MantisBT - opensim
View Issue Details
0008291 | opensim | [GRID] Robust Server | public | 2018-02-16 23:34 | 2019-02-06 11:28
master (dev code) 
Standalone (1 Region) , Standalone (Multiple Regions) , Grid (1 Region per Sim) , Grid (Multiple Regions per Sim)
0008291: Add ability for banning via mac address
Currently, although not documented, banning users can be done via their names or client names. This method works for both local and hypergrid users. However, since names can be easily changed and viewer banning is not really effective either, implementing another system for banning users would make sense.

The most obvious choice is the mac banning method described on the wiki; unfortunately, said method only works on local users, and hypergrid users retain the ability to visit even if their mac is blocked in iptables.

acircuit and login data both contain various information about the user, including their mac, which makes it fairly easy to create a list of banned mac addresses both login and gatekeeper can check against.

I chose not to use the regex system for this and instead opted for the system.Contains function, as matching may result in a set of macs to be banned. Contains should match the absolute parts of the list only.

There appears to have been an attempt to write a BanService in the past, however it is unclear from lack of documentation if said service actually functions. It also uses the circuit Id instead of just the mac. Which approach yields better results is unclear. Beyond even that, since macs, IPs and various other parts of the login or HG request can be easily switched out in the viewer I am led to believe that it would be very difficult to fully ban a user.

Regardless, I have implemented a way to add a list of banned mac addresses to the Robust.ini both in the LoginService and GatekeeperService.
For testing:

Fetch your mac string from the login or gatekeeper service (should both be the same anyways), and add inside the GateKeeper and LoginService section:


Keep spaces between each mac, do not use vertical bars e.g. | to separate the mac strings.

Attempt to log in or hypergrid in to the grid; teleport should time out and login should fail.
Both DeniedClients, AllowedClients, etc. seem to not be defined in the Robust.ini.example; however, I do have their definition and explanation in my version of said file and in the in-use Robust.ini. It would probably make sense to add this back into the file.

Patch file is attached, please excuse the slight mess in it. Tested on ZetaWorlds using local and foreign user with the same mac address.
No tags attached.
diff mac_banning.diff (12,280) 2018-02-16 23:34
diff mac-banning.diff (5,397) 2018-07-04 07:45
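Added example (not part of the original report and not the code in the attached patch): assuming the deny check is a plain substring test of the client's mac string against the raw space-separated setting, the Python below compares that with a whole-entry match and rejects a `|`-separated list at load time. Python's `in` stands in for .NET `String.Contains`; all function names and mac values are constructed for illustration.

```python
# Added illustration; names and sample values are constructed, not from OpenSim.

# Constructed setting value: entries separated by spaces, as the report requires.
DENIED_MACS = "0123456789abcdef0123456789abcdef fedcba9876543210fedcba9876543210"


def denied_by_substring(denied: str, mac: str) -> bool:
    """Assumed Contains-style check: substring test on the raw config string."""
    return mac in denied


def parse_denied(denied: str) -> frozenset:
    """Split the setting on whitespace; refuse entries glued together with '|'."""
    tokens = denied.split()
    for tok in tokens:
        if "|" in tok:
            raise ValueError(f"entry {tok!r} contains '|'; separate macs with spaces")
    return frozenset(tokens)


def denied_by_token(denied_set: frozenset, mac: str) -> bool:
    """Whole-entry match; an empty or missing client value never matches."""
    mac = (mac or "").strip()
    return bool(mac) and mac in denied_set


def compare(denied: str, samples):
    """Return (mac, substring_result, token_result) for each sample value."""
    denied_set = parse_denied(denied)
    return [(m, denied_by_substring(denied, m), denied_by_token(denied_set, m))
            for m in samples]


# Constructed client values covering the cases where the two checks differ.
SAMPLES = [
    "0123456789abcdef0123456789abcdef",  # listed entry
    "89abcdef",                          # fragment of a listed entry
    "",                                  # client sent no value
    "00000000000000000000000000000000",  # not listed
]

if __name__ == "__main__":
    for mac, sub, tok in compare(DENIED_MACS, SAMPLES):
        print(f"{mac!r:36} substring={sub!s:5} whole-entry={tok}")
```

The substring check denies the fragment and the empty value even though neither is listed, so unrelated users can be locked out; the whole-entry check denies only the listed entry.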
Issue History
2018-02-16 23:34 | tampa | New Issue
2018-02-16 23:34 | tampa | File Added: mac_banning.diff
2018-02-16 23:34 | tampa | Status: new => patch included
2018-02-17 12:30 | Fredy Kyong | Note Added: 0032546
2018-02-17 12:35 | Fredy Kyong | Note Edited: 0032546
2018-02-17 12:35 | Fredy Kyong | Note Edited: 0032546
2018-02-17 12:36 | Fredy Kyong | Note Edited: 0032546
2018-02-17 12:38 | Fredy Kyong | Note Edited: 0032546
2018-02-17 15:51 | BillBlight | Note Added: 0032548
2018-06-16 06:59 | UbitUmarov | Note Added: 0032703
2018-07-04 05:01 | Fly-Man- | Note Added: 0032718
2018-07-04 07:45 | tampa | File Added: mac-banning.diff
2018-07-04 07:47 | tampa | Note Added: 0032723
2018-07-08 05:45 | UbitUmarov | Note Added: 0032740
2018-07-08 05:46 | UbitUmarov | Note Added: 0032741
2018-07-08 05:46 | UbitUmarov | Status: patch included => resolved
2018-07-08 05:46 | UbitUmarov | Resolution: open => fixed
2018-07-08 05:46 | UbitUmarov | Assigned To: => UbitUmarov
2019-02-06 11:28 | BillBlight | Note Added: 0034386
2019-02-06 11:28 | BillBlight | Status: resolved => closed

Fredy Kyong   
2018-02-17 12:30   
(edited on: 2018-02-17 12:38)
Won't really help when you use a CopyBot Viewer with proxy/mac masking. SL has the same problem. Only option: Close your sim for the public. When a bad guy has such tools he/she will always be able to get in otherwise.

2018-02-17 15:51   
That is really a poor attitude, just because there are armor piercing rounds, I guess we should make tanks out of paper, and bulletproof vests out of fishnets ..

I vote for this, not only this but possibly a wildcard IP/Grid Deny access list.
2018-06-16 06:59   
Actually, the German Leopard I tank was made paper thin because of rounds' increased capabilities. It was made a mobile platform for a deadly 105mm gun (back then);
same for other tanks of its generation.

Long before that, body armor was totally abandoned in regular armies, made totally obsolete by guns and other armor piercing weapons. In that case not even replaced by mobility, like we have seen on those compact infantry lines of the Napoleonic wars for example.

Well, just a comment. :)
2018-07-04 05:01   
I think this is def. worth implementing. Even if it keeps some people out of grids.

Codewise it looks decent enough to push into a branch @UbitUmarov
2018-07-04 07:47   
I added the patch I now use for my fork rather than the messy one of my original development branch. This patch is tested and working in latest httptests.
2018-07-08 05:45   
ok, I don't like it that much, but on master now
Thanks :)
2018-07-08 05:46   
patch applied on master
2019-02-06 11:28   
Marked as Resolved but never closed, can be reopened if needed.