be a user's public IP address.

Individual replacement

This method looks for all uses of the IP address found in $_SERVER['REMOTE_ADDR'] variable. It means patching, and maintaing on upgrade patches, to several parts of the code. If not logged to disk (even swap) this maybe useful for anti-abuse measures?

A good way to start the search for possible "IP Address Leaks" is by using Unix `grep` to find every place Drupal references the $_SERVER['REMOTE_ADDR'] variable.

$ cd /var/www/drupalsite
$ grep -r REMOTE_ADDR . 

On our installation, REMOTE_ADDR is used in:

includes/bootstrap.inc
includes/session.inc
includes/common.inc
modules/poll.module
modules/statistics.module
modules/comment.module

In each of these files, the client's REMOTE_ADDR is inserted into the database. The same process can be used to "scrub" all of these files... for example, session.inc's sess_read() function can be edited as such:

function sess_read($key) {
  global $user;

  $result = db_query_range("SELECT u.*, s.* FROM {users} u INNER JOIN {sessions} s ON u.uid = s.uid WHERE s.sid = '%s' AND u.status < 3", $key, 0, 1);

  if (!db_num_rows($result)) {
    # uncomment this line to enable IP logging
    #db_query("INSERT INTO {sessions} (sid, uid, hostname, timestamp) VALUES ('%s', 0, '%s', %d)", $key, $_SERVER["REMOTE_ADDR"], time());

    # comment this line to enable IP logging
    db_query("INSERT INTO {sessions} (sid, uid, hostname, timestamp) VALUES ('%s', 0, '%s', %d)", $key, '0.3.2.1', time());
    $result = db_query("SELECT u.* FROM {users} u WHERE u.uid = 0");
  }

Note that some functionality may be compromised by this process; from Drupal's perspective, every user shares the same IP address. In particular, the contact module implements a flood control mechanism which uses User/IP combination to key activities to individual users.

Replacing before Drupal gets the IP

The most thorough way of removing the IP is patching apache to remove it before it even comes in.

PHP based stuff can be pretty leaky as anonymity goes. Apache logs, especially error logs, can be a problem too. The error log always has the IP. Using logger will solve the logging problem but not the PHP one.

Details of patching, a debian package to remove ips and logger can be found on the excellent http://dev.riseup.net/privacy/apache/ page

Cookies

Drupal uses cookies. A not logged in user, who posts a comment with the std. comment module, gets a cookie with his username, email address and website

There is a patch for that: https://linksunten.indymedia.org/de/node/33114#comment-14059 AtImcDrupal has a Module to disable the functionality

-- EpsasNova - 01 Jul 2005 -- BxJx - 20 Oct 2005 -- WikiKes - 26 Nov 2006 -- MarkB - 31 Mar 2008 - Added link to ip_anon module. -- McP - 13 Feb 2011