PermGuard 🔒

PermGuard is a Minecraft plugin designed to enhance server security by temporarily revoking admin permissions upon joining the server and sending security alerts to Telegram. Unlike traditional admin password plugins, which can often be bypassed through various exploits, PermGuard implements a fundamentally more secure approach by completely removing elevated permissions on join. This helps to prevent unauthorized access and potential security breaches, even if other security measures are compromised. When an admin with elevated permissions joins the server, their permissions are removed, and they are kicked from the server. The permissions can only be restored after the admin rejoins without the elevated permissions and manually re-grants them via the console using commands like lp user playernick permission set *.

✨ Features

• Automatic Permission Revoke: Revokes specified permissions when an admin joins.
• Kick on Elevated Permissions: Kicks the admin and logs the event if elevated permissions are detected.
• Telegram Alerts: Sends detailed security notifications to Telegram, including information about the player, their IP address, and country.
• Manual Permission Restoration: Admins must rejoin without elevated permissions and restore them manually via console commands.
• Customizable Kick Messages: You can personalize the message shown to admins when they are kicked.
• Logging: Logs all permission revocation events to both the console and a file for auditing.
• Reload Command: Allows reloading the configuration without restarting the server.
• Lightweight and Efficient: Designed to have minimal impact on server performance.
• Shutdown Protection: If the plugin is disabled (e.g., through Plugman), the server will automatically shut down to ensure no security gaps are left open.
• Auto-Update Check: On server start, the plugin checks for updates. If a new version is available, a notification is displayed in the console.

🛡️ Security Benefits

How PermGuard Protects Against Advanced Attacks:

1. Brute Force Attacks: By removing permissions upon login, it prevents unauthorized access even if someone gains temporary access to an admin account.
2. Account Compromise: If an admin's account is compromised, the attacker won't be able to abuse their permissions as they will be revoked upon joining.
3. Session Hijacking: Mitigates the risk of session hijacking by ensuring that permissions are not persistently available during a hijacked session.
4. Social Engineering: Reduces the risk of admins being tricked into giving away their permissions.
5. Unknown Vulnerabilities: Helps mitigate the risks associated with unknown vulnerabilities by limiting the potential damage an attacker can do, even if they find a way to bypass other security measures.
6. Port Exploitation / BungeeCord Hacks: By revoking admin permissions on entry, PermGuard minimizes the potential for attackers to exploit server ports or use BungeeCord-related hacks to gain elevated privileges.
7. AuthMe Bypass: Even if an attacker finds a way to bypass AuthMe authentication, they won't gain immediate access to admin permissions as PermGuard will revoke them upon entry.
8. Zero-Day Exploits: Provides a safety net against zero-day exploits by ensuring that even if a vulnerability is exploited, the attacker will not have sustained access to admin permissions.
9. Telegram Alerts: If a suspicious activity is detected, detailed notifications are sent to Telegram, including the player's IP and country, so you can take immediate action.
10. Shutdown Protection: Ensures that if the plugin is disabled , the server shuts down to prevent any security gaps from being exploited.

Compliance with Security Standards:

• Least Privilege Principle (ISO/IEC 15408): Ensures that users have only the minimum permissions necessary to perform their tasks, reducing the risk of privilege abuse.
• Audit Logging (ISO/IEC 27001): Provides detailed logs of all permission-related activities, facilitating compliance audits and forensic analysis.
• ISO/IEC 27001 Compliance: PermGuard helps servers adhere to information security management best practices by enforcing strict permission controls and audit logging.
• CIS Controls: Aligns with the Center for Internet Security (CIS) Controls for effective cyber defense by implementing strong access control measures.
• Secure Access Control: By requiring manual permission restoration via the console, PermGuard ensures that only authorized personnel can grant elevated privileges.

📥 Installation

1. Download: Download the latest version of PermGuard from the Releases page.
2. Install: Place the .jar file into your server's plugins folder.
3. Restart: Restart your server to load the plugin.

