Status Hider

A network security mod for Minecraft servers, meant to keep server crawlers out of your face and preventing them access
to your online players data, MotD, and such, all the while adding some neat features for you to use.

Why

As a server administrator myself, I was often seeing logs of connection attempts, or uncaught network errors
(e.g. the recurrent connection reset by peer message), that even mass IP-banning simply couldn't help with.

But I finally ticked and decided to act when I saw a log of a supposed connection attempt from a 'ServerSeekerV2' user,
which obviously linked to the ServerSeekerV2 software, proving to me
once and for all that there were people out there that had nothing better to do that have software scanning the net for
Minecraft servers, to know which ones are online and when, and who is playing on them at set times, storing and
cross-comparing the generated data to possibly dress up players profiles that could then be used for ill intents.

So I took upon myself to dive into the whole server ping and login network protocol, and made this mod to allow more
privacy to server owners and their players.

Let me get data in peace

No. Respect people's privacy.

How it works

Files

The mod stores some information about connection attempts and known players. As such, three additional files are created
in the server's main directory:

• player_ip_cache: this file stores some information about players that have properly joined the server at least once.
  Each entry (one line being one entry) holds the player name, UUID, and a list of the player's known IPs' hashes.
  It allows the mod to know if an incoming connection is from a known player, and thus determines most of the mod's
  overall behaviour. You may at will remove or modify an entry, but the mod will yell in the server's console if a line
  cannot be properly parsed in a valid entry.

• request_metrics: this file stores the mod's memory of connection attempts, ping requests, and alike, from various
  IP addresses. Each line (entry) is composed of the IP hash, the number of ping attempts from the IP, the number of
  login attempts from the IP, and the number of overall requests (login or ping alike) all the while the IP address has
  been banned - if it has been banned. This file is particularly useful for the auto-IP-ban feature.

• ip_whitelist: this file stores a list of RegEx expressions of any whitelisted IP that are allowed to ping the server
  regardless of registering a player or not. This is only truly relevant for server panels, most often provided by
  third-party hosting services, that regularly run server pings in order to provide some analytics to the server owners.
  Note that this does not impact players' ability to join the server, they do not need to be whitelisted!

• ip_limit_list: this file follows the same format as the ip_whitelist.
  It is only relevant if the appropriate gamerule is enabled.
  It determines a collection of patterns that any non-local source must match in order to establish a connection to the server.

Why IP hashes

The mod deal with IP hashes as much as it can, not only in order to reduce the processed data, but also what it may
expose to any potential third party that could get access to the server files. Obviously, considering servers can by
themselves store any and all IP in the logs, it may not be the most relevant, but in the event of a server getting
compromised, exposing the least player information directly remains a better standing point. Since hashing allows to
produce consistent results that will never change from a same initial value, but not easily allow for figuring out the
initial value from the result, it is a mean to somewhat obscure data from potentially malicious factors to some extent.

Gamerules

The mod additionally adds a set of custom gamerules, each allowing to control its various features:

• status_hider:reduced_ping_data: sets from whom to reduce ping data details, such as hiding the connected players
  list, providing fake max online/max player counts, and hiding the MotD. Set to unknown or banned IPs by default.
• status_hider:restrict_ping: toggles whether to cut short to any ping request coming from an
  unknown IP address (not linked to any player that has already joined the server). Enabled by default.
• status_hider:log_restricted_requests: toggles whether to log when the mod blocks out a ping request.
• status_hider:enable_fancy_motd: toggles the fancy motd feature. Enabled by default.
• status_hider:enforce_ip_ban: toggles the real IP-ban feature. Enabled by default.
• status_hider:auto_ban_unknown_ip_after_requests: sets how many requests can an unknown IP address can make before
  automatically getting IP-banned ; set it to 0 in order to disable the feature. Accepts values between 0 and 100, set
  to 10 by default.
• status_hider:log_banned_ip_requests: sets how often should requests from banned IPs be logged in the server's
  console. More specifically, indicates out of how many requests should it be logged (uses modulo) ;
  1 would mean every time, 20 would mean every one request out of 20 ; set it to 0 to disable the feature. Accepts
  values between 0 and 100, set to 10 by default.
• status_hider:limit_allowed_ip: toggles whether to restrict connections to sources matching the IP allow list
  patterns (defaults to false)

Real IP Ban

In the vanilla code, IP bans are only checked very late in the player login sequence, and completely ignored when it
comes to ping requests. All in all, it is a rather weak feature.

As such, this mod takes it to a whole other level, and makes it so that any request whatsoever, from a banned,
non-whitelisted (not matching any ip-whitelist entry) IP address, will purely and simply never be answered to.

Thus, any banned IP will be left hanging when making a request, as if the server was not running.
Additionally, every 10 request from a banned-ip, the server will mention it in the console, so as to let server
administrators know of the relevance of an IP ban.

Fancy MOTD

Since the mod already links up players and their IP adresses, I figured it also was an occasion to create a fancy way to
welcome players, using the MotD.

As such, any {username} in the server's MotD will be automatically replaced with a matching known player name, if any.

Additionally, knowing some basics of how IP addresses are used across the globe, I decided to include inside the mod a
file of per-country allocated IP ranges*, which enables the mod to guess and replace any {country}
in the MotD with a possibly matching country name, or unknown if none was found.

ip ranges file

This file is a rather minimalistic file, albeit still pretty big, which makes up for most of the mod jar's file size.

It is a bundled file in order to avoid using a third party API, which would go against two of this mod's goals:

• Not giving more data than required to third parties. Using a third party API would mean allowing them to know what IPs
  are joining the server, and thus, what are the players' IPs.
• Not manipulating or exposing more data than needed. Most third party APIs for IP address geolocation go far and beyond
  the needs of this mod, and would imply fetching data that other, potentially malicious, mods, could intercept.
  And while it is true that other mods could already get all these information by themselves, not exposing it even more
  is but only a good practice.

This file was produced from data provided free of use by ayra.ch, after simplification, for
both removing unusable values as well as for country name readability.

Command

This mod adds a custom command, that allows for some useful alternatives to manually editing files, besides also a way
to reload the cache or metrics file at runtime. (the ip whitelist file is only loaded at server startup, due to its
nature of not needing to be edited often). It has a permission level requirement of 4 (default vanilla OP level,
can be changed in the server.properties file, per-player values can be modified in the vanilla ops.json file)

/status_hider forget <profileOrIP allows server admins to remove an entry from the player IP cache at runtime.
The profile or IP can either be an IP address or a player's name. Any entry matching with either will be completely
removed from the IP cache.

/status_hider registerIP <ip> [<name>] allows server admins to register a specific IP under a specific or
auto-generated name. If the IP is already registered in an existing entry, the command will not do anything.
If an entry already exists for that name, then the provided IP will be added to it. Otherwise, a new entry with a
random UUID will be created with that IP listed for it.

/status_hider reload [cache|metrics|whitelist|limit_list] allows server admins to either reload the IP cache file,
the request metrics file, the whitelist file, the limit list file, or all if not specified.
(beware that depending on your server's activity, you may want to run the command quickly after modifying the file,
as any changes in the runtime cache or metrics will overwrite the file completely)

/status_hider whitelist <pattern> allows server admins to add a new RegEx entry to the IP whitelist without having
to restart the server.

/status_hider unwhitelist <pattern> allows server admins to remove a RegEx entry from the IP whitelist without
having to restart the server. (existing entries will be suggested for patter auto-completion)

/status_hider test <ip> allow server owners to know an IP's hash, as it is to be stored in the cache or metrics files.
This is especially relevant for minute modifications such as manually removing a specific IP from a player's entry.