Proxies, inside jobs, phishing, verify names, and I haven't looked into it, but the passwords might be stored in an accessible (through hacking) location. Also, bad .exe's can do this, but unless you do "C:// Minecraft/minecraft-server, you are safe from that :tongue.gif:
passwords are encrypted, it doesn't matter if you find it or not, you still need the encryption algorithm.
lolwut? First of all, the only place passwords are stored is on the central Minecraft server. Notch has confirmed that it's encrypted and salted, I assume using MD5, though it may be another method. IT would be very easy to tell if someone hacked the database, and while there is no way to reverse engineer MD5 or other popular salted hashes, a brute force attack on all the hashes would be moderately fast and find the password. Because it's all local, it would be miles faster than brute forcing the webserver, and unable to be stopped.
Also, Notch has confirmed, and has yet to fix the cookie issue. Passwords are stored in your cookies in 100% plaintext, and any noob writing a cookie stealer can look them straight in the face. I've tried in the past to communicate the seriousness of this to Notch, and I think he got it. But what I said before about using an opnet and verify-names stands (verify-names -> op 100 of your usernames -> they op more of your alts). In which case, purge your admins.txt.
oh i think i will be fine i have a very good computer. i thought it would like because it can get hacked or something lol. can mindcraft servers get hacked into???
Sorry for the double, I'm replying to two posts.
No. There is no way to root a box running just a Minecraft server. As for hacks that are intended to make the game perform differently than it's supposed to, there are plenty of those. One can also cause all the players on your Minecraft server to be booted, but there's nothing that will adversely affect your box.
Seeing as he's new, dexter's script might be better.
EDIT:
Unless he has perl/JSON knowledge.
Hold on... you need Perl knowledge to use Adura's script? And JSON knowledge? I filled out the whole config without knowing a damn thing about Perl, and very little about regular expressions, as I'm sure Adura can testify.
Sorry this post took so long Adura, got a little tied up in some stuff today.
Feature Request: Auto IP Banning / Admin list banning
Here's my general outline. Of course these are all suggestions, and implementing them is 100% up to Adura (his script is not the only one this request can apply for, though it's the one I use and recommend for server admins, having not used the other ones).
The ban / banip systems will have to be segregated due to different methods of banning.
Here's my idea for the ban system:
The script pulls a txt from a pre-defined URL on a regular basis (say 5 minutes). It calculates the MD5 for this txt, and compares it to the one in a file. If the MD5 (or any other hash/comparison method) matches, it does nothing, as it assumes the execution is complete. If the hash (comparison) turns up a different file, it'll parse each one of the lines as an argument for a defined command.
Config probably looking something like (not written in JSON of course):
txt file, interval, command to use line for as arg
Which would pull bans.txt every 5 minutes, perform the check, and if it's different, execute each line as ban [x], followed by writing the new hash to the file.
This would also work for unban, which would of course require a separate file and therefore, line in the config.
Unfortunately, the ban-ip process has been made by Notch to be much more complicated. I'm thinking something along these lines... (try to follow me here).
Same getting process, but this time, if the hash is different, append the new lines to a file of one's choice (defined in the config). When the script starts, either remove all of the lines in that file, or add all of the lines in that file, based on what's described in the config. Then wipe the file (keep the hash of course).
Might have been hard to follow, so I'll provide to examples. The first is for banning the IPs.
Something like http://minecraft.net/banned-ip.txt, 300, /home/user/Minecraft/ipbansadd.txt, add, /home/user/Minecraft/[all]/banned-ip.txt
Would pull that file from the minecraft server every 5 minutes, append it to ipbansadd.txt locally if the hash differs, and append all of the lines in ipbansadd.txt to banned-ip.txt when the server is reset (in all subdirectories of Minecraft).
Unbanning would work much the same way, except possibly with remove rather than add.
I know that was all a bit long and unclear, I can surely clarify. Thanks for reading, and thanks for the support in general. Adura++ :biggrin.gif:
I posted in the other topic, will do so here also. Being on this list can constitute two servers out of the four requirements on the MAA OP list, and in addition I would be willing to work with Zachariasmith to offer a lower-requirement version for MAA. I'll do a full writeup on why I chose the requirements I did and why I preferred those, but I am certainly not opposed to variety.
