Plan
Plan copied to clipboard
plan-player-analytics
[Suggestion] Request for the registration function in the analytics panel.
I would like to be able to..
I need a user registration panel with the login and authorization of the player, as well as it is implemented in the "Dynmap" plugin. The fact that there is no possibility of such registration now does not allow me to safely view information about the server and puts players' data under certain threats.
Is your feature request related to a problem? Please describe.
As I described above, this is an increase in the security of server data from anyone who can possibly search for online analytics with any server port search program.
Installing certificates for me is an inaccessible function that my hosting provider does not allow me to implement.
I am not able to somehow protect my analytics in this way, and there is no information on Wikipedia on how to enable registration with login and password input in your plugin.
I am sure this function will become popular and in demand if the chief administrator needs to provide access to server analytics only to administrators, and not to everyone, and at the same time he tries to hide the IP addresses that his server uses through an alternative one as much as possible.
I would also like to store the data of registered users in a database where the following formatting will be supported:
[Code] [uuid] [nickname] [date] [Password] [latest change] [Registration date] [Who registered] [Luckperms Role]
The password in the database can be stored in a hash. Or set up a cryptosystem for encoding.
Login and registration is implemented in Plan, but requires HTTPS. Passwords are stored in Plan database with hash+salt
Login and registration is enabled when HTTPS is set up https://github.com/plan-player-analytics/Plan/wiki/SSL-Certificate-%28HTTPS%29-Set-Up
If you are unable to use your host machine for certbot you can install certbot on your local PC and run the commands there.
The dns-challenge is good for this purpose
certbot --manual --preferred-challenges dns <domain>
If you are unable to set up HTTPS you can use the IP whitelist settings in Plan.
Note that enabling registration and login without HTTPS would give you a false sense of security since HTTP transfers everything in cleartext and anyone snooping on the connection can read it.
As I wrote above, I do not have the opportunity to take advantage of any of the presented opportunities.
Login over HTTP is a non-option for security. Do you have any other ideas?
In my country, the IP addresses from which people connect to the Internet change every day. When using the whitelist, I will not be able to access my analytics in a day and I will have to change the plugin configuration again, and I will have to do this every day. This is very inconvenient, and I will also need to do this for each of my administrators every day after midnight.
Login over HTTP is a non-option for security. Do you have any other ideas?
It is possible to use cryptographic encryption using a formula that can be configured in the plugin configuration. This will be the way out in our case to secure the database.
There is an option that, when logging in to the WEB interface, the plugin will poll the list of server players who play on it, look for a match of login and password among the players, check for registration and login permissions, and only then open analytics.
Login over HTTP is a non-option for security. Do you have any other ideas?
Most often, the IP address with the port that are used on the host is kept secret from the players, thanks to an alternative IP address.
This makes it difficult to determine the target for hacking. Cryptographic encryption with the possibility of using a modifiable formula will make it impossible for those who gain access to the database to decrypt the password, and they will also not be able to find out what data is stored in the database, since they will also be encrypted on the plugin side.
In total, we have that only the plugin and the owner of the config can find out by what principle the data is encrypted.
I can also say that the use of HTTP in itself is not a threat if the source data is encrypted and decrypted before it is directly shown to the user.
Login over HTTP is a non-option for security. Do you have any other ideas?
To steal the data that is stored in analytics or "password + login" - any attacker will first have to find an accomplice among the administrators. Among those who already have access to analytics, send them a virus or keylogger, or force them to take a screenshot and send.
Login over HTTP is a non-option for security. Do you have any other ideas?
I suggest using this setting:
crypto-key-method: "SHA-512/224 + random_symbol"
Where random_symbol is its generated code, which was created by itself when the plugin was first loaded thanks to the matrix algorithm, or any other number that the user can enter here.
I studied information security, and I can safely say that there are a huge number of ways to protect something. The main problem then is how to decipher. But if the plugin knows how it encrypted, then it will have no problems doing the reverse conversion.
Take a ready-made dynmap solution as a basis, and then edit it to fit our problem, and I'm sure everything will be fine.
The suggestions fail to consider that when transmitting over HTTP the password the user gives will be visible to snooping. (Even if you hash it on the frontend the hash will be visible)
I'm not going to implement a cipher key exchange algorithm on top of HTTP when HTTPS already exists to do that for us.
If you don't have a domain, you can create a self-signed certificate with openssl installed on your PC (Notice: not on your server) and upload that for Plan to use via FTP or SFTP. https://www.misterpki.com/pkcs12/
I have a domain: waffcarui.ru . But it is not possible for me to install a certificate on it. Errors come out when trying to generate a certificate.
https://www.misterpki.com/pkcs12/ - I didn't understand what it was about. I speak English at the level of an online translator.
Why did the creator of Dynmap make a simple stub with registration without certificates and everything works? What prevents you from being able to register via HTTP?
