Releases: MeGysssTaa/keiko-plugin-inspector

v4.0.0-pre | Huge update!

18 Jul 15:00
c5a3b28

The download button is below the changelog.

This update brings many changes to Keiko's concept and capabilities. Please see the updated Wiki and the updated overview page on SpigotMC to get started with the new Keiko. Below is a quick summary of what's changed in 4.0.0.

Keiko is no longer a plugin

Keiko is now a launcher, or a proxy for your server JAR. This ensures Keiko will load before any plugins or modules, and significantly increases the number of possibilities by removing the limits Keiko previously had as a plugin. For example, Keiko can now inject/modify particular code in your server JAR and/or in your plugins and modules, thus enabling the development of more advanced and deep protection techniques. For details, see these Wiki pages:

Keiko is now interactive

Keiko will now ask you about certain stuff right at run-time (before starting your server), making it much easier to use and understand. For example, if you're running a non-release (experimental) version of Keiko, you will be explicitly asked something like "Do you want to continue anyway? [y/n]". And, of course, you can still make the process of responding to Keiko's "questions" automatic using startup properties (use with caution, though).

Plugins integrity check

The idea of ensuring the integrity of plugins before letting them load seems nice, but the old implementation was terrible. This update brings a completely different way of checking plugins for integrity violation: instead of manually specifying all hashes in a configuration file, Keiko will now be doing everything automatically, and will be asking you explicitly about any changes it detects (like "Did you update plugin X? If you answer 'no' I'm gonna panic!"). See Wiki for details.

Static inspections

Several new static inspections have been added, and some of the old ones have been renovated. The exclusions system now allows excluding plugins by file name, plugin name, class name, and class name + method name. See Wiki for details.

Domain Access Control

Several new checks have been added to Keiko's DAC, including some Minecraft-specific operations (such as "set op" and "execute Minecraft server command"). The rules system has been improved: there are no more default rules, but rules are now prioritized by order, making the system much more flexible than before. You can now also configure the exact log level for each particular operation. See Wiki for details.

Keiko Megane: run-time heuristics

This update introduces Keiko Megane, a run-time background plugin behavior analysis system. It can detect suspicious activity of certain plugins while your server is running, and sometimes even remediate the damage malicious plugins have done (for example, it can de-op players that have been Force-OP'ped). See Wiki for details.

Localizations

Keiko now supports localization! Almost everything that Keiko prints is now read from file instead of being hardcoded. This makes it possible to translate Keiko in many languages so that it's easier to use and understand. Currently, there are three built-in languages — English, Russian, and Simplified Chinese. By default, Keiko uses your system (machine) language, but this behavior is configurable. See Wiki for details.

Improved logging

My view of logging has changed dramatically. Keiko will no longer flood your console with unnecessary (for most users) debug information. Instead, Keiko will attempt to keep all its messages as clean and concise as possible, and will generally emit much less information in the console than before. Log levels are now configurable separately for files and for console/display. Finally, console logging is now colorized, so that it's easier to understand the priority ("importance") of the messages Keiko shows you. Logged messages are now much easier to understand and are much more comfortable to read.

Optimized disk usage

Keiko now stores most of its files in compressed form, resulting in much smaller disk usage. See Wiki for details.

Keiko Tools

Keiko Tools no longer run in interactive mode. It's now even simpler: just provide the necessary arguments to Keiko when executing its JAR! Some old tools have been removed, and some new ones have been added (such as a built-in JAR-file disassembler). See Wiki for details.

Maintainability

(Did I spell this right?)

Keiko's code has been almost entirely renovated. Most things are now implemented better: more stable, reliable, and easier to maintain (fix and expand). Although there are still some parts that need to be done better, I'd say the new Keiko's code is better than that of the old versions. This is going to be one of the reasons Keiko will be updated more regularly from now on.

New license

Keiko changed its license from Apache License 2.0 to GNU GPLv3.

Final words

I enjoyed working on Keiko 4.0.0, and really hope you'll enjoy using it! But please note that this build is still pre-release, and may not be 100% ready for use in production, although I did a lot of testing myself. If there's anything you'd like to be fixed or improved, please join Keiko's Discord server or open an issue on GitHub. Any feedback is welcome!

So this wraps up the short summary of the update :)

If you'd like to learn more, make sure to visit the Wiki!

v3.2.0

20 Jun 17:07
  • Improved Windows compatibility by automatically handling backslashes \ in static inspections' exclusions.
  • Added placeholder {java_folder} in DAC rules.
  • JVM actions "shutdownHooks" and "setIO" are now blocked for all plugins by default (DAC/miscellaneous).
  • Slightly optimized keiko-tools.

Thanks for using Keiko! If you enjoy your experience please help to share Keiko with others and leave a positive review <3

v3.1.0

19 Jun 19:01

Please update your configuration: 6c4f94c#diff-b39ca91734c04e2e8e8d6d9496287306

Thanks for using Keiko! If you enjoy your experience please help to share Keiko with others and leave a positive review <3

v3.0.0

18 Jun 11:14
  • New static inspection. Keiko will now detect some types of pirated ("leaked") plugins and report them, because "cracked" software copies are often infected.
  • Standalone mode.
    • You can now run static inspections without starting your server using the new inspect [jar] command of keiko-tools. This also allows you to scan just one specific file and not the whole plugins folder.
    • Starting keiko-tools will now be treated almost like an ordinary Keiko startup. One of the consequences of this is that starting keiko-tools will now automatically delete old Keiko logs (configurable). Another one, also related to logging, is that the output of keiko-tools will now be saved in log files as well.
    • The output format of commands in keiko-tools now matches that of Keiko itself. In other words, it's now more readable and informative.
  • Minor code optimizations.

Thanks for using Keiko! If you enjoy your experience please help to share Keiko with others and leave a positive review <3

v2.1.0

10 Jun 16:13
  • [CRITICAL] The process of JAR file decompilation was made a lot safer. Previously, Keiko skipped the whole JAR file from analysis if it failed to decompile at least one of its classes. This allowed hackers to hide their malware from Keiko simply by creating an invalid class that is never used. This update patches this by skipping only the particular "broken" classes and still analyzing the "correct" ones.
  • Updated ASM to 8.0.1.
  • Added port placeholders tips in the default RuntimeProtect config (like "you can use HTTP instead of 80").
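
The fail-open behaviour fixed in v2.1.0, shown as an added example (not Keiko's code): a scanner that abandons a JAR on the first unparseable class, next to one that skips only that class. The constant-pool parser, the `setOp` string check and the sample JAR are simplified, constructed stand-ins for Keiko's ASM-based decompilation and inspections.

```python
import io
import struct
import zipfile

# Byte sizes of fixed-length constant-pool entries, keyed by tag (JVM class file format).
FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
         12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def utf8_constants(data):
    """Return the Utf8 constant-pool strings of a class file; ValueError if malformed."""
    if len(data) < 10 or data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    count = struct.unpack(">H", data[8:10])[0]
    pos, idx, found = 10, 1, set()
    while idx < count:
        tag = data[pos] if pos + 3 <= len(data) else None  # None: ran off the end
        if tag == 1:  # Utf8: u2 length, then that many bytes
            size = 2 + struct.unpack(">H", data[pos + 1:pos + 3])[0]
            found.add(data[pos + 3:pos + 1 + size].decode("utf-8", "replace"))
        elif tag in FIXED:
            size = FIXED[tag]
        else:
            raise ValueError("truncated or malformed constant pool")
        pos += 1 + size
        idx += 2 if tag in (5, 6) else 1  # long/double occupy two slots
    return found

def scan_jar(jar_bytes, skip_whole_jar_on_error):
    """Return (classes referencing setOp, classes that could not be parsed)."""
    flagged, broken = [], []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in (n for n in jar.namelist() if n.endswith(".class")):
            try:
                if "setOp" in utf8_constants(jar.read(name)):
                    flagged.append(name)
            except ValueError:
                if skip_whole_jar_on_error:
                    return [], [name]  # old behaviour: the rest of the JAR is never analysed
                broken.append(name)    # fixed behaviour: record it and keep scanning
    return flagged, broken

def make_sample_jar():
    """Constructed input: one malformed class, then a parseable class that names setOp."""
    pool = b"".join(b"\x01" + struct.pack(">H", len(s)) + s for s in (b"a/Main", b"setOp"))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("a/Decoy.class", b"\xca\xfe\xba\xbe\x00\x00\x00\x34\x00\x02\xff")
        jar.writestr("a/Main.class", b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, 3) + pool)
    return buf.getvalue()
```

Returning the list of unparseable classes alongside the findings lets an operator treat a malformed class as a signal in its own right instead of a silent skip.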

Thanks for using Keiko! If you enjoy your experience please help to share Keiko with others and leave a positive review <3

v2.0.1

24 May 18:42
  • Fixed StackOverflowError on startup on some JVMs.

  • Improved compatibility of Keiko with other plugins by relocating its internal libraries upon build (use shadeJar now).

Thanks for using Keiko! If you enjoy your experience please help to share Keiko with others and leave a positive review <3

v2.0.0

23 Mar 14:02
Pre-release

THIS BUILD IS EXPERIMENTAL

  • Featuring barely tested BungeeCord support. You can now install Keiko on your Bungee as well, thus letting it monitor and control your Bungee plugins. Please note that installing Keiko just on your Bungee will not allow it to inspect plugins on its "child" (Bukkit/Spigot) servers. In order to protect your network fully make sure to install Keiko both on your Bungee and on all the endpoints.

  • Reworked the ABORT_SERVER_STARTUP mechanism. In older versions, Keiko was instantly shutting the server down when it was finding a malicious plugin. Now, it inspects all the plugins first, prints information and warnings about all of them, and only after that shuts the server down (if needed).

  • Added a new runtime check — RestrictedActions. It extends Keiko's Domain Access Control with more JVM-related actions, and protects your server more aggressively. This check, for example, forbids other plugins to overwrite Keiko's security manager.

  • Corrected several minor configuration typos.

  • The output of Static.SystemProcess is now more transparent.

Thanks for using Keiko! If you enjoy your experience please help to share Keiko with others and leave a positive review <3

v1.4.0

08 Feb 16:16
  • Keiko will now automatically check for its own updates so that you're always aware of new releases as soon as possible.

  • Added placeholder {plugins_folder} in static analyses' exclusions in inspections.yml (this placeholder, as its name suggests, denotes the absolute (full) path to your server's plugins/ folder).

Thanks for using Keiko! If you enjoy your experience please help to share Keiko with others and leave a positive review <3

v1.3.0

03 Feb 11:32
  • Automatic old logs deletion. Keiko will now delete old log files from .../plugins/Keiko/logs/ automatically. You can configure the number of days after which logs will expire in configuration global.yml (default: 7).

  • Added clear-caches command in keiko-tools that allows you to delete all caches currently stored by Keiko for its static inspections (although Keiko usually deletes those caches automatically when necessary).

  • Changed the way Keiko warns you about invalid Domain Access Control rules to make it more user-friendly and to prevent your server console from being spammed with cumbersome errors.

  • Replaced all Bukkit#shutdown usages with rageQuit by default (ordinary server shutdown is still used if rageQuit is disabled in config).

Thanks for using Keiko! If you enjoy your experience please help to share Keiko with others and leave a positive review <3

v1.2.1

26 Jan 14:49

The Static.ForceOp inspection will now detect blatant setOp method usages in HumanEntity, OfflinePlayer, and CommandSender as well, which will cover some of the possible bypasses.

Thanks for using Keiko! If you enjoy your experience please help to share Keiko with others and leave a positive review <3