Security
This is a password-protection system for players and operators acting as an extra layer of security for an online server. Please note: This will not work in offline-mode.
You may ask, if my server is in online mode, can't I rely on the Minecraft.net authentication servers to keep hackers out? Well, the honest answer is that you can if you want to, but they don't have a very reliable track record. In recent history there have been two different major security loopholes found and exploited by hackers that allowed them to sign in as famous player accounts such as Notch, or sign in as operators for servers in order to cause harm or take over the server.
A password system provides an extra layer of security, so even if they do sign in as you, they cannot do anything unless they know the password you set up for it. As an added bonus, it can also help to keep players' nosy siblings out of their game ;-)
Security uses the Bukkit Conversation API to prompt players to enter information. These prompts override the standard chat, preventing you from sending chat messages or commands. You must read the prompt and enter the information requested into the chat box before you can use commands or send chat messages.
Features
- Simple and straightforward commands for players and operators
- Prompts players for their password whenever they login from a different IP address
- Players can optionally set their accounts to "secure" mode where they are prompted every login regardless of IP address
- Stored passwords have strong encryption on them so not even people with access to the server files can read them
- Passwords can be reset by operators in case players forget them
- Can optionally store player email address to confirm their identity before resetting passwords
- If hackers attempt to guess a player's password they can be IP auto-banned
- You can set up permissions to require passwords, recovery emails or secure mode for given players
- Compatible with the LanguageAPI and can be translated into multiple languages
Player Commands
Command | Permission | Description |
---|---|---|
/ChangePassword [new password] | security.changepassword (default all) | Allows a player to change their password. If one was previously set, they will be prompted for it to confirm the change |
/SecureMode [enable/disable] | security.changemode (default all) | Allows a player to change their account to or from secure mode, note this is overridden by the "security.requiresecuremode" permission. Players will be prompted for the current password in order to change this |
/SetRecoveryEmail [email address] | security.changeemail (default all) | Set up a recovery email address which will help to identify the real account owner if they should forget their password. Players will be prompted for their current password in order to change this |
Admin Commands
Command | Permission | Description |
---|---|---|
/ResetPassword [player] | security.admin (default op) | Manually reset the password on a player account in case they forget it |
/StrikeAutoBan [max strikes] [duration] | security.admin (default op) | Set the maximum number of strikes before an IP is banned for entering incorrect passwords, and how long in minutes they are banned for (0 for permanent ban) |
/GetRecoveryEmail [player] | security.admin (default op) | Get the recovery email address for a player so that you can determine if they are the real account holder |
/SetAdminEmail [email address] | security.admin (default op) | Set the admin email address that players should send emails to for password resets |
Other Permissions
Permission | Default | Description |
---|---|---|
security.requirepassword | none | Requires that players with this permission have a password set up |
security.requiresecuremode | none | Requires that players with this permission have secure mode accounts |
security.requirerecoveryemail | none | Requires that players with this permission have a recovery email set |
Planned Features
- Configurable command executed on a player typing an incorrect password
- Configurable command executed on an IP exceeding their maximum number of strikes
- Configurable command executed after a player has unlocked their account
- Ignore slash-commands that are entered into a password prompt by accident (no passwords starting with a slash allowed either)
- Delay the initial password prompt while in secure mode to allow MOTD plugins to send their initial messages to the player
- Configurable set of commands that require a password before they can be used
Compatibility and Troubleshooting
Full compatibility information and troubleshooting is available on the Compatibility and Troubleshooting page.
Translations
If you are fluent in English and another language, you can help translate Security! See the Translations page for details.
Donations
If you'd like to contribute towards the continued development, support and maintenance of this project, please consider joining me on Patreon, and making a one-time or recurring pledge.
Help
If you need help you can leave a comment below and I will get back to you as soon as I can. You can also join my IRC chatroom using the following link. Please note, I am not always at my keyboard! http://webchat.esper.net/?channels=XHawk87&prompt=1
@XHawk87
OK, I see your problem. That's difficult.
Just one last idea:
If online-mode is set to false, you could disable the main functions of your plugin, but instead allow some server command executions on player join configurable via config. (Placeholder like <player> or something.)
Like this it would be possible to use /deop <player> and /mandemote <player> whatever on every player from the console.
I guess this is quite some work and I don't blame you if you don't include this.
The language file:
Well, I'm not a Java developer, but I'm pretty sure the Minecraft client understands and displays Unicode.
But of course it is very important that the Java function which is used allows the backslash escape function to interpret the Unicode in the first place.
Maybe helpful:
language file of the plugin "Essentials":
https://github.com/essentials/Essentials/blob/2.9/Essentials/src/messages_de.properties
Also there is a small chance the plain ANSI text will work:
http://pastebin.com/66da4fQ8
In the worst case the characters 'äöü' will be displayed as question marks or random symbols.
If so, you can use a workaround. Everybody will understand this translation, but it's a little bit ugly:
http://pastebin.com/i1iT9WKp
@Fumihiko356
I am not sure that the Minecraft vanilla client can understand unicode, but we can test it and see.
Unfortunately, I cannot force it into online-mode=true or else I would have done so. I originally wanted to shut down the server for security purposes but the BukkitDev moderators felt that this would cause more trouble than good with people complaining that their server keeps shutting itself down. All I can advise is that you contact your host and complain that they are not allowing you to put your server into online mode.