I have a domain: waffcarui.ru . But it is not possible for me to install a certificate on it. Errors come out when trying to generate a certificate.
It is possible that sanctions affect your country due to the war in Ukraine. You may need to use a Russian certificate provider.
https://www.misterpki.com/pkcs12/ - I didn't understand what it was about. I speak English at the level of an online translator.
OK try this instead, it has step by step instructions. Install Openssl on your PC beforehand. https://stackoverflow.com/a/20445432
What prevents you from being able to register via HTTP?
- Passwords over HTTP are not secure. Anyone can read them. Leaking password is worse than showing the minecraft data - as passwords are often reused elsewhere.
- Logged in users can be impersonated, as any access token is also readable by anyone, they can add the token to their browser and appear as that person.
What I will do for this ticket
I'm going to implement an alternative for HTTP users. It will work like this:
- Instead of password, user enters their Minecraft name
- They are given a command to run, something like /plan accept
- When they run that in game they are given access if they have permission in game.
- Their access token is revoked when they logout in game.
Why this way?
- No password is transmitted over HTTP
Limitations
- The user can not be trusted to change settings, since anyone can still read the access token, and impersonate someone who logged in
What prevents you from creating a permission that allows you to change settings in the web interface if you are a server operator?
After all, if a player has entered the panel, then he already has configured access rights to it, as well as, accordingly, a role. If the plugin checks that the player logged in to the panel has the rights of the server operator, then he is clearly someone from the server management.
What prevents you from creating a permission that allows you to change settings in the web interface if you are a server operator?
Here's an analogy:
- The server owner uses that command, and they are given a "key" to get in through a door.
- Since it is HTTP, anyone can take a photo of that key.
- Someone else can use the photo of the key and get in.
What prevents you from creating a permission that allows you to change settings in the web interface if you are a server operator?
Here's an analogy:
- The server owner uses that command, and they are given a "key" to get in through a door.
- Since it is HTTP, anyone can take a photo of that key.
- Someone else can use the photo of the key and get in.
Create one-time passwords. So that each request has its own password, and in the case of generating a new password, the login of someone who has already logged in with the old password is canceled. It is also possible to make sure that the player who needs to be authorized is required to be on the server online. You can also make DiscordSRV support.
What I meant with the analogy:
- The server needs to know who is making the request and that is what Session Cookies are for.
- When user logs in even with one-time-use passwords the cookies need to be used to know who is requesting things
- With HTTP, Those cookies can be read and then used to say "I'm this other person who just logged in, look"
- You can't use a per request cookie because otherwise the user would need to login for every single request to the server. There are like 10+ different requests to Plan webserver just to load the player page
How many hackers will bother so much to look at such basic information about some Minecraft server, especially first calculate the digital ip, then track, then intercept "cookies", then make a forgery for the sake of 1 session in the panel, where there are no passwords, but only dry data? For example, my server has a letter IP and this IP does not have a port, and the entrance to the server itself goes through a VPS repeater. To get the original IP, you will have to try very hard.
Hi, im sorry but i have the next chain Internet → CloudFlare (SSL 443) → nginx (SSL 443) → Plan localhost:8888 (bold - my dedicated server). Can you add the section in the config.yml "auth_by_80_port" or other else. I dont need to user SSL cert in plugin, i already have it in cloudflare and my nginx proxy. Please god, add this feature
I don't want to give them the opportunity.
It looks like I'm not the only one who needs authorization without an SSL certificate.
I'm not the only one
yeap, because i have it in level higher, like a nginx/apache/etc
I'm not the only one
yeap, because i have it in level higher, like a nginx/apache/etc
It doesn't matter at what level. But the ability to access the "Plan" panel without the need for SSL gives you more opportunities to turn around.
Hi, im sorry but i have the next chain Internet → CloudFlare (SSL 443) → nginx (SSL 443) → Plan localhost:8888 (bold - my dedicated server). Can you add the section in the config.yml "auth_by_80_port" or other else. I dont need to user SSL cert in plugin, i already have it in cloudflare and my nginx proxy. Please god, add this feature
@ostermine If you're using a reverse proxy with SSL, just set KeyStore_path: proxy in Plan's config.yml so Plan knows you're behind a reverse proxy.
For the future, please create a separate issue for questions or join the Discord server: https://discordapp.com/invite/yXKmjzT
Just as an alternative solution for a login, if you're using Cloudflare, you could use Access as login.
Here is the Demo video --> https://www.youtube.com/watch?v=eshlmtPh4m4
With cloudflare you can also use their https if proxying traffic in a similar way that Kopo mentioned above
IP Whitelist now supports dynamic DNS IPs, if your IP changes every day you can configure a domain to track it and place the domain in the whitelist so that Plan will resolve it when needed.
I'll consider this ticket closed.