NoCheatPlus

NoCheatPlus

NoCheatPlus

Detect and fight the exploitation of various flaws/bugs in Minecraft!

Main Features Permissions Commands Configuration Jenkins

Introduction

NoCheatPlus attempts to prevent cheat clients from exploiting weaknesses of Minecraft or its protocol, making your server more safe. Checks cover a wide range of issues including flying and speeding, fighting hacks, fast block breaking and nukers, inventory hacks, chat spam and other types of malicious behaviour. For a more complete list have a look at the Features Page.

NoCheatPlus puts emphasis on configurability and allows you to customize actions that are carried out when a player fails a check (e.g. silent cancelling, executing commands, just logging). Bypass permissions allow to control what check to apply for which players, all checks can be deactivated in the configuration, also having the option for world-specific configuration files. Many checks allow more detailed configuration to adjust sensitivity.

Certainly NoCheatPlus is not a magical bullet, it uses a lot of heuristics and even guessing, so you will encounter false positives here and there and also not catch every single violation. Example video of how NoCheatPlus blocks cheats (outdated plugin version).

NoCheatPlus was introduced by NeatMonster, building on the code base of NoCheat by Evenprime.

The following plugins might be useful to have a look at.

CompatNoCheatPlus (cncp)

Make plugins like mcMMO, Citizens, MagicSpells or MachinaCraft more compatbile with NoCheatPlus. Not all existing plugins are covered (yet), but you can leave a note or ticket request for cncp.

Orebfuscator

Orebfuscator fights all sorts of X-ray-hacks by altering the map information that is sent to the players, such that they have to mine blocks to actually reveal what is behind. Virtually a "must have".

Downloads and History of Changes

  • Download officially approved versions on the Files page at BukkitDev.
  • Development builds have been moved over to the Jenkins at EcoCityCraft.
  • Do not download from any other source, do not use jars other people send you.
  • Changes by build number can be examined in the Jenkins changes list.
  • All commits can be seen in the GitHub commit history.
  • Plugin statistics are no longer reported to mcstats.org.

Support

Documentation Resources

Contact us

  • Quick questions can be asked on this page,
    or on IRC (Server: irc.spi.gt | Default-Port: 6667 | SSL-Port: 6697 | Channel: #nocheat | Web client: WebIRC)
  • For real issues or feature requests please create a new ticket or add to an existing ticket.
  • To send information that is not to be seen by all, you can also reach us by PM to @asofold and @MyPictures. Please do not contact the user 'NoCheatPlus', it is for administrative purposes only and will likely not be answered in time. Keep to BukkitDev and GitHub for support, do not trust users on other forums or websites, also not if their nick names are the same as NCP staff on BukkitDev.

Please always state the output of the "ncp version" command to let us know versions in use (users of cncp also the "cncp" command).

Sponsors

Thanks to all supporters (hall of fame pending) and past donators!
RockServer: Big thanks for providing us with a virtual Server!
Our work for your enjoyment

You must login to post a comment. Don't have an account? Register to get one!

  • Avatar of Red_Jay Red_Jay Jan 13, 2014 at 23:02 UTC - 0 likes

    @ asofold Thanks for the explanation, I'll start testing them 1 by 1. Also, thanks for taking the time to reply to each individual person that needs help. It shows you care about the plugin and the people that use it. :)

    EDIT:

    I had two people fight while I monitored it. WadeAURules' violations are just for that battle and Im_Allos' are total for all of his fights.

    Image

    As you can see knockback and direction are pretty big issues. There are two different locations with direction as a check...

    Image

    You are saying I should disable the "strict" variable for direction?

    EDIT: x2 So I disabled the strict in the picture above and then 1v1ed someone. We had no violations before the fight and here's afterwards:

    Fight

    Last edited Jan 14, 2014 by Red_Jay
  • Avatar of asofold asofold Jan 13, 2014 at 21:07 UTC - 0 likes

    @thedjshow: Go

    They can always jump as high as possible and halt - then the hover check will catch them at some point.

