• Anti-Cheat Discussion Thread 2
    418 replies, posted
I'm not an SQL guru or anything, but would it be possible to have a public/read-only sql table that could be used for retrieving the information? It seems better than using http.Get.
[QUOTE=wizardsbane;34467478]Just throwing in: avoid IP banning. It's easy to bypass with a VPN. This can also hurt innocent users if the banned person has a dynamic IP. As is well known, we're running out of IPv4 addresses, so the chance that an innocent player will get a recycled IP address that was banned due to a hacker is increasing.[/QUOTE] People don't have to use it. There are still 4 billion addresses in circulation; so the chances of getting caught as an alt mistakenly are tiny - that's what you have unban requests for. Alt bans aren't meant to 100% prevent people coming back; more to discourage those who think about it. [QUOTE=BlackAwps;34467507]I'm not an SQL guru or anything, but would it be possible to have a public/read-only sql table that could be used for retrieving the information? It seems better than using http.Get.[/QUOTE] Much harder to set up and poses a slightly bigger security risk.
[QUOTE=Bawbag;34467519]Much harder to set up and poses a slightly bigger security risk.[/QUOTE] From what I know it's not. You just have a public user with access to only fetch specific information then a user for the backend that's able to do everything. Unless I am overlooking something, it seems like it could be something worth looking into.
Is the api going to be a binary module?
[QUOTE=BlackAwps;34467566]From what I know it's not. You just have a public user with access to only fetch specific information then a user for the backend that's able to do everything. Unless I am overlooking something, it seems like it could be something worth looking into.[/QUOTE] Security-wise it is always a better idea to reject remote connections at all times for a database. Which will be done. [QUOTE=marvincmarvin;34467580]Is the api going to be a binary module?[/QUOTE] 100% lua
[QUOTE=BlackAwps;34467507]I'm not an SQL guru or anything, but would it be possible to have a public/read-only sql table that could be used for retrieving the information? It seems better than using http.Get.[/QUOTE] That's not too safe. What they can do is create a mirror of the actual SQL database that is read-only to be used for the API. The actual database stays outside of the DMZ and is only touched in a secure way. You should really never, ever, ever expose a SQL database except through queries that you can control.
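The point made in the two posts above (a SELECT-only user for the public side, the writable database kept behind the API, and only queries the API itself controls) can be shown in a few lines. The following is an added illustration, not code from the thread or from the project being discussed; it uses a temporary SQLite file opened read-only to stand in for a read-only database user, a strict SteamID shape check, and a fixed parameterised query. The table layout, column names and sample rows are constructed for the example.

```python
import os
import re
import sqlite3
import tempfile

# Constructed sample rows, not data from the thread.
SAMPLE_BANS = [
    ("STEAM_0:1:12345", "example-server-a", "aimbot", 1327881600, "admin note: see ticket 1"),
    ("STEAM_0:1:12345", "example-server-b", "wallhack", 1327968000, ""),
    ("STEAM_0:0:67890", "example-server-a", "spam", 1327881600, ""),
]

# Strict shape check: the API only accepts values that look like a SteamID.
STEAMID_RE = re.compile(r"^STEAM_[0-5]:[01]:[0-9]{1,10}$")


def create_backend(path):
    """The writable database. Only the backend ever opens it this way."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE bans (steamid TEXT NOT NULL, server TEXT NOT NULL, "
        "reason TEXT NOT NULL, banned_at INTEGER NOT NULL, admin_note TEXT)"
    )
    conn.executemany("INSERT INTO bans VALUES (?, ?, ?, ?, ?)", SAMPLE_BANS)
    conn.commit()
    conn.close()


def open_readonly(path):
    """What the public-facing API gets: a connection that cannot write.
    This stands in for a SELECT-only database user on a real DBMS."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def lookup_bans(ro_conn, steamid):
    """One fixed query the API controls; the caller only supplies a validated SteamID."""
    if not STEAMID_RE.match(steamid):
        raise ValueError("not a SteamID")
    cur = ro_conn.execute(
        "SELECT server, reason, banned_at FROM bans WHERE steamid = ? ORDER BY banned_at",
        (steamid,),
    )
    # admin_note is never selected, so it cannot leak through this endpoint.
    return [dict(zip(("server", "reason", "banned_at"), row)) for row in cur]


def reputation(ro_conn, steamid):
    """Number of bans across participating servers (the 'reputation' figure)."""
    return len(lookup_bans(ro_conn, steamid))


def demo():
    """Exercise the API against the constructed data; returns what a test can check."""
    tmp = tempfile.mkdtemp()
    path = os.path.join(tmp, "bans.db")
    create_backend(path)
    ro = open_readonly(path)

    bans = lookup_bans(ro, "STEAM_0:1:12345")
    rep = reputation(ro, "STEAM_0:1:12345")

    # Injection-shaped input is rejected by the shape check before any SQL runs.
    try:
        lookup_bans(ro, "STEAM_0:1:1' OR '1'='1")
        injection_rejected = False
    except ValueError:
        injection_rejected = True

    # A write through the read-only connection fails at the database, not by convention.
    try:
        ro.execute("DELETE FROM bans")
        write_rejected = False
    except sqlite3.OperationalError:
        write_rejected = True

    ro.close()
    return bans, rep, injection_rejected, write_rejected
```

The two properties worth noticing are that the public side physically cannot write (the database refuses it, regardless of bugs in the API code) and that the only SQL the public side ever runs is the one statement in `lookup_bans`, so a caller can choose the SteamID but never the query.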
[QUOTE=wizardsbane;34467602]That's not too safe. What they can do is create a mirror of the actual SQL database that is read-only to be used for the API. The actual database stays outside of the DMZ and is only touched in a secure way. You should really never, ever, ever expose a SQL database except through queries that you can control.[/QUOTE] I see, was just an idea. [QUOTE=Bawbag;34467581]Security wise it is always a better idea to reject remote connections at all times for a database. Which will be done.[/QUOTE] If anything, use a socket connection to give raw data, like how the master server list works. Honestly, anything is better than using http.Get. Especially if you are parsing more than a few hundred bans.
[QUOTE=BlackAwps;34467605]If anything, use a socket connection to give raw data, like how the master server list works. Honestly, anything is better than using http.Get. Especially if you are parsing more than a few hundred bans.[/QUOTE] And you really expect people to trust me with a dll? There is little-to-no overhead of loading a few megabytes of text. Plus, the 'raw sockets' idea would get messy. Authenticating which server is sending the data; picking which server to take data from, etc.
[QUOTE=Ruzza;34467266]How does this sound. The API system works when a player joins "your server" which has the addon installed, it will contact the website and provide the SteamID and the IPAddress of the player to the server to check/save records of them connecting with a different SteamID with the same IP or vise versa. Then you will get a response back saying that this player is also an ALT / Shared Home Connection with a different SteamID which has already connected to that same server. This can help tracking players which are using the same IPAddress with another SteamID. This can all be done with Lua alone, however with it being API and connecting to website, other servers can take the advantage of preventing players with alts joining their server and minging / cheating / exploiting. Tell me what you think.[/QUOTE] On a semi-related note, what is the best way to go about interaction between lua and web scripts? The only thing I can really think of would be using SQL? Sorry if it's obvious, I've had limited experience with web interaction through lua.
It's better to a certain point, tmysql only supports 1 database connection and writing a mysqloo version will just cause hassle to people who already use addons which use tmysql. It just conflicts with everyone's needs. Obviously the IP/SteamID logging will be logged via API and the API will be terminated if it is being abused, I need to make VALID requests so people don't just type in [url]http://thisthat.com?api=this&steamid=that&ip=this&reason=that[/url]. Another pain in my ass would be that, http.Get does not bind the IP to the same SRCDS server calling it, if you have a dedicated with multiple IPs like any GSP then, it will go shit wire.
[QUOTE=Bawbag;34467614]And you really expect people to trust me with a dll? There is little-to-no overhead of loading a few megabytes of text. Plus, the 'raw sockets' idea would get messy. Authenticating which server is sending the data; picking which server to take data from, etc.[/QUOTE] I support the module idea, but I would agree that people would be overly-cautious (with good reason) about it. Would be a definite plus. What is your plan for the security protocol for the lists being sent, group passwords being set, etc?
[QUOTE=wizardsbane;34467721]I support the module idea, but I would agree that people would be overly-cautious (with good reason) about it. Would be a definite plus. What is your plan for the security protocol for the lists being sent, group passwords being set, etc?[/QUOTE] Private key authentication. The quality of the lists will only really be as trustworthy as your trust in the owner of that private key.
[QUOTE=Ruzza;34467708]It's better to a certain point, tmysql only supports 1 database connection and writing a mysqloo version will just cause hassle to people who already use addons which use tmysql. It just conflicts with everyone's needs. Obviously the IP/SteamID logging will be logged via API and the API will be terminated if it is being abused, I need to make VALID requests so people don't just type in [url]http://thisthat.com?api=this&steamid=that&ip=this&reason=that[/url]. Another pain in my ass would be that, http.Get does not bind the IP to the same SRCDS server calling it, if you have a dedicated with multiple IPs like any GSP then, it will go shit wire.[/QUOTE] I'm sure Bawbag is capable enough to write a capable and intelligent API that doesn't require complete deactivation when abuse is detected. [editline]30th January 2012[/editline] [QUOTE=Bawbag;34467737]Private key authentication. The quality of the lists will only really be as trustworthy as your trust in the owner of that private key.[/QUOTE] Heh, the PGP system? Nice thinking. I forget, does PGP utilize unique sessions? Utilizing a session for a web-service is definitely suggested.
[QUOTE=wizardsbane;34467745]Heh, the PGP system? Nice thinking. I forget, does PGP utilize unique sessions? Utilizing a session for a web-service is definitely suggested.[/QUOTE] Similar. We won't bother encrypting shit though. Sessions would be nice, but they aren't really necessary (It's only 16 bytes more to authenticate with every request)
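One way to get "authenticate with every request" without encrypting anything, which is what Bawbag describes and what Ruzza's worry about hand-typed `?api=...&steamid=...` URLs calls for, is a per-server shared secret and an HMAC over the request parameters. The block below is an added example, not the project's code; the key-per-server scheme, the parameter names, the 5-minute clock window and the nonce check are my assumptions. The timestamp and nonce are the "session-like" replay protection wizardsbane asks about, added here as a caveat: a signed request that can be resubmitted unchanged is still a forgeable ban.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, urlencode

# Constructed server registry: key id -> shared secret, issued out of band to each server owner.
SERVER_KEYS = {
    "srv-0001": b"constructed-secret-for-server-0001",
}

MAX_SKEW = 300          # seconds a signed request stays acceptable
_seen_nonces = set()    # in production: a store with expiry, not a process-local set


def _canonical(params):
    """Sort so both sides hash identical bytes regardless of parameter order."""
    return urlencode(sorted(params.items())).encode()


def sign_request(key_id, secret, params, now=None, nonce=None):
    """Game-server side: add key id, timestamp and nonce, then sign everything."""
    signed = dict(params)
    signed["key_id"] = key_id
    signed["ts"] = str(int(now if now is not None else time.time()))
    signed["nonce"] = nonce or secrets.token_hex(8)
    signed["sig"] = hmac.new(secret, _canonical(signed), hashlib.sha256).hexdigest()
    return urlencode(signed)


def verify_request(query_string, now=None):
    """API side. Returns (ok, reason, params); a rejected request never reaches the database."""
    params = dict(parse_qsl(query_string, keep_blank_values=True))
    sig = params.pop("sig", None)
    secret = SERVER_KEYS.get(params.get("key_id"))
    if sig is None or secret is None:
        return False, "unknown key", None
    expected = hmac.new(secret, _canonical(params), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):      # constant-time comparison
        return False, "bad signature", None
    now = now if now is not None else time.time()
    try:
        ts = int(params["ts"])
    except (KeyError, ValueError):
        return False, "missing timestamp", None
    if abs(now - ts) > MAX_SKEW:
        return False, "stale", None
    nonce = params.get("nonce", "")
    if nonce in _seen_nonces:
        return False, "replay", None
    _seen_nonces.add(nonce)
    return True, "ok", params


def demo():
    """Walk through the cases a verifier has to get right; fixed clock for repeatability."""
    now = 1327881600
    secret = SERVER_KEYS["srv-0001"]
    params = {"action": "ban", "steamid": "STEAM_0:1:12345", "reason": "aimbot"}
    qs = sign_request("srv-0001", secret, params, now=now, nonce="n1")
    ok_valid = verify_request(qs, now=now)[0]
    # Tampering with a signed parameter invalidates the signature.
    ok_tampered = verify_request(qs.replace("STEAM_0%3A1%3A12345", "STEAM_0%3A1%3A99999"), now=now)[0]
    # Resubmitting the identical request: nonce already seen.
    ok_replay = verify_request(qs, now=now)[0]
    # A hand-typed request with no key material at all.
    ok_forged = verify_request("action=ban&steamid=STEAM_0%3A1%3A12345&reason=aimbot", now=now)[0]
    # Correctly signed, but presented an hour later.
    qs2 = sign_request("srv-0001", secret, params, now=now, nonce="n2")
    ok_stale = verify_request(qs2, now=now + 3600)[0]
    return ok_valid, ok_tampered, ok_replay, ok_forged, ok_stale
```

The list-trust remark in the quoted post carries over unchanged: a valid signature only proves the request came from whoever holds `srv-0001`'s secret, so the ban is exactly as trustworthy as that server owner.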
My idea: When a user connects, the server displays a message similar to [QUOTE]Player X connected Player X's reputation is below threshold! (4 Bans on participating servers)[/QUOTE] The web frontend could look like this: [IMG]http://www.abload.de/img/banswfz9v.png[/IMG] The web frontend needs openID authentication and whatnot of course (check if the steamid owns garrysmod? limit the amount of servers per account? somehow do something about registering dynamic ips?) [editline]31st January 2012[/editline] Oh god I got badly ninja'd by all the talk above me
[QUOTE=DrogenViech;34467977]My idea: When a user connects, the server displays a message similar to The web frontend could look like this: [IMG]http://www.abload.de/img/banswfz9v.png[/IMG] The web frontend needs openID authentication and whatnot of course (check if the steamid owns garrysmod? limit the amount of servers per account? somehow do something about registering dynamic ips?) [editline]31st January 2012[/editline] Oh god I got badly ninja'd by all the talk above me[/QUOTE] I personally think there shouldn't be a web front-end. This system is more so meant to protect servers, not act as a search/display engine for everyone banned. What I would suggest is a small addition to the API which allows individual users to check their "reputation" (good idea, by the by) in a client-side piece of the addon. Less bandwidth to just send text. The server message I agree with, though. [editline]30th January 2012[/editline] As for allowing a server owner to check aliases and stuff like that, use of the API would be preferable. This ban-list should not become a public spectacle, this isn't SourceBans. Server owners check everyone that affects them, clients only allowed to check themselves.
Well I'd just like to say that I often find myself googling a banned user's SteamID to see what kind of bans they have at other communities, so I think that having a public database with a ban record would be relatively useful (and an API for accessing it too?)
[QUOTE=Banana Lord.;34468426]Well I'd just like to say that I often find myself googling a banned user's SteamID to see what kind of bans they have at other communities, so I think that having a public database with a ban record would be relatively useful (and an API for accessing it too?)[/QUOTE] I don't know, I feel like that functionality violates a user's privacy. The "reputation" suggested by DragonViech is probably the best solution to this. Unless you're a server owner, you really shouldn't be worrying about what others have been banned for, because as a client you really have no power to do anything anyway. If you're acting for a server as an admin or whatever, when you actually have power, then you'd have the sort of information you want anyway.
I posted this in the wrong thread.. blah. [img]http://puu.sh/f9Fk[/img]
Those paint skills. They're using Windows XP. (I'm referring to their printscreen)
I seem to pointedly remember that andre guy in another thread going NOOB SETH NOT ASSOCIATED WITH DDOS FIX SETHHACK OR BAD THINGS HAPPEN Knights of the Told Republic.
[QUOTE=Inugami;34468725]I seem to pointedly remember that andre guy in another thread going NOOB SETH NOT ASSOCIATED WITH DDOS FIX SETHHACK OR BAD THINGS HAPPEN Knights of the Told Republic.[/QUOTE] You mean the same guy that I gave my IP to and nothing happened? Yeah, I remember that too.
[QUOTE=Blasphemy;34468736]You mean the same guy that I gave my IP to and nothing happened? Yeah, I remember that too.[/QUOTE] -stupidity-
[QUOTE=wizardsbane;34468896]It probably didn't come through enough to cripple you because your ISP would have detected the load spike and then have mitigated it. I think that's why, anyway. Correct me if I'm wrong, I feel that I probably am.[/QUOTE] Nah, I've been DoSed before on my home internet. Not DDoS, but it still knocked me offline until it was stopped.
OH MY GOD ASPERGERS
Here is a quick SQL I whipped up in boredom, hopefully it will inspire someone to make something awesome. [url]http://dl.dropbox.com/u/1540469/sample.sql[/url] Basically the "server owners" go into users. Servers go in servers and are connected to their "owner" by the "owners" "_ID", along with each server's API key. Bans go in bans and tie to servers by the server's "_ID". Probably a better way, but I thought I'd give it a try :)
[url]http://bancentral.net/[/url]
[QUOTE=Bawbag;34466605]It is being developed by ColdFusion and Flapadar.[/QUOTE] Hopefully that will go over as well as Coldfire.
[QUOTE=BlackAwps;34463974]Whenever I catch a seth hacker, I iptable ban them. Makes them think the server crashed. [lua]local exitCode = cmd.exec( string.format( "iptables -I INPUT -s %s -j DROP", ply:GetIP() ) ) >> 8[/lua] [/QUOTE] You can do the same thing on windows [code]netsh firewall add portopening udp 27005 Wireshark DISABLE 255.255.255.255[/code] Of course you have to get the correct client port for each user.
[QUOTE=Aide;34599928]You can do the same thing on windows [code]netsh firewall add portopening udp 27005 Wireshark DISABLE 255.255.255.255[/code] Of course you have to get the correct client port for each user.[/QUOTE] you can specify a port range that occupies all ports. But beware that the windows firewall is very slow and not made for a large amount of rules.
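The Lua snippet quoted above passes the player's address straight into a shell command string, and the reply notes that host firewalls slow down as rules pile up. As an added example (not code from the thread), this is how a server-side block could be issued without a shell, with the address validated first, the rule tagged so it can be found and removed again on unban, and a cap on live rules. The `iptables -m comment` match is real; the cap value, the tag name and the `dry_run` switch are my assumptions for the example.

```python
import ipaddress
import subprocess

# Constructed cap; host firewalls (Windows Firewall especially) degrade with large rule sets.
MAX_ACTIVE_RULES = 500
RULE_TAG = "anticheat"  # comment tag so the rules can be listed and removed later


def player_address(raw):
    """Validate what the game server hands us. Accepts '203.0.113.7' or '203.0.113.7:27005';
    anything else (IPv6, hostnames, shell metacharacters, extra arguments) raises ValueError."""
    host = raw.split(":", 1)[0] if raw.count(":") == 1 else raw
    return str(ipaddress.IPv4Address(host))


def rule_args(action, ip):
    """argv for inserting (-I) or deleting (-D) the DROP rule. No shell is involved,
    so nothing in the address can be interpreted as extra arguments."""
    return ["iptables", action, "INPUT", "-s", ip,
            "-m", "comment", "--comment", f"{RULE_TAG}:{ip}", "-j", "DROP"]


class FirewallBans:
    """Tracks live rules so duplicates are not stacked and the cap is enforced."""

    def __init__(self, dry_run=True):
        self.dry_run = dry_run      # True: return the argv instead of running iptables
        self.active = set()

    def _run(self, argv):
        if not self.dry_run:
            subprocess.run(argv, check=True)
        return argv

    def block(self, raw_ip):
        ip = player_address(raw_ip)
        if ip in self.active:
            return None             # already blocked; do not add a duplicate rule
        if len(self.active) >= MAX_ACTIVE_RULES:
            raise RuntimeError("rule cap reached; expire old bans before adding more")
        self.active.add(ip)
        return self._run(rule_args("-I", ip))

    def unblock(self, raw_ip):
        ip = player_address(raw_ip)
        if ip not in self.active:
            return None
        self.active.discard(ip)
        return self._run(rule_args("-D", ip))
```

Because every rule carries the same comment tag, `iptables -S INPUT | grep anticheat:` lists exactly the bans this code added, which is what makes the dynamic-IP unban requests mentioned earlier in the thread practical to honour.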