I would be willing to work with Zacharia to make a more lax version of the admin list and feature that on the website also, but it would come with several warnings about reading the requirements first. Barring this, I'm willing to accept being on that list as two servers towards the mandatory four server credit.
http://redditpublic.com/ ... Good to see that they don't have the features I wasted all my time implementing (the players online is borked, I need to reset the server to have it be accurate again... :/)
Make sure you read the about page, and put any questions here.
We're now accepting server and OP applications.
About page copypaste:
What is Minecraft Admins Alliance?
Minecraft Admins Alliance is a way for Minecraft admins to communicate and share bans outside of the tools provided in the game. It strives to be exclusive in its ban sources, and ensure that a thorough approval and appeal process means all the bans that are pushed to the admins are not only legitimate, but safe.
Why?
We try to provide more efficient methods for griefer protection and prevention without impacting the level of play experienced by the average player. Our methods are all tested and non-intrusive into the server, unlike those with spawn prisons or the suggested permissions system, both of which impede creativity.
How is this organized?
Member servers are the only servers that can submit bans. Bans from these servers must be submitted with a reason for each ban, in the appropriate forum, whether it be IP or user. Servers must apply to become member servers and most servers will be denied. Bans are compiled into .txt files consisting of both new banlists and updates, and processes for servers to implement these bans will be clear at a later date. We are working with Adura of Adura's perl script to attempt to automate this process using his script. IP bans cannot be automated, so this will require work by the server administrator. Currency in banning and unbanning listed IPs will be checked often by our admins. We reserve the right to revoke membership if bans / unbans are not current within two days. Furthermore, all member servers have the right to use our +m tag in their server name to identify themselves, and for players to have a smoother experience. We will also be writing our own serverlist in order to prevent fakes. All servers that are not members, but are using our banlist, may use that -m tag.
What is the OP Application Section?
In addition to maintaining a banlist we are maintaining a universal OP list. We understand that as server admins it takes a tremendous leap of faith to op someone who they do not know in person, therefore, the OP requirements are extremely strict. Please don't complain if you're not accepted, I'm not even putting myself (AlLnAtuRalX) up for review for that list because I fail the requirements.
How do I apply?
Register an account and post an application as a new topic in the forum per the templates.
Communication?
#mcadmins on irc.esper.net, same network as #minecraft.
The forums here.
Imitation is rather annoying. Unfortunately. It can't be avoided on IRC cause there is no NickServ (didn't it die or something, that's what I read). As for in game, Notch will just have to come up with a less buggy Verify Names system that is always enabled and causes no problems for people.
It died because I msg'd C418 to alert him of it. As for verify-names, I believe that it should always be an option, as should all the other server settings.
0
lolwut? First of all, the only place passwords are stored is on the central Minecraft server. Notch has confirmed that it's encrypted and salted, I assume using MD5, though it may be another method. IT would be very easy to tell if someone hacked the database, and while there is no way to reverse engineer MD5 or other popular salted hashes, a brute force attack on all the hashes would be moderately fast and find the password. Because it's all local, it would be miles faster than brute forcing the webserver, and unable to be stopped.
Also, Notch has confirmed, and has yet to fix the cookie issue. Passwords are stored in your cookies in 100% plaintext, and any noob writing a cookie stealer can look them straight in the face. I've tried in the past to communicate the seriousness of this to Notch, and I think he got it. But what I said before about using an opnet and verify-names stands (verify-names -> op 100 of your usernames -> they op more of your alts). In which case, purge your admins.txt.
0
JDE? Do you mean JRE? Or possible JDK?
You need Sun JRE 6 in order to run the server. Check what version you have now.
0
Sorry for the double, I'm replying to two posts.
No. There is no way to root a box running just a Minecraft server. As for hacks that are intended to make the game perform differently than it's supposed to, there are plenty of those. One can also cause all the players on your Minecraft server to be booted, but there's nothing that will adversely affect your box.
0
Hold on... you need Perl knowledge to use Adura's script? And JSON knowledge? I filled out the whole config without knowing a damn thing about Perl, and very little about regular expressions, as I'm sure Adura can testify.
