BlacklistCheck
Blacklist Check
Overview
This plugin is designed to use public DNS Blacklist servers to check incoming connections and disallow anyone using a known public proxy from being able to connect. The list of DNSBL servers used is configurable.
Features
- Stop griefers before they even connect
- Increased security
- (v0.2) Whitelist known IP addresses to always allow connections
- (v0.3) Whitelist entire IP subnets
- (v0.5) Choose to block the connection until the address may be verified, or allow the connection and kick if they are blacklisted
Configuration
Plugin Configuration
- DNSBLServers (v0.1) A list of DNS servers that will resolve blacklisted IP addresses
- Whitelist (v0.2) A list of IP addresses that will always be allowed in and will not be checked against the DNSBL servers. NOTE: As of v0.3 these addresses must be in CIDR notation. For example, to enter a single IP address use "127.0.0.1/32"; to allow an entire class C subnet use "192.168.1.0/24". Please be sure to update the config file when upgrading from v0.2.
- Debug (v0.3) (Boolean) [Default: false] A directive to have the plugin print more information to the console
- LogDisconnects (v0.4) (Boolean) [Default: true] A directive to have the plugin output connection refusals to the console
- DelayCheck (v0.5) (Boolean) [Default: false] A directive to have the plugin allow the connection first and run the DNS lookups in a separate thread. This option is not recommended, as the client will remain connected to the server until the DNS lookup returns. It will, however, not delay the connection process.
- DisconnectMessage (v0.5) (String) [Default: "Connected from a publicly blacklisted server!"] The configurable message to send along with the disconnect / kick.
- LogToFile (v0.6) (Boolean) [Default: true] A directive to have the system log to the BlacklistCheck.log file in the plugin's directory for debug and disconnect messages.
Installation
- To install the plugin, simply place the jar in the plugins directory
Bugs / Known Limitations
- The default server list contains 8 DNS servers, and checking each one takes time. Increasing this list will cause client timeout errors (without the DelayCheck configuration directive)
- The client will be disconnected if even one DNS server returns a result for the address
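The check described above (CIDR whitelist first, then one lookup per configured DNSBL server, refusing on any single hit), sketched as an added example that is not the plugin's own code. The zone names, the addresses and the in-memory fake_resolver are constructed placeholders so the sketch runs offline, and stopping at the first hit is a choice made in this example.

```python
import ipaddress

# Constructed sample data: zone names and addresses are placeholders
# (example.org and RFC 5737 documentation ranges), not real DNSBL content.
DNSBL_SERVERS = ["bl-one.example.org", "bl-two.example.org", "bl-three.example.org"]
WHITELIST = ["127.0.0.1/32", "192.0.2.0/24"]
FAKE_ZONE = {"7.113.0.203.bl-two.example.org": "127.0.0.2"}


def fake_resolver(name):
    """Stand-in for a DNS A lookup: returns an address, or None for NXDOMAIN."""
    return FAKE_ZONE.get(name)


def dnsbl_query_name(ip, zone):
    """Build the DNSBL query name: the IPv4 octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def is_whitelisted(ip, whitelist):
    """True if ip falls inside any CIDR entry ("/32" is a single address)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr, strict=False) for cidr in whitelist)


def check_connection(ip, servers=DNSBL_SERVERS, whitelist=WHITELIST,
                     resolve=fake_resolver):
    """Return (allowed, reason, lookups_made) for a connecting address."""
    # Whitelisted addresses are never sent to the DNSBL servers.
    if is_whitelisted(ip, whitelist):
        return True, "whitelisted", 0
    lookups = 0
    for zone in servers:
        lookups += 1
        # Any answer at all means "listed"; NXDOMAIN (None) means "not listed".
        if resolve(dnsbl_query_name(ip, zone)) is not None:
            return False, "listed by " + zone, lookups
    # A clean address costs one lookup per configured server, which is why
    # a longer server list lengthens the login delay.
    return True, "not listed", lookups
```

The lookups_made value shows the cost the limitation above describes: an unlisted address is queried against every server in the list before it is admitted.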
Future Plans
- Try to incorporate any additional user requests.
See Also
DNSBL is a common practice to block spammers and other unwanted traffic. For a full description about how DNSBL operates, a list of available public DNSBL servers, and other information, use Google.
New: http://dev.bukkit.org/server-mods/easy-anti-join-bot-proxie/
does this block users using proxies?
update please
Does this plugin still work with R5, or will you make an update?
would adding http://www.proxybase.org/ work?
@ArchmageInc
Just a clarification on the Zen blacklist for anyone considering using it:
The Zen blacklist is a composite that includes the PBL (in addition to the XBL and SBL).
The PBL's purpose is to stop mail (usually spam) from IPs which should (for one reason or another) never send mail directly.
Unfortunately many residential Internet Providers list all their dynamic IPs in the PBL to prevent spam, therefore adding Zen as a blacklist would prevent a large amount of Minecraft players from connecting to a Minecraft server.
Therefore adding it to your Minecraft server would not be a good plan, unless you feel like whitelisting a large portion of your userbase.
this plugin creates a lot of lag for me.. will making the delaycheck true abate this lag? no sooner did i shut this plugin down to fix lag, did i get hit by a proxy pwnage attack.. so it's definitely a crucial plugin, but it also does a real number on performance, specifically i think when one of the dnsbl servers is running latent. any ideas?
Please add the following functionality:
1. Command to add a currently online user's IP to the whitelist. i.e. /dnsbl add <playername>
2. Either add blacklist or add functionality to execute a banip command. The blacklist functionality would be for those who for whatever reason don't have banip understanding or functionality (I don't need that). More specifically though this would make the 'DelayCheck' functionality much much more useful. This would allow users to join but then if it is determined that their IP is in one of the BL repositories it would just ban the ip. or add it to the blacklist.
3. Just a suggestion but if you would add functionality to automatically add a player's IP to the whitelist after they have spent xxx minutes, hours, etc etc online that would be awesome. For the moment anyway that functionality would probably be best served if you would allow the plugin to submit queries to a LogBlock database.
Thanks
Cecell
Very awesome plugin, you have saved me on more than one occasion. Keep up the good work, I owe you a donation for saving me from downtime
People don't realize how important this plugin is. There is no other current working plugin that performs the function of blocking connections from IPs listed in DNSBLs. Without this plugin, you are forced to use nasty firewall configurations. It will be unfortunate if this plugin doesn't see more activity by the time proxy flooders become more rampant than they already are. I know there are already tools out there that can effectively DoS a server by connecting through many proxies and massively text flooding. If I remember correctly, the name of the tool used to proxy flood my server contained the word "PWN", but I can't remember the exact name.
@tremor77:
I'm having the same problem.
@ArchmageInc
Hey! Would you be interested in helping me implement DNSBL in my plugin that's found here? If not, I totally understand, I'll figure it out when I get the time.
Thanks!
-xDrapor
@CoolOppo
The DNSBL servers included in the configuration are merely to provide context and are considered the most common DNSBL servers available. There is no reason not to use ZEN to replace the list in the configuration. That is the beauty of configuration, you may use it as you see fit.
Why not use ZEN instead of XBL? http://www.spamhaus.org/zen/
@tremor77
tremor77,
I am not sure what is causing this, as the error shown is within Minecraft itself. If the error stops when removing this plugin, it may somehow be causing it. I will do my best to investigate this, though no one else has reported such an issue.
@epicbastion
I have addressed this in v0.6. There is now a directive to have the system log to an external file instead of directly to the console. This will also include debug messages.
Great plugin, my server just found the first listed ip, I have only had the plugin for 3 days so you saved me some grief.
I did have one request if possible. could this log to a file instead of the console? when these freaks try to connect they just keep trying and it spams the console, i know i can turn that off but it would be nice to have a log file that i can do reverse dns on and report the spamming to the ip owners/companies.
Thanks for your plugin.
Getting a lot of this when this plugin is installed:
problem goes away when removing this plugin.
@kozzy68
You can enable debugging, which will show you all of the attempts to lookup the addresses.
looks good now thanks, though it works so fast that I hope it really does try to resolve those ips :)