How i can permanently ban someone by their ip from the server? [SOLVED]

Darlex
Party member
Posts: 128
Joined: Sun Sep 24, 2017 10:02 am
Location: Chile

How i can permanently ban someone by their ip from the server? [SOLVED]

Post by Darlex »

I'm making a massive online game but when I was designing the flow chart I noticed that everybody can explode another user's password via hacking the game and using some sort of loop algorithm, so I think: "Why if I put a limit of password entries? And block temporarily the user via saving his IP in a blacklist-like table?", well, the problem is... How can I get the user's IP (or some unique id)?
I'm using sock.lua

I'm stupid, there is a function called Client:getAddress() :)
Last edited by Darlex on Sun Mar 10, 2019 3:26 pm, edited 3 times in total.
Hi! I wish you have an amazing day!
pedrosgali
Party member
Posts: 107
Joined: Wed Oct 15, 2014 5:00 pm
Location: Yorkshire, England

Re: How i can permanently ban someone by their ip from the server?

Post by pedrosgali »

If they connect to your server then surely you get their IP to be able to send them data back. What networking protocol are you using?

if not wearTheseGlasses() then
  chewing_on_trashcan = true
end
Hippyman
Prole
Posts: 2
Joined: Fri Mar 01, 2019 3:30 am

Re: How i can permanently ban someone by their ip from the server?

Post by Hippyman »

Dude... I'm just going to be real with you here. If you're asking this question, you're not making a mmo.
Darlex
Party member
Posts: 128
Joined: Sun Sep 24, 2017 10:02 am
Location: Chile

Re: How i can permanently ban someone by their ip from the server?

Post by Darlex »

pedrosgali wrote: Sun Mar 10, 2019 10:25 am If they connect to your server then surely you get their IP to be able to send them data back. What networking protocol are you using?
Sorry, I'm a noob on these server-client things :/
I'm using a library named sock.lua
Darlex
Party member
Posts: 128
Joined: Sun Sep 24, 2017 10:02 am
Location: Chile

Re: How i can permanently ban someone by their ip from the server?

Post by Darlex »

Hippyman wrote: Sun Mar 10, 2019 2:04 pm Dude... I'm just going to be real with you here. If you're asking this question, you're not making a mmo.
Sorry but I was trying my best to explain every detail :/
monolifed
Party member
Posts: 188
Joined: Sat Feb 06, 2016 9:42 pm

Re: How i can permanently ban someone by their ip from the server? [SOLVED]

Post by monolifed »

Permabans should be made on OS level or even router level
zorg
Party member
Posts: 3436
Joined: Thu Dec 13, 2012 2:55 pm
Location: Absurdistan, Hungary

Re: How i can permanently ban someone by their ip from the server? [SOLVED]

Post by zorg »

Even if this has been marked as solved, let me just say this;
It's not a bad idea to have your client implement some minimal brute-force prevention, but IP-bans can be relatively easily circumvented (and can cause more issues than not in cases).

So what you could do, is to generate a UUID on the server if a client connects and can't give you one, send it to the client, the client saving it into the user's save directory, and if someone's being malicious, then ban their UUID.

That can also be circumvented relatively easily, but combine that with needing the UUID, the username/password('s hash) and weakly, even the IP (and/or MAC address of the network card, which can also be problematic...) to have a combined entry on the server, and now the probability of ban evasion goes down.

tl;dr hard problem to execute flawlessly, but there are many ways still that can work.
Me and my stuff :3 True Neutral Aspirant. Why, yes, i do indeed enjoy sarcastically correcting others when they make the most blatant of spelling mistakes. No bullying or trolling the innocent tho.
grump
Party member
Posts: 947
Joined: Sat Jul 22, 2017 7:43 pm

Re: How i can permanently ban someone by their ip from the server? [SOLVED]

Post by grump »

Also, since you seem to be worried about someone brute-forcing login passwords (at least that's my interpretation of "some kind of loop algorithm"): do not confirm/deny login requests right away. When the server receives a login request, let it sit idle and sleep for a little while before it sends its response. Like 1 to 3 seconds. This makes any attempt at brute-forcing passwords completely futile.

I have to agree with Hippyman though. Making a "massive online game" requires a lot of expertise and manpower, not to mention infrastructure, since "massive" implies the need for much more than a single server running Lua code on your home PC.
ivan
Party member
Posts: 1911
Joined: Fri Mar 07, 2008 1:39 pm

Re: How i can permanently ban someone by their ip from the server? [SOLVED]

Post by ivan »

grump wrote: Sun Mar 10, 2019 7:29 pm When the server receives a login request, let it sit idle and sleep for a little while before it sends its response. Like 1 to 3 seconds. This makes any attempt at brute-forcing passwords completely futile.
Even if the response is delayed, somebody could still queue a lot of requests, therefore the system would be vulnerable to brute force attacks.
A better approach is to store a timestamp of the "last login attempt" and ignore requests when the last login attempt was less than 5 seconds ago. So it's good to know the last login attempt per account.
This is just one part of the problem, a malicious script could try to log in with different accounts at the same time, so you absolutely need to store the client's IP and ignore repeated requests coming from the same IP.
A good and secure login system is a big and difficult project and it's very easy to get it wrong. You really should use something established like OAuth if you can help it.
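
The per-account timestamp and per-address tracking described in the post above, together with the temporary blacklist from the opening question, as an added example that is not code from any poster or from sock.lua. The names `Throttle`, `allow` and `recordFailure` and every limit except the 5-second cooldown are assumptions; the address string is what `Client:getAddress()` would supply, and the demo addresses are constructed.

```lua
-- Added example, not from the thread. Names and limits other than COOLDOWN are assumptions.
local COOLDOWN  = 5     -- seconds between attempts per account (figure from the post)
local MAX_FAILS = 5     -- assumed: failed logins per address before a temporary block
local WINDOW    = 60    -- assumed: seconds over which failures are counted
local LOCKOUT   = 300   -- assumed: seconds an address stays blocked

local Throttle = {}
Throttle.__index = Throttle
function Throttle.new()
  return setmetatable({ lastAttempt = {}, fails = {}, blockedUntil = {} }, Throttle)
end

-- Call before checking the password. Returns true, or false and a reason.
-- addr is the address string (e.g. from Client:getAddress()); now is in seconds.
function Throttle:allow(account, addr, now)
  if (self.blockedUntil[addr] or 0) > now then
    return false, "address blocked"
  end
  local last = self.lastAttempt[account]
  if last and now - last < COOLDOWN then
    return false, "account cooldown"
  end
  self.lastAttempt[account] = now
  return true
end

-- Call after a failed password check. A successful login does not clear the
-- counter, so it cannot be reset by logging in to some other valid account.
function Throttle:recordFailure(addr, now)
  local f = self.fails[addr]
  if not f or now - f.since > WINDOW then f = { count = 0, since = now } end
  f.count = f.count + 1
  self.fails[addr] = f
  if f.count >= MAX_FAILS then
    self.blockedUntil[addr] = now + LOCKOUT
    self.fails[addr] = nil
  end
end

-- Constructed demo: one address guessing against a different account each second.
local t, addr = Throttle.new(), "203.0.113.7"
for i = 1, 6 do
  local now = 1000 + i
  local ok, why = t:allow("user" .. i, addr, now)
  if ok then t:recordFailure(addr, now) end   -- every guess in the demo is wrong
  print(i, ok, why)
end
print(t:allow("alice", "198.51.100.2", 2000))  -- first attempt on this account
print(t:allow("alice", "198.51.100.9", 2002))  -- same account, another address, 2 s later
```

The per-account cooldown also delays the real owner while someone else is guessing, and the address block hits everyone behind a shared address, which is the side effect of IP bans raised earlier in the thread.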
Darlex
Party member
Posts: 128
Joined: Sun Sep 24, 2017 10:02 am
Location: Chile

Re: How i can permanently ban someone by their ip from the server? [SOLVED]

Post by Darlex »

zorg wrote: Sun Mar 10, 2019 7:09 pm Even if this has been marked as solved, let me just say this;
It's not a bad idea to have your client implement some minimal brute-force prevention, but IP-bans can be relatively easily circumvented (and can cause more issues than not in cases).

So what you could do, is to generate a UUID on the server if a client connects and can't give you one, send it to the client, the client saving it into the user's save directory, and if someone's being malicious, then ban their UUID.

That can also be circumvented relatively easily, but combine that with needing the UUID, the username/password('s hash) and weakly, even the IP (and/or MAC address of the network card, which can also be problematic...) to have a combined entry on the server, and now the probability of ban evasion goes down.

tl;dr hard problem to execute flawlessly, but there are many ways still that can work.
The entire purpose of banning via IP was trying to not save data in the client. People are really intelligent and love "exe" compression is weak so everyone with a minimum love/lua/coding knowledge can just bypass everything and destroy the servers making unhappy players. Unhappy players go to other games and that is how you lose players and the game goes out of "trendings". Sorry if I'm too analytic and soulless but it is true :/