    More questions:

    • How does the flying look like? Fast ascend or more like slowly drifting up?
    • You have the same problem with enable flight set to true?
    • What output (change of output before an after fly if possible) does "ncp info PLAYERNAME" provide for a player flying like that?
    • What's the output of "ncp version" ?
    • Please provide (pm / ticket / paste) a plugin list.

    Important: Do you have the fly checks of Towny and CB both turned off? They might conflict if turned on, especially those of other plugins, that would be Towny.

    We will have to carry this over to a ticket probably...

    Last edited Jan 13, 2014 by asofold

    BFAK:asofold,90573112,4305cd44b773216e4e4b4865b3831dcc3c507c15087fb5cfeebd9392050724fc

    NoCheatPlus
    Latest Release (1.7.2/.4/.5, approved): NoCheatPlus 3.10.9-RC-sMD5NET-b673 (Development builds, + MC 1.7.5: Jenkins)

  • Avatar of thedjshow thedjshow Jan 13, 2014 at 20:49 UTC - 0 likes

    @asofold: Go

    Im running a spigot server, players can move like 10 blocks up till they get kicked.

    It seems like it's only the config "enable flight = false" that does the work

    They can stand in the air without getting kicked, aslong as they are moving 10 blocks away or up in the sky they get kicked. What i mean is that should not even get up one block when using flying.

    Using the lates update

    Last edited Jan 13, 2014 by thedjshow
  • Avatar of asofold asofold Jan 13, 2014 at 20:32 UTC - 0 likes

    @Red_Jay: Go

    You can test things with executing "ncp info PLAYERNAME" before and after fighting and to check the difference of what is displayed. To start with a clean sheet, you can also do "ncp remove PLAYERNAME" in order to have all history of violations set to "0". Without analysis you won't know if players are secretly using a new godmode hack or if your hits just get cancelled somehow (i assume the latter though).

    Unfortunately the documentation is somewhat outdated, i will try to get it in shape as one of the next things. (https://github.com/asofold/NCPDocs/blob/master/wiki/configuration/configuration.creole)

    The checks are configured for something like an "optimum" between strictness and false positives. Depending on server type and how players are to be educated (:p), you will probably want to alter the settings. Of course relaxing bounds allows more cheating in general.

    The strict flag for fight.direction is probably the setting that hurts the fewest if disabled. If enabled this feature adds a check for the looking direction and demands a maximum threshold for the angle difference towards the opponents position. The usual check does something similar but uses a block-distance heuristics for the ray from looking direction towards the opponents position. So "strict" set to true will double the check , mostly with the effect that it is much more difficult to hit at close range.

    I suggest changing one setting at a time and re-test it, "ncp reload" can be done at runtime and does not hurt too much. It is important to keep checking violations "ncp info playername" + maybe the ingame alerts.

    The other "source of most trouble" would be fight.reach, which tests the distance to the target. By default it assumes a higher threshold distance than would be possible to hit at if standing still, due to latency and players and mobs moving. However to reduce the effect of killauras, we added a dynamic reach distance reduction, which takes effect if you hit at a long distance, effectively adapting the allowed hit range between two values depending on how far you are off your target when hitting. This is to prevent kill-auras getting too many hits in a row at too big distance. Since reach also deals an attack penalty when a player fails a check (500 milliseconds by default), it can hurt a bit. So you can set reduce to false, in order to have the "classic" reach check without adaption of the allowed distance. The penalty of 0.5 seconds might be alright still, but it can also be reduced to allow certain situations with closing in while hitting, typically if theres more networking delay (or "lag"). Best test one change at a time...

    @thedjshow: Go

    I am not sure how to interpret "flying" here. People get kicked for flying but they do what.... hover? Do they stand in the air? Do they move until getting kicked? How many blocks up do they get off the spot? How many blocks far do they get ? Is it a normal CraftBukkit server or a special setup (bungee)? What is the output of "ncp version" ?

