What to do when your mush is attacked


  • Coder

    Ok, I've seen people ping a few times on here asking how to go about blocking people who are attacking their game, so I'll cover TinyMUSH3, PennMUSH, MUX2, and RhostMUSH on ways to cockblock attackers on your games. Please keep in mind my knowledge on Penn, TM3, and MUX is a wee bit rusty, but I'm fairly certain I've covered the majority.

    First, TinyMUSH3:
    TinyMUSH3 allows the base set that MUX2 allows, and some additional features customized for the codebase.

    Site Restrictions:
    Syntax ingame: @admin <param>=<IP> <MASK>
    Syntax tinymush.conf file: <param> <IP> <MASK>

    Parameters:
    forbid_site -- forbid the IP from connection entirely
    guest_site -- allow guests from the IP
    register_site -- forbid new player creation from the IP
    suspect_site -- mark connections with the SUSPECT flag

    Example: (assume player is from IP 12.12.20.200)

    @admin guest_site=12.12.20.0 255.255.255.0
    

    This blocks all IP's from 12.12.20.1 through 12.12.20.255 which is the preferred start for blocking since most people have DYNAMIC IP addresses and not STATIC IP addresses.
    NOTE: TinyMUSH3 allows CIDR (/24 instead of 255.255.255.0) notation from TinyMUSH 3.2 on.

    Keep in mind @admin is NOT persistent. When you reboot or restart your mush, those values are no longer there. To make them permanent you need to use the .conf file method.
    Example:

    guest_site 12.12.20.0 255.255.255.0
    

    To make any .conf file change take effect, the system will have to be @restarted.

    Now for Limits:
    To set:

    @admin command_recursion_limit=50
    

    or in your .conf file

    command_recursion_limit 50
    

    command_recursion_limit (default 50) -- number of commands that can be nested from another command
    command_invocation_limit (default 2500) -- number of commands that can be called in a single command queue
    function_cpu_limit (default 60) -- amount of time, in seconds, that a command is allowed to process. Anything over this will be aborted.
    function_invocation_limit (default 2500) how many functions can be called from a single command
    function_recursion_limit (default 50) how many times a function can call itself
    instance_limit (default 100) -- this has to do with TM3's construct feature and limits the amount of memory-based structures allowed in-game
    lock_recursion_limit (default 20) -- amount of times a lock is allowed to be called
    notify_recursion_limit (default 20) -- number of times notify() can be called recursively. Notify() is an internal call to TinyMUSH3 that handles the messaging bus. So it's essentially a low-level run away process handler for potential bad coding ;)
    player_queue_limit (default 100) -- total number of queue entires a player may have at any one time
    player_alias_limit (default 10) -- total number of @aliases a player may have
    propdirs_limit (default 10) -- PROPDIR in TinyMUSH3 is in effect a localized 'parent' you can assign an object to inherit attributes from a list of dbref#'s. Kinda silly, but there we go.
    register_limit (default 50) -- amount of setq registers a player can define
    retry_limit (default 3) -- number of times a player can attempt to connect to a player before being disconnected
    stack_limit (default 50) -- number of stack entries allowed with push()
    structures_limit (default 100) -- number of structure()'s allowed
    variables_limit (default 50) -- number of unique variables (tm3-ism) allowed per target
    wildcard_match_limit (default 25000) -- number of recursion attempts allowed for wildcard/regexp matching
    zone_recursion_limit (default 20) -- maximum number of zones that can be chained

    Commands:
    @boot -- boot player from game
    @nuke/@toad -- destroy/remove player from game (note: TM3 has @nuke aliased to @destroy/override)
    @disable -- disable logins
    @newpassword -- change target's password

    Flags:
    To set:

    @set *player=slave
    

    SLAVE -- When set the player can not issue any command that could potentially change the database
    GAGGED - player can not talk
    STOP -- Once a $command is matched, no further command searching will occur
    CONSTANT -- only the #1 player (God) can set attributes on the target
    WATCHER -- allows a player to monitor player connects/disconnects
    NOSPOOF -- allows you to see enactor of a @pemit, @emit, say, pose, etc. Can be spammy
    FIXED -- target can not teleport

    -----------------------------------------------------------------------------------------------------------------
    And now, MUX2
    You will notice early on that MUX2 and TinyMUSH3 hale from the same parent codebase as the restrictive qualities are nearly identical minus customizations between codebases

    Site Restrictions:
    Syntax ingame: @admin <param>=<IP> <MASK>
    Syntax tinymush.conf file: <param> <IP> <MASK>

    Parameters:

    forbid_site -- forbid the IP from connection entirely
    guest_site -- allow guests from the IP
    noguest_site -- disallow guests from the IP
    nositemon_site -- stop spamming logs of connect/disconnect
    register_site -- forbid new player creation from the IP
    suspect_site -- mark connections with the SUSPECT flag

    Example: (assume player is from IP 12.12.20.200)

    @admin guest_site=12.12.20.0 255.255.255.0
    

    This blocks all IP's from 12.12.20.1 through 12.12.20.255 which is the preferred start for blocking since most people have DYNAMIC IP addresses and not STATIC IP addresses.
    NOTE: MUX2 since 2.7 allows CIDR notation (ergo, /24 instead of 255.255.255.0)

    Keep in mind @admin is NOT persistent. When you reboot or restart your mush, those values are no longer there. To make them permanent you need to use the .conf file method.
    Example:

    guest_site 12.12.20.0 255.255.255.0
    

    To make any .conf file change take effect, the system will have to be @restarted.

