Skip to content
This repository has been archived by the owner on Jul 25, 2024. It is now read-only.
SlimeDog edited this page Jul 25, 2024 · 60 revisions

NetworkInterceptor ▪ Monitor and block outgoing network connections

🛑 End Of Life for SlimeDog/NetworkInterceptor

⭐ Available for Spigot, Paper, BungeeCord, and Velocity

Version Support

See Version Support for a list of certified versions and platforms.


Take control of your network traffic

NetworkInterceptor detects and (optionally) blocks outgoing network connections that you might choose not to allow. Examples of the network connections it can detect:​

  • Generally required:
    • player authentication (Mojang)
  • Generally good:
    • server version check (Minecraft variants: Paper, Spigot, etc.)
    • plugin version check
    • bStats
    • PlaceholderAPI
  • Generally not so good:
    • plugin auto-download and install
    • plugin arbitrary code download and execute
    • plugin private data reporting

NetworkInterceptor installs a custom security manager and a custom proxy selector into the Java runtime environment which logs and (optionally) blocks outgoing network connections. This allows server administrators easily to monitor the nature of connections made by plugins, and if they desire, prevent them.

⚠️ The proxy-selector method does not detect as many connection attempts as the security-manager method. For best results, the security-manager method should be enabled.

Compatibility issues

⚠️ SecurityManager was terminally deprecated in Java 17. This affects NetworkInterceptor on all platforms. Fortunately, the issue is easily resolved, without change to NetworkInterceptor. Add the following specification to server/proxy start-up java -Djava.security.manager=allow. This specification was verified to be compatible with Java 17.0.1 (and later), Java 18, and Java 19, and Java 20.

⚠️ LagMonitor installs its own custom security manager, by default. Only one custom security manager may be enabled. The LagMonitor security manager can be disabled in plugins/LagMonitor/config.yml. NetworkInterceptor can run without the custom security manager enabled, but connection detection is greatly reduced.


Bonus script

This script summarizes log entries. As written, it must be run in the main server directory. Feel free to modify it to suit your needs.

Linux

INTERCEPT_LOG_FILE="plugins/NetworkInterceptor/intercept.log"
grep --text -e 'Current .* version:' ${INTERCEPT_LOG_FILE}
grep --text -e Intercepted -e Blocked ${INTERCEPT_LOG_FILE} | sed -e 's/.*Intercepted/Intercepted/' -e 's/.*Blocked/Blocked/' | sort -u

Windows

Please provide an equivalent script for Windows. We will publish it here, with thanks and credit.


And we'll never forget: NetworkInterceptor 1.0 was made with ❤️ by Luck. All credit for the original design and implementation belongs to him.