One Hour One Life Forums

a multiplayer game of parenting and civilization building


#1 2019-01-05 06:17:32

andrew_klassen
Member
Registered: 2018-12-11
Posts: 11

Created a tool that can prevent griefing/trolling

My automated server installation tool now has the ability to create a ticketing system. This allows server owners to create individual accounts for clients just like Jason does.

https://github.com/andrew-klassen/onelife_easy_install

This prevents users from "leaking" the server's password because clients no longer share a password. A client's individual access can also be blocked in the event that a player goes berserk, without needing to restart the server.

Security Warning: Do not use personal passwords or your official One Hour One Life key on custom servers because they exist on the server in clear text.


#2 2019-01-05 06:24:39

Greep
Member
Registered: 2018-12-16
Posts: 289

Re: Created a tool that can prevent griefing/trolling

Wait, the keys exist on a custom server in clear text?   Or just the ticketing server?  My impression was the client encrypts the key, the encrypted key passes through the server to the ticketing server.  I got 0 answers when I asked about it on discord unfortunately, and I wasn't about to spend 5 hours digging around to find out hmm  I know the emails exist on the custom server, but that doesn't feel like a huge deal.

Last edited by Greep (2019-01-05 06:31:45)


Likes sword based eve names.  Claymore, blades, sword.  Never underestimate the blades!


#3 2019-01-05 07:10:51

andrew_klassen
Member
Registered: 2018-12-11
Posts: 11

Re: Created a tool that can prevent griefing/trolling

Greep wrote:

Wait, the keys exist on a custom server in clear text?   Or just the ticketing server?  My impression was the client encrypts the key, the encrypted key passes through the server to the ticketing server.  I got 0 answers when I asked about it on discord unfortunately, and I wasn't about to spend 5 hours digging around to find out hmm  I know the emails exist on the custom server, but that doesn't feel like a huge deal.

Technically both.

A custom server can be set up with a single password, a ticketing system, or both (but this is uncommon).

- if the server is set up with a single password, the password is stored in clear text in the server's OneLife/server/settings/clientPassword.ini file

- if the server is set up using its own unique ticketing system, the emails and keys are stored in clear text inside a MySQL database in the tickets table; in this case the emails and keys are unique to this server

By default servers are set up to authenticate using Jason's ticketing server. So if this is the case, only Jason can see your key.

Here is a high level overview of how the authentication works.

1. A SHA-1 HMAC is created on the client.
2. The hash is sent to the server.
3. The server then pulls its stored key and hashes it the same way as the client.
4. The hashes are then compared. If they are the same, then the client is granted access.

Fortunately for us, the code is open source and is located here.

https://github.com/jasonrohrer/minorGem … server.php

The function ts_checkTicketHash() is the part of the server.php that is responsible for ticket authentication.

Where this gets interesting is when you ask the question, "What happens if the client accidentally submits a sensitive key? Could a malicious server owner modify the source code to steal the hash?"

The answer to this is yes. Which is why I'm recommending not to submit any sensitive data to a server you don't trust. With custom ticketing servers you don't have to use them with a valid email. You could just ask the server owner to make you an account like the following.

Username: andrew@server
Password: <random_password_unique_to_this_server>

Last edited by andrew_klassen (2019-01-05 10:23:43)

Offline
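
The four-step check outlined in post #3, as an added example that is not part of the original post and is not code from server.php. The per-login challenge, the function names and the sample accounts are assumptions made for illustration; it also shows why the server has to hold the key in clear text and why a key unique to one server limits the exposure.

```python
import hashlib
import hmac
import secrets


def new_challenge() -> str:
    # Assumption: the server issues a fresh random string per login attempt.
    return secrets.token_hex(16)


def client_response(key: str, challenge: str) -> str:
    # Step 1: the client keys HMAC-SHA1 with its ticket key.
    return hmac.new(key.encode(), challenge.encode(), hashlib.sha1).hexdigest()


def server_check(tickets: dict, blocked: set, email: str,
                 challenge: str, response: str) -> bool:
    # Step 3: the server needs the key itself (not a hash of it) to recompute
    # the HMAC, which is why the tickets table holds keys in clear text.
    key = tickets.get(email)
    if key is None or email in blocked:
        return False
    expected = client_response(key, challenge)
    # Step 4: constant-time comparison of the two hex digests.
    return hmac.compare_digest(expected.encode(), response.lower().encode())


def demo() -> dict:
    # Constructed data: two servers, one account on each with its own key.
    server_a = {"andrew@server": "constructed-key-for-server-a"}
    server_b = {"andrew@server": "constructed-key-for-server-b"}
    blocked_a = set()
    c1, c2 = new_challenge(), new_challenge()
    resp = client_response("constructed-key-for-server-a", c1)
    results = {
        "valid_login": server_check(server_a, blocked_a, "andrew@server", c1, resp),
        # A response only matches the challenge it was computed for.
        "old_response_new_challenge": server_check(server_a, blocked_a, "andrew@server", c2, resp),
        # A per-server key is useless against a different server's table.
        "key_a_on_server_b": server_check(server_b, set(), "andrew@server", c1, resp),
    }
    # Blocking takes effect on the next check, without a restart.
    blocked_a.add("andrew@server")
    results["after_block"] = server_check(server_a, blocked_a, "andrew@server", c1, resp)
    return results


if __name__ == "__main__":
    print(demo())
```
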

#4 2019-01-05 07:27:13

Greep
Member
Registered: 2018-12-16
Posts: 289

Re: Created a tool that can prevent griefing/trolling

Sweet.  That scared me a bit  xD  I was using Jason's authentication system.  I'll look into this later, your stuff looks interesting smile  Right now my only way of handling a griefer is shutting down the server for a moment and blocking their email.

Last edited by Greep (2019-01-05 07:27:38)



#5 2019-01-05 08:13:09

lionon
Member
Registered: 2018-11-19
Posts: 532

Re: Created a tool that can prevent griefing/trolling

Greep wrote:

Right now my only way of handling a griefer is shutting down the server for a moment and blocking their email.

Well it wouldn't be hard to code the server to reload a "blocked.ini" file every time someone tries to connect, so you could simply change that file on the go.


#6 2019-01-05 08:23:07

Greep
Member
Registered: 2018-12-16
Posts: 289

Re: Created a tool that can prevent griefing/trolling

Yeah that's a fair point.  I could also check for my user on SAY commands and give myself super powers, like adding people to a blocked list until I have to shut the server down anyways.  Either way, I wish something like this was easy to find before I started my own server, although uncle gus' thread was super awesome too.



#7 2019-01-05 09:07:52

lionon
Member
Registered: 2018-11-19
Posts: 532

Re: Created a tool that can prevent griefing/trolling

Greep wrote:

Yeah that's a fair point.  I could also check for my user on SAY commands and give myself super powers, like adding people to a blocked list until I have to shut the server down anyways.  Either way, I wish something like this was easy to find before I started my own server, although uncle gus' thread was super awesome too.

What you need is a functional curse server ... then your players can take it on themselves to curse people and have them a downtime... and reenable donkeytown for them.


#8 2019-01-05 09:27:55

Greep
Member
Registered: 2018-12-16
Posts: 289

Re: Created a tool that can prevent griefing/trolling

Yeah I'm not sure how effective a curse system would be on a server with generally low population.  If griefers want, they can outnumber the players at any time, which the curse "voting" doesn't deal with very well.  My thinking is just getting several players I trust at various time zones SAY powers similar to cursing or banning.

Last edited by Greep (2019-01-05 09:28:36)



#9 2019-01-05 09:54:59

andrew_klassen
Member
Registered: 2018-12-11
Posts: 11

Re: Created a tool that can prevent griefing/trolling

Greep wrote:

Yeah I'm not sure how effective a curse system would be on a server with generally low population.  If griefers want, they can outnumber the players at any time, which the curse "voting" doesn't deal with very well.  My thinking is just getting several players I trust at various time zones SAY powers similar to cursing or banning.

This is a great idea.

As of right now, the tool only allows people who have access to the server to block and unblock users. However, I could easily have some script running in the background that would parse the server logs and look for SAY commands, then perform the blocks automatically. This would also simplify the account creation process, by allowing trusted users to create accounts. I would just mark the trusted users with a column in the database with something along the lines of "admin".

If I can't think of something better within the next hour or so, I'm implementing this.


#10 2019-01-05 09:59:44

lionon
Member
Registered: 2018-11-19
Posts: 532

Re: Created a tool that can prevent griefing/trolling

andrew_klassen wrote:

If I can't think of something better within the next hour or so, I'm implementing this.

Before you write a daemon that polls the logs I sincerely suggest simply patching server.cpp somewhat instead. I've done this with my MARK / RECALL commands...

Last edited by lionon (2019-01-05 10:00:01)


#11 2019-01-05 10:03:17

lionon
Member
Registered: 2018-11-19
Posts: 532

Re: Created a tool that can prevent griefing/trolling

andrew_klassen wrote:

By default servers are set up to authenticate using Jason's ticketing server. So if this is the case, only Jason can see your key and email.

This is not true, just saying. As far as I remember, by default there was no ticketing system at all and it accepted any connections... (could be wrong though, I don't remember 100%). Secondly, and this is sure, I've configured it to use Jason's ticket server and I do get emails in the server logs. Not that I do anything with them or would ever plan to do so... Or that there would be a huge harm... Not like I'm going to sell it for 0.00000000001 cent or so to a spammer.


#12 2019-01-05 10:07:52

Greep
Member
Registered: 2018-12-16
Posts: 289

Re: Created a tool that can prevent griefing/trolling

Yeah if a spammer hacked a small custom server for emails that are mostly fake steam emails, they probably should find a new line of business xD



#13 2019-01-05 10:29:58

andrew_klassen
Member
Registered: 2018-12-11
Posts: 11

Re: Created a tool that can prevent griefing/trolling

lionon wrote:
andrew_klassen wrote:

By default servers are set up to authenticate using Jason's ticketing server. So if this is the case, only Jason can see your key and email.

This is not true, just saying. As far as I remember, by default there was no ticketing system at all and it accepted any connections... (could be wrong though, I don't remember 100%). Secondly, and this is sure, I've configured it to use Jason's ticket server and I do get emails in the server logs. Not that I do anything with them or would ever plan to do so... Or that there would be a huge harm... Not like I'm going to sell it for 0.00000000001 cent or so to a spammer.

I meant to just say key. I've corrected it.


#14 2019-01-05 10:34:34

andrew_klassen
Member
Registered: 2018-12-11
Posts: 11

Re: Created a tool that can prevent griefing/trolling

lionon wrote:
andrew_klassen wrote:

If I can't think of something better within the next hour or so, I'm implementing this.

Before you write a daemon that polls the logs I sincerely suggest simply patching server.cpp somewhat instead. I've done this with my MARK / RECALL commands...

I'll definitely look into it, but I like the idea of editing Jason's code as little as possible because I don't have control over it, in regards to how it changes.


#15 2019-01-05 14:04:02

lionon
Member
Registered: 2018-11-19
Posts: 532

Re: Created a tool that can prevent griefing/trolling

andrew_klassen wrote:

I'll definitely look into it, but I like the idea of editing Jason's code as little as possible because I don't have control over it, in regards to how it changes.

Nor do you have control over the way the log files are generated smile

As long as the patch cleanly applies, there is IMO very little chance a change actually breaks.