🛠️ Configuration

Edit the config.yml file in the plugin's folder to customize settings:

# PermGuard Configuration

# List of restricted permissions
restrictedPermissions:
  # Wildcard permission (Should always be first in the list if used)
  - permission: "*"
    # Command to execute when detected (use %player% and %permission% as placeholders)
    cmd: "lp user %player% permission unset %permission%"
    # Whether to log this violation
    log: true
    # Message to show player when kicked (use %permission% as placeholder)
    kickMessage: "Your %permission% permissions have been revoked. Please rejoin and restore them via console."

  # Admin group permission
  - permission: "group.admin"
    cmd: "lp user %player% permission unset %permission%"
    log: true
    kickMessage: "Your admin permissions have been revoked. Please rejoin and restore them via console."

  # Example if you use op instead of * in LuckPerms
  #- permission: "*"
  #  cmd: "deop %player%"
  #  log: true
  #  kickMessage: "Your op permissions have been revoked. Please rejoin and restore them via console."

# Telegram notification settings
telegram:
  # Enable or disable Telegram notifications
  enabled: false

  # Your Telegram bot token (get it from @BotFather)
  bot-token: "your_bot_token_here"

  # Chat IDs where notifications will be sent (separate multiple IDs with commas)
  # How to get chat ID:
  # 1. Send a message to your bot
  # 2. Visit https://api.telegram.org/bot<YourBOTToken>/getUpdates
  # 3. Find your chat ID in the response
  chat-ids: "123456789,987654321"

  # Number of retry attempts if sending fails
  # Set to 0 for dedicated hosting with stable network (recommended)
  # Increase this value (1-3) for shared hosting or unstable network
  # Note: Telegram API can sometimes return incorrect responses,
  # so it's better to keep this at 0 on stable connections
  max-retries: 0

  # Delay between retry attempts in milliseconds
  # Only used if max-retries > 0
  retry-delay: 1100

  # Notification message template
  # Available placeholders:
  # %player% - player name
  # %permission% - restricted permission
  # %ip% - player's IP address
  # %country% - player's country (based on IP)
  # %date% - date and time of the incident (Server time)
  message: "⚠️ Security Alert!\n\nPlayer %player% tried to join with restricted permission %permission% and was kicked\n\n📍 Details:\n👤 Player: %player%\n🔒 Permission: %permission%\n🌐 IP: %ip%\n🗺️ Country: %country%\n⏰ Time: %date% (Server time)\n\n❗If this wasn't authorized by you, please take immediate action to secure your server."

📜 Commands

• /permguard reload - Reloads the plugin configuration (requires permguard.reload permission)

🛠️ Compatibility

• Minecraft Versions: 1.16.5 to the latest release
• Server Software: Paper (1.16.5 and newer)

📦 Other Plugins

Also check out my other plugins for protecting your Minecraft server:

• LeverLock
  LeverLock - a plugin to prevent rapid lever interactions, which can cause lag or be exploited for unintended game mechanics. Works in conjunction with AntiRedstoneClock-Remastered, providing comprehensive protection from redstone-based lag and exploits.

• NoMoreTNTChainCrash
  NoMoreTNTChainCrash is a Minecraft plugin designed to prevent server crashes and lag caused by excessive TNT explosions. It achieves this by removing TNT before automated chain explosions can occur, while still allowing players to manually detonate TNT as desired.

🆘 Support

If you encounter any issues or have suggestions for improving the plugin, please create an issue in this repository.

📄 License

This project is licensed under the MIT License - see the LICENSE file for details.

👨‍💻 Author

[Alex] - [https://github.com/alex2276564]

We appreciate your contribution to the project! If you like this plugin, please give it a star on GitHub.

🤝 Contributing

Contributions, issues, and feature requests are welcome! Feel free to check the issues page.

How to Contribute

1. Fork the repository.
2. Create a new branch (git checkout -b feature/YourFeature).
3. Commit your changes (git commit -m 'Add some feature').
4. Push to the branch (git push origin feature/YourFeature).
5. Open a Pull Request.

---

Thank you for using PermGuard! We hope it enhances the security of your Minecraft server significantly, making unauthorized access and privilege abuse a thing of the past. 🎮🔒