Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Question] Rate limit password entry for multiplayer #8339

Open
TinCanTech opened this issue Nov 10, 2020 · 9 comments
Open

[Question] Rate limit password entry for multiplayer #8339

TinCanTech opened this issue Nov 10, 2020 · 9 comments

Comments

@TinCanTech
Copy link

@TinCanTech TinCanTech commented Nov 10, 2020

Version of OpenTTD

1.9.3

Expected result

Actual result

Steps to reproduce

I have four 520 year old trains which i keep for posterity. Upon restarting from a full system reboot these four trains had been restarted on their original orders. One was subsequently auto-upgraded. Some kind of initial variable maybe.

@Eddi-z
Copy link
Contributor

@Eddi-z Eddi-z commented Nov 10, 2020

If you restart a network server, the company passwords are reset. make sure to give new ones, or someone else may log in and mess with your company.

@TinCanTech
Copy link
Author

@TinCanTech TinCanTech commented Nov 10, 2020

Thanks. I did issue a new password.

@TinCanTech
Copy link
Author

@TinCanTech TinCanTech commented Nov 10, 2020

Does OpenTTd rate limit password attacks ?

@James103
Copy link
Contributor

@James103 James103 commented Nov 12, 2020

I don't think OpenTTD rate limits password entry, but I think it would be a good idea to start rate-limiting password entry. The rate limit should be able to be configured at least in openttd.cfg.

@TinCanTech
Copy link
Author

@TinCanTech TinCanTech commented Nov 13, 2020

I tested further but now cannot figure out how my old trains get restarted, it does not seem to be from loading a save game into multiplayer mode.

@TinCanTech TinCanTech changed the title [Game-play] Stopped vehicles started after reloading network game [Question] Rate limit password entry for multiplayer Nov 18, 2020
@TinCanTech
Copy link
Author

@TinCanTech TinCanTech commented Nov 18, 2020

Changed topic.

@James103
Copy link
Contributor

@James103 James103 commented Nov 23, 2020

Should there be a new message when a client tries to join, but has exceeded the rate limit in doing so? For example, "You have attempted to join [the game] too many times. Please wait …"

@btzy
Copy link
Contributor

@btzy btzy commented Jan 3, 2021

Is there a point in doing so though? If they are typing passwords by hand, then they will never be fast enough to be a threat to anything. If they are using some automated script, they would be able to circumvent this by starting a new client (or writing the packets so that it looks like it's from a new client), and you'd have to resort to rate limits based on the client IP address.

@TrueBrain
Copy link
Member

@TrueBrain TrueBrain commented Jan 3, 2021

We are in the process of replacing passwords with something more secure: #8420

This would resolve this ticket, I think.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
5 participants