SecurePlugin

Discussion in 'Plugin Requests' started by 123keelos, May 26, 2015.

Thread Status:
Not open for further replies.
  1. Offline

    123keelos

    Description

    It blocks any commands that let you see plugins. Also TAB completer should be blocked for /about, /ver, etc...

    Commands
    Doesn't have to be like this but...

    - /plsecure - Help command
    - /plsecure reload - Reload
    - /plsecure bypass <name> - Adds the player the permission (pex compatible)
    - /plsecure remove <name> - Removes player with the permission (pex compatible)

    Permissions

    plsecure.admin - All Admin commands

    Plugin Files

    Config

    The config should be similar

    enabled: true
    use-whitelist: true #Will not use permissions if enabled
    logging-enabled: false #Will use the log.txt
    prefix-enabled: true
    prefix: '&8[&9&lPluginSecurity&8)'
    deny-msg: '{prefix} &c&oPlugins are secured'

    Whitelist

    This is the whitelist if enabled in the config. Should look similar to this...

    - <uuid> | <playername>
    - 12232339sd87w89a6e | DeezNuhtz

    Logs

    This is the log who tried to see your plugins...

    - <playername>
    - Ashkar28
    - Ahkbar1
     
    Last edited: May 29, 2015
  2. Offline

    shades161

    Why not just use the default bukkit permissions? Give the default player group a negative node (for bperms its - ^bukkit.command.plugins) to prevent them from doing /plugins. And then just give the admin group bukkit.command.plugins if you want them to be able to use the command /plugins.
     
  3. Offline

    123keelos

    They can use tab
     
  4. Offline

    au2001

    @123keelos Not sure, if they don't have the permission for the command the hein shouldn't be able to use the tab completer...
     
  5. Offline

    AdamQpzm

    @123keelos I still don't understand why so many of these plugins exist, or why so many people want it. Why does it matter if people know what plugins you use? I assume you're going to come out with arguments like "but then people can see what plugins I have and make a server like mine" but don't.

    There are two possibilities: Either the plugins you're using are not available to the public, in which case the knowledge of what plugins you use is of no benefit to them, or you use publicly available plugins, in which case your approach to server management is wrong. If the only thing that makes your players play your server is the plugins you're using, then you're in for a rough time. Someone will be able to find similar - or even the same - plugins that you use, regardless of if you hide it or not. If they come here like you have, we'll even help them do it, because Minecraft servers were never intended to be closely guarded things, they were made to play with friends.

    So don't rely on the plugins you use to bring you members, especially if those plugins are public and made by other people. Don't try to hid what plugins you use, be open about it. That's what I did for the servers I've owned, and I've not had a problem with it at all. Sure some of the plugins I used were privately made, but not all of them were. In fact, I've even benefited from the openness before - I remember a player once telling me that an update was available for one of my plugins that had had a bug for a while, and was annoying people. I would have spotted it eventually, but I wasn't paying too close attention, so it might have been a while.

    Were my communities really popular? No, they weren't. But they were fun anyway. Did some people see the plugins I was using, and use them on their own servers? Of course they did. But it didn't affect me in the slightest. I never had somebody try to emulate my whole server, because what would have been the point? The plugins themselves weren't the fun part, they were merely enablers. The community made it fun, and knowing what plugins I used couldn't change that.
     
    Googlelover1234 and Irantwomiles like this.
  6. Offline

    au2001

    @AdamQpzm I personnally hide my plugin because some plugins contain exploitable bugs.
    For exemple, yesterday some players used a "feature" in ChestShop (AdminShop) to get free stuff.
    ChestShop is really easy to detect, so players can get free items/money, but some other plugins can also be used.
    Look, one of my friends had found a duplication glitch in one of the post used plugin for shops.
    Of course, I reported it the bug to the developpers, but my friend went on many servers, checked their plugins and gave himself tones of items.
    Note that this bug had been fixes since then, and is no longer working ^.^
    But don't forget to ban the player AdminShop if you are using ChestShop :)
    (Or you could simply change it/disable it in the plugin's config)

    It's pretty rare to have bugs in known plugins, but when there's one, players won't wait to use it.
    I don't say hidding plugins is bad, I just find it more "secure".

    Another reason for me to hide my plugins is that I use some names for my custom plugins that should stay private.
    For exemple, I've got some plugins that contain the ports of pur servers, and that would allow players to use any account they wanted (mine for exemple) and connect on our server. So they could be opped.
    I know I could change their names, but it's much easier for me to differciate them.

    Most servers don't have any reason to hide their plugins, that's true. But some do...
    And if this plugin is used to hide public plugins, then it's totally useless, I agree.
    But for custom/private plugins, it may be usefull... in some specific cases...

    The l'est thing I want to say is that server owners - and even regular players - do what they want...
    If they want their plugins hidden - and I don't say it's a good idea - they can, it's their choice :)
    Minecraft is a game where you do almost whatever you want, so why would we change that?