P.S. I tested it using your language file in the German language client, the unicode characters appear as you see them rather than as the correctly accented character. We can attempt using non-ascii characters, or if necessary strip the accents. This is a deficiency in the Minecraft client and its connection to the server, so we'll just have to work around it and hope Mojang allow use of unicode in the future.
@XHawk87
I translated the language file to German (ger/de). I used Unicode instead of non-ASCII characters (ÄÖÜäöü).
http://pastebin.com/iYbaRWdk
Hope you like it ;)
So you disabled it on purpose. I guessed so. Well that doesn't sound "secure".
Would it be possible to force enable online-mode=true even if it is set to false, instead of disabling the plugin?
Or to prevent the server from starting at all?
Maybe configurable via config file.
That would be a much better solution for my needs.
@Fumihiko356
Security is intentionally disabled in online-mode=false because it is against the Bukkit Terms of Use to provide security for servers that allow players who have not bought Minecraft. You should not find any plugin that does this anywhere on Bukkit.
Security is compatible with the LanguageAPI. If you can provide me with a translated language file, I will make it available for everyone to use in that language.
This plugin works great. It completely stops commands (because they are treated as the password as well) and block changes.
However, in online-mode=false it is completely useless. Like you said in your description.
The reason I am looking for a security plugin is because my server provider overwrote my server.properties and set online-mode=false.
(No idea why or how.)
For short your plugin is worthless for me.
I don't know why your plugin stops working in this case, maybe something with the API?
Will you fix this? I hope so.
Oh, and did you think about the possibility to change the display language? I'm not sure if everybody on my server understands English ;)
Greeting.
Append: The server is in online-mode=true again, of course. But I'm worried this could happen again...
This will not currently work correctly on /reload. This is not a security concern as it will lock any player online at the time of the reload. It is easily fixed by disconnecting and reconnecting, or by using the /stop command and restarting the server properly.
@MinecraftMan001
Sorry, I can't support modded CraftBukkit. It's the responsibility of mod-makers to ensure that their mods are compatible with plugins and not the other way around.
My account was locked upon joining. It might be because it's a Tekkit Classic 1.2.5 server and not a 1.4.7 server. I am not going to ask you to downgrade or release a build for 1.2.5, but that would be good as Tekkit 1.2.5 is still very popular.
That's why my account was being locked
@MinecraftMan001
Security uses the Bukkit Conversation API to prompt players to enter information. These prompts override the standard chat, preventing you from sending chat messages or commands. You must read the prompt and enter the information requested into the chat box before you can use commands or send chat messages.
Although I have already included detailed on-screen instructions for using these prompts when they are opened, it seems a lot of people are still unaware of this Bukkit feature so don't pay close enough attention to these messages. I will include the above explanation in the description for better clarity.
"I installed the plugin on the server and i couldn't run any commands"
This doesn't happen immediately after installing Security. By default nobody has a password and therefore the accounts are not locked on joining. Also, unless you specifically granted players the security.requirepassword or security.requirerecoveryemail nodes you will receive no prompts on joining which would prevent you from entering commands. The prompts for these give detailed explanations just like account unlocking, just read the on-screen instructions and it should be straightforward to give the information requested.
If your account was locked, you would be kicked for incorrect password if you typed anything other than your password.
Also, Security has no effect whatsoever on the console. You can always use commands from the console. If you forget or mis-entered your account password initially, you can use the ResetPassword command from the console to reset it.
Prompting for a password on granting operator status to other players would not improve security in any measurable way, as only operators can do this and if an operator is able to type commands their account must already be unlocked. If a hacker has already gained access to an operator account then your server is already compromised. It is far better to stop them from getting access to that account in the first place.
The best way to prevent this is not to use OP. Use permissions instead, and anyone with privileges on the server can be given the security.requirepassword, security.requirerecoveryemail and security.requiresecuremode nodes to ensure that their accounts are safe, and allow managing important permissions, such as elevating a player's privileges, only from the console itself.
I've been waiting for a plugin like this.
Sorry, I'll explain myself better. On my server I use OP Password to make sure people can't hack their way into being an OP by using handshaking/hacks etc. The thing I would like is when you attempt to OP someone you need to enter a password to authorise his OP status. This is to stop players op'ping other players without the owner's knowledge. Also you need to make it clear how to unlock your account after this plugin has been installed.
I installed the plugin on the server and I couldn't run any commands without unlocking my account first. Now this would not usually be a problem as I am quite knowledgeable about Bukkit plugins, but I couldn't for the life of me figure out how to unlock my account.
@MinecraftMan001
I can only guess that the purpose of this is to make operator more secure. It sounds a very roundabout and convoluted way of doing that. Perhaps if you tell me exactly what it is you want to prevent by doing this, I can find a better solution to fix it.
Can you add a feature to require a password to OP someone? And the person getting OP'ed needs to know the password? I would love to see that so I don't have to run 2 plugins.
The first release for Security is now available
@genesis_aix
It is in the alpha testing phase at the moment. I have been working on some other projects recently, but I can return to finish this sometime soon.
How is the development?
Looking forward to the release.