    Now for Limits:
    To set in-game:

    @admin function_invocation_limit=25000
    

    To set in .conf file:

    function_invocation_limit 25000
    

    allow_guest_from_register_site -- allow guest to connect to register sites (boolean)
    function_invocation_limit (default 2500) how many functions can be called from a single command
    function_recursion_limit (default 50) how many times a function can call itself
    lock_recursion_limit (default 20) -- amount of times a lock is allowed to be called
    notify_recursion_limit (default 20) -- number of times notify() can be called recursively. Notify() is an internal call to TinyMUSH3 that handles the messaging bus. So it's essentially a low-level run away process handler for potential bad coding ;)
    player_queue_limit (default 100) -- total number of queue entires a player may have at any one time
    retry_limit (default 3) -- number of times a player can attempt to connect to a player before being disconnected
    stack_limit (default 50) -- number of stack entries allowed with push()
    zone_recursion_limit (default 20) -- maximum number of zones that can be chained
    parent_recursion_limit (default 50) -- maximum number of parents that can be chained
    pcreate_per_hour (default 100) -- maximum number of player creations allowed an hour
    references_per_hour (default 500) -- maximum number of @references allowed an hour
    user_attr_per_hour (default 5000) -- maximum number of attributes a player can create new per hour
    mail_per_hour (default 50) -- maximum number of mail allowed per hour

    Commands:
    @disable -- the ability to disable all logins except staff
    @icmd -- disable commands based on player or room/location
    @nuke/@toad -- destroy a player
    @boot -- boot a player from the game
    @newpassword -- change target's password

    Flags:
    To set:

    @set *player=slave
    

    SLAVE -- When set the player can not issue any command that could potentially change the database
    GAGGED - player can not talk
    SITEMON -- allows a player to monitor player connects/disconnects
    NOSPOOF -- allows you to see enactor of a @pemit, @emit, say, pose, etc. Can be spammy
    FIXED -- target can not teleport

    -----------------------------------------------------------------------------------------------------------------
    And now, PennMUSH

    You will see PennMUSH is a unique animal and has... very little to do with the TinyMUSH/MUX method of restrictions, and I may miss a few and if I do, please message me and I'll update this ASAP.

    Site Restrictions:
    @sitelock <args>=<parameters>

    Examples, to block specific player:
    @sitelock/player PLAYERNAME=RESTRICTION
    Examples:

    @sitelock/ban/player Buttclown
    @sitelock/register/player Buttclown
    

    First example bans (forbids) the player from his current IP
    Second example disallows new players (registers) from his current IP

    Examples, to block specific sites:
    @sitelock IP=RESTRICTION
    Examples:

    @sitelock *.buttclown.com=!connect
    @sitelock *.mildlyannoying.com=!register
    @sitelock *.aol.com=!connect,Guest
    

    First example bans (forbids) anyone connecting from that site
    Second example registers anyone connecting from that site
    Third example blocks only guests from that given site.

    As you can see, it does allow hostnames unlike TinyMUSH3 and MUX, and also allows wildcarding. Which is much nicer.

    Limits:
    @config/set PARAMETER=VALUE (only lasts until reboot/restart)
    @config/save PARAMETER=VALUE (#1/God only -- and permanent)

    Examples:

    @config/set max_attrs_per_object=50
    @config/save max_attrs_per_object=50
    

    max_attrs_per_object -- maximum attributes allowable per object
    max_guests -- maximum number of guests allowed
    connect_fail_limit -- maximum number of times in a 10 minute window someone can fail to connect to a player
    startups -- disable @startups from triggering on start (useful if hackers)
    player_creation -- globally enable/disable player creates at connect screen
    guests -- enable/disable guest connects
    safer_ufun -- enable/disable the use of safer ufunctions
    function_side_effects -- enable/disable the use of SIDEEFFECT functions
    player_queue_limit -- max entries a player can have in a queue
    max_depth -- max recursions a @lock can have
    function_recursion_limit -- max recursions a function can call itself
    function_invocation_limit -- maximum functions allowed per command
    queue_entry_cpu_time -- maximum cpu a queue entry is allowed
    max_aliases -- maximum @aliases a player can have
    max_parents -- maximum parents allowed in a chain
    call_limit -- maximum depth of the stack the parser is allowed to have