    @libraryaddict: Go

    There is no official standard, but you will see a couple of plugins adopting the habit of adding "npc" metadata to actual npcs. Changing bounding boxes but not other properties (getEyeHeight ?, width?, height?) of entities is similarly special to using Player or CraftPlayer impementations that are not actually players. So the idea of metadata would be to get some sort of "inofficial agreement" between disguise plugin/functionality developers to be able to tell other plugins that a player is changed/disguised or the bounding box is adapted to something else than the usual. The good thing about that is that other plugins do not need to "hook into plugins" because not hooking is much more simple.

    So as it stands now i will attempt to check the crash exploits with a variation to the bounding box validity check, which might then allow that setting for ender dragon disguises.

    Last edited Jan 13, 2014 by asofold
  • Avatar of libraryaddict libraryaddict Jan 13, 2014 at 13:13 UTC - 0 likes

    @asofold: Go

    Metadata? No.

    I don't see a valid use to store metadata on a player as it is simpler for plugins to simply hook into the api.

    BFAK:libraryaddict,75154,c9bc87ad599337d3271d3cb02958adc594ab27bb05cc09136881ff0723c8fcb4

  • Avatar of thedjshow thedjshow Jan 13, 2014 at 04:46 UTC - 0 likes

    Hello thanks for the great plugin just one problem, i can see some people fly on the server like 5 sec then they get kicked. and i have seen on other servers that you cant fly at all, so what should i do? my config is fresh not sure what to change.

  • Avatar of Red_Jay Red_Jay Jan 13, 2014 at 03:06 UTC - 0 likes

    @asofold: Go

    The problem is I don't know what is preventing them from hitting each other. It's almost impossible to hit people unless you are facing them or they are moving in the same direction. You just get the hit particles but no damage.

    "You can set some strict flag to false (fight.direction)." What would this change? What does fight.direction even do?

    "Maybe setting dynamic distance to 0 could also improve things for you (fight.reach)." What would this change? Would it allow users to use reach hacks?

    Thanks for the help. Really hope I can fix this.

  • Avatar of asofold asofold Jan 13, 2014 at 00:24 UTC - 0 likes

    @libraryaddict: Go

    It seems simply the y-dimension is a hard-coded check for players in NCP. However before removing such a security check, i might want to check, if there can be any server crashes in case of actual exploits, because CB first puts the event through and does some similar checks afterwards. I am also not sure what calls still can lead to a crash, probably the native MCAccess.standsOnEntity checks. If using the Bukkit-API for that method removes the crash, i might provide a compatibility switch to remove the bounding box check.

    Have you considered (or are you already) using any metadata for a disguised player, like "disguised" or "boundingbox" or "disguised:enderdragon"?

  • Avatar of asofold asofold Jan 13, 2014 at 00:10 UTC - 0 likes

    @libraryaddict: Go

    I'll check.

    @Red_Jay: Go

    Check first what checks prevent players from fighting. One common problem is latency, the players are just not where they appear to the other players. In situations with a lot of moving this means that one needs to move "smart" in order to actually hit. The alternative is to implement a much more complex system or to allow almost everything.

    You can set some strict flag to false (fight.direction). Maybe setting dynamic distance to 0 could also improve things for you (fight.reach).

    @godgodgodgo: Go

    Thx. Hello :)

    @levisn1: Go

    I assume that can be read from the plugin description (no fly unless allowed) - can you be more specific on what kind of flying/hacking seems to work? How does it look like, any violations in the logs or changes in "ncp info PLAYERNAME" ?

  • Avatar of levisn1 levisn1 Jan 12, 2014 at 15:42 UTC - 0 likes

    Is normal that ncp seems doesn't blocking the fly of some hack? I'm using the 655.

Facts

Date created
Apr 02, 2012
Categories
Last update
Mar 16, 2014
Development stage
Release
License
GNU General Public License version 3 (GPLv3)
Curse link
NoCheatPlus
Downloads
908,618
Recent files

Authors