MantisBT - opensim
View Issue Details
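ID: 0008291
Project: opensim
Category: [GRID] Robust Server
View Status: public
Date Submitted: 2018-02-16 23:34
Last Update: 2018-07-13 07:12
Reporter: tampa
Assigned To: UbitUmarov
Priority: normal
Severity: feature
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version: master (dev code)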
 
Standalone (1 Region) , Standalone (Multiple Regions) , Grid (1 Region per Sim) , Grid (Multiple Regions per Sim)
Other
Unknown
None
0008291: Add ability for banning via mac address
Currently, although not documented, banning users can be done via their names or client names. This method works for both local and hypergrid users. However since names can be easily changed and viewer banning is not really effective either implementing another system for banning users would make sense.

The most obvious choice is the mac banning method described on the wiki, unfortunately said method only works on local users, hypergrid users retain the ability to visit even if their mac is blocked in iptables.

acircuit and login data both contain various information about the user, including their mac, which makes it fairly easy to create a list of banned mac addresses both login and gatekeeper can check against.

I choose not to use the regex system for this and instead opted for the system.Contains function, as matching may result in a set of macs to be banned. Contains should match the absolute parts of the list only.

There appears to have been an attempt to write a BanService in the past, however it is unclear from lack of documentation if said service actually functions. It also uses the circuit Id instead of just the mac. Which approach yields better results is unclear. Beyond even that, since macs, IPs and various other parts of the login or HG request can be easily switched out in the viewer I am led to believe that it would be very difficult to fully ban a user.

Regardless, I have implemented a way to add a list of banned mac addresses to the Robust.ini both in the LoginService and GatekeeperService.
For testing:

Fetch your mac string from the login or gatekeeper service (should both be the same anyways), and add inside the GateKeeper and LoginService section:

DeniedMacs = "YOURLONGMACTRSING ANOTHERMAC"

Keep spaces between each mac, do not use vertical bars e.g. | to separate the mac strings.

Attempt to login or hypergrid in to the grid, teleport should timeout and login should fail.
Both DeniedClients, AllowedClients, etc. seem to not be defined in the Robust.ini.example; however, I do have their definition and explanation in my version of said file and in the in-use Robust.ini. It would probably make sense to add this back into the file.

Patch file is attached, please excuse the slight mess in it. Tested on ZetaWorlds using local and foreign user with the same mac address.
No tags attached.
diff mac_banning.diff (12,280) 2018-02-16 23:34
http://opensimulator.org/mantis/file_download.php?file_id=4716&type=bug
diff mac-banning.diff (5,397) 2018-07-04 07:45
http://opensimulator.org/mantis/file_download.php?file_id=4729&type=bug
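The DeniedMacs check described in this report, as an added example (not the attached patch and not OpenSim code): it compares a substring test on the raw setting, which is an assumed reading of the `Contains` remark, with an exact match on whole space-separated entries. `DeniedMacsDemo`, its method names and all sample values are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;

// Added example, not the attached patch. All sample values are constructed.
static class DeniedMacsDemo
{
    // Assumed reading of the description: substring test on the raw setting.
    static bool SubstringDenied(string deniedMacs, string mac)
    {
        return deniedMacs.Contains(mac);
    }

    // Split the space-separated setting once into a case-insensitive set.
    static HashSet<string> ParseDeniedMacs(string deniedMacs)
    {
        var set = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        foreach (string entry in deniedMacs.Split(new[] { ' ' }, StringSplitOptions.RemoveEmptyEntries))
            set.Add(entry);
        return set;
    }

    // Exact match on a whole entry. An empty or missing mac is never a list
    // entry; whether such logins are refused is a separate policy decision.
    static bool ExactDenied(HashSet<string> denied, string mac)
    {
        return !string.IsNullOrWhiteSpace(mac) && denied.Contains(mac.Trim());
    }

    static void Main()
    {
        // Constructed 32-character strings standing in for viewer mac strings.
        string setting = "0123456789abcdef0123456789abcdef fedcba9876543210fedcba9876543210";
        HashSet<string> denied = ParseDeniedMacs(setting);

        string[] candidates =
        {
            "0123456789abcdef0123456789abcdef", // listed entry
            "0123456789ABCDEF0123456789ABCDEF", // same entry, different case
            "89abcdef",                         // fragment of a listed entry
            "",                                 // client sent no mac
            "00000000000000000000000000000000"  // not listed
        };

        foreach (string mac in candidates)
            Console.WriteLine("{0,-34} substring={1,-5} exact={2}",
                "\"" + mac + "\"", SubstringDenied(setting, mac), ExactDenied(denied, mac));
    }
}
```

The two checks disagree on the case-changed entry, the fragment and the empty string, which are the inputs worth testing against whichever form a deployment uses.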
Issue History
2018-02-16 23:34 | tampa | New Issue
2018-02-16 23:34 | tampa | File Added: mac_banning.diff
2018-02-16 23:34 | tampa | Status | new => patch included
2018-02-17 12:30 | Fredy Kyong | Note Added: 0032546
2018-02-17 12:35 | Fredy Kyong | Note Edited: 0032546 | bug_revision_view_page.php?bugnote_id=32546#r6549
2018-02-17 12:35 | Fredy Kyong | Note Edited: 0032546 | bug_revision_view_page.php?bugnote_id=32546#r6550
2018-02-17 12:36 | Fredy Kyong | Note Edited: 0032546 | bug_revision_view_page.php?bugnote_id=32546#r6551
2018-02-17 12:38 | Fredy Kyong | Note Edited: 0032546 | bug_revision_view_page.php?bugnote_id=32546#r6552
2018-02-17 15:51 | watcher64 | Note Added: 0032548
2018-06-16 06:59 | UbitUmarov | Note Added: 0032703
2018-07-04 05:01 | Fly-Man- | Note Added: 0032718
2018-07-04 07:45 | tampa | File Added: mac-banning.diff
2018-07-04 07:47 | tampa | Note Added: 0032723
2018-07-08 05:45 | UbitUmarov | Note Added: 0032740
2018-07-08 05:46 | UbitUmarov | Note Added: 0032741
2018-07-08 05:46 | UbitUmarov | Status | patch included => resolved
2018-07-08 05:46 | UbitUmarov | Resolution | open => fixed
2018-07-08 05:46 | UbitUmarov | Assigned To | => UbitUmarov

Notes
(0032546)
Fredy Kyong   
2018-02-17 12:30   
(edited on: 2018-02-17 12:38)
Won't really help when you use a CopyBot Viewer with proxy/mac masking. SL has the same problem. Only option: Close your sim for the public. When a bad guy has such tools he/she will always be able to get in otherwise.

(0032548)
watcher64   
2018-02-17 15:51   
That is really a poor attitude, just because there are armor piercing rounds, I guess we should make tanks out of paper, and bulletproof vests out of fishnets ..


I vote for this, not only this but possibly a wildcard IP/Grid Deny access list.
(0032703)
UbitUmarov   
2018-06-16 06:59   
Actually, the German Leopard I tank was made paper thin because of rounds' increased capabilities. It was made a mobile platform for a deadly 105mm gun (back then),
same for other tanks of its generation.

Long before that, body armor was totally abandoned in regular armies, made totally obsolete by guns and other armor-piercing weapons. In that case not even replaced by mobility, like we have seen in those compact infantry lines of the Napoleonic wars, for example.


Well, just a comment. :)
(0032718)
Fly-Man-   
2018-07-04 05:01   
I think this is def. worth implementing. Even if it keeps some people out of grids.

Codewise it looks decent enough to push into a branch @UbitUmarov
(0032723)
tampa   
2018-07-04 07:47   
I added the patch I now use for my fork rather than the messy one of my original development branch. This patch is tested and working in latest httptests.
(0032740)
UbitUmarov   
2018-07-08 05:45   
OK, I don't like it that much, but it's on master now.
Thanks :)
(0032741)
UbitUmarov   
2018-07-08 05:46   
patch applied on master