[Suggestion] Ban system by Hardware ID/Serial
#1
Ban system by Serial same as MTA (or similar)



When I had a SAMP DayZ server, I got tired of repeatedly having problems with cheaters and toxic players who come back to the server every time.

You ban a player or a toxic player, and a few minutes later the same player comes back with a different nickname just to annoy and disturb. When I had my server on MTA (2012/2013) I never had that problem. Once the player was banned, he couldn't come back again, even by resetting the IP or formatting the PC.

He was really banned from the server.

I hope that you have a system like that; it's something that is missing on the other platform, but could really help people with a server. (Including DayZ, where the number of cheaters is large.)
  Reply
#2
I think this is something that server owners could make themselves but:

This is a good time to suggest a better gpci (or equivalent alternative) function that actually generates a unique serial that's, at least, much more resistant to collisions and uses a different method of generating a serial rather than using GTA San Andreas's installation path. It would make life a lot easier in dealing with ban evaders that use VPNs to ban evade.
Stoned Ape

  Reply
#3
I will personally donate 200euros for this feature.
  Reply
#4
I was a server owner for a while and the ban evading was by far the worst thing to control on the script side. I also managed to make an anti account steal system based mostly on a gpci and IP combination, but I removed it because it could be bypassed. I would love some kind of uniqueness.
  Reply
#5
Very important issue, cofounder of strongest and longest living Balkan RP server speaking... If there is something that can be done on that question, server owners and developers would be very happy
  Reply
#6
UPPPPPPPPPPPP
  Reply
#7
Banning by MAC address or other hardware information isn't possible on SAMP. However you can ban by the GPCI that is derived from the installation path of GTA SA. I was thinking that maybe it is possible to code a client-side plugin that could take the MAC address from a banned player, and this plugin is connected to the server thanks to an algorithm.
3D modeler on Blender - OOP and functional programming programmer

  Reply
#8
(2019-06-08, 07:59 PM)SimoSbara Wrote: Banning by MAC address or other hardware information isn't possible on SAMP. However you can ban by the GPCI that is derived from the installation path of GTA SA.

Remember that this isn't SA:MP ;)

The reason why this is even suggested though is because of how gpci generates a serial currently. Using the installation path isn't good enough because it's been known for years that multiple people can have the same serial assigned to them and thus would make a ban system reliant on it a bad idea. However, since open.mp is still in the initial development phase, I imagine it's very much possible to have the way gpci generates a serial use a different method that would prevent multiple people from getting the same serial (if not, make it very unlikely for it to happen).
Stoned Ape

  Reply
#9
(2019-06-09, 03:09 AM)DTV Wrote:
(2019-06-08, 07:59 PM)SimoSbara Wrote: Banning by MAC address or other hardware information isn't possible on SAMP. However you can ban by the GPCI that is derived from the installation path of GTA SA.

Remember that this isn't SA:MP ;)

The reason why this is even suggested though is because of how gpci generates a serial currently. Using the installation path isn't good enough because it's been known for years that multiple people can have the same serial assigned to them and thus would make a ban system reliant on it a bad idea. However, since open.mp is still in the initial development phase, I imagine it's very much possible to have the way gpci generates a serial use a different method that would prevent multiple people from getting the same serial (if not, make it very unlikely for it to happen).



The thing is that GPCI was never meant to be a unique identifier, I don't know why people started using it to ban people. That was a terrible idea.

The best use of GPCI was to detect whether the clients had mods installed.



Returning to the original topic, I believe that it's nearly impossible to create a 100% working ban system. Whatever you may invent: MAC address, Windows product key, hardware info... All of this information can be easily spoofed by a hacker to open.mp / SA-MP, so that SA-MP Servers will think that they're getting the actual MAC address, Windows product key, hardware info of a certain player, but in reality they ain't. It's not hard to reverse-engineer the client, change stuff in order to make it bypass the checks and rebuild it.

Then said hacker will most likely upload the cheats to some cheating website, and here you are, lots of cheaters will know how to be unbannable.



The most efficient way to stop people from cheating is to have active moderators (or some kind of super artificially intelligent anticheat that continuously learns).
  Reply
#10
(2019-06-17, 01:30 PM)Sasino97 Wrote:
(2019-06-09, 03:09 AM)DTV Wrote:
(2019-06-08, 07:59 PM)SimoSbara Wrote: -snip-

-another snip-

The thing is that GPCI was never meant to be a unique identifier, I don't know why people started using it to ban people. That was a terrible idea.
The best use of GPCI was to detect whether the clients had mods installed.

Returning to the original topic, I believe that it's nearly impossible to create a 100% working ban system. Whatever you may invent: MAC address, Windows product key, hardware info... All of this information can be easily spoofed by a hacker to open.mp / SA-MP, so that SA-MP Servers will think that they're getting the actual MAC address, Windows product key, hardware info of a certain player, but in reality they ain't. It's not hard to reverse-engineer the client, change stuff in order to make it bypass the checks and rebuild it.
Then said hacker will most likely upload the cheats to some cheating website, and here you are, lots of cheaters will know how to be unbannable.

The most efficient way to stop people from cheating is to have active moderators (or some kind of super artificially intelligent anticheat that continuously learns).

Of course it won't be 100% secure, even if you had a way to check through a player's GTA SA installation for non-allowed files they could still figure a way to bypass it. However, it would make life a lot easier when it comes to the average hacker who's looking to troll rather than someone who's actively attempting to attack a server by spoofing client information. With how it is in SA-MP, it isn't hard at all to get around a ban when you can simply use a free VPN or simply restart your router to change your IP address. I don't think anybody here would believe even having a unique serial that's tied to your PC would stop everyone from getting past it but it will stop most people who can get past currently used methods in SA-MP today.
Stoned Ape

  Reply
#11
What if it's a shared computer?
  Reply
#12
(2019-07-12, 05:24 AM)Jimmy Wrote: What if it's a shared computer?



Nothing a little customer support won't fix. With many things like this there often can be false positives, but it is important to simply add a friendly reminder saying "If you aren't aware of having been banned from this server for a particular reason, please contact: " or something along those lines.
  Reply
#13
(2019-07-12, 08:18 PM)Jarnokai Wrote:
(2019-07-12, 05:24 AM)Jimmy Wrote: What if it's a shared computer?



Nothing a little customer support won't fix. With many things like this there often can be false positives, but it is important to simply add a friendly reminder saying "If you aren't aware of having been banned from this server for a particular reason, please contact: " or something along those lines.



Okay, let's say 2 bros play on the same PC. One got banned for hacking by MAC. So now the second bro will also not be able to play. What he does is, he contacts server staff to get him unbanned. So the staff unbans the MAC address. Now, even the first brother who hacked originally can play too! It's a never ending problem. Banning by MAC can never be a reality.
  Reply
#14
(2019-06-17, 01:30 PM)Sasino97 Wrote: Returning to the original topic, I believe that it's nearly impossible to create a 100% working ban system.
Let's agree to disagree about this one.
Steam (for example) uses VAC Bans/Game Bans. Which basically disallows the account altogether from playing selected games.
Rainbow Six Siege uses BattlEye, iirc if you get banned for hacking on any game using BattlEye, the ban will cover any other game that also uses BattlEye.
Fortnite/Rust/Paladins all use EasyAntiCheat (afaik) which also bans by Hardware ID.

In the above examples (maybe other than CS:GO to be honest) I have met a handful of hackers on each of those games and have never seen anyone cheating as blatantly as I saw on SA-MP.
and in the case of CS:GO, It's justified since pieces of shits used to hack, get banned, purchase the game again then repeat the cycle (before the game went F2P) like they literally had nothing to do with their money other than ruining my god damn day.

(2019-07-28, 05:58 AM)Jimmy Wrote: Okay, let's say 2 bros play on the same PC. One got banned for hacking by MAC. So now the second bro will also not be able to play. What he does is, he contacts server staff to get him unbanned. So the staff unbans the MAC address. Now, even the first brother who hacked originally can play too! It's a never ending problem. Banning by MAC can never be a reality.

A much simpler solution would be not to cheat in the first place.
If I'm a server owner and someone comes up saying "my brother used hacks, please unban me please please" I wouldn't give a damn.



P.S: Using MAC-Address to ban people isn't exactly optimal, You can literally change your MAC address using a couple of tools that can be found online and for Linux family, You can literally change it using a single command.
  Reply
#15
Or you know, verify the account.. by twitter (they enforce SMS verification), SMS (e.g. using Twilio), gmail (they enforce SMS verification), facebook (they enforce SMS verification), whatsapp business (they enforce SMS verification), telegram (they enforce SMS verification), .. whatevs. You can also check dnsbl if the IP is blacklisted (for spam, being a VPN, tor node, etc). Additionally you can also ban specific ASN's like Google Cloud, Microsoft Azure and Amazon Web Services that allow to spin up vm's free of charge that can be used as a private VPN (you'll not be able to determine if it's a VPN or not). You can also link the accounts to their forum accounts and perform browser fingerprinting (and e.g. put your forum behind cloudflare). Or you know, you can create an invite system where people on the server can invite others, if someone is inviting a lot of cheaters just ban them too. Also limit your registrations per day then, e.g. 100? Many possibilities without the need to be invasive on the client side. We'll never be able to completely prevent ban evasion. Even paid games have the problem that the cheaters just buy a new copy of the game.. one would think that a paywall would work but even that won't work.

The only approach that could deal with most cheaters would be to emulate all interactions server side. I did work on a project that created a minimally working GTA-SA without textures, sounds etc that was around 340 MB. After a lot of tinkering it just wasn't viable or stable, not to mention the hassles of running it at 30 fps while emulating 1000 peds in the game, and on Linux.. a win32 binary. It's not impossible but it just wasn't viable. It's actually how games (e.g. MMO games, Counter Strike, Team Fortress 2) counter most of the cheats (ammo, weapons, speedhacks etc).

Your best bet is a good, large and fast admin team with good automated detection systems, and a very easy reporting system for players. For automated cheat detections just kick the cheater. In case of ammo / weapons cheats just "return 0" in shot/weapon sync for example. Hell I even measured the minimum times between shots as to prevent bullet spam that should be impossible [when I had my last server](https://github.com/grasmanek94/eXe/blob/....cxx#L1117).
  Reply
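Added example (not part of any post in this thread, and not code from the linked repository): a server-side check of the minimum time between shots, as post #15 describes, written in Python for illustration. The weapon ids, intervals, tolerance and kick threshold are constructed values, and the class and method names are hypothetical.

```python
from collections import defaultdict

# Constructed minimum intervals in milliseconds per weapon id; measure the real
# values on your own server, as the post above describes.
MIN_SHOT_INTERVAL_MS = {24: 700, 31: 90, 34: 900}
TOLERANCE_MS = 30           # allowance for network jitter (assumption)
KICK_AFTER_VIOLATIONS = 3   # dropped shots inside the window before a kick
VIOLATION_WINDOW_MS = 5000


class ShotValidator:
    def __init__(self):
        self.last_shot = {}                  # (player, weapon) -> last accepted time
        self.violations = defaultdict(list)  # player -> times of dropped shots

    def on_shot(self, player, weapon, now_ms):
        """Decide what to do with one shot-sync packet: 'accept', 'drop' or 'kick'.

        now_ms is the server's own receive time, never a timestamp sent by
        the client, so the check does not depend on client-supplied data.
        """
        minimum = MIN_SHOT_INTERVAL_MS.get(weapon)
        if minimum is None:
            return "drop"                    # unknown weapon id: do not sync it
        key = (player, weapon)
        previous = self.last_shot.get(key)
        if previous is not None and now_ms - previous < minimum - TOLERANCE_MS:
            # Too fast to be possible: drop the shot (the "return 0" case) and
            # count it. last_shot is not updated, so spamming packets still
            # yields at most one accepted shot per interval.
            recent = [t for t in self.violations[player]
                      if now_ms - t < VIOLATION_WINDOW_MS]
            recent.append(now_ms)
            self.violations[player] = recent
            return "kick" if len(recent) >= KICK_AFTER_VIOLATIONS else "drop"
        self.last_shot[key] = now_ms
        return "accept"

    def on_disconnect(self, player):
        """Forget per-player state so a reused player id starts clean."""
        self.violations.pop(player, None)
        for key in [k for k in self.last_shot if k[0] == player]:
            del self.last_shot[key]
```
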
#16
(2019-07-30, 10:32 PM)gzxmx94 Wrote: Or you know, verify the account.. by twitter (they enforce SMS verification), SMS (e.g. using Twilio), gmail (they enforce SMS verification), facebook (they enforce SMS verification), whatsapp business (they enforce SMS verification), telegram (they enforce SMS verification), .. whatevs. You can also check dnsbl if the IP is blacklisted (for spam, being a VPN, tor node, etc).

This is probably the most optimal way to face this.



Require users to sign-up on a website and then add levels of security

i.e: Level 1 is email confirmed, Level 2 is phone linked, etc.
  Reply
#17
As the guy above me said you can do it like discord lvls of security and the server owner can set up which lvl he likes
  Reply
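Added example (not part of any post in this thread): one way to implement the verification levels from posts #16 and #17 so that bans follow the account and its verified factors, while the client-reported serial only raises a flag for moderators, which also covers the shared-computer case from post #13. It is written in Python for a web backend; all names, the pepper and the sample values are constructed, and the confirmation-code step (e-mail link, SMS) is assumed to happen before `verify` is called.

```python
import hashlib
import hmac

PEPPER = b"constructed-example-pepper"  # constructed; keep the real one in server config
LEVEL_NONE, LEVEL_EMAIL, LEVEL_PHONE = 0, 1, 2


def factor_key(kind, value):
    """Keyed hash of a verified factor, so ban records hold no raw e-mail or number."""
    msg = f"{kind}:{value.strip().lower()}".encode()
    return hmac.new(PEPPER, msg, hashlib.sha256).hexdigest()


class Registry:
    def __init__(self, required_level):
        self.required_level = required_level  # chosen by the server owner
        self.factors = {}              # account -> {kind: factor_key}
        self.owner = {}                # factor_key -> account that verified it
        self.banned_accounts = set()
        self.banned_factors = set()
        self.flagged_serials = set()   # client-reported, so advisory only

    def verify(self, account, kind, value):
        """Record a factor whose confirmation code was already checked."""
        key = factor_key(kind, value)
        if key in self.banned_factors:
            return False               # factor belongs to a banned player
        if self.owner.get(key, account) != account:
            return False               # one factor, one account
        self.owner[key] = account
        self.factors.setdefault(account, {})[kind] = key
        return True

    def level(self, account):
        have = self.factors.get(account, {})
        if "email" in have and "phone" in have:
            return LEVEL_PHONE
        return LEVEL_EMAIL if "email" in have else LEVEL_NONE

    def ban(self, account, client_serial=None):
        """Ban the account and every factor it verified; only flag the serial."""
        self.banned_accounts.add(account)
        self.banned_factors.update(self.factors.get(account, {}).values())
        if client_serial:
            self.flagged_serials.add(client_serial)

    def check_join(self, account, client_serial):
        """Return (allowed, reason). The serial never decides the outcome alone."""
        if account in self.banned_accounts:
            return False, "account banned"
        if self.level(account) < self.required_level:
            return False, "verification level too low"
        if client_serial in self.flagged_serials:
            return True, "allowed, flagged for moderator review"
        return True, "allowed"
```
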
#18
Agree 100% with Sasino97's view. Unique identifiers mean trusting data from the client. Trusting data from the client is a stupid thing to do. AAA games sort-of solve this by making clients generate extremely complex HID-like hashes and checking their legitimacy one way or the other, but then again AAA studios have resources that I reckon most of us puny mortals don't have. (And even then, those systems are not 100% perfect either). They also have the advantage of being able to link said hashes to stuff like game licenses, which, both future-openmp and current SA-MP not being a product which gets sold and/or related to a centralized user account, makes this even less feasible.

Automated BE systems are bound to hurt innocent players a lot more than cheaters/ban evaders in the long run. The only responsible way around this issue is taking people you trust and tasking them with moderation duties.
  Reply
#19
Ban system with gpci ip?

Double check, double fun LMAO XD





Why you need only hardware ID ban if you can ban someone with IP PLUS GPCI function, first you need to check their GPCI, then check their IP too.

Yeah it seems kinda waste of mem but..... :\





  Reply
#20
(2019-10-01, 04:34 AM)Tama Wrote: Ban system with gpci ip?

Double check, double fun LMAO XD





Why you need only hardware ID ban if you can ban someone with IP PLUS GPCI function, first you need to check their GPCI, then check their IP too.

Yeah it seems kinda waste of mem but..... :\



Both of these are easy to bypass.
  Reply
#21
(2019-10-15, 04:43 PM)Markski Wrote:
(2019-10-01, 04:34 AM)Tama Wrote: Ban system with gpci ip?
Double check, double fun LMAO XD


Why you need only hardware ID ban if you can ban someone with IP PLUS GPCI function, first you need to check their GPCI, then check their IP too.
Yeah it seems kinda waste of mem but..... :\

Both of these are easy to bypass.

How?...

There is plenty of security you can go with, let's try with udb hash.


PHP Code:
native gpci(playerid, serial[], len);

// Hash stored earlier for this player (how it is loaded is not shown in the post).
new YourUDB_Hash;

// Adler-32 style checksum over the string.
stock udb_hash(buf[]) {
    new length = strlen(buf);
    new s1 = 1;
    new s2 = 0;
    new n;
    for (n = 0; n < length; n++)
    {
        s1 = (s1 + buf[n]) % 65521;
        s2 = (s2 + s1) % 65521;
    }
    return (s2 << 16) + s1;
}

public OnPlayerConnect(playerid) {
    new MyUDB_Hash, MyGPCI[24], MyIP[16];
    GetPlayerIp(playerid, MyIP, sizeof(MyIP));

    gpci(playerid, MyGPCI, 24);

    // sprintf() is not a built-in native; it is assumed here to come from an include such as strlib.
    MyUDB_Hash = udb_hash(sprintf("%syour_secret_text_here%s", MyIP, MyGPCI));

    // The hash of IP + secret + GPCI must match the stored one.
    if (YourUDB_Hash != MyUDB_Hash)
    {
        SendClientMessage(playerid, -1, "Who are you!!, if you think this is a mistake then please contact an administrator bla bla bla");
    }
    return 1;
}






  Reply
#22
(2019-10-24, 08:28 AM)Tama Wrote:
(2019-10-15, 04:43 PM)Markski Wrote:
(2019-10-01, 04:34 AM)Tama Wrote: Ban system with gpci ip?

Double check, double fun LMAO XD

Why you need only hardware ID ban if you can ban someone with IP PLUS GPCI function, first you need to check their GPCI, then check their IP too.

Yeah it seems kinda waste of mem but..... :\

Both of these are easy to bypass.

How?...

There is plenty of security you can go with, let's try with udb hash.

PHP Code:
native gpci(playerid, serial[], len);

// Hash stored earlier for this player (how it is loaded is not shown in the post).
new YourUDB_Hash;

// Adler-32 style checksum over the string.
stock udb_hash(buf[]) {
    new length = strlen(buf);
    new s1 = 1;
    new s2 = 0;
    new n;
    for (n = 0; n < length; n++)
    {
        s1 = (s1 + buf[n]) % 65521;
        s2 = (s2 + s1) % 65521;
    }
    return (s2 << 16) + s1;
}

public OnPlayerConnect(playerid) {
    new MyUDB_Hash, MyGPCI[24], MyIP[16];
    GetPlayerIp(playerid, MyIP, sizeof(MyIP));

    gpci(playerid, MyGPCI, 24);

    // sprintf() is not a built-in native; it is assumed here to come from an include such as strlib.
    MyUDB_Hash = udb_hash(sprintf("%syour_secret_text_here%s", MyIP, MyGPCI));

    // The hash of IP + secret + GPCI must match the stored one.
    if (YourUDB_Hash != MyUDB_Hash)
    {
        SendClientMessage(playerid, -1, "Who are you!!, if you think this is a mistake then please contact an administrator bla bla bla");
    }
    return 1;
}





This post is extremely old but it feels important to make this clear: All client input can be manipulated. Creating such a way to identify hardware id in a non-manipulable way is borderline or outright impossible. Especially in open.mp's case, where the software will allegedly be open sourced, meaning many hands, good or malicious, will be able to see the inner workings in detail.



I appreciate the usefulness in such a feature but I doubt something that works better than GPCI can be achievable at least for the time being.
  Reply
#23
You don't need to manipulate anything. The server requests a hardware ID, the client sends one back. Where that ID comes from is anyone's guess. The client COULD generate it based on a complex combination of hardware and system data, OR it could just lie and send a random number back. The cheaters won't bother to break the generation code, they'll just bypass it entirely.
  Reply
#24
By manipulated I meant manipulated by the client, which is essentially what you said.
  Reply
#25
Many programs are reading h.id when installing on windows. This should not be problem to read and forward it onplayerconnect?
  Reply
#26
(2020-06-18, 10:11 AM)Woo Wrote: Many programs are reading h.id when installing on windows. This should not be problem to read and forward it onplayerconnect?



A hacker can change it very easily.
  Reply
#27
The worst part about this topic is we still discuss it.



It's really annoying how everyone's like "but everything from the client can be modified and that doesn't make any sense to provide that feature". I'm sorry, but fuck off. If every single multiplayer game (let's take GTA:O here for instance) would follow the same attitude and rules as we are discussing here, just because "hypothetically" client-side thing can be modified - they would never provide any security.



Not all players are hackers, not all players know how to do it. Provide damn security without thinking "ugh, that can be modified by client, let's not provide that". Modifying client info isn't the easiest task for some people. 90% of SA-MP is just players I guess, that know nothing about software engineering.



So please, stop that nonsense, because what we are having here is the same discussion I've seen on sa-mp's forum back 10 years ago.



In short:

Provide internal natives that are unique for each client, without overthinking


  Reply
#28
(2020-07-06, 04:58 PM)Riddick Wrote: The worst part about this topic is we still discuss it.



It's really annoying how everyone's like "but everything from the client can be modified and that doesn't make any sense to provide that feature". I'm sorry, but fuck off. If every single multiplayer game (let's take GTA:O here for instance) would follow the same attitude and rules as we are discussing here, just because "hypothetically" client-side thing can be modified - they would never provide any security.



Not all players are hackers, not all players know how to do it. Provide damn security without thinking "ugh, that can be modified by client, let's not provide that". Modifying client info isn't the easiest task for some people. 90% of SA-MP is just players I guess, that know nothing about software engineering.



So please, stop that nonsense, because what we are having here is the same discussion I've seen on sa-mp's forum back 10 years ago.



In short:

Provide internal natives that are unique for each client, without overthinking



Even though this post is a bit harsher than needed in my opinion, I do still support the thinking. Not providing a good, hardware-specific code for the server to use just because a hacker might bypass it sounds a bit silly. As he said, even if this ID system wouldn't block hackers (Who, at the point of using some gameplay hacks, will obviously also use one that spoofs the ID) it will block badly behaving players with unmodified games. Often the reason for banning someone isn't that they are blatantly hacking. People get banned for not following server rules, and hacking is only one of often many rules enforced by servers. Maybe someone was spamming, teamkilling, doing something non-RP in a heavy RP server, advertising other servers, or otherwise causing grief to other players. Keep in mind that this ID could not only be used for permanent bans, but also for temporary ones!
  Reply
#29
(2020-07-06, 04:58 PM)Riddick Wrote: The worst part about this topic is we still discuss it.



It's really annoying how everyone's like "but everything from the client can be modified and that doesn't make any sense to provide that feature". I'm sorry, but fuck off. If every single multiplayer game (let's take GTA:O here for instance) would follow the same attitude and rules as we are discussing here, just because "hypothetically" client-side thing can be modified - they would never provide any security.



Not all players are hackers, not all players know how to do it. Provide damn security without thinking "ugh, that can be modified by client, let's not provide that". Modifying client info isn't the easiest task for some people. 90% of SA-MP is just players I guess, that know nothing about software engineering.



So please, stop that nonsense, because what we are having here is the same discussion I've seen on sa-mp's forum back 10 years ago.



In short:

Provide internal natives that are unique for each client, without overthinking

Exactly. Although, I am pretty sure current devs can come up with some kind of unique client parameters, which can't be easily tampered
  Reply
#30
(2020-07-14, 02:57 AM)Logan Wrote:
(2020-07-06, 04:58 PM)Riddick Wrote: The worst part about this topic is we still discuss it.



It's really annoying how everyone's like "but everything from the client can be modified and that doesn't make any sense to provide that feature". I'm sorry, but fuck off. If every single multiplayer game (let's take GTA:O here for instance) would follow the same attitude and rules as we are discussing here, just because "hypothetically" client-side thing can be modified - they would never provide any security.



Not all players are hackers, not all players know how to do it. Provide damn security without thinking "ugh, that can be modified by client, let's not provide that". Modifying client info isn't the easiest task for some people. 90% of SA-MP is just players I guess, that know nothing about software engineering.



So please, stop that nonsense, because what we are having here is the same discussion I've seen on sa-mp's forum back 10 years ago.



In short:

Provide internal natives that are unique for each client, without overthinking

Exactly. Although, I am pretty sure current devs can come up with some kind of unique client parameters, which can't be easily tampered



Project will be open source, so something like that can be seen in code and bypassed
  Reply
#31
I see this possible, but in a different way.



The first time someone installs this, they are given a unique identifier that is attached to the MAC address of their PC (this can be done with a backend web server).



The identifier can't be changed.



Code:
GetPlayerUniqueID
  Reply
#32
I'm playing since 0.3.7 but wasn't there something like Client Auth back in the days when AntiCheat was built-in into the SAMP server?



My suggestion is create mail:password auth (in the client) style and make the web server(closed source) handle everything (including alts of that account) related to ban evasion n stuff, idk...
Using Pawn.CMD?

If you're doing so, this is the very first sign that you absolutely shouldn't utilize your all powerful P-Code knowledge in any of the scripting discussion topics.
  Reply

