Bungee Additional Security Plugin

  • So this is something that I've come across and seems to be popular, and I wanted to get people's thoughts.

    I know a lot of concerns have come up with removing IP auth because you can't 2FA Minecraft accounts. This is a plugin solution to that problem at the bungee level.

    I'd appreciate what you guys think.

    Plugin Link - https://www.spigotmc.org/resources/gsa-locklogin.75156/

    Wild1145

    Network Owner at TotalFreedom

    Managing Director at ATLAS Media Group Ltd.

    Founder & Owner at MastodonApp.UK

  • If it adds another step for regular players to join, then I object. Playing should be a simple click, and from experience, any servers with "extra" security plugins have a large number of people who join, see that, and immediately leave.

  • I object if it's a requirement for players to join. Also, I object in general, since Minecraft accounts are about to migrate to a platform that is 2FA-enabled anyway.

  • Object. I am all for security; however, I do not think it is necessary for us to have any kind of 2FA on the MC server (unless it's backend stuff, that can have 2FA), as Mojang is now making accounts migrate to Microsoft accounts so that way they have extra security, and I believe Microsoft accounts also have 2FA, so I think it's up to the player to have a secure account rather than doing something like this.

  • In a way, isn't this a security risk? If an admin runs /login ProtonNeutronElectron (ProtonNeutronElectron is the pass) and another admin sees it through /cmdspy, this poses a security issue, as that password could be the password for said admin's accounts.

  • @Ashaz#5720 I think the idea is that this would only be implemented in the hub; however, if we are allowing direct connections to the other servers without needing to go through the hub, you would be correct. Either way, if it's needed we can add an exception so that any /login command is not logged in cmdspy; however, it would still be shown in telnet, and I have no clue if we can do anything about that.

  • So for clarity, if I were to implement this sort of thing, it would be optional especially for players, and would be opt-in. It's possible we might want to make it a requirement for admins for good practice, but my suggestion here was more around an opt-in system.

    These plugins also prevent such items from being picked up by command spy, and NetworkManager's command spy, which we should end up moving people to, has a list of excluded commands which we would make sure things like /login and /register are part of. But even if it did get picked up by cmdspy, a TOTP token value isn't something that is a major concern on its own anyway, because anyone seeing it would see /login 123456, and those codes are generally valid for no more than 30 seconds anyway. It's a concern if you collated enough and back-engineered the TOTP seed, but in reality that tends to be fairly rare and needs a lot of skill and compute.

    Wild1145

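As an added illustration of the two points above (not code from the GSA LockLogin plugin or from anyone in this thread): an RFC 6238 TOTP generator, a verifier that accepts each 6-digit code only within its own 30-second step (plus one step of clock drift) and never a second time, so a code copied from cmdspy or a log is useless once used, and a command-spy redaction of the kind the excluded-commands list provides. The seed is the RFC 6238 test-vector value and the command names /login and /register are assumed from the thread.

```python
import hashlib
import hmac
import struct


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, as used by common authenticator apps."""
    counter = unix_time // step  # which 30-second window we are in
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TotpVerifier:
    """Accepts a code only in its own step (or the previous one, for clock drift)
    and consumes it, so a code seen in a log cannot be replayed."""

    def __init__(self, secret: bytes, step: int = 30):
        self.secret = secret
        self.step = step
        self.last_counter = -1  # highest step already used for a successful login

    def verify(self, code: str, unix_time: int) -> bool:
        now = unix_time // self.step
        for counter in (now, now - 1):
            if counter <= self.last_counter:
                continue  # already consumed: replay or stale window
            expected = totp(self.secret, counter * self.step, self.step)
            if hmac.compare_digest(expected, code):
                self.last_counter = counter
                return True
        return False


# Command names whose arguments must never reach command spy or logs (assumed names).
SENSITIVE_COMMANDS = {"/login", "/register"}


def redact_for_cmdspy(command_line: str) -> str:
    """Replace the arguments of sensitive commands before the line is broadcast."""
    parts = command_line.split(maxsplit=1)
    if len(parts) == 2 and parts[0].lower() in SENSITIVE_COMMANDS:
        return parts[0] + " [redacted]"
    return command_line


if __name__ == "__main__":
    seed = b"12345678901234567890"  # RFC 6238 test-vector seed, not a real secret
    print(totp(seed, 59), redact_for_cmdspy("/login 287082"))
```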

  • @DragonSlayer2189#5737 Even if it did, what information does that give that could be used? It'll give a 6-digit TOTP code which has a 30-second life span... I don't think it would be logged anyway, but would need to check; but it's all down to what risk we're trying to mitigate here... I'm struggling to see the risk in an admin occasionally seeing a 6-digit TOTP code in the logs?

    Wild1145
