Dutchman101 (MTA Anti-Cheat Team), posted June 24, 2017

DOWNLOAD: https://community.multitheftauto.com/index.php?p=resources&s=details&id=14512

This script allows you to detect ban evaders who change IP or serial to try to evade bans. It can fight:
- Dynamic IPs (or static..)
- changed (new) serials

How? By resolving the IP hostname when they connect.

You can choose to 'log' the connections (flag option) when a player connects with a defined hostname, which means Internet Provider hostname, so you can investigate if they are who you think they might be.

VPN hostname: looks like: datacenter1.vpnworks.net (example; you would then block or log use of a specific proxy/VPN program if many ban evaders use it)

Home internet connection: looks like (develop a sense for how they often look): customer17135.ippool.t-mobile.com (you can both list the customer- or pool-specific hostname (before the first dot), this to avoid logging or blocking innocent unrelated players, OR, if they are (almost) the only ones using that Internet provider or VPN software, log or block the general hostname ('ippool.t-mobile.com' as a fictive example))

If you know one problematic ban evader usually uses one internet provider (ISP), you check the hostname of that IP and add it to the flag list. Then when someone connects using this matching hostname, it will print a warning to server.log and you can investigate:
- Does the player behave as the banned player?
- Is he with the same friends or does he talk similarly, IS HE clearly the same person?

This resource basically gives you usable leads in order to identify these ban evaders; it provides you with suspects, based on Internet provider or customer account hostname, so you can start analyzing if they are the same person. It can also block the connection automatically instead of only logging a warning of the suspicious player connecting.
Besides the lead-giving to investigate, if you've got problematic ban evader(s) who mainly use the same VPN/proxy program that often uses specific hostnames of datacenters/the VPN company, or the same Internet provider hostname, or the evader himself has a dynamic public IP, BUT.. a static hostname (like one based upon, e.g., customer82423.pool.telecomalgeria.com), you can define and nail them on this static hostname that belongs to the ISP provider customer who has the internet/DSL account (aka, the same person).

As said before, be careful: analyze the specific use of hostnames to see how many potentially legit players you could hurt. It's the best choice to go for flagging only and not refusing connections, so you can look on a case-by-case basis if the player seems to be the same as the ban evader, and then re-ban the new evading serial or IPs. This resource will prove to be a reliable tool.

IMPORTANT!! You MUST have a bit of experience with web-hosting in order to get this resource working! It will NOT work straight out of the box; you'll need to host a resolver API (PHP) file on the web. This .php file is included, together with an extensive README (documentation) for you to understand why this is required, and to assist in setting the resource up. See below a copy of this documentation:

IMPORTANT (((DOCUMENTATION)))

--SIDENOTE: RESOURCE NEEDS ACL ACCESS TO KICK PLAYERS AND USE FETCHREMOTE FOR API ETC!

The php script 'hostname.php' (in resource/PHPScript folder) MUST be hosted on your webhost, for this script to work AT ALL! This resource will NOT work out of the box! Buy webhosting and upload this script to www.domain.com/hostname.php or something like that. Then EDIT the .LUA script (hostname.lua) to include the new address for the hosted PHP script!
Edit it like the following:

    -- On join, send the connecting player's IP to the hosted resolver
    local function onJoin()
        fetchRemote("http://yourhost.com/hostname.php?ip="..source.ip,handleRequest,"",false,source)
    end
    addEventHandler("onPlayerJoin",root,onJoin)

The ending of the .php script URL is the request format; the script will send a connecting player's IP to the web-hosted PHP IP resolver. Try this out: after setting up the .php with hosting or a local webserver to test, enter your php script URL like above and after the '?ip=' enter your own or a test IP. The only plain output on that webpage will be the hostname that belongs to the IP you tested with. It will be something like this: ip26583b54.direct-adsl.nl (this example is from a Dutch internet provider..)

Now you should understand: if you want the anti hostname script to block or log (flag) players with this internet provider (ISP), define in the LUA script 'direct-adsl.nl', or if you are sure that player has a static IP or static provider-to-customer hostname, it would be something like: 'cust26583b54.direct-adsl.nl'

So from the 2 last examples, the LUA script would be defined as:

    --If first is true, hostname will be banned
    --If second is true, hostname will be flagged
    --You can also set only first argument true if you just want to ban the hostname
    local hostnames = {
        ["direct-adsl.nl"] = {false,true},
        ["ip26583b54.direct-adsl.nl"] = {true,true},
    }

This table example would mean anyone with the same PROVIDER (general hostname) would be FLAGGED (to server log, so you can investigate if it's a ban evader, like look at his behaviour etc).

TO FIND LOGGED ENTRIES, for example search your server.log for keyword: 'flagged hostname' (so you can investigate if it's the ban evader from there on - it will show which player connected using the flagged suspicious hostnames).

And the SECOND entry, given you assume he has a static customer pool hostname (before the first dot), will BLOCK him from connecting to your server (as it has value {true,true}, which for the script variable also means block him from connecting).

Recommendations for usage:

- You have a problem with ban evaders and one worst ban evader usually uses a dynamic IP from a single VPN software/company. (Fictive as example) this company is called ''HideMyAss'' VPN program and as you look, it seems to have hostnames like this: 'datacenter1.vpnworks.net' (typically like or similar to that; for VPN IPs, you can usually recognize that it's not a normal home internet connection by the hostname..) So in order to block this guy for a good while, you can either block the hostname completely: 'datacenter1.vpnworks.net' (value true,true in LUA main script) and/or 'vpnworks.net' (if you think not many LEGIT players of your server use this same, exact VPN software or tool, when they play without being that same ban evader)

- If you are not careful you may also get real non-evader players in trouble. But of course, in this world there are many VPN and proxy softwares available, and the chance that some players (different people) of your server use the SAME program from the SAME VPN/proxy company is pretty low. To further lower the chance of blocking legit players, as I described before you can easily toggle it to only FLAG the people connecting with that listed hostname. This way, you can check them up separately and judge case-by-case if they behave the same as the old ban evader, and you can get an image if you think it's the same person.

This script is very useful to nail ban evaders with a DYNAMIC IP, it's almost MAGIC.

In history I personally had problems with a club of people using lag glitch to exploit and hurt my server. I flagged their hostnames and when someone connected with the same, I would see a warning in the log and SPECTATE them (watch them closely) and I would often see them performing the same malicious actions. This means they were the same ban evading people.
I also had flagged the hostname of a regular ban evader, and I checked behaviour; he TALKED to the same people, got the same friends as the old banned player, talked in the same characteristic way, and as I had a reason to translate his foreign language I only discovered for this reason he was talking about being the same banned person (saying 'Hey friends I am David, i was banned but now im back thanks to new serial').

I'm only sketching with the above last example: this script can give you some awesome leads to dive into things you otherwise wouldn't, and focussing on it, discover things you want to discover. I would not be arsed to watch a player closely or translate their Arabic, without that player being deemed SUSPICIOUS. Once a hostname is flagged and warned to server log, I deem one suspicious and try to research if they are the banned person.

After they get re-banned, they will never know how you pulled it off and managed to find them.. (uhh wtf, I got dynamic IP, how did admin find my new serial.. mehh)
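The hostname check described in the post above, as an added example that is not part of the original post or the resource's own code: it classifies a resolver reply against the post's { block, flag } table. Matching only at dot boundaries and treating an IP-literal reply as unresolved are assumptions of this example; the function names and sample replies are constructed.

```lua
-- Added example, not the resource's own code. The { block, flag } table format
-- and the direct-adsl.nl hostnames come from the post; the rest is constructed.
local hostnames = {
    ["direct-adsl.nl"]            = { false, true }, -- whole provider: flag only
    ["ip26583b54.direct-adsl.nl"] = { true,  true }, -- one customer hostname: block
}

-- Trim, lowercase and drop a trailing root dot from the resolver's reply.
local function normalise(reply)
    local host = tostring(reply or ""):lower()
    host = host:gsub("^%s+", ""):gsub("%s+$", "")
    return (host:gsub("%.$", ""))
end

-- Returns "block", "flag", "allow" or "unresolved", plus the entry that matched.
local function classify(reply, list)
    local host = normalise(reply)
    -- PHP's gethostbyaddr() returns the IP unchanged when there is no PTR
    -- record, so an empty reply or an IP literal means nothing was resolved.
    if host == "" or host:match("^[%d%.]+$") or host:find(":", 1, true) then
        return "unresolved", nil
    end
    -- Try the full name, then each parent domain, cutting only at dots.
    local candidate = host
    while candidate do
        local entry = list[candidate]
        if entry and entry[1] then return "block", candidate end
        if entry and entry[2] then return "flag", candidate end
        candidate = candidate:match("^[^.]+%.(.+)$")
    end
    return "allow", nil
end

-- Constructed resolver replies (what the hosted PHP page would print).
local samples = {
    "ip26583b54.direct-adsl.nl",  -- listed customer hostname
    "IP11111111.Direct-ADSL.nl.", -- same provider, other customer
    "evildirect-adsl.nl",         -- lookalike: shares characters, not a subdomain
    "datacenter1.vpnworks.net",   -- not on the list
    "203.0.113.7",                -- no PTR record: IP echoed back
}
for _, reply in ipairs(samples) do
    local verdict, matched = classify(reply, hostnames)
    print(("%-28s %-10s %s"):format(reply, verdict, matched or "-"))
end
```

Because the owner of an IP range sets its reverse-DNS name, a match is a lead for the manual review the post recommends rather than proof of identity.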
Dutchman101 (MTA Anti-Cheat Team, author), posted September 9, 2017

I would like to hear experiences using this script from those who started using it.

The caveat for the average server owner would be knowing how to host the included .php resolver on a webhost. If anyone has unused hosting capacity and would like to volunteer and offer to host it for the default resource (so it can work on the go for anyone), please contact me, so I could change the source to use your mirror. (Please note that depending on the amount of server owners who'll use it, it could result in hundreds of queries a second..)
IIYAMA (Moderators), posted September 11, 2017

So after reading everything, I do have to do this:

1. Add the website file to the server to detect the host of the player. (website server folder)
2. Add the resource to the server.
3. Grant the resource the fetchRemote function usage permission.
4. Change the url to the correct one.
* Optional: Search for VPN hostnames and add those to the list.

Am I missing something?
Dutchman101 (MTA Anti-Cheat Team, author), posted September 11, 2017

3 hours ago, IIYAMA said:
> 1. Add the website file to the server to detect the host of the player. (website server folder)

Yes; add the included .php file, instructions: https://stackoverflow.com/questions/31538747/where-to-upload-my-php-files-on-web-hosting-server and for your question #4, correct: change the example URL to location of your hosted .php in the script.

3 hours ago, IIYAMA said:
> 3. Grant the resource the fetchRemote function usage permission.

yes, and if you want resource to not only flag/log listed hostname connections but also block them, also add kick ACL access.

3 hours ago, IIYAMA said:
> * Optional: Search for VPN hostnames and add those to the list.

I would advise only blocking VPN services that are problematic to your server, like a few harsh evaders keep using them (the same VPN app with just 1 or a few select hostnames bound to its datacenter)
IIYAMA (Moderators), posted September 12, 2017

Ah thx. Everything is set up now.

After testing I noticed that when I used my browser it returns the correct hostname. But for mta it returned the 'Standaardgateway' address of my router. That is obvious because I was testing it on a local server. (except for the API of course)

This fixed that for me while testing, but it wouldn't work at a default server because it retrieves the server ip/hostname instead.

    <?php
    $hostname = gethostbyaddr($_SERVER['REMOTE_ADDR']);
    echo $hostname;
    ?>
Malone., posted September 16, 2017 (edited)

I would like to express my great, when I saw the script thank you very much.