Validation/whitelist IP (Sovietgate)

Z

ZapicoGT

Active Member
Jun 8, 2016
15
13
90
Yes!

These game servers have a control panel which can add OVH failover IPs that can accommodate 18 users per IP.
 
Asphyxia

Asphyxia

Owner
Administrator
Apr 25, 2015
1,845
2
2,199
327
You are probably going to want to do something kind of like this:
r4p3.net

Locking Ubuntu to a web interface (SSH whitelist)

We are going to whitelist localhost (127.0.0.1) to our SSHD whitelist. This means only localhost is able to utilize SSH. This is especially useful if you only want the server itself to be logging in as root to make changes. This can be very powerful if you wrap the root user and SSH into a...
r4p3.net r4p3.net

Only main difference is you are going to make people pass through reCAPTCHA, then add their IP to a whitelist.

This could be done on a remote server, localhost, or perhaps even using an API.

Are you wanting someone to program this for you or what? :p
 
Z

ZapicoGT

Active Member
Jun 8, 2016
15
13
90
Asphyxia said:
You are probably going to want to do something kind of like this:
r4p3.net

Locking Ubuntu to a web interface (SSH whitelist)

We are going to whitelist localhost (127.0.0.1) to our SSHD whitelist. This means only localhost is able to utilize SSH. This is especially useful if you only want the server itself to be logging in as root to make changes. This can be very powerful if you wrap the root user and SSH into a...
r4p3.net r4p3.net

Only main difference is you are going to make people pass through reCAPTCHA, then add their IP to a whitelist.

This could be done on a remote server, localhost, or perhaps even using an API.

Are you wanting someone to program this for you or what? :p
Click to expand...

Yes, I'm looking for someone to program me that. If you know of someone, send me a private message or by discord.
 
Z

ZapicoGT

Active Member
Jun 8, 2016
15
13
90
And if you do it publicly so that we can all use it? I can give a donation for the inconvenience. 10 $ for example.
 
Asphyxia

Asphyxia

Owner
Administrator
Apr 25, 2015
1,845
2
2,199
327
Sovietgate v1.0 is finished and should work, I just need you to edit human.php below (your SSH servers and credentials where firewall rules will be pushed) and Google reCAPTCHA site and private key. This solution supports both Cloudflare and non-Cloudflare web server environments.

Install a typical web server like Apache and get PHP working. We will be using phpseclib (mirror 1 / mirror 2). This is tested on Ubuntu, let me know if you have issues.

WARNING: If you use a different port than 7777, find and replace 7777 with for example 7780 (your SAMP port).

Keep in mind, this will work for just about all TCP/UDP services, just change the port from 7777 everywhere to 9987 (or 10011) for example.

Bash: 
apt update
apt upgrade -y
apt install iptables-persistent -y
netfilter-persistent save

Time for our chain (this should be run on every server listening port 7777)!
Bash: 
iptables -N SOVIET_GATE
iptables -A SOVIET_GATE -p tcp --destination-port 7777 -j DROP
iptables -A SOVIET_GATE -p udp --destination-port 7777 -j DROP
iptables -A INPUT -d 0.0.0.0/0 -j SOVIET_GATE

Now when someone verifies with Google's reCAPTCHA we are simply calling (via phpseclib):
Bash: 
iptables -I SOVIET_GATE 1 -p tcp -s USER_IP_PULLED_IN_FROM_PHP --destination-port 7777 -j ACCEPT
iptables -I SOVIET_GATE 1 -p udp -s USER_IP_PULLED_IN_FROM_PHP --destination-port 7777 -j ACCEPT
iptables-save | uniq | iptables-restore
netfilter-persistent save

---

Here is information on building the web server portion, similar to the SSH whitelist:
Bash: 
apt install php php-common apache2 unzip -y
cd /var/www/html
wget https://github.com/Sovietgate/R4P3/raw/master/phpseclib1.0.16.zip
unzip phpseclib1.0.16.zip
nano sickle.php

Alright, time to get into the Google reCAPTCHA bit, you have to go here and make sure to generate an API key:
https://www.google.com/recaptcha/intro/v3.html or simply click here and select reCAPTCHA v3? My test domain will be sickle.r4p3.net for the website we will place the website for users to whitelist their IP.

