Completed please delete

Discussion in 'Plugins' started by ponktacology, Jan 30, 2020.

Thread Status:
Not open for further replies.
  1. ponktacology

    ponktacology Member Disabled Account

    Messages:
    14
    Reactions:
    +5
    please delete
     
    Last edited: Feb 16, 2020 at 12:01 PM
  2. NV6

    NV6 epic niteman Premium

    Messages:
    271
    Reactions:
    +127
    i love u
     
  3. autofocuses

    autofocuses i write code Premium

    Messages:
    29
    Reactions:
    +3
    2 questions,

    1. whenever you (let's say) blacklist someone, will the color of the player's rank show? Like, is there a placeholder for it (%color%)?
    2. what IntelliJ theme is that?
    --- Double Post Merged, Jan 31, 2020 ---
    and also glws
     
  4. OP
    OP
    ponktacology

    ponktacology Member Disabled Account

    Messages:
    14
    Reactions:
    +5
    yep, it will show color of the rank + player name

    it's
     
  5. autofocuses

    autofocuses i write code Premium

    Messages:
    29
    Reactions:
    +3
    vouch

    glws
     
  6. Eric

    Eric Inactive Ultimate Supreme Premium

    Minecraft Accounts: PluginSupport
    Messages:
    1,902
    Reactions:
    +1,615
    Storing IPs is not recommended. You should hash the IPs before storing, in case of a rogue staff member or data breach.
     
  7. Fozzie

    Fozzie Developer Supreme Premium

    Minecraft Accounts: Fozzie
    Messages:
    106
    Reactions:
    +14
    What hashing algorithm are you proposing? It is very simple to brute force hashed IP addresses. Let's say you store them in bcrypt, which is a smart choice as it is quite slow, so it is good for this explanation. 8x NVIDIA Tesla V100s, which I'm sure you can find on Google Cloud or AWS for fairly cheap (if not free if you take advantage of GCP's free credit), will calculate 434,200 hashes a second (https://github.com/siseci/hashcat-b...r/8x Tesla V100 p3.16xlarge Hashcat Benchmark). There are 4 billion possible IPv4 addresses, which means it will take 9212 seconds, or about 2.5 hours, to brute force every possible IPv4 address.
     
    Last edited: Feb 3, 2020
  8. Eric

    Eric Inactive Ultimate Supreme Premium

    Minecraft Accounts: PluginSupport
    Messages:
    1,902
    Reactions:
    +1,615
    Hash + salt + pepper prevents you from being able to do this easily.
    --- Double Post Merged, Feb 3, 2020 ---
    In fact, all you'll need is to pepper the raw IP with a value; that way he can still do relational IP checks.
     
    Last edited: Feb 3, 2020
  9. Fozzie

    Fozzie Developer Supreme Premium

    Minecraft Accounts: Fozzie
    Messages:
    106
    Reactions:
    +14
    All bcrypt hashes are salted. Salting an IP address will not prevent brute forcing, as the salt will be stored alongside the IP address. If you do not store the salt, you will be creating a new hash each time a player logs in, which would be useless.

    I also don’t know what you mean by “peppering”.
     
    Last edited: Feb 3, 2020
  10. Eric

    Eric Inactive Ultimate Supreme Premium

    Minecraft Accounts: PluginSupport
    Messages:
    1,902
    Reactions:
    +1,615
    You seem to have failed to understand the point of salting: it's to prevent premade rainbow table lookups. Peppering appends/prepends a hardcoded or jar-specific string to the IP address BEFORE HASHING, which is unknown to the attacker. This way, it can't be brute forced easily.
    --- Double Post Merged, Feb 3, 2020 ---
    https://en.wikipedia.org/wiki/Pepper_(cryptography)
     
    Last edited: Feb 3, 2020
  11. Fozzie

    Fozzie Developer Supreme Premium

    Minecraft Accounts: Fozzie
    Messages:
    106
    Reactions:
    +14
    I know what a salt is, and what I'm explaining is not a rainbow table; you would input your hashes and then calculate 4 billion hashes with the salts to compare them. If the pepper is included in the jar file, what's to stop the bad actor from simply downloading the jar file and extracting the pepper? Note: string obfuscation would do nothing here.
     
  12. Eric

    Eric Inactive Ultimate Supreme Premium

    Minecraft Accounts: PluginSupport
    Messages:
    1,902
    Reactions:
    +1,615
    You're assuming here that the bad actor has access to the jar file, meaning they have full server access; by that point it's game over regardless, as they can grab IPs much more easily from log files. It's about maximising the amount of time it takes someone to accomplish their task, which, by salting and peppering and hashing, it will do.

    You're basically arguing here that standard security practices when dealing with things such as passwords are pointless, it's just another barrier to jump over, not about total prevention.

    Stop being pedantic ;p
     
  13. OP
    OP
    ponktacology

    ponktacology Member Disabled Account

    Messages:
    14
    Reactions:
    +5
    Well, you shouldn't give access to such a command if you don't trust your staff member.

    Although, I can add an option to hash IPs.
     
  14. Fozzie

    Fozzie Developer Supreme Premium

    Minecraft Accounts: Fozzie
    Messages:
    106
    Reactions:
    +14
    When did passwords come into the equation? Hashing passwords is a good idea, and there is no feasible set amount of passwords that can be tried if you are using a random password of good length. There is, however, a set limit to the amount of IPv4 addresses, making brute forcing feasible. In what scenario would a bad actor have access to the logs folder and not the plugins folder? Are we also just going to forget the fact that IP addresses are logged on join anyway by Spigot?

    You can delay an attacker for 2.5 hours, which is definitely better than plaintext IP addresses, but it's in no way as secure as you make it out to be.
     
    Last edited: Feb 4, 2020
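The argument in posts 7 through 14 can be run rather than argued. The Python below is an added example, not code from this thread or from the plugin being sold; it assumes PBKDF2-HMAC-SHA256 as a stand-in for bcrypt, HMAC-SHA256 under a server-wide secret as the "pepper" construction, a constructed sample address from the RFC 5737 TEST-NET-1 range, and a hypothetical /24 as the attacker's search space so the loop finishes quickly. It shows the three claims side by side: a per-record salted hash is recovered by enumerating the address space once the row (digest plus salt) leaks; a keyed hash under a secret pepper survives the same search while still answering "is this the same IP as before?" for alt checks; and the moment the pepper leaks with the jar or config, the search works again.

```python
import hashlib
import hmac
import ipaddress
import os
import secrets

IPV4_KEYSPACE = 2 ** 32
# Constructed sample input (RFC 5737 TEST-NET-1), not a real player.
PLAYER_IP = "192.0.2.77"
# Hypothetical attacker search space; a /24 keeps the demo to a few seconds.
SEARCH_NET = "192.0.2.0/24"
# Deliberately low cost so the brute-force loops below finish quickly.
KDF_ITERATIONS = 1000


def seconds_to_exhaust_ipv4(hashes_per_second: float) -> float:
    """Time to try every IPv4 address once at a given hash rate.
    Uses the exact 2^32 keyspace rather than the rounded 4 billion."""
    return IPV4_KEYSPACE / hashes_per_second


def salted_hash(ip: str, salt: bytes) -> bytes:
    """Per-record salted hash (PBKDF2-SHA256 standing in for bcrypt).
    The salt has to be stored beside the digest so the same IP can be
    recognised on the next join, which is what lets an attacker reuse it."""
    return hashlib.pbkdf2_hmac("sha256", ip.encode(), salt, KDF_ITERATIONS)


def peppered_hash(ip: str, pepper: bytes) -> bytes:
    """Keyed hash: HMAC-SHA256 under a server-wide secret (the pepper).
    Deterministic per IP, so equality lookups (alt detection) still work."""
    return hmac.new(pepper, ip.encode(), hashlib.sha256).digest()


def brute_force_salted(target: bytes, salt: bytes, network: str):
    """Attacker model from the thread: digest and salt both leaked.
    Enumerate the network and return the address that matches, else None."""
    for host in ipaddress.ip_network(network).hosts():
        if hmac.compare_digest(salted_hash(str(host), salt), target):
            return str(host)
    return None


def brute_force_peppered(target: bytes, pepper_guess: bytes, network: str):
    """Same enumeration against the keyed hash. Only succeeds when the
    attacker's pepper guess equals the real pepper (i.e. it has leaked)."""
    for host in ipaddress.ip_network(network).hosts():
        if hmac.compare_digest(peppered_hash(str(host), pepper_guess), target):
            return str(host)
    return None


def demo():
    salt = os.urandom(16)               # stored in the DB row next to the digest
    pepper = secrets.token_bytes(32)    # lives in config/env, never in the DB
    stored_salted = salted_hash(PLAYER_IP, salt)
    stored_peppered = peppered_hash(PLAYER_IP, pepper)

    # 1) leaked row (digest + salt): enumerating the subnet recovers the IP
    recovered = brute_force_salted(stored_salted, salt, SEARCH_NET)
    # 2) keyed hash, pepper still secret: the same enumeration finds nothing
    not_recovered = brute_force_peppered(stored_peppered, b"attacker-guess", SEARCH_NET)
    # 3) pepper extracted from the jar/config: the enumeration works again
    recovered_again = brute_force_peppered(stored_peppered, pepper, SEARCH_NET)
    # 4) the keyed hash still supports "same IP as a stored record?" checks
    same_player = peppered_hash(PLAYER_IP, pepper) == stored_peppered
    return recovered, not_recovered, recovered_again, same_player


if __name__ == "__main__":
    hours = seconds_to_exhaust_ipv4(434_200) / 3600
    print(f"full IPv4 sweep at 434,200 H/s: {hours:.2f} h")
    print(demo())
```

The pepper is only worth something if it is kept out of the same trust boundary as the records: an HMAC key in an environment variable or a file readable only by the server process, not a constant compiled into the plugin jar that ships to every buyer. Even then, as post 14 notes, the pepper shifts the cost from "exhaust the keyspace once" to "first obtain the key", and Spigot's own join logs still hold the plaintext addresses.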
  15. OP
    OP
    ponktacology

    ponktacology Member Disabled Account

    Messages:
    14
    Reactions:
    +5
    # ADDED FILTER #
     