RSS[ANY?] SourceMod Re-Banner - combat ban evasion through client-side "cookies"!

[MYGO.pl]

SourceMod Re-Banner
GitHub | Download

Fights ban evasion through client-side "fingerprinting". Relies on security through obscurity.

Sometimes, a ban isn't enough to stop them from trying to play on your servers.
This solution tries to combat such players by leaving tiny unique files in download folders to recognize players.
Supports Basebans and SourceBans++.

I release this in hope to help the community fight ban evasion, as I personally know how annoying it can be.
Nothing can be ideal, and there are loopholes that can easily make players immune to this.

Designed to run autonomously without admin intervention.

Dependencies:

• SourceMod 1.11+
• File Network by Batfoxkid (my fork for now, as the changes required for this to work are not upstream yet)
• (Optional) SourceBans++

What does it do?

The plugin forces all clients to download a unique file to their download folder, heavily relying on security through obscurity (file name and path disguised to look as similar to genuine server content as possible).
Each file is unique for each client, containing a random string of numbers. This "fingerprint" is then stored in a database and gets associated with the player's IP address and SteamID.

Every time a player connects, the system tries to recognize them either by requesting their local fingerprint file and reading it's value, or by SteamID, or by IP address.
If at least one of the three matches with a known fingerprint, the client is recognized and any missing information (for example a new IP address or new alt account SteamID) is associated with the same fingerprint.
If the player does not have the fingerprint file locally(different PC, or re-install), the system will re-send the fingerprint file (as long as they are recognized and an association is possible) to them.

What happens if someone gets banned?

When a player gets banned, their unique fingerprint gets marked as banned in the internal database. Any subsequent attempts to join the server from another IP address/account/PC (any combination of the 3) will lead to a re-ban if any of the conditions are met:

• Client SteamID is associated with a banned fingerprint (if the account sent the same local fingerprint value as another account at any point in time).
• Client IP address is associated with a banned fingerprint.
• Clientside fingerprint is recognized.

Checks are ran in the same order as shown above. If player SteamID/IP address is matched to a known fingerprint, current client fingerprint value is discarded and not taken into account.
In an event that the alt account player is missing their fingerprint client-side (and they are recognized), the fingerprint file is re-sent before they get re-banned.

Tampering prevention?

If the plugin is unable to identify the client via SteamID and IP address, but the client has a fingerprint locally which we can use for identification, this will make sure that the fingerprint is not tampered with.

Well, "tampered with" is a rather big word, it checks whether the file only contains numbers (the fingerprint is numeric only) (and) if the fingerprint is known by the server.
If the file has anything else (say, SQL commands, etc), or it's not recognized by the plugin, Anti-tamper will raise a red flag and, if configured, will kick the client.
The fingerprint won't ever reach the database to prevent SQL injection.

Setup:

1. Install the latest version of File Network by Batfoxkid
2. Install this plugin, either by downloading it from GitHub Releases HERE or by compiling it manually.
3. Add the following database record to addons/sourcemod/configs/databases.cfg:
   
   
   Code:

   ---

     "rebanner"
  {
      "driver"    "sqlite"
      "host"    "localhost"
      "database"    "rebanner"
      "user"    "root"
      "pass"    ""
  }

   ---

4. Load the plugin
5. It's recommended to have rb_log_level set to 3 for some time to ensure that the plugin is working properly

By default, Re-Banner will scan your existing downloads table, pick a random file from it and use that as the fingerprint path and name (appending "1" to the filename).
If the downloads table is empty or small enough, Re-Banner will fall-back to the default path, though it's recommended to change it.

If you wish to use a different path or use custom kick/ban reasons, you may edit them in addons/sourcemod/configs/rebanner.log:

Code:

---

"Settings"
{
        "fingerprint path"                "materials/models/texture.vmt"
        "ban reason"                        "Alternative account detected. Re-applying ban"
        "tampering kick reason"                "File tampering detected! Please download server files from scratch"
}

---

Make sure that the path actually exists on the server (you cannot point to non-existent directories). Modify the next two keys with your desired ban/kick reasons.

ConVars:

rb_log_level (0|1|2|3) - Logging level. 0 - off, 1 - log alt bans, 2 - log new associations, 3 - debug (SPAM).

rb_check_ip (0|1) - Whether Rebanner should take IP addresses into account. 0 - disable, 1 - enable (RECOMMENDED)

rb_antitamper_mode (0|1|2) - Antitamper subsystem mode. 0 - Disable, 1 - check client fingerprints for tampering, 2 - also check whether the fingerprint is known by the server (RECOMMENDED)

rb_antitamper_action (0|1) - Antitamper subsystem action when it detects tampering. 0 - do nothing, 1 - kick the client

rb_reban_type (0|1) - 0 - Re-ban detected alts for the same duration as original ban, 1 - re-ban for remaining ban duration

Commands:

Code:

---

rb_unbansteam <SteamID2> - remove the ban flag from a fingerprint by SteamID match

---

Code:

---

rb_unbanip <IP> - remove the ban flag from a fingerprint by IP address match

---

Known issues:

1. Setting cl_allowupload to 0 renders this system useless, though the default value is 1.
2. SourceBans++ bans applied via Web UI are not taken into account - a SourceBans design limitation that I'm unable to work around yet.
3. Banned alt. accounts will not be un-banned if the master account is un-banned earlier than expected.
4. ...?

If you happen to stumble upon a bug/error message, please make sure to post it here or in GitHub Issues. Much appreciated!

To-Do:

• Natives and forwards for easy integration
• Command to completely remove a given player from the system to re-scan them
• Whitelisting
• Unban banned alt. accounts when master account is unbanned early
• ...

Credits:

• Batfoxkid, Artvin and the Zombie Riot team for help with File Network
• Samm-Cheese for being my test subject and providing fresh ideas
• Naydef for QA, IP address check suggestion, de-bugging Source file queues and generally being a legend
• The AlliedMods Discord members for help with various code-related questions

Attached Files

ReBanner 1.0.zip (28.9 KB)

Wyświetl pełny artykuł