    Commands:
    @boot -- boot the player from the game
    @nuke -- destroy/remove the player from the game entirely
    @newpassword -- change target's password
    @disable -- disable logins

    Flags:
    To set:

    @set *player=fixed
    

    NO_TEL -- Stop teleporting period
    FIXED -- stops from using @tel/home
    SUSPECT -- Set suspect
    GAGGED -- stop from talking
    Z_TEL -- stops from teleporting out of the zone

    -----------------------------------------------------------------------------------------------------------------
    And now, RhostMUSH

    RhostMUSH is an combination of, well, everything. And because of the flexibility and customizations, can be daunting, but here we go:

    Rhost allows two ways for site restrictions.
    Site Restrictions
    @admin PARAM=SITE IP
    @admin PARAM2=WILDCARDHOST

    NOTE: Since Rhost 3.2.4p13 Rhost allows CIDR notation (/24 instead of 255.255.255.0)

    The first method:
    Example:

    @admin forbid_site=12.12.20.0 255.255.255.0
    @admin forbid_site=12.12.20.0 255.255.255.0 3
    

    The first example hardforbids the site from connecting.
    The second example forbids the site from connecting after 3 connects have already been allowed. This allows connections but stops spamming.
    Both options are available for all site parameters.

    forbid_site -- forbid site from connecting
    register_site -- disallow player creation from site (set to 0.0.0.0 0.0.0.0 to disable player creation entirely)
    suspect_site -- set site suspect
    noguest_site -- disallow guest from connecting.
    noauth_site -- disallow AUTH IDENT lookups
    noautoreg_site -- disallow site from auto-registration on connect screen
    passproxy_site -- allow IP to bypass auto-proxy blocking
    nodns_site -- don't do DNS/RDNS lookups
    forbidapi_site -- don't allow API connections from site

    For the second method we have: (wildcards optional)
    Examples:

    @admin forbid_host=*.buttclown.com *.bob.com !*.foo.com
    @admin forbid_host=*.buttclown.com|3
    

    First example blocks wildcard buttclown.com, bob.com, and removes foo.com
    Second example adds buttclown.com and forbids after 3 connections.

    tor_localhost -- the hosting server that will monitor and block TOR connections
    noautoreg_host -- the hostname for blocking autoregistration
    passproxy_host -- the hostname to bypass proxy blocking
    validate_host -- disallow email from autoregistration
    forbidapi_host -- hostname to forbid api
    mysql_host -- hostname for the MySQL server
    register_host -- hostname to stop player creation
    forbid_host -- hostname to stop connections
    suspect_host -- hostname to set suspect
    noguest_host -- stop guests from connection
    nobroadcast_host -- stop site monitor chatter for site (still logs)

    The following specific other options are useful for site restrictions:
    @goodsite -- attribute to set on target player to specify what wildcard IP's -are- allowed to connect from (IP only, no hostname)
    @badsite -- attribute to set on target to specify what wildcard IP's are not allowed to connect from (IP only, no hostname)
    NOCONNECT -- flag to set on player to stop connections
    Examples:

    @goodsite #1=127.0.0.1
    @badsite *twink=12.12.20.*
    

    And now, the configuration list of hell:
    Examples:
    Ingame:

    @admin function_invocation_limit=25000
    

    In netrhost.conf file:

