[QUOTE=1live;20718295]Yes but it's not so much about the complexity of methods, black and white-listing is one of the simplest things ever. It's more about the methods used, if you stay out of the mainstream of used methods you create enough confusion to waste the time of the people trying to gain access to your things.
Remember: Anything can be hacked but if there is no standard to relate to, things become extremely hard. Because you cannot hack anything in real time without relating it to something. It's simply too fubar. You know it could be anything, and that's what this is all about. If you don't follow the mainstream with these things you can avoid a lot of trouble.
[/QUOTE]
Avoiding trouble by doing stuff yourself. Ah damn, that contradicts itself quite a lot, at least in my opinion. The most trouble I can get is by writing my own stuff and then maintaining it. And the majority of gmod servers would still be more or less vulnerable since not every server has their own dedicated personal Lua coder.
[QUOTE=1live;20718295]
Can't. I don't have a webserver in my use at the moment. And I don't like the idea of installing an apache server software on my personal computer.
[/QUOTE]
I'll just use netcat, hold on a second. Never mind, read the rest of your post.
[QUOTE=1live;20718295]
But I did try http.get on youtube.com which forwards using the code 301, but it returns with this:
[code]
Size: 296
Contents: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://www.youtube.com/">here</a>.</p>
<hr>
<address>Apache Server at www.youtube.com Port 80</address>
</body></html>
[/code]
In other words it doesn't follow.
[/QUOTE]
Yeah that's what I forgot. I was seriously raged a month ago when I tried to do something with the http.Get since I had/have to make my own follower, which will also be fun due to the fact that I can't read the header.
[QUOTE=1live;20718295]
[B]... [/B]Well that was kind of an irresponsible act from you. We all know that if garry gets to know about something he always patches it even if the pros would overcome the cons (it's not like you can read anything else than standard files with the http.get).[/QUOTE]
One exploit at a time.. And I bet someone would have reported it sooner or later.
I already have a fix for bacon bot. Quite simple! Until Avaster tells his bitch Com Walk, Yeah fuck you Com Walk. Do something.
[QUOTE=Terabit;20719158]I already have a fix for bacon bot. Quite simple! Until Avaster tells his bitch Com Walk, Yeah fuck you Com Walk. Do something.[/QUOTE]
Not exactly hard to make a detection script for BaconBot.
[QUOTE=Terabit;20719158]I already have a fix for bacon bot. Quite simple! Until Avaster tells his bitch Com Walk, Yeah fuck you Com Walk. Do something.[/QUOTE]
db_steamid_ip.txt
(I found BaconBot somewhere, I won't say where because a fuckton of people are gonna have it and run around yelling "OMG I HAV BB LOL PL0X!")
Oh and to annoy people, just make a simple script to freeze them, make a huge Derma HTML panel that goes to [url]http://youareanidiot.org[/url] watch as they scream.
Nah, let them play as usual but make it so that their attacks don't deal any (or just reduced) damage. :smile:
[QUOTE=Helix Alioth;20725408]db_steamid_ip.txt
(I found BaconBot somewhere, I won't say where because a fuckton of people are gonna have it and run around yelling "OMG I HAV BB LOL PL0X!")
Oh and to annoy people, just make a simple script to freeze them, make a huge Derma HTML panel that goes to [url]http://youareanidiot.org[/url] watch as they scream.[/QUOTE]
[lua]-- block (a list of lowercase filename patterns) and logfileread (used like a
-- convar) are defined elsewhere in the script and are not shown in this post.
local oldFileExistsEx = file.ExistsEx
file.ExistsEx = function(file)
    if logfileread:GetBool() then
        print("file.ExistsEx", file)
    end
    -- Report any path that matches a blocked pattern as missing.
    for k,v in pairs(block) do
        if string.find(string.lower(file), v) then
            return false
        end
    end
    return oldFileExistsEx(file)
end

-- Same wrapper for file.Exists.
local oldFileExists = file.Exists
file.Exists = function(file)
    if logfileread:GetBool() then
        print("file.Exists", file)
    end
    for k,v in pairs(block) do
        if string.find(string.lower(file), v) then
            return false
        end
    end
    return oldFileExists(file)
end[/lua]
BaconBot overrides checks for that file.
[editline]09:06PM[/editline]
[QUOTE=Crazy Quebec;20726432]Nah, let them play as usual but make it so that their attacks don't deal any (or just reduced) damage. :smile:[/QUOTE]
I let them play, then it's russian roulette whether or not I ban them later.
[QUOTE=Vivallion;20717764]I also think that changing your steamid is bannable by valve..[/QUOTE]
Are you retarded?
On topic:
The 1live guy seems to know what he's talking about, but there's so many other ways to keep someone banned other than Steam IDs I'm still not quite sure why everyone's freaking out. Well actually I can understand why people using public admin mods are worried, you guys are pretty much fucked.
But for people who have their own private mods, or people who know how to edit their current mods you can get past all this easily.
Write a directory to the data folder called SERENITY_CONFIG and then write a file with the player's Steam ID inside it, maybe add some other pseudo-important folders, then whenever they rejoin just check if the Steam ID matches the file and if not, ban them.
(If you're wondering why I said to make a bunch of fancy dirs inside the player's data folder, it's so the imbeciles using Serenity don't actually look in there, because they'll be assuming it's just complicated code.)
[QUOTE=Kopimi;20734659]Write a directory to the data folder called SERENITY_CONFIG and then write a file with the player's Steam ID inside it, maybe add some other pseudo-important folders, then whenever they rejoin just check if the Steam ID matches the file and if not, ban them.[/QUOTE]
And a malicious server writes a bad steam id to the file, or the user just deletes the file?
[QUOTE=AzuiSleet;20734708]And a malicious server writes a bad steam id to the file, or the user just deletes the file?[/QUOTE]
IDK I'm thinking off of the top of my head, ofc they would be able to delete the file, but playing on the chance that they didn't, it'd be successful.
Either way, it's an impressive program but altogether ineffective when some thought is put into a solution.
The only way is a password for admins when they attempt to use admin powers.
[QUOTE=Trivkz;20687253]The best thing I can see ATM is to make life hell for them if they join a server. Like an admin command so they can rickroll them, and they can't move, get muted, and all that kind of stuff.. Just fuck it up so they don't do it again.[/QUOTE]
render.AddBeam exploit would work nicely.
[QUOTE=|FlapJack|;20738889]The only way is a password for admins when they attempt to use admin powers.[/QUOTE]
Yeah that's obviously as fool-proof as any other passworded system. That's the biggest threat but it still leaves us with the general issue of the dead coming back to life, or the banned unbanning themselves.
[QUOTE=Crazy Quebec;20742229]Yeah that's obviously as fool-proof as any other passworded system. That's the biggest threat but it still leaves us with the general issue of the dead coming back to life, or the banned unbanning themselves.[/QUOTE]
IP bans come in here. (Kill the zombie by shooting it in the head)
Any file related block is useless. You can't rely on any clientside information besides their IP address.
[editline]02:56PM[/editline]
You can't spoof your IP address for anything other than net flooding
[QUOTE=Gbps;20746174]Any file related block is useless. You can't rely on any clientside information besides their IP address.
[editline]02:56PM[/editline]
You can't spoof your IP address for anything other than net flooding[/QUOTE]
You can easily with documentation available for free online spoof your ip using a driver.
You could call your isp and they would change your ip address.
The ISP could have a pool of IP addresses, from where a new IP will be picked out when a customer connects. (This is very very common)
If you ban someone, when they disconnect the ip is put back in the pool and someone else gets it.
What [b]IF[/b] a legal player, maybe yourself gets assigned that address, sure the chance is near to impossible.
But the IP is just simply not reliable after the connection has been closed.
[QUOTE=Gbps;20746174]You can't spoof your IP address for anything other than net flooding[/QUOTE]
[url=http://bans.jokerice.co.uk/index.php?p=banlist&searchText=flapadar&Submit=]Isn't that Chrisaster's IP on my second ban?[/url]
[QUOTE=aualin;20746739]You can easily with documentation available for free online spoof your ip using a driver.
You could call your isp and they would change your ip address.
The ISP could have a pool of IP addresses, from where a new IP will be picked out when a customer connects. (This is very very common)
If you ban someone, when they disconnect the ip is put back in the pool and someone else gets it.
What [b]IF[/b] a legal player, maybe yourself gets assigned that address, sure the chance is near to impossible.
But the IP is just simply not reliable after the connection has been closed.[/QUOTE]
It's meant to ban someone after he got banned by steam-id so he can't immediately reconnect (what serenity is made for mainly). The spoofer then has to restart his internet connection and guess how many people would do this...
And to "legal player gets ip of banned": Remove the IP ban after let's say 2 weeks. Anyway, the chance for someone else getting this IP approaches zero. How many people at the same ISP play GMod at the same server with a previously banned IP of the ISP's IP-Pool?
[QUOTE=aVoN;20749422]It's meant to ban someone after he got banned by steam-id so he can't immediately reconnect (what serenity is made for mainly). The spoofer then has to restart his internet connection and guess how many people would do this...
And to "legal player gets ip of banned": Remove the IP ban after let's say 2 weeks. Anyway, the chance for someone else getting this IP approaches zero. How many people at the same ISP play GMod at the same server with a previously banned IP of the ISP's IP-Pool?[/QUOTE]
It was mostly to point out the unreliability of the ip, after the connection has ended.
Thus proving that anything the client provides you can be spoofed, you could spoof an admin's current ip and get him ip banned while he is not online for example. The only thing reliable at all times up to this point has been steamids, thus the ultimate solution is for valve to do something about it. But for now we will have to rely on passwords, clientside files, etc. for identifying banned players which will filter out the majority of naughty players with serenity.
Though it takes one determined and knowledgeable player to fuck you hard, that holds especially true now with serenity.
You're thinking like you're in a comic book. The average pay-to-change-steamid player DOES NOT know how to spoof an IP (Which isn't as possible as you think), they DO NOT know how to change their mac address, they DO NOT know anything more than a program that feeds them steamids. Saying "oh noes, it is possible to bypass so we shouldn't even try" is pretty pathetic.
[QUOTE=Gbps;20752716]You're thinking like you're in a comic book. The average pay-to-change-steamid player DOES NOT know how to spoof an IP (Which isn't as possible as you think), they DO NOT know how to change their mac address, they DO NOT know anything more than a program that feeds them steamids. Saying "oh noes, it is possible to bypass so we shouldn't even try" is pretty pathetic.[/QUOTE]
This is probably the most correct post in this entire thread. Seriously, write a file to them and ban their IP for a couple days. Give them render.AddBeam crashes if they keep doing it. Put on a password requirement for your admins to ban anyone. Sure, it's not foolproof by any means, but seriously, who the hell is going to keep restarting gmod only to get in for a few seconds for you to reban them? It's not like Serenity is as prolific as it may seem in this thread. It may be uncounterable. It probably is. But that doesn't mean you can't make the users' lives miserable.
Oh, and on the 0.0001% chance that some guy manages to get a recycled IP that's already been banned, or you get a 1337 hax0r who spoofs his IP, just unban him or get him to change his IP with a phone call.
In my humble opinion I think you guys should give up! Avaster says Serenity isn't beatable!
[QUOTE=VoiDeD;20753245]In my humble opinion I think you guys should give up! Avaster says Serenity isn't beatable![/QUOTE]
Oh voidy, you so crazy.
[QUOTE=aualin;20750038]It was mostly to point out the unreliability of the ip, after the connection has ended.[/quote]
Yes, this can happen. Then the banned person can join again after he reset his connection but he can't immediately after he got banned. So he always has to reset his connection which takes TIME and actually that is what those griefers don't wanna do. They simply want to rejoin FAST right after the kick so they can continue griefing - Not running down to the router in the cellar to restart it, running up again and rejoining.
[QUOTE=aualin;20750038]Thus proving that anything the client provides you can be spoofed, you could spoof an admin's current ip and get him ip banned while he is not online for example.[/quote]
This has a design-failure - How do you find out the IP of an admin. His IP changes too, remember?
Also: You can of course spoof your IP, but this will end with the server sending the data to the spoofed IP instead of your own one. So you can't actually join the server.
[QUOTE=aualin;20750038]The only thing reliable at all times up to this point has been steamids, thus the ultimate solution is for valve to do something about it. But for now we will have to rely on passwords, clientside files, etc. for identifying banned players which will filter out the majority of naughty players with serenity.
Though it takes one determined and knowledgeable player to fuck you hard, that holds especially true now with serenity.[/QUOTE]
Here I totally agree with you.
[editline]11:49AM[/editline]
[QUOTE=VoiDeD;20753245]In my humble opinion I think you guys should give up! Avaster says Serenity isn't beatable![/QUOTE]
I always have to laugh when you speak like this where actually everyone knows you were involved working on the exploit and serenity :)
All I can say about serenity is, it's bad that it gets sold and there is no source code for it. Because for the other case (free, source code), VALVE would catch up on the problem. Now they just sit on their fat asses and think [i]oh, well an exploit to our steamids. Luckily, he sells the program so not that many people have it - Not worth fixing - Especially because it means [u]work[/u] since there is no source code for it[/i]
Also: SteamID spoofing is stoppable. There were several methods in this thread now.
[QUOTE=Gbps;20752716]You're thinking like you're in a comic book. The average pay-to-change-steamid player DOES NOT know how to spoof an IP (Which isn't as possible as you think), they DO NOT know how to change their mac address, they DO NOT know anything more than a program that feeds them steamids. Saying "oh noes, it is possible to bypass so we shouldn't even try" is pretty pathetic.[/QUOTE]
I was simply proving you wrong, that the ip address is very unreliable. To underestimate your opponent is the worst mistake you can make.
I even said that all we got for now is to do what has been suggested in this thread, but ip banning them is not the best solution we have thought up, but the best is a combination of them all.
[QUOTE=aVoN;20758276]Yes, this can happen. Then the banned person can join again after he reset his connection but he can't immediately after he got banned. So he always has to reset his connection which takes TIME and actually that is what those griefers don't wanna do. They simply want to rejoin FAST right after the kick so they can continue griefing - Not running down to the router in the cellar to restart it, running up again and rejoining.
[/QUOTE]
Or you could access the web interface most (all?) routers have, and request a new DHCP lease, which hopefully gives you a new IP. I got fiber with a very low latency so that may have something to do with it, but requesting a new DHCP lease takes under a second for me. Still this is probably the easiest, and fastest way we can ban a serenity tard.
[QUOTE=aVoN;20758276]
This has a design-failure - How do you find out the IP of an admin. His IP changes too, remember?
Also: You can of course spoof your IP, but this will end with the server sending the data to the spoofed IP instead of your own one. So you can't actually join the server.
[/QUOTE]
Sorry, but it looks like I was very confused when I wrote that post. Looks like I was dreaming about 802.11 :v:
Have been reading a lot about that subject lately, mixed it all together.
-Snip-
Just make it so that if the steamid is not logged in from the same IP as earlier, you get a window where you have to type a code that you have specified earlier.
Well that's an idea big servers might want to use, I like it! Having to enter your password once per connection is hardly a hassle.
Hmm but nah nvm, that would only work well if everyone on steam had a password on your server, which they don't.
One thing would be to create some login system.
If you don't have an account, create one and log the steamid.
Next time you join you have to login and when you login it checks your steamid on that account and loads your data.
[QUOTE=VoiDeD;20753245]In my humble opinion I think you guys should give up! Avaster says Serenity isn't beatable![/QUOTE]
False, from what I heard the client has to be off the server and he also has to get a pool of steam-ids. Meaning 1 a dumb retard has to go to some retard website and 2 you have to be in main menu (off the server) to be able to start serenity.
Also
[code]
Name:√oidy
IP:98.227.90.80:27005
Real SteamID:STEAM_0:0:4491990
Fake SteamID:STEAM_0:1:17203663
Date:02/21/10 01:12:15
[/code]
[QUOTE=Rated Heart;20761874]One thing would be to create some login system.
If you don't have an account, create one and log the steamid.
Next time you join you have to login and when you login it checks your steamid on that account and loads your data.[/QUOTE]
Nah like I said they can simply come back with a steamID that isn't registered yet.
@Terabit What does that have to do with anything?
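
The following is an added example, not code posted by anyone in the thread. It sketches the layered check several posts converge on: a SteamID ban paired with an IP ban that lapses after two weeks, plus a code challenge when a protected SteamID shows up from an address it has not used before. It is plain Lua with no Garry's Mod API calls; `BanList`, `hostOf` and all SteamIDs, addresses and codes are hypothetical.

```lua
-- Added example, not code from the thread. Plain Lua, no Garry's Mod API:
-- the caller passes in the SteamID, the address and the current time.
local IP_BAN_SECONDS = 14 * 24 * 60 * 60    -- the two weeks suggested above

local BanList = {}
BanList.__index = BanList

function BanList.new()
    return setmetatable({ steamids = {}, ips = {}, lastip = {}, codes = {} }, BanList)
end

-- "a.b.c.d:port" -> "a.b.c.d" (the client port differs between connects)
local function hostOf(addr)
    return addr:match("^[^:]+")
end

-- Ban the SteamID permanently and the address it used for two weeks.
function BanList:ban(steamid, addr, now)
    self.steamids[steamid] = true
    self.ips[hostOf(addr)] = now + IP_BAN_SECONDS
end

-- Only accounts that registered a code are challenged (e.g. admins).
-- A real server would keep a salted hash; plaintext avoids dependencies here.
function BanList:setCode(steamid, code)
    self.codes[steamid] = code
end

-- Returns "deny" (plus the reason), "challenge" or "allow".
function BanList:check(steamid, addr, now, code)
    local ip = hostOf(addr)
    local expires = self.ips[ip]
    if expires and now < expires then return "deny", "ip" end
    self.ips[ip] = nil                       -- lapsed, or never banned
    if self.steamids[steamid] then return "deny", "steamid" end
    local expected = self.codes[steamid]
    if expected and self.lastip[steamid] ~= ip and code ~= expected then
        return "challenge"                   -- unfamiliar address, no valid code
    end
    self.lastip[steamid] = ip
    return "allow"
end

-- Constructed sample data (documentation IP ranges, made-up SteamIDs).
local bans = BanList.new()
bans:ban("STEAM_0:1:2222", "203.0.113.5:27005", 0)
print(bans:check("STEAM_0:1:9999", "203.0.113.5:27006", 60))                  -- new SteamID, banned IP
print(bans:check("STEAM_0:1:9999", "203.0.113.5:27006", IP_BAN_SECONDS + 1))  -- IP ban has lapsed
bans:setCode("STEAM_0:0:1111", "constructed-code")
print(bans:check("STEAM_0:0:1111", "198.51.100.7:27005", 60))                 -- protected ID, no code
print(bans:check("STEAM_0:0:1111", "198.51.100.7:27005", 60, "constructed-code"))
```

A SteamID with no registered code is never challenged, which is the limitation raised in the thread: the challenge protects known accounts from impersonation but does not stop a banned player returning under an unregistered SteamID once the IP ban lapses.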