Page 5 of 11

Re: BaseJKA Security Fix

Posted: Wed Aug 22, 2007 11:10 pm
by cybermaniac
under normal circumstances yes, but when you have about 30-40 logs to look through, and them being from different servers, things get slightly complicated.


feel free to contact me on xfire or msn and i can go through the details of this further:

msn: modem7@hotmail.com
xfire: modem7

Re: BaseJKA Security Fix

Posted: Wed Aug 22, 2007 11:28 pm
by Gamall
If you look daily at the logs of 30 to 40 servers to debunk lamers, then you are even more paranoid than I ever was :lol

I will add the IP to name change logs, but it will be optional (cvar).

Note that you can use tools such as *nix grep or variants of regex to make your daunting task much easier... judicious use of them can replace (and outshine) logs redundancy ;).

Re: BaseJKA Security Fix

Posted: Wed Aug 22, 2007 11:37 pm
by cybermaniac
Gamall wrote:If you look daily at the logs of 30 to 40 servers to debunk lamers, then you are even more paranoid than I ever was :lol

I will add the IP to name change logs, but it will be optional (cvar).

Note that you can use tools such as *nix grep or variants of regex to make your daunting task much easier... judicious use of them can replace (and outshine) logs redundancy ;).
i have a program already in the works that takes your logs, and sorts them out on IP vs Name.

however, the issue arises when people connect as "padawan" and change later on, thats where my program is currently failing :(

what can i say - im a paranoid little nerd :P

Re: BaseJKA Security Fix

Posted: Wed Aug 22, 2007 11:53 pm
by Gamall
cybermaniac wrote:i have a program already in the works that takes your logs, and sorts them out on IP vs Name.
That is Good :ouioui
cybermaniac wrote:however, the issue arises when people connect as "padawan" and change later on, thats where my program is currently failing
As a workaround before I add more redundancy, you can track these back through client number: for instance have your prog detect connect statements and extract the ip and client number (easy), and replace every subsequent occurence of ClientUserinfoChanged : N by the same plus the ip corresponding to client N. This will emulate the wanted redundancy.

I think that after the next release I shall make the thing open-source, that way everyone can make that kind of custom modifications to their liking :?
what can i say - im a paranoid little nerd :P
Now I'm really scared :fuite

Re: BaseJKA Security Fix

Posted: Sat Sep 08, 2007 12:58 pm
by Gamall
Ok, I am at last resuming work on this thing.

What I intend to do is
  • Clean some parts of my code.
  • Add as many of the requested features as I can and have time to, given my timetable.
  • Rewrite the documentation with GaTeX.
  • When I'm through, I'll make a final build and release the whole source code under the terms of the GNU General Public License, so you can add any other desired feature yourself.
After that, I won't be adding any feature any more, as I stopped playing JKA too long ago :?

I'll still support the mod though, and to some extent help with the code if need be.

Re: BaseJKA Security Fix

Posted: Sat Sep 08, 2007 3:17 pm
by Gamall
First off, the 1.0f version for Linux. Identical to 1.0f May 11 07, but for Linux ;)

Just replace the jampgame.so by this one. Test server: 213.251.186.99:29070

Re: BaseJKA Security Fix

Posted: Sat Sep 08, 2007 5:49 pm
by Gamall
Humm... I cannot reproduce the /model jedi_hm/head_a1|head_a1|head_1 bug you mentioned. It yields a seemingly normal human skin, which appears "silver" in the skin selection screen, but that is about it... No invisible skin :?

Re: BaseJKA Security Fix

Posted: Mon Sep 10, 2007 12:22 am
by John Preston
/model jedi_hm/head_a1|head_a1|head_1
Mistake - head_a1

Re: BaseJKA Security Fix

Posted: Mon Sep 10, 2007 12:28 am
by John Preston
also u can try
/model jedi_hm/model_siege|head_a1|torso_a1
Its more weird :)

btw, if u want to prevent new bugs & glitches, dont release source code :D It is not so needfull.
Just make a final version.