    function_invocation_limit 2500
    

    authenticate -- toggle to specify authentication (AUTH) lookups
    max_players -- max players allowed to connect to the mush at any time. The default for this is 40 less than the current maximum allowed based on server specifications to avoid DoS/DDoS. This ceiling is impossible to go past.
    cpu_secure_lvl -- define how the mush will treat those who hit the CPU limit. 0 is just stop 1 is halt the owner, 2 sets FUBAR, 3 sets NOCONNECT and boots, 4 does all of 3 and sets register, 5 does all of 3 and sets forbid
    cpuintervalchk CPU load before engaging CPU protection (default 5% system load)
    cputimechk CPU time in seconds before CPU protection (default 5 seconds)
    heavy_cpu_max (default 50) heavy cpu intensive features are auto-tagged this for additional cpu protection. This is how many times it can be called per 'command'
    max_cpu_cycles (default 3) number of times a target can hit the CPU alert before restrictive measures via cpu_secure_lvl is enacted
    max_lastsite_cnt (default 20) number of connections from a site allowed a minute
    min_con_attempt (default 60) seconds to check for max_lastsite_cnt
    lastsite_paranoia (0-3) sets restrictive level to use if max_lastsite_cnt is reached. 0 is take no action. 3 is forbid
    max_sitecons -- (default 50) absolute maximum number of connections a specific site can have online at any time.
    max_pcreate_lim -- number of connect creates allowed per minute
    max_pcreate_time -- time allotted between pcreate lim checks
    pcreate_paranoia -- (0-3) sets restrictive level to use if max_pcreate_lim is reached.
    spam_limit -- maximum number of commands allowed by a player per minute if set SPAMMONITOR (default 60)
    player_queue_limit -- maximum queues allowed per player at any time (default 100)
    wizard_queue_limit -- maximum queues allowed for a wizard at any time (default 1000)
    function_invocation_limit -- (default 2500) maximum functions allowed per command
    function_recursion_limit -- (default 50) maximum number of times a function can call itself.
    secure_functions -- switches internal permissions of old-processing functions to be more secure, but breaks backward compatibility
    fascist_teleport -- players can't teleport out of anything they don't control or isn't set JUMP_OK
    restrict_home -- lock down the 'home' command to specific bitlevel
    restrict_home2 -- toggle enable/disable 'home' from those set NO_CODE
    restrict_sidefx -- specify what bitlevel SIDEEFFECT functions will work
    sideeffects -- specify what sideeffects are allowed
    sidefx_maxcalls -- how many sideeffects are allowed per command
    max_vattr_limit -- maximum unique user-attributes a player can create for his lifetime
    wizmax_vattr_limit -- maximum unique user-attributes a wizard can create for his lifetime
    vlimit -- maximum attributes allowed per object
    wildmatch_limit -- maximum number of wildmatches allowed per command
    lock_recursion_limit -- maximum lock recursion per command
    notify_recursion_limit -- maximum notify's allowed (internal notify call)
    nonindxtxt_maxlines -- maximum number of lines allowed to be read from @log
    max_percentsubs -- maximum percent substitutions allowed per command
    max_dest_limit -- maximum number of items that can be @destroyed by a player for a lifetime
    wizmax_dest_limit -- maximum number of items that can be @destroyed by a wizard for a lifetime
    safer_passwords -- enforce strict @passwords
    newpass_god -- allow newpasswording #1
    nospam_connect -- consolidates logs on people who attempt to keep trying to connect while forbidden
    examine_restrictive -- lockdown who can examine/@decompile
    ahear_maxtime -- maximum ceiling in seconds an @ahear is allowed to process
    ahear_maxcnt -- maximum recursions @hears are allowed
    cluster_cap -- ceiling on the number of cluster members allowed
    cluster_func_cap -- recursion ceiling on the cluster function handler
    includecnt -- number of times @include is allowed per command set
    includenest -- number of recursions @include is allowed
    lfunction_max -- maximum number of @lfunctions allowed a player
    safer_ufun -- make u() become protected in evaluation
    max_name_protect -- maximum number of @protect alises a player can have
    float_precision -- floating point precision you want allowed. from 0 to 48
    functions_max -- maximum number of @functions allowed to be defined
    parent_nest_limit -- maximum parents allowed in a parent chain
    imm_nomod -- is the NOMODIFY flag only allowed to immortals?
    start_build -- specifies if new players will or will not start with the WANDERER flag -- This defaults to '0' meaning they have the WANDERER flag which restricts all building.
    admin_object -- the @admin object that you can use to set permanent config settings in-game
    file_object -- the master override for all .txt files. this allows you to either set softcode to all those .txt files (like connect.txt) or design custom commands at the connect screen.
    access -- change access of various commands
    func_access -- change access of various functions
    config_access -- change access of various config options
    flag_access_set -- set who can set flags
    flag_access_unset -- set who can unset flags
    flag_access_see -- set who can see flags
    flag_access_type -- typecast permissions on flags
    toggle_access_set -- set who can set toggles
    toggle_access_unset -- set who can unset toggles
    toggle_access_see -- set who can see toggles
    toggle_access_type -- typecast permission on toggles
    proxy_checker -- set permission restriction level on dynamic proxy detection. Please note, use this sparringly and only if you absolutely have to. The Good news: this will detect most proxies, most of the time. It does this by scanning and comparing the MTUand MSS values and scraping the TCP header for overhead. most proxies require this padding to actually, well, proxy the information out. This means that MSS and MTU values will almost always be a different size for anyone and anything that uses a proxy. Now, the Bad News. Anyone coming out from a business SOCKS server, Firewall, DMZ, or, well, just coming out of a business will likely be identified by a proxy. You use your android device to mush? That's a proxy as well since the android TCP layer is ontop of a java stack. IPhone? Same beast. Pretty much any mobile device will be seen as a proxy, which is accurate, but likely not the type of people you want to block. Sooo, again, use this sparringly. I suggest enabling it to a level to allow monitoring, and only crank it up to deny if you're being directly attacked.

