User somehow set rank
Closed this issue · 3 comments
Hello. I run a tiny network, have ip_forward set to true in the config.yml file, as well as bungeecord set to true in the spigot.yml file. If it makes any difference, I'm using Waterfall as the proxy. LP is not on Waterfall and is only on one other server. I'm using JSON storage as well.
So, here's what happened. 2 days ago, there was a vote from some IP. That's odd because I don't have anything set up on votifier, no site knows that voting is enabled on this IP. After that, a user called Revch logged in and disconnected a few times. After that, they logged in with an account with the same user as my main account's nickname which is Zack. That threw this error:
[12:58:44] [User Authenticator #3/WARN]: [LuckPerms] 'Revch' has previously used the unique ids [3f5b1be0-220d-4c8e-8dff-6cf3d28dea57] but is now connecting with '19c5fb3b-a411-4e76-bb1f-24d0d880fc90'
[12:58:44] [User Authenticator #3/WARN]: [LuckPerms] The UUID the player is connecting with now is Mojang-assigned (type 4). This implies that one of the other servers in your network is not authenticating correctly.
[12:58:44] [User Authenticator #3/WARN]: [LuckPerms] If you're using BungeeCord/Velocity, please ensure that IP-Forwarding is setup correctly on all of your backend servers!
[12:58:44] [User Authenticator #3/WARN]: [LuckPerms] See here for more info: https://github.com/lucko/LuckPerms/wiki/Network-Installation#pre-setup
All of the servers on the network are using offline mode with bungeecord set to true. After they logged in as "Zack", they ran one command /lp and left. They then logged back in with their Revch account (throwing the same error as above) and left and joined once, on rejoin it threw this error (which I know isn't a LP thing):
com.mojang.authlib.exceptions.AuthenticationException: The client has sent too many requests within a certain amount of time
at com.mojang.authlib.yggdrasil.YggdrasilAuthenticationService.makeRequest(YggdrasilAuthenticationService.java:79) ~[patched_1.14.4.jar:git-Paper-177]
at com.mojang.authlib.yggdrasil.YggdrasilMinecraftSessionService.fillGameProfile(YggdrasilMinecraftSessionService.java:180) ~[patched_1.14.4.jar:git-Paper-177]
at com.destroystokyo.paper.profile.PaperMinecraftSessionService.fillGameProfile(PaperMinecraftSessionService.java:37) ~[patched_1.14.4.jar:git-Paper-177]
at com.mojang.authlib.yggdrasil.YggdrasilMinecraftSessionService.fillProfileProperties(YggdrasilMinecraftSessionService.java:173) ~[patched_1.14.4.jar:git-Paper-177]
at com.destroystokyo.paper.profile.PaperMinecraftSessionService.fillProfileProperties(PaperMinecraftSessionService.java:30) ~[patched_1.14.4.jar:git-Paper-177]
at com.destroystokyo.paper.profile.CraftPlayerProfile.complete(CraftPlayerProfile.java:177) ~[patched_1.14.4.jar:git-Paper-177]
at net.minecraft.server.v1_14_R1.LoginListener$LoginHandler.fireEvents(LoginListener.java:313) ~[patched_1.14.4.jar:git-Paper-177]
at net.minecraft.server.v1_14_R1.LoginListener$1.run(LoginListener.java:212) ~[patched_1.14.4.jar:git-Paper-177]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_222]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_222]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_222]
They then ran a few commands and started to world edit away my spawn.
My question is, how did they do this? I seem to have everything configured correctly, but I'm at a complete loss here. The full log is linked below of their time on the server (sorry for the insane amount of AWE errors).
Any help would be appreciated.
You most likely didn't configure Spigot to only accept connections from a specific IP.
This allows people to bypass the bungee and directly join your server (spigot warns about this when running the server in offline mode).
The solution would be to add the IP to the server.properties. When the server is on the same VPS as the bungee, set it to 127.0.0.1
Spigot has a guide on how to properly protect your server:
http://www.spigotmc.org/wiki/firewall-guide/
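The check described in the answer above, as an added example that is not part of the original thread and not code from LuckPerms or Spigot: it reads a backend's `server.properties` and `spigot.yml` and reports when a server that trusts the proxy for player identity is reachable without going through it. The function names and sample configs are constructed for illustration, and the `bungeecord` flag is matched with a regular expression rather than a full YAML parse.

```python
import ipaddress
import re

def parse_properties(text):
    """Parse key=value lines of a server.properties file, skipping comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def audit_backend(server_properties, spigot_yml):
    """Return findings for a backend that trusts the proxy for player identity."""
    props = parse_properties(server_properties)
    offline = props.get("online-mode", "true").lower() == "false"
    # Simplification: match the line instead of doing a full YAML parse.
    bungee = re.search(r"^\s*bungeecord:\s*true\s*$", spigot_yml, re.M) is not None
    if not (offline or bungee):
        return []  # the backend authenticates players itself
    bind = props.get("server-ip", "")
    port = props.get("server-port", "25565")
    try:
        addr = ipaddress.ip_address(bind) if bind else None
    except ValueError:
        return [f"server-ip '{bind}' is not an IP address; review it by hand"]
    if addr is None or addr.is_unspecified:
        return [f"port {port} listens on all interfaces: clients can skip the "
                "proxy and connect under any name; set server-ip"]
    if not addr.is_loopback:
        return [f"server-ip {bind} is reachable off-host: firewall port {port} "
                "so only the proxy address can connect"]
    return []

# Constructed sample configs (not taken from the issue).
SPIGOT_YML = "settings:\n  bungeecord: true\n"
EXPOSED = "online-mode=false\nserver-ip=\nserver-port=25565\n"
SAME_HOST = "online-mode=false\nserver-ip=127.0.0.1\nserver-port=25565\n"
OTHER_HOST = "online-mode=false\nserver-ip=10.0.0.5\nserver-port=25565\n"

if __name__ == "__main__":
    for name, cfg in [("exposed", EXPOSED), ("same host", SAME_HOST),
                      ("other host", OTHER_HOST)]:
        print(name, audit_backend(cfg, SPIGOT_YML) or "ok")
```

An empty result only means the bind address is loopback; a backend on a different machine from the proxy still needs the firewall rule the linked guide describes.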
Ok, yeah I think I've got this figured out now. I've always run single servers all in online mode, first time in about 3 years running any form of network and when I did it wasn't really public. Never crossed my mind that I'd need to set up firewall rules for this since I thought that was the goal of the ipforward option within bungee. Thanks for the help!