1
0
Feature Request: Auto IP Banning / Admin list banning
Here's my general outline. Of course these are all suggestions, and implementing them is 100% up to Adura (his script is not the only one this request can apply for, though it's the one I use and recommend for server admins, having not used the other ones).
The ban / banip systems will have to be segregated due to different methods of banning.
Here's my idea for the ban system:
The script pulls a txt from a pre-defined URL on a regular basis (say 5 minutes). It calculates the MD5 for this txt, and compares it to the one in a file. If the MD5 (or any other hash/comparison method) matches, it does nothing, as it assumes the execution is complete. If the hash (comparison) turns up a different file, it'll parse each one of the lines as an argument for a defined command.
Config probably looking something like (not written in JSON of course):
txt file, interval, command to use line for as arg
An example would be:
http://minecraft.net/bans.txt, 300, ban
Which would pull bans.txt every 5 minutes, perform the check, and if it's different, execute each line as ban [x], followed by writing the new hash to the file.
This would also work for unban, which would of course require a separate file and therefore, line in the config.
Unfortunately, the ban-ip process has been made by Notch to be much more complicated. I'm thinking something along these lines... (try to follow me here).
Same getting process, but this time, if the hash is different, append the new lines to a file of one's choice (defined in the config). When the script starts, either remove all of the lines in that file, or add all of the lines in that file, based on what's described in the config. Then wipe the file (keep the hash of course).
Might have been hard to follow, so I'll provide to examples. The first is for banning the IPs.
Something like
http://minecraft.net/banned-ip.txt, 300, /home/user/Minecraft/ipbansadd.txt, add, /home/user/Minecraft/[all]/banned-ip.txt
Would pull that file from the minecraft server every 5 minutes, append it to ipbansadd.txt locally if the hash differs, and append all of the lines in ipbansadd.txt to banned-ip.txt when the server is reset (in all subdirectories of Minecraft).
Unbanning would work much the same way, except possibly with remove rather than add.
I know that was all a bit long and unclear, I can surely clarify. Thanks for reading, and thanks for the support in general. Adura++ :biggrin.gif:
0
0
0
0
0
I don't see a reason to post in this topic then.
0
Edit - Fixed
0
0
Make sure you read the about page, and put any questions here.
We're now accepting server and OP applications.
About page copypaste:
What is Minecraft Admins Alliance?
Minecraft Admins Alliance is a way for Minecraft admins to communicate and share bans outside of the tools provided in the game. It strives to be exclusive in its ban sources, and ensure that a thorough approval and appeal process means all the bans that are pushed to the admins are not only legitimate, but safe.
Why?
We try to provide more efficient methods for griefer protection and prevention without impacting the level of play experienced by the average player. Our methods are all tested and non-intrusive into the server, unlike those with spawn prisons or the suggested permissions system, both of which impede creativity.
How is this organized?
Member servers are the only servers that can submit bans. Bans from these servers must be submitted with a reason for each ban, in the appropriate forum, whether it be IP or user. Servers must apply to become member servers and most servers will be denied. Bans are compiled into .txt files consisting of both new banlists and updates, and processes for servers to implement these bans will be clear at a later date. We are working with Adura of Adura's perl script to attempt to automate this process using his script. IP bans cannot be automated, so this will require work by the server administrator. Currency in banning and unbanning listed IPs will be checked often by our admins. We reserve the right to revoke membership if bans / unbans are not current within two days. Furthermore, all member servers have the right to use our +m tag in their server name to identify themselves, and for players to have a smoother experience. We will also be writing our own serverlist in order to prevent fakes. All servers that are not members, but are using our banlist, may use that -m tag.
What is the OP Application Section?
In addition to maintaining a banlist we are maintaining a universal OP list. We understand that as server admins it takes a tremendous leap of faith to op someone who they do not know in person, therefore, the OP requirements are extremely strict. Please don't complain if you're not accepted, I'm not even putting myself (AlLnAtuRalX) up for review for that list because I fail the requirements.
How do I apply?
Register an account and post an application as a new topic in the forum per the templates.
Communication?
#mcadmins on irc.esper.net, same network as #minecraft.
The forums here.
0
It died because I msg'd C418 to alert him of it. As for verify-names, I believe that it should always be an option, as should all the other server settings.