    Special commands to monitor/set security:
    @snoop -- Yup, it exists. This is an optional log or real-time monitor of a player
    @newpassword -- change target's password
    @aflags -- list permissions of attributes or set up global prefix restrictions based globally, by target, by enactor, or by sub-group
    @log -- control system logs
    @logrotate -- rotate logs real-time or verify current status of log file
    @api -- control who can set/unset/config/use the restful-like API interface
    @blacklist -- load in the blacklist which is created with the script tor_pull.sh that queries and pulls down the majority of public proxy IP's
    @tor -- control real time TOR proxy protection
    @freeze/@thaw -- real time queue freezing and thawing for sandboxing queues live
    @icmd -- control individual, room, or zone based access control of all commands a player can access
    @nuke/@toad/@turtle -- destroy and/or convert a player to a non-player.
    @recover -- recover a @nuked or @destroyed item from the database. This can be done until the object is @purged. Works like a recycle bin.
    @snapshot -- make a live snapshot image dump of the targetted dbref# for safe keeping
    @boot -- boot the player
    @disable -- disable logins to all but staff
    @flagdef/@toggledef -- in-game alter permissions of flags and toggles
    @site -- remove site permissions set via @admin foo_site (like forbid_site, suspect_site, etc)
    @limit -- assign limits (@destroy, user-attribute, or @lfunction) to target player. This has the effect of enabling, disabling, or overriding the global values for max values. so you can use this, for example, to disable a player's ability to set any user-defined attributes requiring them to only use @va-vz, @desc, and so forth.

    Well, wasn't that fun. Now we get to @toggles and @set flags:
    Toggles:
    Example:

    @toggle *player=forcehalted
    

    CPUTIME -- returns extremely useful data on runtime values of a command that executes
    FORCEHALTED -- allows you to @force something even if it's halted
    LOGROOM -- log everything the room sees. This is intended for IC purposes and will notify the player that logging is going into the room
    MAIL_LOCKDOWN -- stop wizards from being able to see other people's mail.
    MONITOR/MONITOR_AREG/MONITOR_SITE/MONITOR_CPU/MONITOR_VLIMIT/MONITOR_etcetc -- drilldown of all the in-game broadcasts for most of the built-in game RhostMUSH monitoring. CPU overloads, attribute caps being reached, success/failed connect attempts, and so forth. Ergo, day to day monitoring needs. The MONITOR foo in Rhost is very beefy, so please refer to the wizhelp on all the MONITOR @toggles for more information.

    Flags:
    Example:

    @set *player=slave
    

    WANDERER -- restrictive flag. Set on all new players by default unless configured otherwise. Stops all building/creating and requires removal before building allowed.
    GUILDMASTER -- first tier of staff bit
    ARCHITECT -- second tier of staff bit
    COUNCILOR -- third tier of staff bit
    ROYALTY -- this is your vanilla Wizard on other mushes
    IMMORTAL -- this is essentially #1 and 'all powerful'
    BACKSTAGE/NOBACKSTAGE control flags specifying who can control things set BACKSTAGE
    FUBAR -- stop from doing absolutely everything except ':' and '"'. Nothing else.
    SLAVE -- this also stops ':' and '"'. Used in combination with FUBAR to make a statue.
    INDESTRUCTIBLE -- nothing can destroy the target, not even #1
    NO_CODE -- stops target from doing all but the most basic commands and functions
    NO_CONNECT -- target can not log in
    NO_EXAMINE -- target can not be examined/@decompiled except by wizards
    NO_MODIFY -- target can not be modified except by wizards (or optionally just immortals)
    NO_MOVE -- target can not be moved by any means
    NO_TEL -- target can not be teleported, use teleport, or use home
    NO_PESTER -- target can not use whisper or @pemit
    NO_POSSESS -- target can not log into their player more than twice
    SPAMMONITOR -- target can not issue more than 60 commands a minute

    @depowers: -- These are tiered and inheritable from the player. Meaning permission levels can be decreased or removed entirely.
    Example:

    @depower/councilor *player=wall
    

    WALL -- disable walling
    STEAL -- disable getting items/gold
    WIZ_WHO -- disable wiz who
    BOOT -- disable boot
    FORCE -- disable @force/@sudo
    MASTER -- disable access to the master room
    NUKE -- disable @nuke/@toad/@turtle
    OVERRIDE -- disable overiding locks (wizards do this by default)
    TEL_ANYTHING -- disable teleporting anything
    POWER -- disable access to @power
    MODIFY -- disable ability to modify things
    CHOWN_OTHER -- disable ability to chown things you don't own
    UNL_QUOTA -- disable unlimited quota (useful on staff)
    GIVE -- disable the ability to give... anything...
    NOGOLD -- disable the ability to give or take gold
    PASSWORD -- disable ability to change passwords
    PERSONAL_COMMAND -- disable the ability to use any $commands on anything you own
    LONG_FINGERS -- disable all remote access features
    CREATE -- disable the ability to create anything
    CLOAK -- disable the overpowered wizcloaking ability from wizards
    PAGE -- no page for you!!!
    LOCK -- you can't pass locks. Ever. At all. Sucks to be you.
    COMMAND -- you can't use any $command. Anywhere. Only hardcoded commands for you!
    EXAMINE -- you can't examine/decompile or use any method to list attribs
    FREE -- everything is going to cost you gold
    TEL_ANYWHERE -- you can't teleport anywhere
    PCREATE -- disable wizards ability to create players
    QUOTA -- more more quota control for you
    CHOWN_ME -- you can't chown anything to yourself
    ABUSE -- you can only use $commands on things you own. Nothing else, including master room.
    SEARCH_ANY -- disable all db searching tools
    RECEIVE -- you can't receive anything
    DARK -- you can't go dark, and even if you miraculously were set DARK it'd not work for you.

