Found out that MaxPrims are only honored in regions.ini if the Module PrimLimitsModule is activated in permissions in the OpenSim.ini. <div><br></div><div>Right now I am still trying to figure out how to force the software to kick or ban someone from a region. That seems to be a pretty big hole but I dont know if there is something in the configuration I am missing or what. I know some of the god tools are not working, wondering if this is related at all, but probably not. <br>
<br><div class="gmail_quote">On Mon, Oct 8, 2012 at 9:17 PM, Justin Clark-Casey <span dir="ltr"><<a href="mailto:jjustincc@googlemail.com" target="_blank">jjustincc@googlemail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Prim limits should be respected when set in Regions.ini. If not, then that's a reportable bug.<br>
<br>
You can also set prim limits per parcel in the viewer which is a different mechanism.<div class="im"><br>
<br>
On 08/10/12 13:15, James Stallings II wrote:<br>
</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">
To summarize:<br>
<br>
- No SQL server needs to be accessible over the network except in the event of a 'special case' (e.g., an<br>
externally-hosted web front end).<br>
- No other ports but 8002 in a standard or default ROBUST configuration need be accessible to the viewer-based end user.<br>
- The keys were removed by consensus because they provided *no* security.<br>
<br>
Joshua:<br>
Use the similar settings in the OpenSim.ini file, the one's in the Region.ini file should be removed.<br>
<br>
<br>
Cheers<br>
James/Hiro<br>
<a href="http://SimHost.com" target="_blank">http://SimHost.com</a><br>
<br>
<br></div><div class="im">
On Mon, Oct 8, 2012 at 3:01 AM, Joshua Rubeck <<a href="mailto:jrubeck1989@gmail.com" target="_blank">jrubeck1989@gmail.com</a> <mailto:<a href="mailto:jrubeck1989@gmail.com" target="_blank">jrubeck1989@gmail.com</a>><u></u>> wrote:<br>
<br>
Thanks for the info guys, that was very helpful. One of the other things we were having issues with is the MaxPrims<br>
setting in the region INI files. Clearly this setting is available, however it does not appear to work. I am sure on<br>
my grids this is not an issue after all OpenSimulator is usually used to eliminate many of the restrictions SL has.<br>
However for us we are trying to follow the same style of region and prims counts as SL for the sole reason that it<br>
appears to be more cost effective in terms of resources. I mean we can have more regions on Server A if each region<br>
is limited to 15k prim, where as Server B can only host a few safely without thos limitations. Any idea how to make<br>
sure the software enforces the max prim limitations?<br>
<br>
<br></div><div><div class="h5">
On Sun, Oct 7, 2012 at 10:12 PM, Tom Haines <<a href="mailto:hainest@gmail.com" target="_blank">hainest@gmail.com</a> <mailto:<a href="mailto:hainest@gmail.com" target="_blank">hainest@gmail.com</a>>> wrote:<br>
<br>
Blocking port 8003 on the firewall to block unauthorized regions doesn't work if you have an external<br>
organization that hosts a region server that connects to your grid and has OpenSim users both NATing to the same<br>
IP address. And situations like this tend to pop up for political, and not technical reasons, which means there<br>
is little recourse for the grid operator.<br>
<br>
I've considered SSH tunneling for the 8003 connection, but have not had a chance to experiment.<br>
<br>
And to confirm, there is no communication directly between viewer and SQL server. The database will, and should<br>
be run unexposed to the end user.<br>
<br>
<br>
On Sunday, October 7, 2012, wrote:<br>
<br>
Further to this i understand there should be no reason for a normal viewer<br>
to talk directly to the SQL server. It is all done via the simulator.<br>
<br>
As such it would be feasible to set your SQL server to only allow your<br>
OpenSim users to authenticate from servers you run (usually by IP or<br>
FQDN). There should always be a focus on security but I would imagine all<br>
these factors would make it at least very difficult for someone to<br>
casually connect a simulator to your grid even without additional<br>
authentication in OpenSim.<br>
<br>
<br>
<br>
> unless there have been profound recent changes in the OS services<br>
> connectors structure that i've failed to notice (which is QUITE<br>
