mirror of
https://git.huckle.dev/Huckles-Minecraft-Archive/LCE-Revelations.git
synced 2026-05-22 08:15:56 +00:00
ba3ebe666c
Comprehensive security system to protect against packet-sniffing attacks, XUID harvesting, privilege escalation, bot flooding, and XUID impersonation. - Stream cipher: per-session XOR cipher with 4-message handshake via CustomPayloadPacket (MC|CKey, MC|CAck, MC|COn). Negotiated per-connection, backwards compatible (old clients/servers fall back to plaintext). - Security gate: buffers all game data until cipher handshake completes, preventing unsecured clients from receiving any XUIDs or game state. - Cipher handshake enforcer: kicks clients that don't complete the handshake within 5 seconds (configurable via require-secure-client). - Identity tokens: persistent per-XUID tokens in identity-tokens.json, issued over the encrypted channel, verified on reconnect. Prevents XUID replay attacks. Client stores server-specific tokens. - PROXY protocol v1: parses real client IPs from playit.gg tunnel headers so rate limiting, IP bans, and XUID spoof detection work per-player. - Rate limiting: per-IP sliding window (default 5 connections/30s) with pending connection cap (default 10). - Privilege hardening: OP requires ops.json, live checks on every command and privilege packet. Host-only server settings changes. - XUID stripping: PreLoginPacket response sends INVALID_XUID placeholders. - Packet validation: readUtf global string cap, reduced max packet size, stream desync protection on oversized strings. - OpManager: persistent ops.json with XUID-based OP list. - Whitelist improvements: whitelist add accepts player names with ambiguity detection, XUID cache from login attempts. - revoketoken command: revoke identity tokens for players who lost theirs. - server.log: persistent log file written alongside console output with flush-per-write to survive crashes. - CLI security logging: consolidated per-join security summary with cipher status, token status, XUID, and real IP. Security warnings for kicks, spoofing, and unauthorized commands.
130 lines
3.7 KiB
C++
130 lines
3.7 KiB
C++
#pragma once
|
|
|
|
#include <string>
|
|
#include "ServerLogger.h"
|
|
|
|
namespace ServerRuntime
|
|
{
|
|
/**
|
|
* `server.properties`
|
|
*/
|
|
struct ServerPropertiesConfig
|
|
{
|
|
/** world name `level-name` */
|
|
std::wstring worldName;
|
|
/** world save id `level-id` */
|
|
std::string worldSaveId;
|
|
|
|
/** `server-port` */
|
|
int serverPort;
|
|
/** `server-ip` */
|
|
std::string serverIp;
|
|
/** `lan-advertise` */
|
|
bool lanAdvertise;
|
|
/** `white-list` */
|
|
bool whiteListEnabled;
|
|
/** `server-name` (max 16 chars at runtime) */
|
|
std::string serverName;
|
|
/** `max-players` */
|
|
int maxPlayers;
|
|
/** `level-seed` is explicitly set */
|
|
bool hasSeed;
|
|
/** `level-seed` */
|
|
__int64 seed;
|
|
/** `override-seed` replaces the seed for biome generation on existing worlds */
|
|
bool hasOverrideSeed;
|
|
__int64 overrideSeed;
|
|
/** `log-level` */
|
|
EServerLogLevel logLevel;
|
|
/** `autosave-interval` (seconds) */
|
|
int autosaveIntervalSeconds;
|
|
|
|
/** host options / game settings */
|
|
int difficulty;
|
|
int gameMode;
|
|
/** `world-size` preset (`classic` / `small` / `medium` / `large`) */
|
|
int worldSize;
|
|
/** Overworld chunk width derived from `world-size` */
|
|
int worldSizeChunks;
|
|
/** Nether scale derived from `world-size` */
|
|
int worldHellScale;
|
|
bool levelTypeFlat;
|
|
/** `spawn-protection` radius in blocks (0 disables protection) */
|
|
int spawnProtectionRadius;
|
|
bool generateStructures;
|
|
bool bonusChest;
|
|
bool pvp;
|
|
bool trustPlayers;
|
|
bool fireSpreads;
|
|
bool tnt;
|
|
bool spawnAnimals;
|
|
bool spawnNpcs;
|
|
bool spawnMonsters;
|
|
bool allowFlight;
|
|
bool allowNether;
|
|
bool friendsOfFriends;
|
|
bool gamertags;
|
|
bool bedrockFog;
|
|
bool hostCanFly;
|
|
bool hostCanChangeHunger;
|
|
bool hostCanBeInvisible;
|
|
bool disableSaving;
|
|
bool mobGriefing;
|
|
bool keepInventory;
|
|
bool doMobSpawning;
|
|
bool doMobLoot;
|
|
bool doTileDrops;
|
|
bool naturalRegeneration;
|
|
bool doDaylightCycle;
|
|
bool hardcore;
|
|
/** `hardcore-ban-ip` — whether hardcore death bans include IP bans */
|
|
bool hardcoreBanIp;
|
|
|
|
/** security settings */
|
|
/** `hide-player-list-prelogin` — strip XUIDs from PreLoginPacket response */
|
|
bool hidePlayerListPreLogin;
|
|
/** `rate-limit-connections-per-window` — max TCP connections per IP within the rate limit window */
|
|
int rateLimitConnectionsPerWindow;
|
|
/** `rate-limit-window-seconds` — sliding window duration for connection rate limiting */
|
|
int rateLimitWindowSeconds;
|
|
/** `max-pending-connections` — max simultaneous pending (pre-login) connections */
|
|
int maxPendingConnections;
|
|
/** `require-challenge-token` — reserved for future protocol extension (not yet enforced) */
|
|
bool requireChallengeToken;
|
|
/** `enable-stream-cipher` — enable XOR stream cipher for traffic obfuscation */
|
|
bool enableStreamCipher;
|
|
/** `require-secure-client` — kick clients that do not complete the cipher handshake */
|
|
bool requireSecureClient;
|
|
/** `proxy-protocol` — parse PROXY protocol v1 headers from TCP tunnel (e.g. playit.gg) */
|
|
bool proxyProtocol;
|
|
|
|
/** other MinecraftServer runtime settings */
|
|
int maxBuildHeight;
|
|
std::string levelType;
|
|
std::string motd;
|
|
};
|
|
|
|
/**
|
|
* server.properties loader
|
|
*
|
|
* - ファイル欠損時はデフォルト値で新規作成
|
|
* - 必須キー不足時は補完して再保存
|
|
* - `level-id` は保存先として安全な形式へ正規化
|
|
*
|
|
* @return `WorldManager` が利用するワールド設定
|
|
*/
|
|
ServerPropertiesConfig LoadServerPropertiesConfig();
|
|
|
|
/**
|
|
* server.properties saver
|
|
*
|
|
* - `level-name` と `level-id` を更新
|
|
* - `white-list` を更新
|
|
* - それ以外の既存キーは極力保持
|
|
*
|
|
* @param config 保存するワールド識別情報と永続化対象設定
|
|
* @return 書き込み成功時 `true`
|
|
*/
|
|
bool SaveServerPropertiesConfig(const ServerPropertiesConfig &config);
|
|
}
|