[Vortrex]

Hackers ... we all hate them. Teleporting, god mode, and the arrogance. Some even have the ability to block being kicked, which makes things increasingly difficult for server owners when they decide to wreak havoc upon the servers.

I thought of a couple of ways for server owners to fire back at them, but I need some thoughts. If you have any other methods, feel free to post in this topic.


First, what about sync? The onPlayerUpdate isn't perfect, but it could potentially work. If a player is designated as a hacker, then deny their sync packets with a return 0;

How about trapping them in a different virtual world? All vehicles, players, scripted objects and more will be completely invisible and inaccessible to them. This would be my preferred method.


What do you think? Shout out some ideas!
I can already foresee some flaming and arguing, so please keep this thread civil and on topic.

[Motley]

Well I to have been working with weird options. I will attempt to correctly share them

First I should add is your fix “Vortex” with “S19” additions

//client scripts

Code: [Select]

SecretFunction <- CallServerFunc;
CallServerFunc <- null;
dofile <- null;//thanks to Ankris [CREDITS]

function onPlayerConnect( player )
{
CallClientFunc( player , null , "setroottable" , null );
}
Next I will attempt to paste a code I just threw together.


[some of the codes moved around and could be incorrect due to I just threw it together but you get the idea]
CMD

Code: [Select]

else if ( cmd == "banluid" )
{
        local Admin = hsh_Admin.Get( player.LUID );
        if ( Admin )
{
if ( !text ) MessagePlayer( "Error - Invalid Format. /c ban <player> <reason>", player );
else
{
if ( i < 2 ) MessagePlayer( "Error - Invalid Format. /c ban <player> <reason>", player );
else
{
local plr = GetPlayer( GetTok( text, " ", 1 ) ), reason = GetTok( text, " ", 2, i );
if ( !plr ) MessagePlayer( "Error - Invalid Nick/ID.", player );
else if ( plr.ID == player.ID ) MessagePlayer( "Error - You can't /c ban yourself.", player );
else
{
Message( "* Admin " + player + " has Fully banned:[ " + plr + " ] LUID/ Reason:[ " + reason + " ]" );
hsh_BanInfo.Add( plr.LUID , plr.IP );
BigMessage(plr, "~r~BANNED", 999999, 3);
//SetCameraMatrix( player, Vector(0, 2000, 0), Vector(0, 0, 0) );//thanks S19[crash plr]
                                                KickPlayer( plr );
}
}
}
}
}
[function]

Code: [Select]

function Banned( player )
{
   local Banned = hsh_BanInfo.Get( player.LUID );
   
   if ( Banned )
   {
  MessagePlayer ( "[#c60000]You are Permnetly BANNED!! from the server", player ); 
  BigMessage(player, "~r~BANNED", 999999, 3);
  //SetCameraMatrix( player, Vector(0, 2000, 0), Vector(0, 0, 0) );//thanks S19[crash plr]
          KickPlayer( player );
   }
}
[onplayerconnect]

Code: [Select]

function onPlayerConnect(player)
{

  Banned( player );
 
  return true;
}

I hope you understand the code, what i am aiming for,. My scripting is weak but i can do majority of things.

I like your idea's some of the ideas you have will work. My scripting is not complex enough to understand. Unless i see the scripts and understand them.Kudos to you for attempting this as your scripting is strong.

[rwwpl]

Block sending messages or commands from "Player" nickname.

Code: [Select]

function onPlayerAction(player,text)
{
if (player.Name.tolower() == "player") KickPlayer(player);
else //(the rest of script)
}


Code: [Select]

function onPlayerChat(player,text)
{
if (player.Name.tolower() == "player") KickPlayer(player);
else //(the rest of script)
}


Code: [Select]

function onPlayerCommand(player,cmd,text)
{
if (player.Name.tolower() == "player") KickPlayer(player);
else //(the rest of script)
}


[Theremin]

I'd share my thoughts in the long run, some caused by the frustration of not being able to eradicate some spoilsports:

I think the first thing to do would be creating an anticheat, maybe with some help from the community, cause I think no server has a great security in LU, maybe some have a decent anticheat, but still full of flaws and false positives, I'm still not sure you can prevent every "cheat" to be used though, client exploit being an example.

The second step would be dealing with those players who manage to constantly evade bans, In my opinion it's better not to use UID bans on those players, this is because if we don't ban their UID, there is a chance they probably won't change it, so we still can recognize them and trolling them accordingly, even this method isn't 100% perfect, because cheaters could spoof both their IP and their UID and we won't be able to recognize them, or detect they are multiaccounting in case they changed their name as well.

So here comes the third point, kinda extreme in my opinion, subnet banning major VPNs? I know VPNs have a lot of IPs, but few subnets, so this would make the job faster, you can even retrieve a list of some VPN IPs by googling as well.

[Motley]

The second step would be dealing with those players who manage to constantly evade bans, In my opinion it's better not to use UID bans on those players, this is because if we don't ban their UID, there is a chance they probably won't change it, so we still can recognize them and trolling them accordingly, even this method isn't 100% perfect, because cheaters could spoof both their IP and their UID and we won't be able to recognize them, or detect they are multiaccounting in case they changed their name as well.

I have to worried this theremin. But i have also notice those players with the hack the actual real LUID stays the same in the server log. even after ensuring that LUID ban is active STRANGE? YES I personally think the ban method i listed is helpful due to there hacks could be, running client scripts/turning off the ban. as well as if they are injecting random LUIDS, Because as i said there LUIDS have stayed the same on my server even after injecting there LUID hack.

So the logic behind  my ban is to bypass any hack they have and get the original LUID and add it to a file and if that file becomes a possitive on connect/KICK.