    IMPORTANT NOTE: Wizards in RhostMUSH by default override all locks and have a unique ability called 'wizcloaking'. If a wizard is set DARK and UNFINDABLE then they become cloaked (like a Romulan bird of pray) and will be undetectable by any means except by another wizard. Immortals have a super-cloak ability that makes them invisible to Wizards in addition. As shown above, there is a @depower to disable cloaking if it's abused.

    ABOUT IMMORTALS: Immortals treat as #1. Seriously. They can do anything and everything. They have commands at their fingertips to literally hack and edit the database live, and naturally if they don't know what they're doing, can crash the mush, because of all this raw editing capabilities. Only set Immortal those who absolutely need it or you absolutely trust. Head coders, for example, should likely have an Immortal bit. Also, Immortals by default override pretty much every restriction in the game. A player set NO_TEL? Um yea, immortal can still @teleport them. This is intentional, because it's assumed Immortal's code should just work. So keep that in mind while coding. Cheers.

    For help identifying the twink, please refer to identifying the buttclown by IP

    For help in securing up your Evennia game (Thanks Griatch!)

    Expect updates here shortly on covering Ares (thank to Faraday).

    ** Edited: Mon Dec 7th, 23:05 CST **


  • Coder

    Step One: Upvote that post.
    Step Two: Look for the three dots next to the increased number. Click on it. Click on 'Bookmark'.
    Step Three: Profit. For real this time.


  • Coder

    And people ask why I prefer Rhost over any other server... snort


  • Coder

    I noticed I never covered how to actually find the twinks, so I'm covering that here, since the post would be over 32,000 characters otherwise.

    -----------------------------------------------------------------------------------------------------------------
    How to go about finding the twink

    Ok, I just realized I never had anything covered on how to actually run down and discover the twink that's attacking you.

    Let's assume the IP of the person attacking you is 172.217.4.36. For those curious, that's an IP for www.google.com. Now, you are likely curious how to go about tracing this person down and block as much as you can. So, first, let's go for the obvious.

    How do I know that IP is google?
    Easy, I did a reverse lookup on the IP.

    $ dig -x 172.217.4.36
    
    ; <<>> DiG 9.9.10-P2 <<>> -x 172.217.4.36
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56859
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 512
    ;; QUESTION SECTION:
    ;36.4.217.172.in-addr.arpa.	IN	PTR
    
    ;; ANSWER SECTION:
    36.4.217.172.in-addr.arpa. 21599 IN	PTR	lga15s46-in-f4.1e100.net.
    36.4.217.172.in-addr.arpa. 21599 IN	PTR	ord38s18-in-f4.1e100.net.
    36.4.217.172.in-addr.arpa. 21599 IN	PTR	lga15s46-in-f36.1e100.net.
    36.4.217.172.in-addr.arpa. 21599 IN	PTR	ord38s18-in-f4.1e100.net.
    36.4.217.172.in-addr.arpa. 21599 IN	PTR	lga15s46-in-f4.1e100.net.
    36.4.217.172.in-addr.arpa. 21599 IN	PTR	lga15s46-in-f36.1e100.net.
    
    ;; Query time: 56 msec
    ;; SERVER: 8.8.8.8#53(8.8.8.8)
    ;; WHEN: Mon Dec 04 11:50:45 CST 2017
    ;; MSG SIZE  rcvd: 193
    
    

    NOTE online web based dig can be found at https://www.digwebinterface.com/
    Make sure to select 'Reverse' as the option you want.

    Hum, DNS shows corporate, but let's see if we can find anything more about it...

    $ nslookup 172.217.4.36
    Server:		8.8.8.8
    Address:	8.8.8.8#53
    
    Non-authoritative answer:
    36.4.217.172.in-addr.arpa	name = lga15s46-in-f4.1e100.net.
    36.4.217.172.in-addr.arpa	name = ord38s18-in-f4.1e100.net.
    36.4.217.172.in-addr.arpa	name = lga15s46-in-f36.1e100.net.
    36.4.217.172.in-addr.arpa	name = lga15s46-in-f36.1e100.net.
    36.4.217.172.in-addr.arpa	name = lga15s46-in-f4.1e100.net.
    36.4.217.172.in-addr.arpa	name = ord38s18-in-f4.1e100.net.
    