Re: BaseJKA Security Fix

Posted: Tue Sep 11, 2007 6:40 pm
by Gamall
Ok, I'll test that, I didn't notice the mistake :)

While I'm at it, here is what I've done so far:

Version 1.0f to 1.1 changelog:
  • fixed a false positive: bots were detected as a fake player attack ; although this had no real consequence, it was a source of confusion in the logs.
  • Logs now differentiate connexions from bots and from real players.
  • messages from the dedicated server have been made slightly more visible: the tag is now [SERVER], with colors.
  • :n on the other hand, the /svsay command can't be altered, as it is hard coded into jampded instead of jampgame.
  • The IP is now logged each time somebody changes their names.
  • Added the /(t)ime client command, displaying the local time of the server:
    servertime.PNG
    servertime.PNG (17.25 KiB) Viewed 11354 times
  • Added cvar ga_doNotAllowDualKataSpin, default 0, preventing anyone in a dual kata from spinning like a madman. (slightly buggy, as the screen seems to vibrate when moving the mouse, but it works. I'll improve that if I find a way)
  • Added cvar ga_nameLengthLimit: names will be truncated not to exceed that length. Note that color escape sequences, such as ^1, are not counted.
  • Some ga_* cvars are now marked as serverinfo (external tools can read them).
  • Added the /info client command and ga_serverInfo cvar. /info displays the contents of the cvar. Admins can put rules, etc in there, and any player can read it anytime.
  • Anti model/color change spam/lag: any player can now freely change their info only 50 times per map (unless they reconnect of course). After that, they need to wait three full seconds between each change.
left to do: connection log.
John Preston wrote:btw, if u want to prevent new bugs & glitches, dont release source code :D It is not so needfull.
Just make a final version.
The source code of that jampgame component is already out :D It is what I'm working on :huhu

Besides, security through obscurity (ie. puting your code in a vault hoping nobody will find anything without it) does not work ;)

Re: BaseJKA Security Fix

Posted: Tue Sep 11, 2007 10:28 pm
by cybermaniac
fantastic work so far

thx

Re: BaseJKA Security Fix

Posted: Thu Sep 13, 2007 8:33 am
by John Preston
Great job, thanx.
we'll be waiting...

Re: BaseJKA Security Fix

Posted: Sun Sep 16, 2007 10:15 pm
by Gamall
Hello :)

Changes made since last time:
  • Another log file, ga_ConnectLog.txt, listing every connection is now created by the server: for instance

    Code: Select all

    [Sun Sep 16 20:23:02 2007] [========================== SERVER START ==========================]
    
    [Sun Sep 16 20:23:11 2007] Connect :: name(num) = [^5G^7amall ^5W^7ednesday ^5I^7da]( 2) :: ip = [      127.0.0.1] :: userinfo = [COMPLETE USERINFO STRING LOGGED HERE]
    
  • The logs now use real time:

    Code: Select all

    [Sun Sep 16 20:24:03 2007]  Kill: 2 1 3: ^5G^7amall ^5W^7ednesday ^5I^7da killed Desann by MOD_SABER
    [Sun Sep 16 20:24:07 2007]  say: (1)Desann: Impressive, most impressive... but you are not a Jedi yet!
    [Sun Sep 16 20:24:11 2007]  Kill: 2 4 3: ^5G^7amall ^5W^7ednesday ^5I^7da killed Imperial Saboteur by MOD_SABER
Here is a windows build, so you can test the new features of v1.1 on your computer.

At the time, I cannot build it on linux (strange bug with the time functions).

Re: BaseJKA Security Fix

Posted: Sat Sep 22, 2007 9:07 pm
by John Preston
aha...
any news?

Re: BaseJKA Security Fix

Posted: Sat Sep 22, 2007 9:24 pm
by Gamall
John Preston wrote:aha...
any news?
Er, no, I'm waiting for feedback on the test version I have uploaded :?

Most of the changes since v1.0f are features you requested, you know, so I'm waiting for you to confirm that you have tested the thing and that they do work the way you wanted them to before moving on.