mirror of
https://github.com/BluTac10/Xbox-Neo.git
synced 2026-05-24 03:44:38 +00:00
ba3ebe666c
Comprehensive security system to protect against packet-sniffing attacks, XUID harvesting, privilege escalation, bot flooding, and XUID impersonation. - Stream cipher: per-session XOR cipher with 4-message handshake via CustomPayloadPacket (MC|CKey, MC|CAck, MC|COn). Negotiated per-connection, backwards compatible (old clients/servers fall back to plaintext). - Security gate: buffers all game data until cipher handshake completes, preventing unsecured clients from receiving any XUIDs or game state. - Cipher handshake enforcer: kicks clients that don't complete the handshake within 5 seconds (configurable via require-secure-client). - Identity tokens: persistent per-XUID tokens in identity-tokens.json, issued over the encrypted channel, verified on reconnect. Prevents XUID replay attacks. Client stores server-specific tokens. - PROXY protocol v1: parses real client IPs from playit.gg tunnel headers so rate limiting, IP bans, and XUID spoof detection work per-player. - Rate limiting: per-IP sliding window (default 5 connections/30s) with pending connection cap (default 10). - Privilege hardening: OP requires ops.json, live checks on every command and privilege packet. Host-only server settings changes. - XUID stripping: PreLoginPacket response sends INVALID_XUID placeholders. - Packet validation: readUtf global string cap, reduced max packet size, stream desync protection on oversized strings. - OpManager: persistent ops.json with XUID-based OP list. - Whitelist improvements: whitelist add accepts player names with ambiguity detection, XUID cache from login attempts. - revoketoken command: revoke identity tokens for players who lost theirs. - server.log: persistent log file written alongside console output with flush-per-write to survive crashes. - CLI security logging: consolidated per-join security summary with cipher status, token status, XUID, and real IP. Security warnings for kicks, spoofing, and unauthorized commands.
54 lines
1.8 KiB
C++
54 lines
1.8 KiB
C++
#pragma once
|
|
|
|
#include "BanManager.h"
|
|
#include "WhitelistManager.h"
|
|
#include "OpManager.h"
|
|
|
|
namespace ServerRuntime
|
|
{
|
|
/**
|
|
* A frontend that will be general-purpose, assuming the implementation of whitelists and ops in the future.
|
|
*/
|
|
namespace Access
|
|
{
|
|
bool Initialize(const std::string &baseDirectory = ".", bool whitelistEnabled = false);
|
|
void Shutdown();
|
|
bool Reload();
|
|
bool ReloadWhitelist();
|
|
bool ReloadOps();
|
|
bool IsInitialized();
|
|
bool IsWhitelistEnabled();
|
|
void SetWhitelistEnabled(bool enabled);
|
|
|
|
bool IsPlayerBanned(PlayerUID xuid);
|
|
bool IsIpBanned(const std::string &ip);
|
|
bool IsPlayerWhitelisted(PlayerUID xuid);
|
|
bool IsPlayerOp(PlayerUID xuid);
|
|
|
|
bool AddPlayerBan(PlayerUID xuid, const std::string &name, const BanMetadata &metadata);
|
|
bool AddIpBan(const std::string &ip, const BanMetadata &metadata);
|
|
bool RemovePlayerBan(PlayerUID xuid);
|
|
bool RemoveIpBan(const std::string &ip);
|
|
bool AddWhitelistedPlayer(PlayerUID xuid, const std::string &name, const WhitelistMetadata &metadata);
|
|
bool RemoveWhitelistedPlayer(PlayerUID xuid);
|
|
bool AddOp(PlayerUID xuid, const std::string &name, const OpMetadata &metadata);
|
|
bool RemoveOp(PlayerUID xuid);
|
|
|
|
/**
|
|
* Copies the current cached player bans for inspection or command output
|
|
* 現在のプレイヤーBAN一覧を複製取得
|
|
*/
|
|
bool SnapshotBannedPlayers(std::vector<BannedPlayerEntry> *outEntries);
|
|
/**
|
|
* Copies the current cached IP bans for inspection or command output
|
|
* 現在のIP BAN一覧を複製取得
|
|
*/
|
|
bool SnapshotBannedIps(std::vector<BannedIpEntry> *outEntries);
|
|
bool SnapshotWhitelistedPlayers(std::vector<WhitelistedPlayerEntry> *outEntries);
|
|
bool SnapshotOps(std::vector<OpPlayerEntry> *outEntries);
|
|
|
|
std::string FormatXuid(PlayerUID xuid);
|
|
bool TryParseXuid(const std::string &text, PlayerUID *outXuid);
|
|
}
|
|
}
|