> possible), all end-user accessibility is handled by port 8002 and the<br>
> rest (connection services) is governed by port 8003 (in a standard<br>
> ROBUST based grid setup). therefore, placing :8003 behind your firewall<br>
> (thus preventing 'unauthorized' outside users from attaching to your<br>
> grid services) should not interfere with public/open access via viewers<br>
> on :8002 which would remain outside the firewall. afaik, this is the<br>
> only reliable and in my experience completely effective solution to the<br>
> problem.<br>
><br>
> i also believe the security key function was removed by concensus as it<br>
> didn't provide any hardcore security.<br>
><br>
> hope this helps and is remotely correct in it's technical assumptions -<br>
> or at least follows the path your concerns and argument were headed...<br>
><br>
> - core<br>
><br>
> On 10/7/2012 11:50 AM, Tom Haines wrote:<br>
>> I disagree that this should not be considered a concern. Under this<br>
>> security model, anyone with the information to connect to the grid as<br>
>> a user has enough information to connect a region to the grid.<br>
>><br>
>> I am concerned with this as an operator of an educational grid. We<br>
>> offer our services to students and educators with the understanding<br>
>> that we can limit the objectionable content they would be exposed to<br>
>> in SL or other public OpenSim grids. Obviously if anyone can connect<br>
>> their own regions without authorization from the grid operators, our<br>
>> ability to offer this service is compromised.<br>
>><br>
>> I know there were pass keys used in the past to authenticate regions,<br>
>> but I believe this functionality has been removed. I haven't seen<br>
>> anything on the website regarding this. I've read before that<br>
>> firewalls are the best defense, but this is untenable, since our usage<br>
>> requirements demand controlled access by region operators, but open<br>
>> access to end users from heterogeneous network environments.<br>
>><br>
>> Could someone weigh in with the official line on this?<br>
>><br>
>> On Sunday, October 7, 2012, Fleep Tuque wrote:<br>
>><br>
>> Hi Josh,<br>
>><br>
>> As far as I know, in order to connect a region to your grid,<br>
>> someone would need to know all the connection details and unless<br>
>> you provide that information, I'm not sure how anyone would know<br>
>> how to or be able to connect to your grid. FleepGrid has been<br>
>> running for nearly 2 years and I've never seen any attempts to<br>
>> connect a rogue region as far as I know, so I'm not sure it's much<br>
>> of a concern.<br>
>><br>
>> I'll let someone with more knowledge of the possible configuration<br>
>> options address any .ini settings that you might be able to use to<br>
>> disable region connections, but if this is a security issue or<br>
>> problem, it's the first I've heard of it.<br>
>><br>
>> Sincerely,<br>
>><br>
>> - Chris/Fleep<br>
>><br>
>> Chris M. Collins (SL/OS: Fleep Tuque)<br>
>> Center for Simulations & Virtual Environments Research (UCSIM)<br>
>> UCIT Instructional & Research Computing<br>
>> University of Cincinnati<br>
>> 406A Zimmer Hall<br>
>> 315 College Drive<br>
>> PO BOX 210088<br>
>> Cincinnati, OH 45221-0088<br>
>> <a href="mailto:chris.collins@uc.edu" target="_blank">chris.collins@uc.edu</a> <javascript:_e({}, 'cvml',<br>
>> '<a href="mailto:chris.collins@uc.edu" target="_blank">chris.collins@uc.edu</a>');><br></div></div>
>> <a href="tel:%28513%29%20556-3018" value="+15135563018" target="_blank">(513) 556-3018</a> <tel:%28513%29%20556-3018><div><div class="h5"><br>
>><br>
>> <a href="http://ucsim.uc.edu" target="_blank">http://ucsim.uc.edu</a><br>
>><br>
>> On Sun, Oct 7, 2012 at 9:52 AM, Joshua Rubeck<br>
>> <<a href="mailto:jrubeck1989@gmail.com" target="_blank">jrubeck1989@gmail.com</a> <javascript:_e({}, 'cvml',<br>
>> '<a href="mailto:jrubeck1989@gmail.com" target="_blank">jrubeck1989@gmail.com</a>');>> wrote:<br>
>><br>
>> Okay so here is a question for everyone. Myself and a few<br>
>> others are setting up a grid for public use, but we do not<br>
>> want other people to be able to connect their regions on a<br>
>> home based computer to our grid. One of my friends remembers<br>
>> that there used to be a setting that would prevent an<br>
