With cordite in the air, splintered steel, shell casings and powder burns, there’s only one explanation...
Game server information & questions.

Moderators: Joe Kari, Pardner, TheDoctor

A perl script for unbounded IP bans on Q3 based servers

Postby TheDoctor » Wed Sep 08, 2010 12:22 am

Here is a small perl script augmenting any Q3 based server with IP banlist functionality. Bans can be issued, tested and revoked via RCON. The script maintains a local list of black and white entries (bans and exceptions), which can be directly edited and gets re-read automatically. It also is able to follow a global list via FTP or HTTP.

This script needs to be configured (=edited) requiring the server address and the RCON passwort. Hosting it on the game server's computer is self suggesting, but not required. Any trustworthy person having access to a reliable server can host it for you.

Dependencies: LWP::Simple (since v3).

Handling: the script introduces two server variables: command and response. The cvar command defaults to "" and, if changed by a user, will be read and then resetted by the script. The result of the user's command will be saved in the cvar response and a broadcast informs of the command execution (without details).

Valid values for command are:
Code: Select all
add: IPPREFIX # COMMENT      -- adds an IPPREFIX to the black list (bans).
                                Example: set command add: 127.0. # loopback
add: +IPPREFIX # COMMENT     -- adds an IPPREFIX to the white list (exceptions).
                                Example: set command add: +127.0.0.1 # localhost
del: IPPREFIX                -- deletes any black list entries matching IPPREFIX.
                                Example: set command del: 127.
del: +IPPREFIX               -- deletes any white list entries matching IPPREFIX.
                                Example: set command del: +127.
test: IPPREFIX               -- tests if IPPREFIX is banned.
                                Example: set command test: 127.0.0.
password: NEWPASSWORD        -- updates the script's RCON password.
                                Example: set command password: iam2clever
The add: IPPREFIX # COMMENT command can be used to change the comment of existing lines, since a more general or equal IPPREFIX will substitute older, more specific entries. White list entries always override blacklist entries. For more information and further examples, refer to the help file.

A way to (permanently) start this script on a unix based server would be:
Code: Select all
nohup perl bans_by_ip.pl &> bans_by_ip.log&
Last edited by TheDoctor on Sat Mar 19, 2011 4:03 pm, edited 14 times in total.
User avatar
TheDoctor
Smokin' Amigo!
 
Posts: 820
Joined: Sun Jun 06, 2010 3:31 am



Postby TheDoctor » Sun Sep 19, 2010 6:40 pm

UPDATE #1: The script was somewhat successfully tested on Jeuxlinux. Thanks to rane and lululaglue for giving it a try and for their patience. However, it turned out the clientkick commands did not reach the server until some waiting time was added before and after them. Reason: RCON authorization takes some time and multiple commands in a short period of time are silently dropped. I've updated the script accordingly.

UPDATE #2: The script now re-initializes command and response as variables, e.g. after a server restart. Moreover, a command to remotely change the script's RCON password has been added. After this command successfully sets the response, it will use the new password and will not be able to connect to the server until the server's new password is in effect.

UPDATE #3: Major overhaul of the script global banlist functionality was added. The password command no longer logs the password. The RCON response to clientkick is now logged. Extensive comments were added and the sleeping time between rcon commands was refactored into the rcon() subroutine itself. Finally, native g_banIPs functionality via addIP/removeIP was added. Since this version, the modul LWP::Simple is required.

UPDATE #3.1: Found another embarrassing bug and eliminated it when trying to host this script for Rawhide.

UPDATE #4: A bad rcon password is now recognized and handled like a missed status query (triggering sleep phases). Instead of sleeping 4 seconds in every main loop iteration, the RCON socket is flushed for 4 seconds (to catch delayed/straying UDP packets).

UPDATE #5: Corrected the prefix check: dots "." are treated as any other character.

UPDATE #6: Revised error messages regarding missed status and failed global banlist updates, added (limited) GUID logging functionality (a player masks all other players of same name), fixed g_banips / IPPREFIX bug, added status_file support (an overview who is on the server and who recently connected, added optional g_banips import/delete functionality (see $manage_g_banips), slightly enhanced the logging of kicks (GUID and precise rule), whitelist functionality (entries of the form "+IPPREFIX # COMMENT")

REMARK: The current version supports also global banlists via FTP (e.g. ftp://username:password@host.tld/path/file.name). However, you probably need to set your shell environment variable FTP_PASSIVE to 1, which seems to be the only way to tell Perl (or it's module LWP:Simple) to default to passive FTP mode. This is necessary, since the active mode does not work if the script's host is protected by a firewall.

