How i can permanently ban someone by their ip from the server? [SOLVED]

Posted: Sun Mar 10, 2019 5:09 am
by Darlex
I'm making a massive online game, but when I was designing the flow chart I noticed that everybody can explode another user's password by hacking the game and using some sort of loop algorithm, so I thought: "What if I put a limit on password entries and temporarily block the user by saving his IP in a blacklist-like table?" Well, the problem is... how can I get the user's IP (or some unique ID)?
I'm using sock.lua.

I'm stupid, there is a function called Client:getAddress() :)

Re: How i can permanently ban someone by their ip from the server?

Posted: Sun Mar 10, 2019 10:25 am
by pedrosgali
If they connect to your server then surely you get their IP to be able to send them data back. What networking protocol are you using?

Re: How i can permanently ban someone by their ip from the server?

Posted: Sun Mar 10, 2019 2:04 pm
by Hippyman
Dude... I'm just going to be real with you here. If you're asking this question, you're not making an MMO.

Re: How i can permanently ban someone by their ip from the server?

Posted: Sun Mar 10, 2019 3:04 pm
by Darlex
pedrosgali wrote:
Sun Mar 10, 2019 10:25 am
If they connect to your server then surely you get their IP to be able to send them data back. What networking protocol are you using?
Sorry, I'm a noob at these server-client things :/
I'm using a library named sock.lua.

Re: How i can permanently ban someone by their ip from the server?

Posted: Sun Mar 10, 2019 3:06 pm
by Darlex
Hippyman wrote:
Sun Mar 10, 2019 2:04 pm
Dude... I'm just going to be real with you here. If you're asking this question, you're not making an MMO.
Sorry, but I was trying my best to explain every detail :/

Re: How i can permanently ban someone by their ip from the server? [SOLVED]

Posted: Sun Mar 10, 2019 6:21 pm
by ingsoc451
Permabans should be made at the OS level or even the router level.

Re: How i can permanently ban someone by their ip from the server? [SOLVED]

Posted: Sun Mar 10, 2019 7:09 pm
by zorg
Even if this has been marked as solved, let me just say this;
It's not a bad idea to have your client implement some minimal brute-force prevention, but IP-bans can be relatively easily circumvented (and can cause more issues than not in cases).

So what you could do is generate a UUID on the server if a client connects and can't give you one, send it to the client, have the client save it into the user's save directory, and if someone's being malicious, then ban their UUID.

That can also be circumvented relatively easily, but combine that with needing the UUID, the username/password('s hash) and weakly, even the IP (and/or MAC address of the network card, which can also be problematic...) to have a combined entry on the server, and now the probability of ban evasion goes down.

tl;dr hard problem to execute flawlessly, but there are many ways still that can work.

Re: How i can permanently ban someone by their ip from the server? [SOLVED]

Posted: Sun Mar 10, 2019 7:29 pm
by grump
Also, since you seem to be worried about someone brute-forcing login passwords (at least that's my interpretation of "some kind of loop algorithm"): do not confirm/deny login requests right away. When the server receives a login request, let it sit idle and sleep for a little while before it sends its response. Like 1 to 3 seconds. This makes any attempt at brute-forcing passwords completely futile.

I have to agree with Hippyman though. Making a "massive online game" requires a lot of expertise and manpower, not to mention infrastructure, since "massive" implies the need for much more than a single server running Lua code on your home PC.

Re: How i can permanently ban someone by their ip from the server? [SOLVED]

Posted: Mon Mar 11, 2019 12:51 pm
by ivan
grump wrote:
Sun Mar 10, 2019 7:29 pm
When the server receives a login request, let it sit idle and sleep for a little while before it sends its response. Like 1 to 3 seconds. This makes any attempt at brute-forcing passwords completely futile.
Even if the response is delayed, somebody could still queue a lot of requests, therefore the system would be vulnerable to brute force attacks.
A better approach is to store a timestamp of the "last login attempt" and ignore requests when the last login attempt was less than 5 seconds ago. So it's good to know the last login attempt per account.
This is just one part of the problem: a malicious script could try to log in with different accounts at the same time, so you absolutely need to store the client's IP and ignore repeated requests coming from the same IP.
A good and secure login system is a big and difficult project and it's very easy to get it wrong. You really should use something established like OAuth if you can help it.
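
Added example, not code from any poster in this thread: a login throttle in plain Lua that combines the limited password entries and temporary blacklist from the first post with the per-account and per-IP "last login attempt" timestamp described in the post above. The `Throttle` name, the 5-failure limit and the 300-second block are assumptions; `now` is a time in seconds such as `os.time()`, and the `ip` argument would be whatever `Client:getAddress()` reports.

```lua
local Throttle = {}
Throttle.__index = Throttle

function Throttle.new(minInterval, maxFailures, blockFor)
  return setmetatable({
    minInterval = minInterval or 5,  -- seconds between checked attempts (figure from the thread)
    maxFailures = maxFailures or 5,  -- assumed: failed checks before a temporary block
    blockFor    = blockFor or 300,   -- assumed: length of the block in seconds
    seen        = {},                -- key -> { last, failures, blockedUntil }
  }, Throttle)
end

function Throttle:entry(key)
  self.seen[key] = self.seen[key] or { last = -math.huge, failures = 0, blockedUntil = 0 }
  return self.seen[key]
end

-- Decide whether a login request may reach the password check at all.
function Throttle:allow(account, ip, now)
  local a, i = self:entry("acct:" .. account), self:entry("ip:" .. ip)
  if now < a.blockedUntil or now < i.blockedUntil then return false, "blocked" end
  if now - a.last < self.minInterval or now - i.last < self.minInterval then
    return false, "too soon"  -- ignored; timestamps are not refreshed by ignored requests
  end
  a.last, i.last = now, now
  return true
end

-- Record the result of a password check that allow() let through.
function Throttle:record(account, ip, success, now)
  local a, i = self:entry("acct:" .. account), self:entry("ip:" .. ip)
  -- On success only the account counter resets, so a valid login to one
  -- account does not wipe the failures an IP has collected against others.
  if success then a.failures = 0 return end
  for _, e in ipairs({ a, i }) do
    e.failures = e.failures + 1
    if e.failures >= self.maxFailures then
      e.failures, e.blockedUntil = 0, now + self.blockFor
    end
  end
end

-- Constructed sample: one address retrying "alice" every 2 seconds.
local t = Throttle.new()
for now = 0, 40, 2 do  -- `now` stands in for os.time()
  local ok, why = t:allow("alice", "203.0.113.7", now)
  if ok then t:record("alice", "203.0.113.7", false, now) end
  print(now, ok, why)
end
```

The `seen` table grows with every new account name and address, so a real server would also expire old entries.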

Re: How i can permanently ban someone by their ip from the server? [SOLVED]

Posted: Wed Mar 13, 2019 2:29 am
by Darlex
zorg wrote:
Sun Mar 10, 2019 7:09 pm
Even if this has been marked as solved, let me just say this;
It's not a bad idea to have your client implement some minimal brute-force prevention, but IP-bans can be relatively easily circumvented (and can cause more issues than not in cases).

So what you could do is generate a UUID on the server if a client connects and can't give you one, send it to the client, have the client save it into the user's save directory, and if someone's being malicious, then ban their UUID.

That can also be circumvented relatively easily, but combine that with needing the UUID, the username/password('s hash) and weakly, even the IP (and/or MAC address of the network card, which can also be problematic...) to have a combined entry on the server, and now the probability of ban evasion goes down.

tl;dr hard problem to execute flawlessly, but there are many ways still that can work.
The entire purpose of banning via IP was to avoid saving data in the client. People are really intelligent and love "exe" compression is weak, so everyone with a minimum of love/lua/coding knowledge can just bypass everything and destroy the servers, making players unhappy. Unhappy players go to other games, and that is how you lose players and the game goes out of "trendings". Sorry if I'm too analytic and soulless, but it's true :/