2184

Now we must paste source into the sickle.php file (Soviet Union theme - Hammer and sickle).
sickle.php:
HTML: 
<!DOCTYPE html>
<html>

<head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <title>Sovietgate</title>
    <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/bulma/0.7.2/css/bulma.min.css">
    <script src="https://www.google.com/recaptcha/api.js?render=6LcgR64UAAAAAXXX_YOUR_GOOGLE_SITE_KEY_GOES_HERE"></script>
    <script>
        grecaptcha.ready(function () {
            grecaptcha.execute('6LcgR64UAAAAAXXX_YOUR_GOOGLE_SITE_KEY_GOES_HERE', { action: 'contact' }).then(function (token) {
                var recaptchaResponse = document.getElementById('recaptchaResponse');
                recaptchaResponse.value = token;
            });
        });
    </script>
</head>

<body>

    <section class="section">
        <div class="container">
            <div class="columns">
                <div class="column is-half">

                    <form method="POST" action="human.php">

                        <h1 class="title">
                            Welcome to Sovietgate protection, click below to join our SAMP server.
                        </h1>

                        <div class="field is-grouped">
                            <div class="control">
                                <button type="submit" class="button is-link">I am human</button>
                            </div>
                        </div>

                        <input type="hidden" name="recaptcha_response" id="recaptchaResponse">

                    </form>

                </div>
            </div>
        </div>
    </section>

</body>

</html>

Now we need a back-end script to handle adding the firewall rules to our server(s). Keep in mind you may need to make the SSH connections to multiple servers e.g.
Bash: 
$ssh = new Net_SSH2('10.0.0.1'); //... then .2 and so on in the human.php below!

human.php:
PHP: 
<?php // Check if form was submitted:
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['recaptcha_response'])) {

    // Build POST request:
    $recaptcha_url = 'https://www.google.com/recaptcha/api/siteverify';
    $recaptcha_secret = '6LcgR64UAAAXXX_YOUR_GOOGLE_SECRET_KEY_GOES_HERE';
    $recaptcha_response = $_POST['recaptcha_response'];

    // Make and decode POST request:
    $recaptcha = file_get_contents($recaptcha_url . '?secret=' . $recaptcha_secret . '&response=' . $recaptcha_response);
    $recaptcha = json_decode($recaptcha);

    // Take action based on the score returned:
    if ($recaptcha->score >= 0.5) {
        // Verified - send email

if (isset($_SERVER["HTTP_CF_CONNECTING_IP"])) {
  $_SERVER['REMOTE_ADDR'] = $_SERVER["HTTP_CF_CONNECTING_IP"]; //If you are behind Cloudflare we will take care of you.
//WARNING: If you have a more complex configuration e.g. various reverse proxying web servers, figure this out yourself.
//OR: Visit https://r4p3.net and request support at https://r4p3.net/threads/validation-whitelist-ip.8046/post-72020
}

include('Net/SSH2.php');

$ssh = new Net_SSH2('localhost');
if (!$ssh->login('root', 'rootPassword')) {
    exit('Login Failed');
}

$ssh->exec('iptables -I SOVIET_GATE 1 -p tcp -s '.$_SERVER['REMOTE_ADDR'].' --destination-port 7777 -j ACCEPT');
$ssh->exec('iptables -I SOVIET_GATE 1 -p udp -s '.$_SERVER['REMOTE_ADDR'].' --destination-port 7777 -j ACCEPT');
$ssh->exec('iptables-save | uniq | iptables-restore');
$ssh->exec('netfilter-persistent save');

?>
<!DOCTYPE html>
<html>
<head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <title>Sovietgate</title>
    <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/bulma/0.7.2/css/bulma.min.css">
</head>
<body>
    <section class="section">
        <div class="container">
            <div class="columns">
                <div class="column is-half">
                        <h1 class="title">
                            Thank you, join our server now!
                        </h1>
                </div>
            </div>
        </div>
    </section>
</body>
</html>
<?php
    } else {
        // Not verified - show form error
    }

} ?>

I have a feeling someone is going to have questions on setting this up, so please go ahead and ask. There are no stupid questions. Lastly, I am not responsible for your server getting hacked if your web server is insecure, gets hacked, and someone steals your root password. It is your responsibility to keep your passwords safe and if you wanted you could configure a separate user that only has access to the iptables commands used.
 
Last edited:
Asphyxia

Asphyxia

Owner
Administrator
Apr 25, 2015
1,845
2
2,199
327
@ZapicoGT

Rather than make a database to clear the IP list every 24 hours per user (as requested), just setup a cron to do something like:
Code: 
/sbin/iptables -F SOVIET_GATE
/sbin/iptables -A SOVIET_GATE -p tcp --destination-port 7777 -j DROP
/sbin/iptables -A SOVIET_GATE -p udp --destination-port 7777 -j DROP

If you need help setting up a cron, read here:
Why we call /sbin/iptables
Setting up the cron script

This shows you midnight for the time.


Untested example:
Code: 
00 00 * * * ruby path/to/your/clearWhitelist.sh
 
You must log in or register to reply here.
Top