After realizing this, as well as talking with Vortex with the built in ban option i feel this way is best. as you could add if IP = true kick on playerconnect as well, also as well as just add it to your normal ban.
I WOULD BE PISSED IF I WAS A HACKER AND COULD NOT BYPASS THIS


This only leaves Reinstalling &*((^%#[Some may know what im talking about]. Eventually they will give up  .

Also they may run client scripts to turn off hashes due to this. If so you will need to switch things around as well, .hsh to .elf etc,. they may even attempt to steel your scripts to understand the ban system so i suggest creating another script folder and compile it if you feel that is best. so they cant view it but only work with it even though there not admin( switch up hash directories as well as function names),. I may create an admin script as a release for others wanting to take over full control of the ban system in general. [Please let me know what you guys think]

Block sending messages or commands from "Player" nickname.

Code: [Select]

function onPlayerAction(player,text)
{
if (player.Name.tolower() == "player") KickPlayer(player);
else //(the rest of script)
}


Code: [Select]

function onPlayerChat(player,text)
{
if (player.Name.tolower() == "player") KickPlayer(player);
else //(the rest of script)
}


Code: [Select]

function onPlayerCommand(player,cmd,text)
{
if (player.Name.tolower() == "player") KickPlayer(player);
else //(the rest of script)
}


Question rwwpl?

I had a player show me how he obtained capabilities to get the value of nicknames
[His nicknames and change it].
He also said it will unblock Player hack in these options.
What would you suggest. Only thing i can oppose is a timer but if value is changed fast enough it wont work..
But, there is also the option that Player never connects all the way So.. a connection timeout would be nice as well if someone has a screen image of the message {Something like this}
" Your client failed a crc check "
with the color etc. We could ban that option officially with our own update.

Other than these options I have listed thats it that i can do. I can work on obtaining health values and client shots but..

[Theremin]

I WOULD BE PISSED IF I WAS A HACKER AND COULD NOT BYPASS THIS

This only leaves Reinstalling &*((^%#[Some may know what im talking about]. Eventually they will give up  .

Not at all, I could change my LUID in two minutes and change nickname and IP in other two, in less than five I'm totally a new player with a clean history, now I dare you to recognize me. The positive thing could be that since I struggled to gain access to the server again now I'm gonna be quietly playing my game and won't cheat or get banned again, or also that it could be enough of a hustle already to do all that several times, but yeah welcome to LU (Kewun anyone?)... Nah I'd rather keep showing off my skills in evading the bans and wrecking havoc and annoyance by flooding the chat and flying around crashing with car mods with my uber airbreak (though some of this stuff I mentioned can be avoided by scripts)

I think a way to avoid this is creating one of those gamemodes that include grinding, so that when one really needs to be permanently removed from a server, you may delete the account, losing all the stats should be enough for a player from refraining to starting from zero again

Now that the topic was totally derailed (sorry Vortrex ) I'll actually write something on topic: I like the idea of trapping in a different virtual world, has always been my first thought, even better after I discovered the Bad Pools system of GTA Online, why not creating something similar? Another idea could be creating a script which ultra annoys the player and forces him to leave, and there one may unleash the true power of Liberty Unleashed (excessive explosions, custom ear-raping sounds, auto killing the player on spawn, teleporting him high in the sky, forcing him in a tiny object, crashing upon connecting, setting him a prostitute skin etc.) the possibilities are just infinite, but yeah my worry remains that there is not a 100% efficient way of auto detecting the known cheaters, for the reasons I previously stated in this topic.

[Vortrex]

This is a bit offtopic, but since the topic is fucked, I figured now is the best time as any:

If I remember right, there was a hack that could block packets being sent to a player's client. This is why I thought a solution that happens more on the server side (sync related?) would be more effective. I don't know if setting a virtual world is like this, but it's worth a try anyway.

But yeah, like I said before, server whitelisting is the only failsafe solution that I am seeing right now. Problem is, what server owner would want to have to "allow" players to connect? It only seems counterproductive to block players until they prove their legitimacy.

What about some other form of authentication? Maybe a two step solution, where a player has to enter an email, and put a valid code sent to the email into an in-game verification process in order to play? Allow a certain amount of LUID's per email or account and possibly make the registration process lengthy so hackers won't keep making new accounts.

Another way is to see if the LU developers will add a CRC check to make sure the LUID is valid upon connecting. I don't know if the LUID is generated randomly but if it isn't, this would be a good idea. To the LU developer team: Is there a possibility you could generate the LUID based on hardware or something so it can be a constant value that is verified upon server connection?

Just some ideas. What do you all think?

[Motley]

So in another method are you attempting to use the method of hellbanning?

what about getting the region with GEOIP functions and set some restriction for bad region user xD but worthless..

I like the email ideas But there is some security issues. what if we connect the players accounts with facebook acc and allow the players to play after getting facebook_id and the account is viewed and marked as legitimate by server owner or administration? depending on the owner allow players to play in a virtual world, as well as maybe messing with their packets as well as muting them. this only opens up crashing a players server etc.

It's pretty easy to ban user by facebook_id and hard to continue evading due to the fact you view the players account and how old it is. it slow to create accounts for every ban you give. but this would only work well with modules?, correct?

This would also be more efficient to do this with
 http://liberty-unleashed.co.uk
as Administration like SugarD could help aid. as well as if this website stores ip changes who knows what the website is capable of could open up a strong ban method and can aid us. i like the idea and would like to see some type of example scripts or possibly pm me an example script..

looking forward to your reply 

[rwwpl]

Register with email request code is a good idea.

[Vortrex]

@Motley ... the facebook idea sounds horrible. I use mine for my personal life and would prefer not mixing it with LU if possible.