🛡 HuskySecurity [API 5-8] [v0.2.0 Beta] - A 2FA login plugin for your Sponge Server!


#1

:shield: HuskySecurity


If you’re like me and have run a server before, you know that if one of your admins gets hacked, somehow your account gets hacked or similar, your server is basically screwed and there isn’t much you can do until the damage is done, since they like to do it when you’re not on. That’s not necessarily true, though.

:star: This isn’t your traditional login system


Instead of annoyingly requiring admins to enter a password every time they join, we only check to see if they’re on an IP that seems suspicious to us. Then we require them to log in before they continue. Also, if somehow they get past the login, the plugin won’t let them give anyone else operator or admin permissions without banning them, since they need to still enter a passphrase before managing the server.

:crossed_swords: Protective Features


  • “2factor authentication” for /op and player upranks
  • Automatic banning of compromised administration accounts acting suspiciously.
  • Monitoring of user IPs to watch for sudden changes in location via geoip and flagging users that have strangely different locations.
  • Accounts that refuse to verify with the server will be banned and server administration will be notified.

:lock: How is this 2FA?


2FA simply means authentication with two factors involved. In this version of 2FA, we check against the players location via GeoIP and then watch for malicious activity (running bad commands!)

HuskySecurity is rather basic at the moment, but if the location check fails it will ask for your password.

:calendar: Upcoming Features


  • /verify traveltrust - Temporarily trust this location for up to 3 days after it’s stopped being used.
  • /verify trust - “Permanently” trust this location, adding it to your trusted locations where you won’t be prompted to verify.
  • /verify revoketrust - Immediately revoke other trusted locations. This action is logged.

:video_camera: Media


Demonstrational video (Up to date!)



:compression: Commands & Permissions


  • /verify - This is for basically everything in this plugin.
  • /verify < set/password/setpassword > - Updating your password if you don’t like / can’t remember it.
    • huskysecurity.verify This permission is for activating the verification check for a specified user. Use this wisely.

:money_with_wings: Donate


Support my code addiction, my projects and other random stuff I decide to waste money on to keep my sanity!
PayPal

:arrow_down: Download


GitHub Releases
Sourcecode

:grey_question: Questions & Suggestions


Feel free to ask support questions here, or preferably on GitHub Issues if it’s an error. Suggestions are always welcome!


#2

It looks neat, although protip.

Try to avoid posting WIP plugins until you have something to show for.

Otherwise it'll get lost to the eons.

I've seen a lot of posts go that way xD


#3

Haha, yeah. Well don't worry about it, this is mostly just for me. I'm planning on updating this once I've got something release worthy.


#4

This looks pretty cool. :slight_smile:

We could always use more security-oriented plugins.


#5

While I like this idea initially, I leave a couple comments (note I think the fact you are making a security oriented plugin is awesome! and I mainly am just grumpy about security, basically please don't take anything personally!)

  • As Shown Here It looks like your "compromise" detection is /op.
    • Maybe the admin can specify a list of commands to watch for, with a point based system? e.g. running op makes you 50 points more suspicious, and it requires 100 points to ban? Since this is using location on an geominddb, it might not be best to just auto assume people are bad if they're in a different location (People travel sometimes!).
    • Side note: Nice job having a decently recent maxminddb. I see these things super out of date all the time.
  • Seen Here, it looks like every time a player executes a command, they're required to have ServerDefender and be verified.
    • For having the benefits of not always having to enter your password, it'd be nice if this good also be optional in certain situations? E.g. Maybe it's only required if a certain permission is set?
  • This Whole File, is basically a "good first try, but really is meeting a minimally viable security setup, and even then it's iffy".
    • Using a hardcoded salt instead of a random salt per-user. There are tons of articles talking about really what a salt should be. This isn't even a salt, this is what's known as a "pepper" which although useful, doesn't nearly come close to providing the same security benefits as a salt based system. I'll leave the follwoing: Article 1, Article 2, Article 3. However really looking at any reputable source for salts recommend the following basic things:
      • A salt is randomized.
      • Each salt is unique per "user".
      • Stored in a seperate plain text source.
    • Although your using a work based hash (which is a huge step up from using a fast-hash based algorithm MD5/SHA(1/2/256/512)/etc, PBKDF2 is generally considered "the least viable of these". Some better options might be something like BCrypt, or SCrypt. Both are stronger work based hashes which also are more optimized than PBKDF2 for running on modern day hardware.


#6

Thanks for the feedback!

It certainly is at the moment, and that is pretty disappointing, really.

That certainly is a good idea. I didn't think of a points based system at first, but I definitely planned on allowing server owners to appoint their own commands / do some funky stuff with permissions managers that detects what commands are "admin level" commands and restricts them.

That might've been an oversight on my part. This system is supposed to only be for Users who have the permission, and nobody else. Additionally, you aren't required to re-enter your password if your location is "trusted" (aka similar location)

I was planning on something like /verify traveltrust that would temporarily trust a location for 3 days after the location is no longer being used. /verify trust would be for permanent trust updates.

I will, for sure, update my code to use a better crypt and actual salting. I used a simple hardcoded salt mostly because I was unsure that it was safe to use individual user salt, but...

the salts certainly will be stored somewhere else, so no worries!

But yeah, at least it's a hash and I wasn't lazy and went "lol plain text passwords"
:stuck_out_tongue_winking_eye:

Finally, thanks for the informative post. I'll make sure to put up an issue on GitHub with a snippet of this so I remember to do it.


#7

@SecurityInsanity I've recently updated ServerDefender to version 0.1.5-beta. Take a look and let me know where [if] I messed up.


#8

Taking a look, looks like it fixed by whole PBKDF2 complaint, as well as the everytime a command is executed. (I assume the list of commands is just down the pipeline).

The last note I'll leave is:

  • Seen Here it seems you're doing new SecureRandom(), which is usually "good enough". However it's recommend to do: SecureRandom.getInstanceStrong(). It should note using a different instance may cause different effects (e.g. wait for a full pool of randomness, instead of re-reading the same pool), but in most cases it'll give you a much better instance.

#9

Great, thanks again. I'll make sure to do the get instance strong thing, just as an added percaution.


#10

A new version has been released! v0.1.5-beta

Changes
- Fixed prompting regular users to verify their passwords
- Implemented jBCrypt, stronger hashing :+1:

Upcoming
- Config-Defined blacklisted commands
- Point-Based suspicion profile

Downloads

Forgot to post this update notice :stuck_out_tongue:


#11

Will this be updated to current SF?


#12

Hoping to, yeah.


#13

id prefer to use this instead of flexiblelogin. Do you have a possible time frame? :smiley:


#14

Believe that this is working, pushing out a release.

EDIT: Just use the latest avail on Github Releases <3


#15

Can I move this plug-in to the MCBBS forum in China?
I will show the original author and the original page.
If you like, I will send you the link of the web page after the successful removal.
I will not provide other download addresses.:smiling_face_with_three_hearts: