Banning Foreign Users in Hypergrid
From OpenSimulator
+ | |||
+ | '''Please note that none of the mechanisms on this page are foolproof. Banning a specific IP address on the firewall may be more effective, though then there is a danger of blocking large numbers of addresses hiding behind a NAT.''' | ||
+ | |||
+ | = Banning Foreign Users = | ||
+ | |||
+ | '''It may now be possible to ban known Hypergrid user names (of the form Joe Bloggs@somegrid.net) directly in certain third party viewer dialogs. This needs to be ascertained.''' | ||
+ | Even though the current viewers are incapable of dealing with foreign users in the estate dialogs that they present to the user, it is possible to ban specific foreign users from your estates. For now, you have to do it on the backend, i.e. directly editing the database and reviewing the log. Not easy for the faint of heart, but any sys admin should be able to do this with their eyes shut. What follows are instructions for adding a foreign user to the estate's ban list. | ||
+ | |||
+ | == Via the Database == | ||
+ | |||
+ | '''Note that this relies on the foreign user not changing their UUID. This is difficult to do for an existing user but, of course, it is not hard to create a completely new account.''' | ||
+ | |||
+ | The first thing you need to do is to find out the UUID and IP address of the user you want to ban. For that you need to look at OpenSim.log. Search for log messages like this: | ||
+ | |||
+ | 2009-01-23 03:45:11,995 INFO - OpenSim.Region.Communications.Hypergrid.HGGridServicesGridMode [HGrid]: Incoming HGrid Agent | ||
+ | Annoying.Person http://problematic.domain.org:9002 | ||
+ | 2009-01-23 03:45:11,995 DEBUG - OpenSim.Region.Environment.Scenes.Scene [CONNECTION BEGIN]: Region Gateway 3000 told of incoming client | ||
+ | Annoying.Person http://problematic.domain.org:9002 c3c9ecbf-bfb3-43eb-8dce-140afad7995f (circuit code 1896255323) | ||
+ | |||
+ | In this case, the information you need is: UUID = c3c9ecbf-bfb3-43eb-8dce-140afad7995f and IPAddress = problematic.domain.org | ||
+ | |||
+ | Next, let's add this foreign user to the ban list. Note that the estate information and ban lists are kept at the region server, not in the Robust services. If you are using local storage for your regions, this information is stored in bin/OpenSim.db. So, open that DB with whatever tool you use to access your DBs. The instructions here assume a local sqlite database; if you're using MySql or other DB technologies for the regions' storage, the instructions are almost identical, but may need adjustments. | ||
+ | |||
+ | SqlLite usually comes with a common Linux installation. In Linux, just type: | ||
+ | |||
+ | $ sqlite3 OpenSim.db | ||
+ | |||
+ | In Windows, you need to get it from [http://www.sqlite.org/download.html here]. Once installed, run it on your OpenSim.db, like this, for example (on a command shell): | ||
+ | |||
+ | $ C:/Opt/SQLite3/sqlite3.exe OpenSim.db | ||
+ | |||
+ | Once you are connected to the database, you can explore as much as you want. What follows are the concrete interactions you need for adding that foreign user into an estate ban list. Change the data for your situation. | ||
+ | |||
+ | [opensim@ucigrid04 bin]$ sqlite3 OpenSim.db | ||
+ | SQLite version 3.3.6 | ||
+ | Enter ".help" for instructions | ||
+ | sqlite> .tables | ||
+ | estate_groups estate_users migrations regionban | ||
+ | estate_managers estateban primitems regionsettings | ||
+ | estate_map land prims terrain | ||
+ | estate_settings landaccesslist primshapes | ||
+ | sqlite> .schema estateban | ||
+ | CREATE TABLE estateban ( | ||
+ | EstateID int(10) NOT NULL, | ||
+ | bannedUUID varchar(36) NOT NULL, | ||
+ | bannedIp varchar(16) NOT NULL, | ||
+ | bannedIpHostMask varchar(16) NOT NULL, | ||
+ | bannedNameMask varchar(64) default NULL | ||
+ | ); | ||
+ | CREATE INDEX estate_ban_estate_id on estateban(EstateID); | ||
+ | sqlite> select EstateID, EstateName from estate_settings; | ||
+ | 100|My Estate | ||
+ | 101|My Estate | ||
+ | 102|My Estate | ||
+ | 103|My Estate | ||
+ | sqlite> insert into estateban values (100, 'c3c9ecbf-bfb3-43eb-8dce-140afad7995f', 'problematic.domain.org', ' ', ' '); | ||
+ | sqlite> insert into estateban values (101, 'c3c9ecbf-bfb3-43eb-8dce-140afad7995f', 'problematic.domain.org', ' ', ' '); | ||
+ | sqlite> insert into estateban values (102, 'c3c9ecbf-bfb3-43eb-8dce-140afad7995f', 'problematic.domain.org', ' ', ' '); | ||
+ | sqlite> insert into estateban values (103, 'c3c9ecbf-bfb3-43eb-8dce-140afad7995f', 'problematic.domain.org', ' ', ' '); | ||
+ | sqlite> select * from estateban; | ||
+ | 100|c3c9ecbf-bfb3-43eb-8dce-140afad7995f|problematic.domain.org|| | ||
+ | 101|c3c9ecbf-bfb3-43eb-8dce-140afad7995f|problematic.domain.org|| | ||
+ | 102|c3c9ecbf-bfb3-43eb-8dce-140afad7995f|problematic.domain.org|| | ||
+ | 103|c3c9ecbf-bfb3-43eb-8dce-140afad7995f|problematic.domain.org|| | ||
+ | sqlite> .quit | ||
+ | |||
+ | Once this data is entered you need to restart OpenSim, so that it gets loaded. | ||
+ | |||
== On the Network Level ==

'''Note: This is a ban by MAC address on the firewall level. It is possible for advanced users to change their MAC address.'''

The following guide is an excerpt from the [https://grimore.org/opensim/banning_agents full article at Wizardry and Steamworks]. The principle is that all viewers are meant to send a MAC address that is hashed using a hex digest algorithm. Since iptables under Linux only understands real link-layer MAC addresses, not this hashed form, we use the ipt_string match to look for the hashed MAC address in the packet payload instead.

For example, when a user connects to a grid, whether it is a direct login or a hypergrid teleport, a string like the following is displayed:

<pre>
OpenSim.Services.HypergridService.GatekeeperService [GATEKEEPER SERVICE]:
Login request for Jaine Mariolack @ http://virtualrealmsgrid.com:8002/
(0a009e79-7c56-11e2-b122-000c76240986) at VIBE using viewer
Imprudence 1.3.2.0, channel Imprudence,
IP 109.112.128.89,
Mac d6812bb4d7625027d53c2e9715410caf,
Id0 dd76693a887c545f4d65c2ff2da3a4d7
Teleport Flags 0
</pre>

The segment that reads '''d6812bb4d7625027d53c2e9715410caf''' is the hashed MAC address which gets sent by the viewer.

We can block that with iptables:
<pre>
iptables -A INPUT -m string --string 'd6812bb4d7625027d53c2e9715410caf' --algo bm -p tcp --dport 9000 -j DROP
</pre>

Additionally, we can even block the agent using their first name and last name:
<pre>
iptables -A INPUT -m string --string 'Jaine' --algo bm -m string --string 'Mariolack' --algo bm -p tcp --dport 9000 -j DROP
</pre>

The result is that the viewer will time out while trying to teleport or while logging in.
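An added Python helper, not from this page or from the Wizardry and Steamworks article, covering both the gatekeeper log entry and the two iptables rules above: it parses the wrapped GATEKEEPER SERVICE entry, groups the accounts seen per hashed MAC (so a banned user who returns under a fresh account with the same hash stands out), and builds the DROP rules as strings for review rather than running them. The second log entry, Fresh Alt and its grid othergrid.example, is constructed.

```python
import re
import shlex
from collections import defaultdict

# Constructed sample: the gatekeeper entry quoted on the page (in its wrapped form)
# plus an invented second account that presents the same hashed MAC.
SAMPLE_LOG = """\
OpenSim.Services.HypergridService.GatekeeperService [GATEKEEPER SERVICE]:
Login request for Jaine Mariolack @ http://virtualrealmsgrid.com:8002/
(0a009e79-7c56-11e2-b122-000c76240986) at VIBE using viewer
Imprudence 1.3.2.0, channel Imprudence,
IP 109.112.128.89,
Mac d6812bb4d7625027d53c2e9715410caf,
Id0 dd76693a887c545f4d65c2ff2da3a4d7
Teleport Flags 0
OpenSim.Services.HypergridService.GatekeeperService [GATEKEEPER SERVICE]: Login request for Fresh Alt @ http://othergrid.example:8002/ (11111111-2222-3333-4444-555555555555) at VIBE using viewer Imprudence 1.3.2.0, channel Imprudence, IP 198.51.100.7, Mac d6812bb4d7625027d53c2e9715410caf, Id0 dd76693a887c545f4d65c2ff2da3a4d7 Teleport Flags 0
"""

# Tolerates the line wrapping seen in the log excerpt (\s+ between fields, re.S).
LOGIN = re.compile(
    r"Login request for (?P<first>\S+) (?P<last>\S+) @ (?P<home>\S+)\s+"
    r"\((?P<uuid>[0-9a-f-]{36})\).*?IP (?P<ip>[\d.]+),\s+Mac (?P<mac>[0-9a-f]{32}),"
    r"\s+Id0 (?P<id0>[0-9a-f]{32})", re.I | re.S)

def parse_logins(log_text):
    """One dict (first, last, home, uuid, ip, mac, id0) per gatekeeper login entry."""
    return [m.groupdict() for m in LOGIN.finditer(log_text)]

def accounts_by_mac(logins):
    """Group accounts (Name@home grid) by hashed MAC. Several accounts under one
    hash is the 'just create a new account' evasion the page warns about."""
    seen = defaultdict(set)
    for e in logins:
        seen[e["mac"].lower()].add(f'{e["first"]} {e["last"]}@{e["home"]}')
    return dict(seen)

def iptables_rules(entry, port=9000):
    """Return (not run) the two DROP rules from the page for one login entry.
    The name rule matches those substrings anywhere in a packet, so expect
    false positives; the 32-hex-digit hash is far more specific."""
    mac = entry["mac"].lower()
    if not re.fullmatch(r"[0-9a-f]{32}", mac):
        raise ValueError("hashed MAC is expected to be a 32-character hex digest")
    tail = f"-p tcp --dport {port} -j DROP"
    return [
        f"iptables -A INPUT -m string --string {shlex.quote(mac)} --algo bm {tail}",
        f"iptables -A INPUT -m string --string {shlex.quote(entry['first'])} --algo bm "
        f"-m string --string {shlex.quote(entry['last'])} --algo bm {tail}",
    ]
```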
Latest revision as of 02:13, 7 January 2023