1. Post #81
    LauIsFun's Avatar
    August 2009
    69 Posts
    You don't drop them from the PlayerPasswordAuth hook... you return {false, "your witty message here"}

    You probably want http://wiki.garrysmod.com/?title=Gamemode.PlayerAuthed when you can catch the real steamid and kick them then.
    Allow them to join, then kick them mid-join after the hook. That's what I'm getting at.

  2. Post #82
    Gold Member
    AzuiSleet's Avatar
    September 2007
    758 Posts
    PlayerAuthed is after the password hook, and is the place where you want to be checking your bans. You can gatekeeper.DropClient(pl:UserID(), "message") any time, assuming you know the player isn't going to be referenced the rest of the frame.

  3. Post #83
    infinitywrai's Avatar
    December 2007
    539 Posts
    Thanks for this.

  4. Post #84
    Pimpin' Member
    Stebbzor's Avatar
    September 2008
    630 Posts
    -snip-

  5. Post #85
    Grocel's Avatar
    October 2008
    1,238 Posts
    This is a server site module and must be run server site.
    init.lua is a server site run
    cl_init.lua is a client site run

  6. Post #86
    infinitywrai's Avatar
    December 2007
    539 Posts
    This is a server site module and must be run server site.
    init.lua is a server site run
    cl_init.lua is a client site run
    serverside
    clientside... not -site

  7. Post #87
    Gold Member
    slayer3032's Avatar
    November 2007
    3,472 Posts
    Would it be possible for the PlayerPasswordAuth hook to also have userid as an argument?

    Currently I have to check my database every time a player joins, then if the callback from tmysql returns a steamid that is currently connected the server will ban the ip to drop him from the server.

    I would much rather just use the gatekeeper.Drop() function than banning their IP so they leave the server; I can't use kickid on their steamid at this point because according to the command their steamid does not exist yet. I do not wish to have banned clients getting any further into the connection progress because then they can run commands on the server and I don't want that; they are banned, they shouldn't be able to do anything to the server from an in-game level.

  8. Post #88
    Lau
    Lau's Avatar
    November 2009
    97 Posts
    Would it be possible for the PlayerPasswordAuth hook to also have userid as an argument?

    Currently I have to check my database every time a player joins, then if the callback from tmysql returns a steamid that is currently connected the server will ban the ip to drop him from the server.

    I would much rather just use the gatekeeper.Drop() function than banning their IP so they leave the server; I can't use kickid on their steamid at this point because according to the command their steamid does not exist yet. I do not wish to have banned clients getting any further into the connection progress because then they can run commands on the server and I don't want that; they are banned, they shouldn't be able to do anything to the server from an in-game level.
    Aye.

  9. Post #89
    Gold Member
    AzuiSleet's Avatar
    September 2007
    758 Posts
    I've added gatekeeper.GetUserByAddress, I can't find an IClient or userid on the stack, so you have to use the address passed to PlayerPasswordAuth.

    http://gmodmodules.googlecode.com/sv...gatekeeper.dll

    You should be aware that not returning immediately allows an attacker to run commands anyway, so you need to decide in the callback whether or not you want to kick them. The solution would be to pre-load the banlist on map load.

  10. Post #90
    Gold Member
    slayer3032's Avatar
    November 2007
    3,472 Posts
    I've added gatekeeper.GetUserByAddress, I can't find an IClient or userid on the stack, so you have to use the address passed to PlayerPasswordAuth.

    http://gmodmodules.googlecode.com/sv...gatekeeper.dll

    You should be aware that not returning immediately allows an attacker to run commands anyway, so you need to decide in the callback whether or not you want to kick them. The solution would be to pre-load the banlist on map load.
    Ah, thank you.

    Yea, I understand, however the chances of them doing any major harm are slimmer if they can't sit in the server for like 20 seconds running commands or get to actually load into the server.

    It's a much better method to drop them rather than ban their ip. The problem was that if a client was banned on one server then decides to go to another server before the list is updated, they could slip right in without the passwordauth hook being able to catch them, so the only way to prevent that would be to query the database every few seconds, which is rather wasteful and dumb even if it is a locally hosted database. The banlist would have been preloaded on mapload anyways, otherwise it wouldn't exist for the first client.

    Now if I could only get all the clients to stop crashing out when people are kicked or banned randomly, it seems to happen with kickid and gatekeeper..

  11. Post #91
    Gold Member
    ComWalk's Avatar
    August 2005
    107 Posts
    Yea, I understand, however the chances of them doing any major harm are slimmer if they can't sit in the server for like 20 seconds running commands or get to actually load into the server.
    This is not a safe assumption to make. If the client successfully authenticates (as in, its 'k' packet is accepted, which will happen if you accept the password), commands can immediately be sent to the server. 'Slimmer' is not good enough, especially given how easy this would be to abuse.

    Ah, thank you.
    It's a much better method to drop them rather than ban their ip. The problem was that if a client was banned on one server then decides to go to another server before the list is updated, they could slip right in without the passwordauth hook being able to catch them, so the only way to prevent that would be to query the database every few seconds, which is rather wasteful and dumb even if it is a locally hosted database. The banlist would have been preloaded on mapload anyways, otherwise it wouldn't exist for the first client.
    The PlayerPasswordAuth hook should not be used as your sole line of defense. The steamid it receives can be missing and it is theoretically possible for it to be maliciously manipulated. Always verify the steamid again in the PlayerAuthed hook, as this is the 'blessed by valve' steamid.

    If anything, I would frequently query the ban table for new bans, deny a connection attempt if either the reported steamid (keep in mind, this will not always be provided) OR ip is banned, and then in PlayerAuthed check again as well as run a threaded query as you do now in PlayerPasswordAuth to catch anybody trying to game the system.

    Ah, thank you.
    Now if I could only get all the clients to stop crashing out when people are kicked or banned randomly, it seems to happen with kickid and gatekeeper..
    I'm going to need more details on this one. Every client connected is crashing? Gatekeeper does not affect connected and authenticated clients in any way. If it is possible to crash a client, it would be caused by a malformed kick message sent to gatekeeper.Drop. Why are you using kickid anyways?

    EDIT: In response to your earlier post, the userid cannot be provided in PlayerPasswordAuth because the userid simply hasn't been allocated for the user yet. I suppose it could be possible to pass the userid next in line to be used, but it seems an ugly hack at best. AzuiSleet's UserByIPAddress function is as good as it is going to get as the IClient isn't associated with a steamid until the steam callback is received.

  12. Post #92
    Gold Member
    slayer3032's Avatar
    November 2007
    3,472 Posts
    This is not a safe assumption to make. If the client successfully authenticates (as in, its 'k' packet is accepted, which will happen if you accept the password), commands can immediately be sent to the server. 'Slimmer' is not good enough, especially given how easy this would be to abuse.
    There isn't much else I could do other than do it the best I could.

    The PlayerPasswordAuth hook should not be used as your sole line of defense. The steamid it receives can be missing and it is theoretically possible for it to be maliciously manipulated. Always verify the steamid again in the PlayerAuthed hook, as this is the 'blessed by valve' steamid.
    Good idea, I'll add that, thanks.

    If anything, I would frequently query the ban table for new bans, deny a connection attempt if either the reported steamid (keep in mind, this will not always be provided) OR ip is banned, and then in PlayerAuthed check again as well as run a threaded query as you do now in PlayerPasswordAuth to catch anybody trying to game the system.
    I don't host my database on the same computer, I really hate to needlessly query. I don't have any IPs banned and wasn't intending to put them into this script.

    I'm going to need more details on this one. Every client connected is crashing? Gatekeeper does not affect connected and authenticated clients in any way. If it is possible to crash a client, it would be caused by a malformed kick message sent to gatekeeper.Drop. Why are you using kickid anyways?
    What I meant was when I tried going back to kickid it still crashed out clients. I'm thinking either Garry or valve is doing something sketchy with their code and it's trying to do something to the now null player. It's not your fault that it is doing this but I thought someone might be able to shed some more light on it. It crashes all the clients in the server, however my screen doesn't yet show the message on the screen either. It doesn't crash the player that was kicked too.

    EDIT: In response to your earlier post, the userid cannot be provided in PlayerPasswordAuth because the userid simply hasn't been allocated for the user yet. I suppose it could be possible to pass the userid next in line to be used, but it seems an ugly hack at best. AzuiSleet's UserByIPAddress function is as good as it is going to get as the IClient isn't associated with a steamid until the steam callback is received.
    Chrisaster was telling me to use the gevents module to kick these clients but I figure that they would have already been able to run commands by then so I just stuck with banning their IP for a minute.

  13. Post #93
    Gold Member
    ComWalk's Avatar
    August 2005
    107 Posts
    Well, with AzuiSleet's addition of GetUserByAddress, you should be able to get everything working now.

    There isn't much else I could do other than do it the best I could.
    Sorry if I seemed harsh; it's just important to note that if you want to stop commands from being run then you cannot allow them to get past PlayerPasswordAuth. If that's not feasible to do, then at least don't get lulled into a false sense of security.

    I don't host my database on the same computer, I really hate to needlessly query. I don't have any IPs banned and wasn't intending to put them into this script.
    I only mentioned IP banning because that is guaranteed to be correct in the PlayerPasswordAuth hook, so it's really the only thing that you can be certain about in the hook. It's still good as the first line of a multi-line defense.

    Going off on a tangent, I don't think you're giving your database server enough credit. If you update it every 5-10 seconds with a threaded query (set up to select only bans that have been added since the last check) I think you'll find your performance unaffected. I have a P2 333 that putts right along with a sizable database and can get hit with multiple queries per second. The distance between the servers will really only affect the time it takes for your callback to get called, but I'd say that it's better to have your cached banlist out of date by a few seconds than it is to never update it until after you could have already used it! (Especially since it would allow you to more effectively block commands from being run, which seems like a big concern) I suppose there's probably more to it than that, though.
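    The layered scheme ComWalk lays out across his two replies (deny on ip or reported steamid in PlayerPasswordAuth, re-verify the Valve-confirmed steamid in PlayerAuthed, keep the cached banlist fresh with an incremental threaded query), written out as an added Lua example; this is not code from this thread or from the gatekeeper module. It assumes the gmod10-era hook arguments `PlayerPasswordAuth(name, password, steamid, ip)` and `PlayerAuthed(ply, steamid, uniqueid)`, that `gatekeeper.GetUserByAddress(address)` returns a userid accepted by `gatekeeper.Drop`, and a hypothetical `RefreshBansFromDatabase` you would back with your own threaded query.

    ```lua
    -- Added example, not code from this thread or from the gatekeeper module.
    -- Assumes gmod10-era hook arguments and a hypothetical DB refresh routine.
    require("gatekeeper")

    -- Cached banlist, keyed by steamid and by bare ip (no port). It is filled at
    -- map load so the very first connection attempt is already covered.
    local BannedSteamIDs = {}
    local BannedIPs      = {}
    local LastRefresh    = 0
    local BanMessage     = "You are banned from this server."

    -- The address handed to the hook may carry a ":port" suffix; strip it so it
    -- compares against stored addresses.
    local function StripPort(address)
        return string.match(address or "", "^([^:]+)") or ""
    end

    -- Merge freshly fetched bans into the cache, then sweep anyone who slipped in
    -- before the cache knew about them: connected players by verified steamid,
    -- clients still mid-connect (no entity yet) by address.
    local function ApplyNewBans(rows)
        for _, row in ipairs(rows) do
            if row.steamid then BannedSteamIDs[row.steamid] = true end
            if row.ip then BannedIPs[row.ip] = true end
        end
        for _, ply in ipairs(player.GetAll()) do
            if BannedSteamIDs[ply:SteamID()] then
                gatekeeper.Drop(ply:UserID(), BanMessage)
                -- do not touch ply again this frame
            end
        end
        for _, row in ipairs(rows) do
            -- assumption: GetUserByAddress takes the address as the hook reports it
            local userid = row.ip and gatekeeper.GetUserByAddress(row.ip)
            if userid then gatekeeper.Drop(userid, BanMessage) end
        end
    end

    -- Hypothetical: run a threaded query selecting only bans added since
    -- LastRefresh and hand the rows to ApplyNewBans from its callback. The real
    -- query API (tmysql etc.) is up to you; nothing here blocks the server frame.
    local function RefreshBansFromDatabase()
        local since = LastRefresh
        LastRefresh = os.time()
        -- YourDB.QueryThreaded("SELECT steamid, ip FROM bans WHERE added > " .. since,
        --                      ApplyNewBans)   -- placeholder, not a real API
    end

    -- Layer 1: PlayerPasswordAuth. Only the ip is guaranteed correct here; the
    -- reported steamid may be missing or manipulated, so it is used to deny but
    -- never to allow. Denying here is the only point at which a banned client is
    -- stopped before it can send commands.
    hook.Add("PlayerPasswordAuth", "BanList_Password", function(name, password, steamid, ip)
        if BannedIPs[StripPort(ip)] then
            return { false, BanMessage }
        end
        if steamid and steamid ~= "" and BannedSteamIDs[steamid] then
            return { false, BanMessage }
        end
        -- Nothing decided: fall through to the engine's own password check.
    end)

    -- Layer 2: PlayerAuthed. This steamid has been confirmed by Steam, so a spoofed
    -- or missing steamid in layer 1 is caught here. Drop and then leave the entity
    -- alone for the rest of the frame.
    hook.Add("PlayerAuthed", "BanList_Authed", function(ply, steamid, uniqueid)
        if BannedSteamIDs[steamid] then
            gatekeeper.Drop(ply:UserID(), BanMessage)
        end
    end)

    -- Preload at map load, then refresh every 10 seconds with the incremental
    -- query rather than once per join, so the cache is never stale by much.
    RefreshBansFromDatabase()
    timer.Create("BanList_Refresh", 10, 0, RefreshBansFromDatabase)
    ```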

  14. Post #94
    |FlapJack|'s Avatar
    July 2009
    6,138 Posts
    The PlayerPasswordAuth hook should not be used as your sole line of defense. The steamid it receives can be missing and it is theoretically possible for it to be maliciously manipulated. Always verify the steamid again in the PlayerAuthed hook, as this is the 'blessed by valve' steamid.
    Didn't know about this - Good thing I hadn't started using gatekeeper in my admin mod before seeing this. Thanks.

  15. Post #95
    Gold Member
    slayer3032's Avatar
    November 2007
    3,472 Posts
    Well, with AzuiSleet's addition of GetUserByAddress, you should be able to get everything working now.
    Yea, working on it right now.

    Sorry if I seemed harsh; it's just important to note that if you want to stop commands from being run then you cannot allow them to get past PlayerPasswordAuth. If that's not feasible to do, then at least don't get lulled into a false sense of security.
    It's okay, I understand. Most of the remaining commands just lag the server so this will do fine for now. If it gets to the point where that one chance that a player can get after being banned off a server is being abused I'll think of something else or refresh the table from the database.

    I only mentioned IP banning because that is guaranteed to be correct in the PlayerPasswordAuth hook, so it's really the only thing that you can be certain about in the hook. It's still good as the first line of a multi-line defense.
    I thought about adding IPs to it but I'm not really sure, it might catch people with multiple accounts but the only people who might actually do anything malicious to your server probably would have multiple accounts, along with the average troll. I might think about it since you are right and it could easily catch people who do try to modify their steamid info and the various idiots with lots of accounts.

    Going off on a tangent, I don't think you're giving your database server enough credit. If you update it every 5-10 seconds with a threaded query (set up to select only bans that have been added since the last check) I think you'll find your performance unaffected. I have a P2 333 that putts right along with a sizable database and can get hit with multiple queries per second. The distance between the servers will really only affect the time it takes for your callback to get called, but I'd say that it's better to have your cached banlist out of date by a few seconds than it is to never update it until after you could have already used it! (Especially since it would allow you to more effectively block commands from being run, which seems like a big concern) I suppose there's probably more to it than that, though.
    I realize that it isn't very expensive to do more queries just to make sure, but I don't see the banlist being used highly in the first place; even if people get to the point where they can connect to the server, anything they do will be in vain because if they manage to crash one of the other servers it will just restart in 20-30 seconds and they won't be able to touch the server again until their ban is gone. Spamming queries every 5-10 seconds for that one chance for a banned user to attack the other servers before the list is refreshed by someone connecting, even if it is pretty cheap, still seems like a waste to me. An added IP to check along with their SteamID might be useful but any resourceful script kiddie or idiot can reset their router/spoof a MAC address/use a VPN. An IP doesn't mean much more than a direct connection to that specific person and not a personal identification. At the point where IPs come in, it would be a better job for a human to put the pieces together trying to find alt accounts than a script.

    Even when commands come in I still have other things as a protection such as SLog or Cvar2.

    Edited:

    Actually, it seems as though almost every time a client is dropped while being in the server all the clients crash out. Gatekeeper.Drop() seems to do it more than kickid ever did...

    Argh, why is Garry's Mod doing this now, I think it started happening after that one update where Garry added the new voice hud item.

    I'll try to look into this more later, it's getting too late for me.

  16. Post #96
    Lau
    Lau's Avatar
    November 2009
    97 Posts
    I've added gatekeeper.GetUserByAddress, I can't find an IClient or userid on the stack, so you have to use the address passed to PlayerPasswordAuth.

    http://gmodmodules.googlecode.com/sv...gatekeeper.dll

    You should be aware that not returning immediately allows an attacker to run commands anyway, so you need to decide in the callback whether or not you want to kick them. The solution would be to pre-load the banlist on map load.
    It's no big deal if you know the commands to block and can just use slog to patch them. Plus, the addon I released is a WIP, and I'll take this topic's discussion of using the PlayerPasswordAuth hook and using PlayerAuthed to make sure that players don't get past the filter. Thank you for your edit, I'll probably be using that instead now.

  17. Post #97
    leeetdude's Avatar
    April 2009
    434 Posts
    error loading module 'gatekeeper' from file 'c:\_x\lua\includes\modules\gmsv_gatekeeper.dll':
    %1 is not a valid Win32 application.

    Edit: SVN Version.
    The 3.1 seems to work fine for me (the zip file)

  18. Post #98
    leeetdude's Avatar
    April 2009
    434 Posts
    Tried on my other DEDI too, not working!

  19. Post #99
    Gold Member
    AzuiSleet's Avatar
    September 2007
    758 Posts
    Sounds like a runtime issue, I compile everything with 2008 SP1, here's the redist: http://www.microsoft.com/downloads/d...displaylang=en

  20. Post #100
    yuriman's Avatar
    January 2009
    566 Posts
    -snip-
    fixed it and nice module

  21. Post #101
    Gold Member
    ComWalk's Avatar
    August 2005
    107 Posts
    New version of gatekeeper has been released. Linux support has been added and some of the internals have been cleaned up.

    Anybody interested in the makefile can take a look at the repo; it goes into the linux_sdk/ directory of the source sdk after some obvious changes to the main makefile. Everything was built with gcc 4.3.

  22. Post #102
    |FlapJack|'s Avatar
    July 2009
    6,138 Posts
    Did you fix the memory messup where clients end up dropped with the gamemode name as a reason on connect?

  23. Post #103
    Gold Member
    ComWalk's Avatar
    August 2005
    107 Posts
    Did you fix the memory messup where clients end up dropped with the gamemode name as a reason on connect?
    Given that it has not once been reported to me, no. I really doubt that gatekeeper is to blame. In this version, there isn't any strange memory voodoo going on during connect, and even the last version (which searched through the stack to find the call to ConnectClient) would never have stumbled across a pointer to the gamemode (the engine doesn't care about sv_gamemode and it has no reason to be on the stack for a connection attempt).

    If you can provide a way to reliably reproduce it, I'll look into it, but for now I'm fairly certain that fault lies with another module or script.

  24. Post #104
    Gold Member
    slayer3032's Avatar
    November 2007
    3,472 Posts
    gatekeeper.GetUserByAddress() doesn't seem to be working.

    When it should be kicking players on a secondary check it just returns nil.

    Edited:

    Code:
    > print(gatekeeper.GetUserByAdress)...
    nil
    > print(gatekeeper.Drop)...
    function: 02DD2850

  25. Post #105
    Gold Member
    ComWalk's Avatar
    August 2005
    107 Posts
    gatekeeper.GetUserByAddress() doesn't seem to be working.
    Code:
    > print(gatekeeper.GetUserByAdress)...
    nil
    > print(gatekeeper.Drop)...
    function: 02DD2850
    You spelled GetUserByAddress incorrectly.
    Code:
    > print(gatekeeper.GetUserByAddress)...
    function: 026CD508
    When it should be kicking players on a secondary check it just returns nil.
    What should be kicking players? What secondary check? I'm not certain what function you are referring to... If you are talking about GetUserByAddress, it doesn't kick. None of the functions that do kick should return anything but nil. Testing it just now, both GetUserByAddress and Drop behave exactly as I would expect them to.

  26. Post #106
    |FlapJack|'s Avatar
    July 2009
    6,138 Posts
    Can't exactly replicate it. However, it did stop after removing gatekeeper. It only happened occasionally, on initial connect.

  27. Post #107
    Gold Member
    slayer3032's Avatar
    November 2007
    3,472 Posts
    Whoops, well gatekeeper.GetUserByAddress seemed to have been returning nil when checking for any recent connections by banned players after my ban list is refreshed.

    I might have been using a really old version of gatekeeper somehow, I'm not really sure.

  28. Post #108
    Gold Member
    ComWalk's Avatar
    August 2005
    107 Posts
    Can't exactly replicate it. However, it did stop after removing gatekeeper. It only happened occasionally, on initial connect.
    Probably because the hook that was actually causing it was no longer being called.

    Whoops, well gatekeeper.GetUserByAddress seemed to have been returning nil when checking for any recent connections by banned players after my ban list is refreshed.

    I might have been using a really old version of gatekeeper somehow, I'm not really sure.
    Yeah, it would have to be an older version for that to happen. It's added to the table in the same way and in the same place as the other functions, so if the other functions are there, it should be there.

  29. Post #109
    Gold Member
    ComWalk's Avatar
    August 2005
    107 Posts
    I've updated gatekeeper to work with the source 2009 version of gmod. Do not attempt to use 4.1 with a server that isn't running the beta as it will probably crash on startup (or on first connect). This version should be compatible with the next update, whenever it comes out.

    Linux binaries will follow as soon as gmod linux binaries for source 2009 are released.

  30. Post #110
    Gold Member
    ComWalk's Avatar
    August 2005
    107 Posts
    GateKeeper has been updated with code necessary for the detection and removal of clients that are using tools such as Tranquility to spoof their steamid. Not perfect, but the best solution available until valve patches it for good (not long now that they have a working POC in their hands).

  31. Post #111
    Gold Member
    VoiDeD's Avatar
    August 2005
    860 Posts
    The related lua code for making use of these new GateKeeper features is available here: http://www.facepunch.com/showthread.php?t=962042

  32. Post #112
    infinitywrai's Avatar
    December 2007
    539 Posts
    The latest version of gatekeeper has been misreporting the number of players. I clearly had 15 players in-game and connecting (reported by HLSW, and any viewing tool) but gatekeeper:GetNumClients().total was reporting a few players less than that. This happens every time.

  33. Post #113
    Gold Member
    ComWalk's Avatar
    August 2005
    107 Posts
    The latest version of gatekeeper has been misreporting the number of players. I clearly had 15 players in-game and connecting (reported by HLSW, and any viewing tool) but gatekeeper:GetNumClients().total was reporting a few players less than that. This happens every time.
    Just found the cause of this; one of the IServer functions had its behavior changed. I'll try to have the fix out later today.

    EDIT: Try this

  34. Post #114
    Gold Member
    Killer_Steel's Avatar
    October 2007
    1,362 Posts
    Can't remember if this was mentioned or not.

    Can this module in any way be used for kicking people from the server once they're connected? Or do I have to use ply:Kick()?

  35. Post #115
    Gold Member
    ComWalk's Avatar
    August 2005
    107 Posts
    Can't remember if this was mentioned or not.

    Can this module in any way be used for kicking people from the server once they're connected? Or do I have to use ply:Kick()?
    Yes, see the documentation for gatekeeper.Drop. It was not only mentioned, but very explicitly used in the example code. Instead of ply:Kick(), you're able to do
    gatekeeper.Drop(ply:UserID(), "bye.")

    And, since it can't really be repeated often enough, DO NOT use the player's entity after calling gatekeeper.Drop.

  36. Post #116
    Gold Member
    raBBish's Avatar
    March 2007
    2,667 Posts
    Can't remember if this was mentioned or not.

    Can this module in any way be used for kicking people from the server once they're connected? Or do I have to use ply:Kick()?
    gatekeeper.Drop( ply:UserID(), "I'm a big fat idiot" )

    Edited:

    :ninja:

  37. Post #117
    Gold Member
    Killer_Steel's Avatar
    October 2007
    1,362 Posts
    Thanks. Was just checking so I wouldn't end up crashing the server using a method the way it wasn't intended.

    And I'm ignoring that comment, raBBish.

  38. Post #118
    Gold Member
    raBBish's Avatar
    March 2007
    2,667 Posts
    And I'm ignoring that comment, raBBish.
    Oh sorry, that wasn't directed at anybody. I was just watching Simpsons (Angry Dad episode) when writing it and I just wrote the first thing I heard

  39. Post #119
    Gold Member
    Killer_Steel's Avatar
    October 2007
    1,362 Posts
    Funny how that happens, actually. When yer listening to a conversation and IM chatting at the same time, then you just write a random word from whatever you're listening to.

  40. Post #120
    infinitywrai's Avatar
    December 2007
    539 Posts
    Excuse me, please fix GetNumClients()