    Authoritative answers can be found from:
    

    NOTE For the online web interface for nslookup try https://centralops.net/co/
    Nope, nothing much more, but that's ok...

    1e100.net, if you're used to google will recognize that right off the bat, but if you are not, you can dig further...

    $ whois 172.217.4.36
    
    #
    # ARIN WHOIS data and services are subject to the Terms of Use
    # available at: https://www.arin.net/whois_tou.html
    #
    # If you see inaccuracies in the results, please report at
    # https://www.arin.net/public/whoisinaccuracy/index.xhtml
    #
    
    
    #
    # The following results may also be obtained via:
    # https://whois.arin.net/rest/nets;q=172.217.4.36?showDetails=true&showARIN=false&showNonArinTopLevelNet=false&ext=netref2
    #
    
    NetRange:       172.217.0.0 - 172.217.255.255
    CIDR:           172.217.0.0/16
    NetName:        GOOGLE
    NetHandle:      NET-172-217-0-0-1
    Parent:         NET172 (NET-172-0-0-0-0)
    NetType:        Direct Allocation
    OriginAS:       AS15169
    Organization:   Google LLC (GOGL)
    RegDate:        2012-04-16
    Updated:        2012-04-16
    Ref:            https://whois.arin.net/rest/net/NET-172-217-0-0-1
    
    
    OrgName:        Google LLC
    OrgId:          GOGL
    Address:        1600 Amphitheatre Parkway
    City:           Mountain View
    StateProv:      CA
    PostalCode:     94043
    Country:        US
    RegDate:        2000-03-30
    Updated:        2017-10-16
    Ref:            https://whois.arin.net/rest/org/GOGL
    
    
    OrgTechHandle: ZG39-ARIN
    OrgTechName:   Google LLC
    OrgTechPhone:  +1-650-253-0000 
    OrgTechEmail:  arin-contact@google.com
    OrgTechRef:    https://whois.arin.net/rest/poc/ZG39-ARIN
    
    OrgAbuseHandle: ABUSE5250-ARIN
    OrgAbuseName:   Abuse
    OrgAbusePhone:  +1-650-253-0000 
    OrgAbuseEmail:  network-abuse@google.com
    OrgAbuseRef:    https://whois.arin.net/rest/poc/ABUSE5250-ARIN
    
    
    #
    # ARIN WHOIS data and services are subject to the Terms of Use
    # available at: https://www.arin.net/whois_tou.html
    #
    # If you see inaccuracies in the results, please report at
    # https://www.arin.net/public/whoisinaccuracy/index.xhtml
    #
    

    NOTE For online whois, use http://ping.eu/ns-whois/ ... make sure to click 'full info'.

    Therreeeeee we go. Notice the OrgTechName ... 'Google LLC' Yup, that's Google!
    Now, let's assume this is an IP that you want to absolutely, beyond all measure block.
    You have a few things you can do.

    First, you can try the *.1e100.net that came from the nslookup. That should work for the RDNS blocking checks.

    @sitelock *.1e100.net=!connect
    @admin forbid_host=*.1e100.net
    

    Second, you can look above from the whois output above for a section similar to the CIDR or NetRange at the start. That, my good friends, is the subnet that this person is coming from. If you block that entire subnet, you have just nailed down their entire ISP subnet that they use. Bam, gone!. Keep in mind, other users may also use this ISP, so you may want to verify anyone currently using them first.

    Ways you can check on your mush

    @search eplayer=match(get(##/lastsite),*.1e100.net)
    @search eplayer=match(get(##/lastip),172.217.4.*)
    

    Ok, so no one else uses that IP, it's free to block.

    @admin forbid_site=172.217.0.0 /16
    

    And done.

    Now, you ask what if they're using a proxy?
    Good question. There's no easy solution to that, but one thing you can do is find out what proxy group they're using, then manually go through and add every IP from that site. How do you find it?
    Believe it or not, it's fairly easy.

    Google search for the IP, again, we're assuming 172.217.4.36 is the attacker.
    So now you would google search for:

    172.217.4.36 proxy
    

    The first one or two pages of google's search will identify public proxies (if they exist) that host that IP address. So it's your job at this point to go to those proxy sites, grab the ENTIRE list of IP addresses, and then add them to your forbid_site lists. It's painful, it's long, but as I stated earlier, blocking people who use proxies is a war of attrition. Your job is to make finding new proxies harder for them than it is for you to block. And honestly cutting and pasting the entire list of IP's from these proxy sites is not that difficult.

    The only pain is before you know it, you're hitting 30,000 or more IP's blocked, but such is life.


