I'm making a massive online game but when i was designing the flow chart i noticed that everybody can explode another user's password via hacking the game and using some sort of loop algorithm, so i think: "Why if i put a limit of password entries? and block temporarily the user via saving his IP in a blacklist-like table?", well, the problem is... How i can get the user's IP (or some unique id)?
Im using sock.lua
I'm stupid, there is a function called Client:getAddress()
How i can permanently ban someone by their ip from the server? [SOLVED]
Forum rules
Before you make a thread asking for help, read this.
Before you make a thread asking for help, read this.
How i can permanently ban someone by their ip from the server? [SOLVED]
Last edited by Darlex on Sun Mar 10, 2019 3:26 pm, edited 3 times in total.
Hi! I wish you have an amazing day!
-
- Party member
- Posts: 107
- Joined: Wed Oct 15, 2014 5:00 pm
- Location: Yorkshire, England
Re: How i can permanently ban someone by their ip from the server?
If they connect to your server then surely you get their IP to be able to send them data back. What networking protocol are you using?
Code: Select all
if not wearTheseGlasses() then
chewing_on_trashcan = true
end
Re: How i can permanently ban someone by their ip from the server?
Dude... I'm just going to be real with you here. If you're asking this question, you're not making a mmo.
Re: How i can permanently ban someone by their ip from the server?
Sorry, im a noob on this server-client things :/pedrosgali wrote: ↑Sun Mar 10, 2019 10:25 am If they connect to your server then surely you get their IP to be able to send them data back. What networking protocol are you using?
Im using a library named sock.lua
Hi! I wish you have an amazing day!
Re: How i can permanently ban someone by their ip from the server?
Sorry but i was trying my best to explain every detail :/
Hi! I wish you have an amazing day!
Re: How i can permanently ban someone by their ip from the server? [SOLVED]
Permabans should be made on OS level or even router level
- zorg
- Party member
- Posts: 3468
- Joined: Thu Dec 13, 2012 2:55 pm
- Location: Absurdistan, Hungary
- Contact:
Re: How i can permanently ban someone by their ip from the server? [SOLVED]
Even if this has been marked as solved, let me just say this;
It's not a bad idea to have your client implement some minimal brute-force prevention, but IP-bans can be relatively easily circumvented (and can cause more issues than not in cases).
So what you could do, is to generate an UUID on the server if a client connects and can't give you one, send it to the client, the client saving it into the user's save directory, and if someone's being malicious, then ban their UUID.
That can also be circumvented relatively easily, but comine that with needing the UUID, the username/password('s hash) and weakly, even the IP (and/or MAC address of the network card, which can also be problematic...) to have a combined entry on the server, and now the probability of ban evasion goes down.
tl;dr hard problem to execute flawlessly, but there are many ways still that can work.
It's not a bad idea to have your client implement some minimal brute-force prevention, but IP-bans can be relatively easily circumvented (and can cause more issues than not in cases).
So what you could do, is to generate an UUID on the server if a client connects and can't give you one, send it to the client, the client saving it into the user's save directory, and if someone's being malicious, then ban their UUID.
That can also be circumvented relatively easily, but comine that with needing the UUID, the username/password('s hash) and weakly, even the IP (and/or MAC address of the network card, which can also be problematic...) to have a combined entry on the server, and now the probability of ban evasion goes down.
tl;dr hard problem to execute flawlessly, but there are many ways still that can work.
Me and my stuff True Neutral Aspirant. Why, yes, i do indeed enjoy sarcastically correcting others when they make the most blatant of spelling mistakes. No bullying or trolling the innocent tho.
Re: How i can permanently ban someone by their ip from the server? [SOLVED]
Also, since you seem to be worried about someone brute-forcing login passwords (at least that's my interpretation of "some kind of loop algorithm"): do not confirm/deny login requests right away. When the server receives a login request, let it sit idle and sleep for a little while before it sends its response. Like 1 to 3 seconds. This makes any attempt at brute-forcing passwords completely futile.
I have to agree with Hippyman though. Making a "massive online game" requires a lot of expertise and manpower, not to mention infrastructure, since "massive" implies the need for much more than a single server running Lua code on your home PC.
I have to agree with Hippyman though. Making a "massive online game" requires a lot of expertise and manpower, not to mention infrastructure, since "massive" implies the need for much more than a single server running Lua code on your home PC.
Re: How i can permanently ban someone by their ip from the server? [SOLVED]
Even if the response is delayed, somebody could still queue a lot of requests therefore the system would be vulnerable to brute force attacks.
A better approach is to store a timestamp of the "last login attempt" and ignore requests when the last login attempt was less than 5 seconds ago. So it's good to know the last login attempt per account.
This is just one part of the problem, a malicious script could try to login with different accounts at the same time, so you absolutely need to store the client's IP and ignore repeated requests coming from the same IP.
A good and secure login system is a big and difficult project and it's very easy to get it wrong. You really should use something established like oAuth if you can help it.
Re: How i can permanently ban someone by their ip from the server? [SOLVED]
The entire purpose of banning via IP was trying to not save data in the client. People is really intelligent and love "exe" compression is weak so everyone with a minimum love/lua/coding knowledge can just bypass everything and destroy the servers making unhappy players. Unhappy players go to another games and that is how you lose players and the game goes out of "trendings". Sorry if i'm too analytic and soulless but is true :/zorg wrote: ↑Sun Mar 10, 2019 7:09 pm Even if this has been marked as solved, let me just say this;
It's not a bad idea to have your client implement some minimal brute-force prevention, but IP-bans can be relatively easily circumvented (and can cause more issues than not in cases).
So what you could do, is to generate an UUID on the server if a client connects and can't give you one, send it to the client, the client saving it into the user's save directory, and if someone's being malicious, then ban their UUID.
That can also be circumvented relatively easily, but comine that with needing the UUID, the username/password('s hash) and weakly, even the IP (and/or MAC address of the network card, which can also be problematic...) to have a combined entry on the server, and now the probability of ban evasion goes down.
tl;dr hard problem to execute flawlessly, but there are many ways still that can work.
Hi! I wish you have an amazing day!
Who is online
Users browsing this forum: Bing [Bot] and 2 guests