please delete

Status
This thread has been locked.

Thot

Premium
2 questions,

1. Whenever you (let's say) blacklist someone, will the color of the player's rank show? Like, is there a placeholder for it (%color%)?
2. What IntelliJ theme is that?

and also glws
 

ponktacology

Thot said:
> 2 questions,
> 1. Whenever you (let's say) blacklist someone, will the color of the player's rank show? Like, is there a placeholder for it (%color%)?
> 2. What IntelliJ theme is that?
> and also glws

not home rn but from what I remember it's one dark theme

yep, it will show color of the rank + player name

it's
 

Eric

Software Engineer
Supreme
Storing IPs is not recommended. You should hash the IPs before storing in case of a rogue staff member or data breach.
 

Fozzie

Developer
Supreme
Eric said:
> Storing IPs is not recommended. You should hash the IPs before storing in case of a rogue staff member or data breach.

What hashing algorithm are you proposing? It is very simple to brute force hashed IP addresses. Let's say you store them in bcrypt, which is a smart choice as it is quite slow, so it is good for this explanation. 8x NVIDIA Tesla V100s, which I'm sure you can find on Google Cloud or AWS for fairly cheap (if not free if you take advantage of GCP's free credit), will calculate 434,200 hashes a second (https://github.com/siseci/hashcat-benchmark-comparison/blob/master/8x Tesla V100 p3.16xlarge Hashcat Benchmark). There are 4 billion possible IPv4 addresses, which means it will take 9212 seconds or about 2.5 hours to brute force every possible IPv4 address.

Eric

Software Engineer
Supreme
Fozzie said:
> What hashing algorithm are you proposing? It is very simple to brute force hashed IP addresses. Let's say you store them in bcrypt, which is a smart choice as it is quite slow, so it is good for this explanation. 8x NVIDIA Tesla V100s, which I'm sure you can find on Google Cloud or AWS for fairly cheap (if not free if you take advantage of GCP's free credit), will calculate 434,200 hashes a second (https://github.com/siseci/hashcat-benchmark-comparison/blob/master/8x Tesla V100 p3.16xlarge Hashcat Benchmark). There are 4 billion possible IPv4 addresses, which means it will take 9212 seconds or about 2.5 hours to brute force every possible IPv4 address.

Hash + salt + pepper prevents you from being able to do this easily.

In fact, all you'll need is to pepper the raw IP with a value; that way he can still do relational IP checks.

Fozzie

Developer
Supreme
All bcrypt hashes are salted. Salting an IP address will not prevent brute forcing, as the salt will be stored alongside the IP address; if you do not store the salt, you will be creating a new hash each time a player logs in, which would be useless.

I also don't know what you mean by "peppering".

Eric

Software Engineer
Supreme
Fozzie said:
> All bcrypt hashes are salted. Salting an IP address will not prevent brute forcing, as the salt will be stored alongside the IP address; if you do not store the salt, you will be creating a new hash each time a player logs in, which would be useless.
>
> I also don't know what you mean by "peppering".

You seem to have failed to understand the point of salting: it's to prevent premade rainbow table lookups. Peppering appends/prepends a hardcoded or jar-specific string to the IP address BEFORE HASHING, which is unknown to the attacker. This way, it can't be brute forced easily.

https://en.wikipedia.org/wiki/Pepper_(cryptography)

Fozzie

Developer
Supreme
Eric said:
> You seem to have failed to understand the point of salting: it's to prevent premade rainbow table lookups. Peppering appends/prepends a hardcoded or jar-specific string to the IP address BEFORE HASHING, which is unknown to the attacker. This way, it can't be brute forced easily.
> https://en.wikipedia.org/wiki/Pepper_(cryptography)

I know what a salt is, and what I'm explaining is not a rainbow table: you would input your hashes and then calculate 4 billion hashes with the salts to compare them. If the pepper is included in the jar file, what's to stop the bad actor from simply downloading the jar file and extracting the pepper? Note string obfuscation would do nothing here.
 

Eric

Software Engineer
Supreme
Fozzie said:
> I know what a salt is, and what I'm explaining is not a rainbow table: you would input your hashes and then calculate 4 billion hashes with the salts to compare them. If the pepper is included in the jar file, what's to stop the bad actor from simply downloading the jar file and extracting the pepper? Note string obfuscation would do nothing here.

You're assuming here that the bad actor has access to the jar file, meaning they have full server access; by that point it's game over regardless, as they can grab IPs much more easily from log files. It's about maximising the amount of time it takes someone to accomplish their task, which salting, peppering and hashing will do.

You're basically arguing here that standard security practices when dealing with things such as passwords are pointless. It's just another barrier to jump over, not about total prevention.

Stop being pedantic ;p
 

Fozzie

Developer
Supreme
Eric said:
> You're assuming here that the bad actor has access to the jar file, meaning they have full server access; by that point it's game over regardless, as they can grab IPs much more easily from log files. It's about maximising the amount of time it takes someone to accomplish their task, which salting, peppering and hashing will do.
>
> You're basically arguing here that standard security practices when dealing with things such as passwords are pointless. It's just another barrier to jump over, not about total prevention.
>
> Stop being pedantic ;p

When did passwords come into the equation? Hashing passwords is a good idea, and there is no feasible set amount of passwords that can be tried if you are using a random password of good length. There is, however, a set limit to the amount of IPv4 addresses, making brute forcing feasible. In what scenario would a bad actor have access to the logs folder and not the plugins folder? Are we also just going to forget the fact that IP addresses are logged on join anyway by Spigot?

You can delay an attacker for 2.5 hours, which is definitely better than plaintext IP addresses, but it's in no way as secure as you make it out to be.
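Eric's pepper suggestion and Fozzie's keyspace objection, worked through as an added example that is not from this thread or from any plugin: the pepper is used as a secret key for HMAC-SHA256, loaded from the environment rather than compiled into the jar, which keeps relational (equality) checks working while denying an attacker who only holds the database the ability to recompute 2^32 candidates; the cost function uses the thread's own hash rate to show why an unkeyed salted hash buys only the delay Fozzie computed. The variable name IP_PEPPER_HEX and the sample values are assumptions.

```python
import hashlib
import hmac
import ipaddress
import os

IPV4_KEYSPACE = 2 ** 32           # every possible IPv4 address
BCRYPT_RATE_8X_V100 = 434_200     # bcrypt hashes/second quoted in the thread


def brute_force_seconds(keyspace=IPV4_KEYSPACE, rate=BCRYPT_RATE_8X_V100):
    """Seconds to recompute a hash for every value in a keyspace.

    A salt stored next to the hash does not change this number: whoever holds
    the row also holds the salt and still has only `keyspace` candidates.
    """
    return keyspace / rate


def canonical_ip(ip):
    """Normalise before keying so '2001:db8::1' and '2001:0db8::0001' match."""
    return ipaddress.ip_address(ip.strip()).compressed.encode()


def pseudonymize_ip(ip, key):
    """Keyed pseudonym: HMAC-SHA256(key, canonical IP).

    Deterministic, so two joins from the same address give the same value and
    relational checks (alt accounts, shared bans) still work. Without the key
    a database copy alone is not enough to enumerate the 2^32 candidates,
    because the function cannot be evaluated at all.
    """
    if len(key) < 32:
        raise ValueError("pepper key must be at least 32 random bytes")
    return hmac.new(key, canonical_ip(ip), hashlib.sha256).hexdigest()


def same_ip(stored_pseudonym, candidate_ip, key):
    """Constant-time comparison of a stored pseudonym against a live address."""
    return hmac.compare_digest(stored_pseudonym, pseudonymize_ip(candidate_ip, key))


def load_key(env=os.environ):
    """Read the key from the environment (assumed variable IP_PEPPER_HEX),
    not from a constant in the plugin jar, so a copy of the jar does not
    reveal it; rotate it like any other secret."""
    key_hex = env.get("IP_PEPPER_HEX")
    if key_hex is None:
        raise RuntimeError("IP_PEPPER_HEX not set; generate with: openssl rand -hex 32")
    return bytes.fromhex(key_hex)
```

The key must live somewhere the database dump and the jar do not, otherwise the scheme collapses to the unkeyed case and the 2^32 enumeration cost applies again.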