UPDATE #7/#8: Various bug fixes, some minor, some major! The script no longer uses "ceil" (which isn't a standard perl command, so it seems). Included an optional functionality to warn or kick players without a GUID. Added a child-proof lock for "del:" to prevent people from deleting their whole local banlist. Included support for an external configuration file (that's good, for updating or running several ban scripts for several servers). Fixed also a wrong initial value of the advertisment_index variable.
Last edited by TheDoctor on Wed Feb 29, 2012 2:22 am, edited 16 times in total.
User avatar
TheDoctor
Smokin' Amigo!
 
Posts: 820
Joined: Sun Jun 06, 2010 3:31 am



Postby Bodie » Sun Sep 19, 2010 10:24 pm

Thanks Doctor, for both explaining how it works and helping to add delays for commands to work. Lu installed the new version and I verified it works as intended. :-) (by banning myself!)

I will move all the bans there now, it will help quite a bit with resurfacing cheaters like L4ci who came back with aimbot today and whom we had no space to ban forever earlier.

It's awesome work and something that ought to be done to make SG better. If admins of other servers want the script - for example RAWHIDE seems to have had quite some trouble with too many bans, but don't feel very confident how to make it happen, I volunteer to help them install, configure and use it. So just ping me on IRC if you need a hand with it.
SG names: Bodie (aka mS // Donnie).
Admin on Jeuxlinux, RAWHIDE, #sg.wars and some other servers.
User avatar
Bodie
Jeuxlinux Admin
 
Posts: 633
Joined: Thu Mar 26, 2009 7:59 pm



Postby TheDoctor » Sun Sep 19, 2010 11:06 pm

Thanks for your positive feedback. If there are any problems with this script let me know.

On the one hand this script is just intended to be a temporary solution for the 12 IP banlist limit you had before. On the other hand, it is also a good example of what a real security framework written in an interpreted language (Perl or Python) could do for SG (admins).

Developing with Python or Perl is so much easier than to fumble around with ten years old legacy C code. And being a separate application, it can be bug fixed/updated/extended/restarted while the game server continues to operate (without all or most users even knowing what happened).
User avatar
TheDoctor
Smokin' Amigo!
 
Posts: 820
Joined: Sun Jun 06, 2010 3:31 am



Postby ReD NeCKersoN » Tue Sep 21, 2010 3:49 am

rane wrote:If admins of other servers want the script - for example RAWHIDE seems to have had quite some trouble with too many bans, but don't feel very confident how to make it happen, I volunteer to help them install, configure and use it.

I doubt my server provider would host & run this for RAWHIDE. I'd need a separate server to run it. Sounds like good work Doc.
User avatar
ReD NeCKersoN
SG Team
 
Posts: 3245
Joined: Wed Mar 27, 2002 6:22 am
Location: VA, USA



Postby Bodie » Tue Sep 21, 2010 8:03 am

Something is still odd on Jeux. It's like script can't set command and response variables to be existent in the server - so it keeps printing "command" to the console instead of actually getting a value.

Any idea what's wrong? Will adding command and response variables as empty to server.cfg fix it?
SG names: Bodie (aka mS // Donnie).
Admin on Jeuxlinux, RAWHIDE, #sg.wars and some other servers.
User avatar
Bodie
Jeuxlinux Admin
 
Posts: 633
Joined: Thu Mar 26, 2009 7:59 pm



Postby TheDoctor » Tue Sep 21, 2010 1:17 pm

rane wrote:It keeps printing "command" to the console instead of actually getting a value.

The only way I know to query the value of a variable is to send "rcon variable". However, if the variable is non-existent, variable is printed instead :roll: . Now, I should have caught this case and initialize the two variables (again). The script already does this when it starts, but I forgot Jeuxlinux is restarted every night.

rane wrote:Will adding command and response variables as empty to server.cfg fix it?

Yes, that is a very good idea. This will fix the problem, as variables don't go away.
User avatar
TheDoctor
Smokin' Amigo!
 
Posts: 820
Joined: Sun Jun 06, 2010 3:31 am



Postby sparcdr » Fri Sep 24, 2010 3:19 pm

ReD NeCKersoN wrote:I doubt my server provider would host & run this for RAWHIDE. I'd need a separate server to run it. Sounds like good work Doc.
Most hosts allow Perl, they advertise it as CGI-Bin support. If it's only slot-based, you'd need a webserver and a few modifications to the script to get around limitations to manage it though, at least on most the cheap hosts. This merely shows to people the value of buying a decent VPS or dedicated and the deficiency of managed hosts and their control over what you run due to pre-notions their staff have.
sparcdr
SG Team
 
Posts: 334
Joined: Wed Jun 13, 2007 3:41 pm



Postby TheDoctor » Fri Sep 24, 2010 5:36 pm

ReD NeCKersoN wrote:I'd need a separate server to run it.