  • Coder

    @ashen-shugar said in What to do when your mush is attacked:

    The only pain is before you know it, you're hitting 30,000 or more IP's blocked, but such is life.

    For the curious, the Internet has a little over 4,000,000,000 addresses. Do not be afraid to block a twink.

    But make sure your badsite.txt file has an address you can be reached at for false positives, but knowing that bad actors may want to spam the everloving begeezus out of it.


  • Coder

    @thenomain Which is ideally why you never use anything but a throw-away e-mail address for it. Cuz the bad actors will do horrible things with that e-mail address...


  • Coder

    @lithium said in What to do when your mush is attacked:

    @thenomain Which is ideally why you never use anything but a throw-away e-mail address for it. Cuz the bad actors will do horrible things with that e-mail address...

    As long as you can catch the good actors. Don't let the bad actor turn you into a bad person.


  • Coder

    @Ashen-Shugar asked me to supply a similar list for Evennia. Note that all of these commands could also be prepended with @, + etc if desired.

    who -- (as admin) Find the IP of a account. Note that one account can be connected to from multiple IPs depending on what you allow in your settings.
    examine/account thomas -- Get all details about an account. Can also use *thomas to get the account. If not given, you will get the Object thomas if it exists in the same location, which is not what you want in this case.
    boot thomas -- Boot all sessions of the given account name.
    boot 23 -- Boot one specific client session/IP by its unique id.
    ban -- List all bans.

    +----+---------------+--------------------------+--------+
    | id | name/ip       | date                     | reason |
    +~~~~+~~~~~~~~~~~~~~~+~~~~~~~~~~~~~~~~~~~~~~~~~~+~~~~~~~~+
    | 1  | 134.233.2.111 | Thu Dec  7 19:13:13 2017 |  Spam  |
    +----+---------------+--------------------------+--------+
    
    

    ban thomas -- Ban the user with the given account name
    ban/ip 134.233.2.111 -- Ban by IP
    ban/ip 134.233.2.* -- Widen IP ban
    ban/ip 134.233.*.* -- Even wider IP ban
    unban 34 -- Remove ban with id #34

    cboot mychannel = thomas -- Boot a subscriber from a channel you control
    clock mychannel = control:perm(Admin);listen:all();send:all() -- Fine control of access to your channel using lock definitions.

    Locking a specific command (like page) is accomplished like so:

    1. Examine the source of the command. The default page command class has the lock string "cmd:not pperm(page_banned)". This means that unless the player has the 'permission' "page_banned" they can use this command. You can assign any lock string to allow finer customization in your commands. You might look for the value of an Attribute or Tag, your current location etc.
    2. perm/account thomas = page_banned -- Give the account the 'permission' which causes (in this case) the lock to fail.

    perm/del/account thomas = page_banned -- Remove the given permission

    tel thomas = jail -- Teleport a player to a specified location or #dbref
    type thomas = FlowerPot -- Turn an annoying player into a flower pot (assuming you have a FlowerPot typeclass ready)
    userpassword thomas = fooBarFoo -- Change a user's password
    delaccount thomas -- Delete a player account (not recommended, use ban instead)

    server -- Show server statistics, such as CPU load, memory usage and how many objects are cached
    time -- Gives server uptime, runtime etc
    reload -- Reloads the server without disconnecting anyone
    reset -- Restarts the server, kicking all connections
    shutdown -- Stops the server cold without it auto-starting again
    py -- Executes raw Python code, allows for direct inspection of the database and account objects on the fly. For advanced users.

    Below are server setttings that may be of use. These are changed in mygame/server/conf/settings.py and require a server reload.

    LOCKDOWN_MODE = True -- This will turn the server into isolation mode, disabling all external connections. Useful if you need to run it to debug/test some security issue before letting others on.
    MAX_CONNECTION_RATE -- Limit how many connection attempts per second the portal should accept before starting to drop connections. This is a global value, for all IPs.
    MAX_COMMAND_RATE -- How many commands per second a Session may send. Note that this also includes Out-Of-Band messages between client<->server, so should not be set too low for games using OOB.
    MAX_CHAR_LIMIT -- Limit how many characters can be sent in one command.
    IN_GAME_ERRORS -- This will show tracebacks in the game when they happen rather than just log them and give a generic error message to the player. While very useful for development, this could be considered a vulnerability since it reveals a lot about the underlying code to the player.
    GUEST_ENABLED -- Turn on/off guest access.
    PERMISSION_GUEST_DEFAULT -- Which permission levels given to new guests.
    GUEST_HOME -- Change guests' home location.
    GUEST_START_LOCATION -- Change where guests start when logging in.
    DEBUG -- This mode will show full tracebacks in the browser on HTTP errors etc. Don't use this in production, it's leaking memory like crazy (by design it stores everything).


Log in to reply
 

Looks like your connection to MU Soapbox was lost, please wait while we try to reconnect.