Graal Forums


Spark910 05-18-2003 07:28 PM

Level Four RC
 
This is a note to every manager. And anyone who works on a PlayerWorld. Level Four RC should be for Managers and maybe Co-Managers only. No staff member other than managers should have Level Four. It's a security risk. And a foolish thing to do. The reason I have posted this now and not with the full security document is that I have recently found out that one PlayerWorld has about 6-10 Level Four RCs when it doesn't have more than 2 Managers. For the moment I'd like for all PWs to have sound rights, IP ranges and active small staff teams (not like 20 on RC at a time). So...

I'd like all Managers to go through every staff member they have working for them (listed in the 'Staff=' server option) and check all of the rights and take away any rights that shouldn't be there. We all know staff want high rights to feel important and needed on a PW, but unless that right is needed or vital for the day-to-day work on the PW then there is no need for the staff member to have this right; it only creates security risks or problems in the future. While you are looking through the Staff= list, please make sure everyone who is in that list is still active and works for you. While you do this, also please add IP ranges. I have made a document about security which AfterShock has and he was doing something with it, so I won't post that all just yet.

Creating an IP range:

There are many ways to get your IP, such as IRC chat, AIM, tools and programs which display it etc... For dial-up users your IP endings will change, but the start should stay the same, or only have 2-3 startings. Once you have found a way to get your IP address, you need to write down all the IPs you have. Ideally you should get about 15-20. Note: the IP changes when dial-up users connect to their ISP servers. And it sometimes changes for always-on connections, but you can get an IP range.

Let's say I have the following IPs (which I do not):

64.124.42.44
64.124.88.52
64.74.963.25
64.123.67.32
78.642.96.34
78.642.46.34
78.642.45.32
64.124.85.32

[The first thing to do is put them in numerical order, so 64.*.*.* > 78.*.*.*]

Once you have put them in order, you need to look at what changes and what doesn't. In this case it's the first and some of the second parts of the IP address. Which means this IP range for someone with those IPs would be:

64.124.*.*
64.74.*.*
64.123.*.*
78.642.*.*

Now many people will just do the following: 64.*.*.* (if the other numbers seem to change a lot). Ideally if you can have a tighter IP range such as: 64.124.*.* then it will be more secure. The reason I suggest multiple recordings of IPs is to get the full range of what your IP could be. Ideally you should take IPs over 2-3 days so that it is a greater IP range. REMEMBER: You can always edit or change the IP range, but you can't always get back the Levels and NPCs deleted by an intruder.

I will speak to AfterShock to see if it's okay to post the whole document.
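
The procedure in the post above (record the addresses seen, keep the part that does not change, prefer the tighter range) written out as an added Python example; it is not part of the original post and not Graal's RC code. The function names are hypothetical, and the sample list reuses addresses from the post, two of which have octets above 255 and are rejected as malformed. The example also counts how many addresses each wildcard pattern admits.

```python
from collections import defaultdict

# Entries copied from the sample list in the post, including two malformed ones.
OBSERVED = [
    "64.124.42.44", "64.124.88.52", "64.74.963.25",
    "64.123.67.32", "78.642.96.34", "64.124.85.32",
]

def parse_ipv4(text):
    """Return the four octets of a dotted-quad address or raise ValueError."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"not a dotted quad: {text!r}")
    octets = tuple(int(p) for p in parts)
    if any(o > 255 for o in octets):
        raise ValueError(f"octet outside 0-255: {text!r}")
    return octets

def derive_ranges(observed, fixed_octets=2):
    """Group observed addresses by their leading octets.

    Returns (sorted wildcard patterns, entries rejected as malformed)."""
    seen, rejected = defaultdict(int), []
    for text in observed:
        try:
            octets = parse_ipv4(text)
        except ValueError:
            rejected.append(text)
            continue
        seen[octets[:fixed_octets]] += 1
    patterns = [
        ".".join(str(o) for o in prefix) + ".*" * (4 - fixed_octets)
        for prefix in sorted(seen)
    ]
    return patterns, rejected

def addresses_admitted(pattern):
    """Number of distinct IPv4 addresses a wildcard pattern lets through."""
    return 256 ** pattern.split(".").count("*")

def matches(ip, patterns):
    """True if the login address falls inside any of the wildcard patterns."""
    octets = parse_ipv4(ip)
    for pattern in patterns:
        fields = pattern.split(".")
        if len(fields) == 4 and all(
            f == "*" or f == str(o) for f, o in zip(fields, octets)
        ):
            return True
    return False

if __name__ == "__main__":
    patterns, rejected = derive_ranges(OBSERVED)
    print("rejected as malformed:", rejected)
    for p in patterns + ["64.*.*.*", "*.*.*.*"]:
        print(f"{p:12} admits {addresses_admitted(p):>13,} addresses")
    print("64.125.1.1 allowed by tight ranges:", matches("64.125.1.1", patterns))
    print("64.125.1.1 allowed by 64.*.*.*:", matches("64.125.1.1", ["64.*.*.*"]))
```
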

DarkShadows_Legend 05-18-2003 08:25 PM

Quote:

one PlayerWorld has about 6-10 Level Four RCs when it doesn't have more than 2 Managers

That is funny.

Quote:

active small staff teams

What do you consider as a small team for say Level Makers and scripters?

Spark910 05-18-2003 08:33 PM

Quote:

Originally posted by DarkShadows_Legend
What do you consider as a small team for say Level Makers and scripters?

Well it depends how big the PW is etc...
But I don't think each team needs to exceed over 3. So 3 Level Makers, 3 NPC Scripters etc.. Maybe 4 or 5 at a MAX for big servers that need a lot of updates. But some PWs have teams of like 8-10 and it gets stupid when they are all online or when we try and find out who screwed over the server.

You need to look at who works, and if that person is really needed or not. If you can do without them fine, then I suppose there isn't much of a reason to keep them. Some people are fine with 1-2 staff on each team and they can work fine. The more you have the more complications you may have with communication.

G_yoshi 05-18-2003 08:48 PM

I didn't know there were still levels for RC. To my understanding your rights are what are important. :p Only 'levels' for RC would be Global and Non-Global. After that, your rights are what make up your abilities. :)

Spark910 05-18-2003 08:51 PM

Quote:

Originally posted by G_yoshi
I didn't know there were still levels for RC. To my understanding your rights are what are important. :p Only 'levels' for RC would be Global and Non-Global. After that, your rights are what make up your abilities. :)

True. People tend to have rights from different 'levels'. So in that case only Managers/Co-Managers should have all rights available.

zell12 05-18-2003 10:30 PM

Manager only rights would be:
-Edit server options
-Edit Folder Configuration
-Set rights
-Set folder rights

If you are an active Manager, you won't need to give anyone else these rights. -_- If I recall correctly, Nemesis posted Playerworld Rules for the Managers to follow. Such things to call to mind would be:
-Private Servers max of 2 weeks, then they are reviewed and either shut down or become an actual server.
-No more than two Manager changes or the server is shut down.

Things like that. How come they are not still being followed?

Milkdude99 05-19-2003 12:39 AM

Spark, people who set IPs like this 64.*.*.* need to be shot for the simple reason this gives the ENTIRE RANGE of the ISP and more than one person is on that ISP, so you might as well put it *.*.*.*; there is very little difference in the 2 as far as security goes. Npulse will not even give RC to anyone who has AOL or ISPs like them for the simple reason of security; it's simply not safe to have someone on RC with an ever-changing IP. How do you know the one requesting to change their IP (daily or every time they connect) is who they say they are? Problem is you don't, and if someone else is on his or her account then you just gave him or her access to the server. This is not a risk we will take and why Npulse has the security rules we have in place.

Rights we give are very limited on who gets what and what makes us one of the most secure and PW with the least amount of problems with the server from Staff who go on a rampage. Very little or no damage is done because someone who has a lot of rights has been on the server for at least a year and has proven their trust with the rights. Ask some Staff about this; sure we get complaints from Staff wanting more rights when it is not required to do their job and they are always denied this. A tight rein always needs to be put on the rights given out for obvious reasons, as demonstrated by those who end up with their server deleted by immature people who should not have had them in the first place regardless of talent. Talent is no replacement for wisdom and maturity; this is what causes PWs to get into trouble. They put people with rights because of a talent and not because of wisdom and maturity; this in itself has deadly consequences.

daboo 05-19-2003 02:13 AM

And anyone who has 172.*.*.* needs to go through hours of torture. While I'm not staff, and have never been staff on a server, I think you should bug Stefan/Unixmad about adding the ability to add RC rights and bans using hosts, such as *hkry.nc.charter.com, *66-*.hkry.nc.charter.com, etc. I'm an admin on an IRC network, and would hate having to use only IPs for bans and opers (staff).

Milkdude99 05-19-2003 03:20 AM

Quote:

Originally posted by daboo
And anyone who has 172.*.*.* needs to go through hours of torture. While I'm not staff, and have never been staff on a server, I think you should bug Stefan/Unixmad about adding the ability to add RC rights and bans using hosts, such as *hkry.nc.charter.com, *66-*.hkry.nc.charter.com, etc. I'm an admin on an IRC network, and would hate having to use only IPs for bans and opers (staff).

Problem with banning entire host is that innocent people are then blocked also, although we do things like this on Npulse by not letting members of AOL or ISPs like them from being RC Staff; they can be Staff but are limited to a non-RC position because of security risk.

zell12 05-19-2003 04:03 AM

You can add multiple IP ranges, so what is the risk?

thesaiyan 05-19-2003 04:15 AM

Quote:

Originally posted by zell12
You can add multiple IP ranges, so what is the risk?

But with AOL that's hard. The IP is 172.*.*.* and the 172 is the only sure number. The rest change, so having multiple ranges for an AOL person means for him/her to have to reconnect to the internet until they match that IP range set. Which would probably take a lot of tries.

Spark910 05-19-2003 06:16 PM

Quote:

Originally posted by zell12
-Private Servers max of 2 weeks, then they are reviewed and either shut down or become an actual server.
-No more than two Manager changes or the server is shut down.

1- That was when they were put online from being offline. The reason we still have some UC PWs is that some of the work they are doing is REALLY good so they are given more time. But these reviews will decide what happens from there on.

2- Yes that was said, but sometimes some have to quit after a while or can't come back etc.. But if the Managers are changing every month or so, then there is a problem, yes.

Quote:

Spark, people who set IPs like this 64.*.*.* need to be shot for the simple reason this gives the ENTIRE RANGE of the ISP and more than one person is on that ISP, so you might as well put it *.*.*.*; there is very little difference in the 2 as far as security goes

Quote:

Ideally if you can have a tighter IP range such as: 64.124.*.* then it will be more secure.

64.*.*.* is better than *.*.*.* as then it limits it to ISPs. I am aware of that. And managers should have 3-4 tight IP ranges.

draygin 05-19-2003 06:31 PM

Nobody should have 64.*.*.* I'm on dialup and I have 6 different IPs listed for RC. They are all something like 64.126.*.* 201.36.*.* etc.. It ranges, but even dialup has boundaries with which it will stay in. So anyone who says "I can't have a range, I have dialup" is full of it. Because with my dialup I have my ranges set and haven't had a problem since with logging on. Although there are some rare cases with extremely poor service, where a Brazilian guy I knew, his IP kept changing every single time he logged on to something new. (Really bad ISP service where he was.) That is however extremely rare. In this case if it was someone we really needed I just wouldn't give them access to any sensitive information/rights so no damage could be done.

Spark910 05-19-2003 07:42 PM

Quote:

Originally posted by draygin
Nobody should have 64.*.*.* I'm on dialup and I have 6 different IPs listed for RC. They are all something like 64.126.*.* 201.36.*.* etc.. It ranges, but even dialup has boundaries with which it will stay in. So anyone who says "I can't have a range, I have dialup" is full of it. Because with my dialup I have my ranges set and haven't had a problem since with logging on. Although there are some rare cases with extremely poor service, where a Brazilian guy I knew, his IP kept changing every single time he logged on to something new. (Really bad ISP service where he was.) That is however extremely rare. In this case if it was someone we really needed I just wouldn't give them access to any sensitive information/rights so no damage could be done.

Well if I was a manager I'd disable RCs without IP ranges until they are fixed up. And if they could not give a tight enough IP range, then I would take away any very dangerous rights.

Milkdude99 05-19-2003 09:42 PM

Quote:

Originally posted by thesaiyan


But with AOL that's hard. The IP is 172.*.*.* and the 172 is the only sure number. The rest change, so having multiple ranges for an AOL person means for him/her to have to reconnect to the internet until they match that IP range set. Which would probably take a lot of tries.

If you had read my post, we will NOT hire people for RC with AOL because of that; it is a security risk and something we will not do.

daboo 05-20-2003 03:36 AM

Quote:

Originally posted by Milkdude99
Problem with banning entire host is that innocent people are then blocked also, although we do things like this on Npulse by not letting members of AOL or ISPs like them from being RC Staff; they can be Staff but are limited to a non-RC position because of security risk.

One would need to ban an entire host, for people with ISPs that have several IP ranges, but with decently named hosts, like randomnumbers/letters.exchangenumbers.city.state.isp.com, one could ban up to a certain point with limited innocent people getting banned. With IPs, when you ban a range you tend to get a lot more people, and sometimes have to go through multiple ranges, and people not even from the ISP may be affected.

zell12 05-20-2003 05:38 AM

I think you're all too lazy to find out the different IPs. I mean, did any of you think yet? Just call your ISP. -_-

Eric_1337 05-20-2003 06:13 PM

Quote:

Originally posted by zell12
I think you're all too lazy to find out the different IPs. I mean, did any of you think yet? Just call your ISP. -_-

Lol... There is of course another issue you must come to attention. Some people have more than one house, with more than one computer. They are all going to be really tired of having them get on an instant messenger and wait for an admin to get on and change their IP ranges so they can get on their RC and get some work done.

Making an IP range too large would cause anyone to get on within that IP range. The only true way of making sure no one gets on your account is to... Never tell them your account and hide the RC client lol. Maybe Stefan or Unix could delete the auto-save password on the RC client, so the problem wouldn't be as serious to fix.

zell12 05-20-2003 11:58 PM

You have no idea what you're talking about. This is to ensure that if someone has your password, they cannot logon your RC on a particular playerworld. Why? Because your IP is the only one that can access it. You can add multiple IP ranges, so if your thing changes just do something like:
64.50.50.45,64.50.45.50,64.50.45.45

Eric_1337 05-21-2003 12:11 AM

whatever.

Projectshifter 05-21-2003 02:02 AM

Proxies are good =)
I don't use a proxy for my global RC, but that's b/c I have 2 cable modems with the same IP range, luckily. And there is also such thing as a DNS prog. If one wanted, they could instead of doing an IP, have it be like: graalrc.no-ip.org or something. I suppose a DNS would be accepted, it does the same thing, it just resolves the IP address, and that way instead of the RC looking for your IP, it'll look for the resolved RC. Dunno, just a thought.
---Shifter

Milkdude99 05-21-2003 02:11 AM

Quote:

Originally posted by zell12
You have no idea what you're talking about. This is to ensure that if someone has your password, they cannot logon your RC on a particular playerworld. Why? Because your IP is the only one that can access it. You can add multiple IP ranges, so if your thing changes just do something like:
64.50.50.45,64.50.45.50,64.50.45.45

For some reason we have never gotten multiple IPs to work. :(

Loriel 05-21-2003 03:33 PM

Quote:

Originally posted by Projectshifter
[...]
Not good, because all these dynamic DNS things I know require no more than a password to set the DNS entry to a certain IP. And the point of IP ranges is to protect the access even though passwords are leaked.

konidias 05-21-2003 09:34 PM

Quote:

Originally posted by zell12
You have no idea what you're talking about. This is to ensure that if someone has your password, they cannot logon your RC on a particular playerworld. Why? Because your IP is the only one that can access it. You can add multiple IP ranges, so if your thing changes just do something like:
64.50.50.45,64.50.45.50,64.50.45.45

Using all 4? That's the dumbest thing I've ever heard. If your IP changes every time you reconnect, who's to say it will be the same as one of the three you already listed? I truly don't think IP ranges are even needed if the person would just not be stupid enough to get hacked or whatever.

By the way guys, IP numbers are from 0 to 255, there is no IP number higher than 255... Spark, you put 642, lol. :p

About the whole AOL ordeal... you have to understand something. The person would not only have to get their pass stolen, but also the person that stole it would have to be using AOL. Just because the person has the name and pass doesn't mean they are using AOL to access the net. So a simple one number IP range block would work fine.

I think anyone that uses AOL doesn't have common sense in the first place, because it's a piece of crap ISP. Sorry if I offend those that don't have a choice in their ISPs.

zell12 05-21-2003 10:03 PM

I think he was just making an example koni, don't get mad. :)
Anyway, what's the deal with the gateway IP, why couldn't that be added? It looks stable to me. o.o

melissa1988 05-21-2003 10:22 PM

I wonder if RC would ever support IPv6...

konidias 05-21-2003 10:42 PM

Quote:

Originally posted by zell12
I think he was just making an example koni, don't get mad. :)
Anyway, what's the deal with the gateway IP, why couldn't that be added? It looks stable to me. o.o

I wasn't mad, that's why I had the laughing face there. :) For my oasis rc, I had my one constant IP as the range, since I was using a cable modem that had a static IP. (meaning it never changes)

But I moved houses recently and have a different ISP and had no way to get back on my RC, so I really just prefer to have *.*.*.* and just be careful and not get "hacked". If I didn't have good contact to Stefan, it could have taken a week or more to get my IP range set to nothing so I could get on it again. That would be a problem if my playerworld was public because I wouldn't be able to administrate anything on it for a week straight.

My advice is, use *.*.*.*, get a good firewall and trojan detector, and change your password every 1-2 weeks. The chances of your RC being accessed by someone else would be less than if you were to even use the IP range blocker.

zell12 05-21-2003 10:55 PM

Yes, but it is very easy for someone to place a trojan on a level, graphic or in any file on the file browser, and then when you go to use it, you get infected. Therefore revealing your password to the corrupt nub and he uses your account to delete everything and take over the server, then add *.*.*.* to the ipbanned.txt so only Unixmad and Stefan can fix it (accessing the FTP while the server is shutdown).

Milkdude99 05-21-2003 10:58 PM

Quote:

Originally posted by konidias


My advice is, use *.*.*.*, get a good firewall and trojan detector, and change your password every 1-2 weeks. The chances of your RC being accessed by someone else would be less than if you were to even use the IP range blocker.

Nemesis has forbidden the use of an IP like that and has made it clear that any PW setting IPs like this will be shut down. I believe this came from Stefan and Unixmad, so I would STRONGLY discourage the use of *.*.*.*. I use Norton Professional System Works 2003 with Norton Internet Security (Firewall) 2003 and I still won't set my IP in this manner for obvious reasons of what we are told.

MadWolf 05-21-2003 11:05 PM

Run>cmd>ipconfig=IP ADDRESS *fireworks*
Ask your staff for their IPs, don't give out RC if they can't handle a secure IP range, don't give out level 4 RC for people who don't need it. Simple? Accept it. This is common sense, and what Moon God has running is beyond some Managers' grasp.

Eric_1337 05-21-2003 11:15 PM

Quote:

Originally posted by MadWolf
Run>cmd>ipconfig=IP ADDRESS *fireworks*
Ask your staff for their IPs, don't give out RC if they can't handle a secure IP range, don't give out level 4 RC for people who don't need it. Simple? Accept it. This is common sense, and what Moon God has running is beyond some Managers' grasp.

Agreed. Just be really careful with your account and password.

zell12 05-22-2003 12:15 AM

I did that with Mithica and if they had a dynamic IP, I'd just stay with them for about 20 minutes and tell them to record their IP changes and I'd add them.

ckb1985 05-22-2003 02:25 AM

How many class B addresses does AOL own, and is there a system to assigning your specific IP in your area? I mean, are there like several class Bs used in your area, or can you get any of the class Bs that AOL owns..... I mean couldn't you ask AOL what possible class B networks you could end up on in your area if they have certain class Bs for areas.... For those of you who don't know your networking, please don't respond with wtf is a class B.....

Also I don't know if this is possible or not, but it might be possible for RC to be coded to restrict access by MAC address since there are no 2 alike MAC addresses and everyone's network interface device has a different one.... but I don't know if this is possible or not.... still taking Cisco.....

superb 05-22-2003 05:04 PM

Well, you would need to use RARP I believe to retrieve the node's MAC address. So theoretically I suppose when you log into RC, the system could send a RARP request to your system, your system would reply with the MAC address, and if it doesn't match the MAC address that has been set by the administrator, it could deny access. This would work well I think, but unless you added multiple MACs you could only use RC from one node. But here's the problem...it's not feasible to do this because I don't believe dialup users have MAC addresses for their modems. I could be wrong, but I'm pretty sure modems lack MAC addresses.

Ibonic 05-22-2003 05:29 PM

stop using AOL please, unless you get paid

__

make everyone who has level 4 + RC get a mobile phone, then have the server send the mobile phone a unique, second password every time the account is trying to be logged in

give the person 2 chances to type the correct password, and then deny access for a period of time

yeah, I know.. this won't happen


All times are GMT +2. The time now is 08:04 AM.