I've added a command to remotely update the script's RCON password. If you entrust Biondo with Rawhide's RCON password, BB can host the script for your server.

This offer extends to any other SG server, assuming manual intervention is not required too often.
User avatar
TheDoctor
Smokin' Amigo!
 
Posts: 820
Joined: Sun Jun 06, 2010 3:31 am



Postby mLy! » Fri Sep 24, 2010 7:03 pm

Can we not have the same script for all (or some of ) the servers? that way every server has the same banlist.

This is how anti cheat tools in other games work, once busted you are banned from any server with the anti scheat tool.

If a player breaks specific server rules they can still be IP banned from that server only
My Latest fragmovies:
Winning BB cup
User avatar
mLy!
Gunslinger
 
Posts: 218
Joined: Wed Feb 11, 2009 8:46 pm



Postby sparcdr » Fri Sep 24, 2010 7:21 pm

Yes you could have the script compile a ban database and have each server periodically retrieve lists from each other using a socket to transmit a data payload, then compare the lists and insert the new differences. Though security practices, load issues may come up by doing this.
sparcdr
SG Team
 
Posts: 334
Joined: Wed Jun 13, 2007 3:41 pm



Postby TheDoctor » Fri Sep 24, 2010 8:26 pm

mLy! wrote:Can we not have the same script for all (or some of ) the servers? that way every server has the same banlist.

Technically, everything is possible. The easiest way would be to use the same host (and the same banlist file) for all instances of this script. Aside from rare timing issues, this should be even possible with the current version.

Apart from how this is solved technically, the question arises whether you would blindly accept bans from a centralized instance, especially if the bans can be issued by any participating server (or their admins, to be precise). Unfortunately, there is no best practice to determine the IP address segments to be banned for a given offender.

Apparently, we first have to discuss what we want and what we can agree on. What we currently have is a manual exchange of demos/information. Which bans are taken over and how they are enforced is at the discretion of each server's team.
User avatar
TheDoctor
Smokin' Amigo!
 
Posts: 820
Joined: Sun Jun 06, 2010 3:31 am



Postby ReD NeCKersoN » Fri Sep 24, 2010 8:54 pm

TheDoctor wrote:If you entrust Biondo with Rawhide's RCON password, BB can host the script for your server.

Thanks Doc. I'll give it some thought.
User avatar
ReD NeCKersoN
SG Team
 
Posts: 3245
Joined: Wed Mar 27, 2002 6:22 am
Location: VA, USA



Postby sparcdr » Sat Sep 25, 2010 12:09 am

TheDoctor wrote:Apart from how this is solved technically, the question arises whether you would blindly accept bans from a centralized instance, especially if the bans can be issued by any participating server (or their admins, to be precise).
That's why usage is accountability and proliferating email to all interested parties for each deleted or added entry would be required in addition to a timestamped and checksumed commit log. Using subversion itself may be a more worthwhile avenue against blatant human loophole concerns. I didn't tackle the centralized monster and suggested a socket-based seeding approach for appendage and churning purposes on each machine.
sparcdr
SG Team
 
Posts: 334
Joined: Wed Jun 13, 2007 3:41 pm



Postby Bodie » Sat Sep 25, 2010 2:09 am

Mly is right. In the long run we could host all those scripts here on s-g.net and have a centralised mutually-agreed list of cheaters shared between them (we have a thread for that agreeing already) - so when someone is caught cheating he's banned on all the participating servers - including for example smokinguns.fr, jeux, rawhide, baller, sg.wars, fail or bacon servers, and whoever else wants to sign up. This would really damage careers of some of the migrant cheaters who don't really care for lag and can ab in rawhide almost as effectively as they ab-ed elsewhere.

All admins would need to do would be volunteering rcon password to whoever has root here - which I think isn't a huge threat to their security. :-) Since admin persons overlap on many of those servers it wouldn't take long to set it up.

To address fairness issue, we can just remove command/response from script and simply take a vote on each demo and put people in banlist.txt by hand according to the result. We have a crowd of people here who can tell cheat from legit player with just a glance...
SG names: Bodie (aka mS // Donnie).
Admin on Jeuxlinux, RAWHIDE, #sg.wars and some other servers.
User avatar
Bodie
Jeuxlinux Admin
 
Posts: 633
Joined: Thu Mar 26, 2009 7:59 pm



Next

Return to Telegraph Station

Show Sidebar
Show Sidebar

User Control Panel