How i can permanently ban someone by their ip from the server? [SOLVED]

Darlex
Party member
Posts: 118
Joined: Sun Sep 24, 2017 10:02 am
Location: absolutely not Chile

Post by Darlex » Sun Mar 10, 2019 5:09 am

I'm making a massive online game, but when I was designing the flow chart I noticed that everybody can explode another user's password by hacking the game and using some sort of loop algorithm, so I thought: "What if I put a limit on password entries and temporarily block the user by saving his IP in a blacklist-like table?" Well, the problem is... how can I get the user's IP (or some unique ID)?
I'm using sock.lua

I'm stupid, there is a function called Client:getAddress() :)
Last edited by Darlex on Sun Mar 10, 2019 3:26 pm, edited 3 times in total.
culdud uwu

pedrosgali
Party member
Posts: 107
Joined: Wed Oct 15, 2014 5:00 pm
Location: Yorkshire, England

Re: How i can permanently ban someone by their ip from the server?

Post by pedrosgali » Sun Mar 10, 2019 10:25 am

If they connect to your server then surely you get their IP to be able to send them data back. What networking protocol are you using?

if not wearTheseGlasses() then
  chewing_on_trashcan = true
end

Hippyman
Prole
Posts: 2
Joined: Fri Mar 01, 2019 3:30 am

Re: How i can permanently ban someone by their ip from the server?

Post by Hippyman » Sun Mar 10, 2019 2:04 pm

Dude... I'm just going to be real with you here. If you're asking this question, you're not making an MMO.

Darlex
Party member
Posts: 118
Joined: Sun Sep 24, 2017 10:02 am
Location: absolutely not Chile

Re: How i can permanently ban someone by their ip from the server?

Post by Darlex » Sun Mar 10, 2019 3:04 pm

pedrosgali wrote:
Sun Mar 10, 2019 10:25 am
If they connect to your server then surely you get their IP to be able to send them data back. What networking protocol are you using?
Sorry, I'm a noob at these server-client things :/
I'm using a library named sock.lua
culdud uwu

Darlex
Party member
Posts: 118
Joined: Sun Sep 24, 2017 10:02 am
Location: absolutely not Chile

Re: How i can permanently ban someone by their ip from the server?

Post by Darlex » Sun Mar 10, 2019 3:06 pm

Hippyman wrote:
Sun Mar 10, 2019 2:04 pm
Dude... I'm just going to be real with you here. If you're asking this question, you're not making an MMO.
Sorry, but I was trying my best to explain every detail :/
culdud uwu

ingsoc451
Citizen
Posts: 96
Joined: Sat Feb 06, 2016 9:42 pm
Location: Oceania

Re: How i can permanently ban someone by their ip from the server? [SOLVED]

Post by ingsoc451 » Sun Mar 10, 2019 6:21 pm

Permabans should be made on OS level or even router level
eom

zorg
Party member
Posts: 2733
Joined: Thu Dec 13, 2012 2:55 pm
Location: Absurdistan, Hungary

Re: How i can permanently ban someone by their ip from the server? [SOLVED]

Post by zorg » Sun Mar 10, 2019 7:09 pm

Even if this has been marked as solved, let me just say this;
It's not a bad idea to have your client implement some minimal brute-force prevention, but IP-bans can be relatively easily circumvented (and can cause more issues than not in cases).

So what you could do is generate a UUID on the server if a client connects and can't give you one, send it to the client, have the client save it into the user's save directory, and if someone's being malicious, then ban their UUID.

That can also be circumvented relatively easily, but combine that with needing the UUID, the username/password('s hash) and weakly, even the IP (and/or MAC address of the network card, which can also be problematic...) to have a combined entry on the server, and now the probability of ban evasion goes down.

tl;dr hard problem to execute flawlessly, but there are many ways still that can work.
Me and my stuff :3
True Neutral Aspirant. Why, yes, i do indeed enjoy sarcastically correcting others when they make the most blatant of spelling mistakes. No bullying or trolling the innocent tho.

grump
Party member
Posts: 587
Joined: Sat Jul 22, 2017 7:43 pm

Re: How i can permanently ban someone by their ip from the server? [SOLVED]

Post by grump » Sun Mar 10, 2019 7:29 pm

Also, since you seem to be worried about someone brute-forcing login passwords (at least that's my interpretation of "some kind of loop algorithm"): do not confirm/deny login requests right away. When the server receives a login request, let it sit idle and sleep for a little while before it sends its response. Like 1 to 3 seconds. This makes any attempt at brute-forcing passwords completely futile.

I have to agree with Hippyman though. Making a "massive online game" requires a lot of expertise and manpower, not to mention infrastructure, since "massive" implies the need for much more than a single server running Lua code on your home PC.

ivan
Party member
Posts: 1531
Joined: Fri Mar 07, 2008 1:39 pm

Re: How i can permanently ban someone by their ip from the server? [SOLVED]

Post by ivan » Mon Mar 11, 2019 12:51 pm

grump wrote:
Sun Mar 10, 2019 7:29 pm
When the server receives a login request, let it sit idle and sleep for a little while before it sends its response. Like 1 to 3 seconds. This makes any attempt at brute-forcing passwords completely futile.
Even if the response is delayed, somebody could still queue a lot of requests, so the system would be vulnerable to brute force attacks.
A better approach is to store a timestamp of the "last login attempt" and ignore requests when the last login attempt was less than 5 seconds ago. So it's good to know the last login attempt per account.
This is just one part of the problem: a malicious script could try to log in with different accounts at the same time, so you absolutely need to store the client's IP and ignore repeated requests coming from the same IP.
A good and secure login system is a big and difficult project and it's very easy to get it wrong. You really should use something established like OAuth if you can help it.
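
Added example, not part of ivan's post or of sock.lua: one way to implement the per-account and per-IP "last login attempt" check described above, in Lua. The `Throttle` table, its methods and the assumption that the address string may carry a `:port` suffix are hypothetical; the addresses and clock in the demo are constructed.

```lua
-- Added example: login throttle keyed by account and by IP (hypothetical names).
local Throttle = {}
Throttle.__index = Throttle

function Throttle.new(interval, clock)
  return setmetatable({
    interval = interval or 5,   -- seconds between attempts, as in the post
    clock = clock or os.time,   -- injectable so the demo is deterministic
    lastByAccount = {}, lastByIp = {},
  }, Throttle)
end

-- Assumption: the address (e.g. from Client:getAddress()) may arrive as
-- "ip:port". The port changes on reconnect, so it must not be part of the key.
local function ipOnly(address)
  return address:match("^(.-):%d+$") or address
end

-- Call before any password check. Returns true, or false plus the key that
-- caused the refusal. Only accepted attempts move the timestamps forward.
function Throttle:allow(account, address)
  local now, ip = self.clock(), ipOnly(address)
  local a, i = self.lastByAccount[account], self.lastByIp[ip]
  if a and now - a < self.interval then return false, "account" end
  if i and now - i < self.interval then return false, "ip" end
  self.lastByAccount[account] = now
  self.lastByIp[ip] = now
  return true
end

-- Drop expired entries so made-up account names cannot grow the tables forever.
function Throttle:prune()
  local cutoff = self.clock() - self.interval
  for _, tbl in ipairs({ self.lastByAccount, self.lastByIp }) do
    for key, seen in pairs(tbl) do
      if seen <= cutoff then tbl[key] = nil end
    end
  end
end

-- Constructed demo: fake clock and documentation-range addresses.
local t = 100
local th = Throttle.new(5, function() return t end)
print(th:allow("alice", "203.0.113.7:50001"))   -- first attempt
print(th:allow("alice", "198.51.100.9:40000"))  -- same account, other IP
print(th:allow("bob", "203.0.113.7:50002"))     -- other account, same IP, new port
t = 106
print(th:allow("alice", "203.0.113.7:50003"))   -- after the interval has passed
th:prune()
```

Players behind one shared address (NAT, campus or mobile carrier) throttle each other under the per-IP rule, which is the side effect zorg's post warns about.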

Darlex
Party member
Posts: 118
Joined: Sun Sep 24, 2017 10:02 am
Location: absolutely not Chile

Re: How i can permanently ban someone by their ip from the server? [SOLVED]

Post by Darlex » Wed Mar 13, 2019 2:29 am

zorg wrote:
Sun Mar 10, 2019 7:09 pm
Even if this has been marked as solved, let me just say this;
It's not a bad idea to have your client implement some minimal brute-force prevention, but IP-bans can be relatively easily circumvented (and can cause more issues than not in cases).

So what you could do is generate a UUID on the server if a client connects and can't give you one, send it to the client, have the client save it into the user's save directory, and if someone's being malicious, then ban their UUID.

That can also be circumvented relatively easily, but combine that with needing the UUID, the username/password('s hash) and weakly, even the IP (and/or MAC address of the network card, which can also be problematic...) to have a combined entry on the server, and now the probability of ban evasion goes down.

tl;dr hard problem to execute flawlessly, but there are many ways still that can work.
The entire purpose of banning via IP was to avoid saving data in the client. People are really intelligent, and LÖVE "exe" compression is weak, so everyone with minimal love/Lua/coding knowledge can just bypass everything and destroy the servers, making players unhappy. Unhappy players go to other games, and that is how you lose players and the game goes out of "trendings". Sorry if I'm too analytic and soulless, but it's true :/
culdud uwu