    @123keelos Even if they fan use tab, every body knows /pl, /version, /icanhasbukkit etc. exist...
    So why would you hide them? Not just disable them?
     
    123keelos likes this.
  7. Offline

    123keelos

    This os truee
     
  8. Offline

    AdamQpzm

    @au2001 Security through obscurity isn't really security. While I'll admit the 'known bugs exploiting' might be a possibility, it's not particularly likely, and they could test whether you have the plugin rather than just check. A lot of the time it wouldn't take long. And about the ports point.... are you being serious?! Is that your only line of defence against someone gaining OP on your server, that they don't know the port to unprotected servers? Offline mode is not safe for this very reason.

    1) Why the hell are you giving out these vital numbers in the plugin name? Couldn't you have just called the plugin something else? Like a code word?

    2) Do you have any idea how many ports there are? There are a number of them (over 65,000 of them) but it would be fairly straight forward to test all of these with a program. PM me your minecraft username and the IP to connect to, and I might just OP myself some point tonight.
     
  9. Offline

    au2001

    @AdamQpzm No, it isn't my only defense, I got IP checks in my custom plugin, of course ;)
    But still, I feel like it's just not secure :/
    My login plugin only works on my lobby server, so if they try to join while I'm updating my plugin (under whitelist, and lasts less than a second though), they could technically get control on my server.

    1) I just use these numbers to differentiate them, that's definitely a bad solution but I like it x)

    2) Hum, I prefer if you don't get opped on my server ;)
    And don't worry for my server, I just took that as an exemple... since I know some servers that work like that.
     
  10. Offline

    AdamQpzm

    @au2001 Either way it's not our place here at Bukkit to support offline mode servers, with the glaring security risks they have. So that arguments doesn't factor into why this plugin is necessary.
     
  11. Offline

    shades161

    @AdamQpzm not to mention most people already know the server port if the server doesn't have its out subdomain or is on a different port than the default 25565.
     
  12. Offline

    au2001

    @AdamQpzm Tones of plugins are unnecessary, but they still exist :p

    I think even if hiding our plugins is a bad idea, we should still be able to do so :)
     
  13. Offline

    timtower Moderator Moderator

  14. Offline

    au2001

  15. Offline

    AdamQpzm

    Why not use permissions?
     
  16. Offline

    au2001

    @AdamQpzm I guess @123keelos will add all his admins to the whitelist, and since they are the ones who will be able to use this command, I just made it that way.
    If he wants it changed though, it won't be hard for me...
     
  17. Offline

    123keelos

    Ehh makes it not unique. Plus bypaaslist looks better

    Thx :)
     
  18. Offline

    123keelos

    No one has made it yet :(
     
  19. Offline

    au2001

  20. Offline

    123keelos

    K thx testing...

    Hmm.. not yet good enough...

    @au2001

    - Whitelist needs to be in another file
    - Remove kick
    - Remove banning

    EDIT by Timtower: merged posts
     
    Last edited: May 30, 2015
  21. Offline

    au2001

    The log section is for this:
    Do you still want me to remove it?
     
    timtower likes this.
  22. Offline

    123keelos

    - Whitelist needs to be in another file
    - Remove kick
    - Remove banning

    ...also the {prefix} should overwrite everything. What is someone does &c{prefix}... the prefix shouldn't change colors :). By the way keep logs :)
     
  23. Offline

    au2001

    @123keelos I don't really understand what you mean by overwriting everything...
    If you put colors in the prefix, and you put {PREFIX} it will replace the colors by the

    In &c{PREFIX} Text
    Do you mean prefix would be in the normal colors that were set, and text in red?

    For the rest, you can redownload the plugin, I updated it :)
     
  24. Offline

    123keelos

    Still unfixed :/

    -----

    - Whitelist needs to be in another file
    - Remove kick
    - Remove banning
    - Add logs.txt

    Logs.txt

    - <name>
    - au2001
    - 123keelos
     
  25. Offline

    au2001

    @123keelos Try again, the upload might not have worked :S
    It's working on my test server bye the way...
     
    shades161 and 123keelos like this.
  26. Offline

    123keelos

    Try a reupload
     
  27. Offline

    au2001

    123keelos likes this.
  28. Offline

    123keelos

    K lemme try it

    :(. Still not fully complete.

    1] Tab completer is not blocked for the blocked-commands
    2] For the logging, it needs to be log.txt not SecurePlugin.txt

    EDIT: You can use ProtocolLib to block tab completer for the blocked commands :)

    EDIT by Timtower: merged posts
     
    Last edited by a moderator: May 31, 2015
  29. Offline

    au2001

    @123keelos Okay, I will try ProtocolLib :)

    And the file is SecurePlugin.log, not .txt ;)
    But I'll make it editable in the config :p
     
    123keelos likes this.
  30. Offline

    Syrianen

Thread Status:
Not open for further replies.

Share This Page