>> opensimulator instance from connectiong to robust without<br>
>> authentication but I cannot find that in the configuration<br>
>> files. Is there a configuration that allows us to run a public<br>
>> grid without other people being able to connect their regions<br>
>> to our gird.<br>
>> ______________________________<u></u>_________________<br>
>> Opensim-users mailing list<br>
>> <a href="mailto:Opensim-users@lists.berlios.de" target="_blank">Opensim-users@lists.berlios.de</a> <javascript:_e({}, 'cvml',<br>
>> '<a href="mailto:Opensim-users@lists.berlios.de" target="_blank">Opensim-users@lists.berlios.<u></u>de</a>');><br>
>> <a href="https://lists.berlios.de/mailman/listinfo/opensim-users" target="_blank">https://lists.berlios.de/<u></u>mailman/listinfo/opensim-users</a><br>
>><br>
>><br>
>><br>
>><br>
>> ______________________________<u></u>_________________<br>
>> Opensim-users mailing list<br>
>> <a href="mailto:Opensim-users@lists.berlios.de" target="_blank">Opensim-users@lists.berlios.de</a><br>
>> <a href="https://lists.berlios.de/mailman/listinfo/opensim-users" target="_blank">https://lists.berlios.de/<u></u>mailman/listinfo/opensim-users</a><br>
><br>
> ______________________________<u></u>_________________<br>
> Opensim-users mailing list<br>
> <a href="mailto:Opensim-users@lists.berlios.de" target="_blank">Opensim-users@lists.berlios.de</a><br>
> <a href="https://lists.berlios.de/mailman/listinfo/opensim-users" target="_blank">https://lists.berlios.de/<u></u>mailman/listinfo/opensim-users</a><br>
<br>
<br>
______________________________<u></u>_________________<br>
Opensim-users mailing list<br>
<a href="mailto:Opensim-users@lists.berlios.de" target="_blank">Opensim-users@lists.berlios.de</a><br>
<a href="https://lists.berlios.de/mailman/listinfo/opensim-users" target="_blank">https://lists.berlios.de/<u></u>mailman/listinfo/opensim-users</a><br>
<br>
<br>
______________________________<u></u>_________________<br>
Opensim-users mailing list<br></div></div>
<a href="mailto:Opensim-users@lists.berlios.de" target="_blank">Opensim-users@lists.berlios.de</a> <mailto:<a href="mailto:Opensim-users@lists.berlios.de" target="_blank">Opensim-users@lists.<u></u>berlios.de</a>><div class="im">
<br>
<a href="https://lists.berlios.de/mailman/listinfo/opensim-users" target="_blank">https://lists.berlios.de/<u></u>mailman/listinfo/opensim-users</a><br>
<br>
<br>
<br>
______________________________<u></u>_________________<br>
Opensim-users mailing list<br></div>
<a href="mailto:Opensim-users@lists.berlios.de" target="_blank">Opensim-users@lists.berlios.de</a> <mailto:<a href="mailto:Opensim-users@lists.berlios.de" target="_blank">Opensim-users@lists.<u></u>berlios.de</a>><div class="im">
<br>
<a href="https://lists.berlios.de/mailman/listinfo/opensim-users" target="_blank">https://lists.berlios.de/<u></u>mailman/listinfo/opensim-users</a><br>
<br>
<br>
<br>
<br>
--<br>
==============================<u></u>=====<br>
<a href="http://simhost.com" target="_blank">http://simhost.com</a><br>
<a href="http://twitter.com/jstallings2" target="_blank">http://twitter.com/jstallings2</a><br>
<a href="http://www.linkedin.com/pub/5/770/a49" target="_blank">http://www.linkedin.com/pub/5/<u></u>770/a49</a><br>
<br>
<br>
______________________________<u></u>_________________<br>
Opensim-users mailing list<br>
<a href="mailto:Opensim-users@lists.berlios.de" target="_blank">Opensim-users@lists.berlios.de</a><br>
<a href="https://lists.berlios.de/mailman/listinfo/opensim-users" target="_blank">https://lists.berlios.de/<u></u>mailman/listinfo/opensim-users</a><br>
<br>
</div></blockquote><span class="HOEnZb"><font color="#888888">
<br>
<br>
-- <br>
Justin Clark-Casey (justincc)<br>
OSVW Consulting<br>
<a href="http://justincc.org" target="_blank">http://justincc.org</a><br>
<a href="http://twitter.com/justincc" target="_blank">http://twitter.com/justincc</a></font></span><div class="HOEnZb"><div class="h5"><br>
______________________________<u></u>_________________<br>
Opensim-users mailing list<br>
<a href="mailto:Opensim-users@lists.berlios.de" target="_blank">Opensim-users@lists.berlios.de</a><br>
<a href="https://lists.berlios.de/mailman/listinfo/opensim-users" target="_blank">https://lists.berlios.de/<u></u>mailman/listinfo/opensim-users</a><br>
</div></div></blockquote></div><br></div>