IPLock
Protect your players! >> have a second login
This plugin lets you require everyone, or just selected players, to authenticate their IP with a password they set themselves. This creates a second layer of security for servers. All data is stored encrypted on the server for maximal security. If someone joins with your name but not from your IP, they will be kicked. This plugin works great to protect admin and staff accounts on offline servers.
Setup
- Copy JAR to your plugins folder
- Edit the settings.yml in IPL folder => everybody:false means that IPLock is not required for everybody... true is self-explaining ;-)
- If your server has a firewall, make sure port 2004 is open
- Give all users that you want to use IPL the permission node ipl.basic
- Each user with ipl.basic needs to login and use "/ipl register [password]" to make it function for them
- Download the updater; the link appears in-game when you register
- Once they have registered they open the updater tool and enter the server info, then click start to update the server with their IP
Source
GitHub: volpi3000's source
Permissions
- ipl.basic - Gives access to register with the server
- ipl.admin - Gives access to manage users
Commands
- /ipl help - Show IPL Help (ipl.basic)
- /ipl register [password] - Register yourself with the server (ipl.basic)
- /ipl unregister [username] - Remove a user from the list (ipl.admin)
Example Config
Upcoming Features
- WebInterface
Updater doesn't work.
Pixusman, the updater doesn't need to be in any specific folder, just make sure to unzip it so that it generates the save file
Which folder should I put the updater file?
the port is 2004
What is the port? I have a firewall
What is the updater for?
Please, can you update the version with the lock.yml where you put the no-ip.org addresses in? That was the best and easiest, but it doesn't work anymore now. Thanks
@niels1189
You want? You get it! I will start working on it soon.
@terraflops
Thanks. Just as a little extra information, I use "prepared statements" for all SQL queries, which makes SQL injection nearly impossible. I also promise to update this plugin soon, but I've got a lot on my mind with my computer science studies.
I am learning how to configure things, etc., and I have been told that I can use several plugins that are on version 1.6.2 even though I want 1.6.4. My question is: will the plugin be updated??? Thanks
@Dablakbandit - See your ticket
Everyone, IPL is a secure plugin! Do not panic! It is safe, user info is safe, and it has no practical vulnerabilities.
What about the updater not working on some people's computers?
@Dablakbandit - I read on your server, tekkit2thelimit, if that's the server you're currently hosting. From what you've said, I gather you've been hacked before. When introducing new security measures, please root out all backdoors.
Some ideas on how he got your password: Perhaps the hacker's level of server compromise is more than you think? Re-download all plugins and inspect all configuration files. Change your ssh password. IPL passwords are encrypted so they are pretty much undiscoverable without the key. One more thing: I'm not sure about this, but IPL stuff shows in the server log. Perhaps the hacker read that.
A good idea: Make sure ALL of your staff and privileged people are using iplock, otherwise it's pointless. The hacker could just put backdoors in and change your iplock password.
Understandably, your server is very nervous about a hacker. I would say scan for viruses, update all plugins, and inspect permissions configuration files.
EDIT: I did find an unchecked cast of some consequence: Link Removed is a fix for it.
May I ask how he changed my iplock, and because my iplock was same as my xauth, he logged in as me and managed to login. I was using the 1.4.2 plugin as the 1.6 has errors on my 1.2.5 server cause of the bukkit coding is completely different.
@Dablakbandit - Don't criticize a plugin without actually knowing anything about it. 1. SQL injector? Who made one for bukkit plugins? Do you even know what SQL is and its relation to SQL injection? 2. It's most likely that you don't have the latest version. Get it and you should be fine. 3. I doubt anyone could get a password out of the plugin. As far as I know, it only returns 3 responses: ok, Wrong Password, Player not Found. Where did you get the idea that we could get a password? 4. SQL Injection is irrelevant because there is nothing you could add to the SELECT statements to make it return data because as I said before, it only returns 3 responses.
volpi3000 - Your plugin is fine.
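An added sketch, not the plugin's own code, of the two things discussed in this thread: queries built with prepared-statement placeholders, and an updater check that only ever answers ok, Wrong Password or Player not Found. It is written in Python with sqlite3 so that it runs stand-alone; the table layout, function names, PBKDF2 password storage and the rule that unregistered names may join are all assumptions.

```python
import hashlib
import hmac
import os
import sqlite3

def make_db():
    """In-memory table standing in for the plugin's user store (schema assumed)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw BLOB, ip TEXT)")
    return db

def _derive(password, salt):
    # PBKDF2 is this example's choice; the page only says data is stored encrypted.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def register(db, name, password):
    salt = os.urandom(16)
    # '?' placeholders: values travel separately from the SQL text.
    db.execute("INSERT INTO users (name, salt, pw) VALUES (?, ?, ?)",
               (name, salt, _derive(password, salt)))

def update_ip(db, name, password, ip):
    """Updater-side call: returns one of the three responses quoted in the thread."""
    row = db.execute("SELECT salt, pw FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return "Player not Found"
    if not hmac.compare_digest(row[1], _derive(password, row[0])):
        return "Wrong Password"
    db.execute("UPDATE users SET ip = ? WHERE name = ?", (ip, name))
    return "ok"

def may_join(db, name, ip):
    """Join-time check: a registered name is only accepted from its stored IP."""
    row = db.execute("SELECT ip FROM users WHERE name = ?", (name,)).fetchone()
    return row is None or row[0] == ip  # unregistered names pass (assumption)

def demo():
    db = make_db()
    register(db, "Steve", "correct horse")  # constructed sample account
    return [
        update_ip(db, "Steve", "correct horse", "203.0.113.7"),
        update_ip(db, "Steve", "guess", "198.51.100.9"),
        # Quote characters in the name are matched as data, not parsed as SQL.
        update_ip(db, "Steve' OR '1'='1", "x", "198.51.100.9"),
        may_join(db, "Steve", "198.51.100.9"),
    ]

if __name__ == "__main__":
    print(demo())
```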
Sometimes the IPLock updater doesn't work, I can't use 1.6 on my 1.2.5 tekkit server, but also someone did manage to hack this and so it isn't very secure...
Okay, how do you use this with a BungeeServer?
unknown host
@volpi3000
I am very sorry, I forgot to mention it, yes I was talking about the updater :)