[Collection] Server Security

04/28/2013 21:52 Xijezu#16
I could sticky this as well, but I've added it to the collection; it should be fine.
I don't want to have 1000 stickies again, :/
04/28/2013 23:32 abady100#17
@Xijezu With respect to IIS 7, it is not helpful for PHP to connect to MSSQL, if there is a solution.

Also I would like to add something simple for protection: determine the path of the program which uses the port through the firewall, and do not leave it open to all.

Quote:
Originally Posted by c1ph3r View Post
6. Disallow the get_env and set_env functions for every gm. You are able to get all .opt values like the database pw hash via get_env.
It is well known that in the versions of Rappelz there is authorization by a major = 100, or you can say that it gives you full powers, and therefore the secondary ones, which could determine the commands, will face some problems in that, because it is changing from version 7.4 to later ones such as the issuance of 80, 70 and 60, but about version 8.1 I don't know.
04/29/2013 09:52 pprfds#18
Quote:
Originally Posted by c1ph3r View Post

6. Disallow the get_env and set_env functions for every gm. You are able to get all .opt values like the database pw hash via get_env.
Thank you very much c1ph3r, but about this:

As far as I know, in Epic 8.1 there is a permission bug that doesn't allow anything except permission 100, so how can we disallow it?
04/29/2013 10:12 c1ph3r#19
Quote:
Originally Posted by pprfds View Post
Thank you very much c1ph3r, but about this:

As far as I know, in Epic 8.1 there is a permission bug that doesn't allow anything except permission 100, so how can we disallow it?
Did anyone notice the AllowCommandsForPermission table? Did anyone try to use this table? C'mon guys... this is written down in about 100 threads!
04/29/2013 11:33 pprfds#20
Quote:
Originally Posted by c1ph3r View Post
Did anyone notice the AllowCommandsForPermission table? Did anyone try to use this table? C'mon guys... this is written down in about 100 threads!

Did you try to use it?

Well, it doesn't work in Epic 8.

I have filled this table with the permissions in my 7.4 Telecaster and none of the written permissions work:

notice, insert_item, announce ............. etc.

And here is a part of my allowed commands for permission:

04/29/2013 12:25 c1ph3r#21
Yes, I tried it and YES, it is working; otherwise my mods would be unable to warp around ;)
04/29/2013 13:16 ThunderNikk#22
@pprfds

You set all permissions to 1.
04/30/2013 08:26 Xijezu#23
Please stay on topic. ;o
#cleared
11/21/2013 15:05 mongreldogg#24
[link]

Good luck to servers on XAMPP.
11/21/2013 15:21 Ne0@NCarbon#25
If people read the first page of the XAMPP website properly, they would find:

"The philosophy behind XAMPP is to build an easy to install distribution for developers to get into the world of Apache. To make it convenient for developers XAMPP is configured with all features turned on.

The default configuration is not good from a security point of view and it's not secure enough for a production environment - please don't use XAMPP in such environment."

So if they choose to publish it in that state, it's at their own risk!

Otherwise, nice tuts ^^
11/22/2013 01:16 mongreldogg#26
Better to use a combination of:
Apache 2.2.x
PHP 5.2.10 (supports MSSQL drivers as well as most of the new website engines)
MySQL 5.x (if needed)
There are so many step-by-step tuts on how to install all this. But if someone finds IIS better than naked Apache, it may be good. But tbh I never used IIS either, because I had some problems with the config. And installing just Apache+PHP+MySQL+Perl manually was easier for me.
11/22/2013 02:17 ismokedrow#27
My vote will go to IIS every time, and Mongrel, next time try installing via the Web Platform Installer; it makes installing IIS + extra modules + PHP + PHP Driver 3.0+ (the SQLSRV_ API, replacement for the MSSQL_ API) a breeze, mate.
07/03/2020 21:17 VonStrucker#28
Quote:
Originally Posted by Xijezu View Post
Hey,

Based on the [link] discussion, I decided to create a little "collection" about how to protect your server.

SQL-Server
Website
Firewall
Auth-/Gameserver
General Things
Note
Special Note


1. SQL Server
Needless to say, you definitely should rename the SA account and give it a really strong password. Unfortunately you can't disable the Windows login, so if someone has access to your server, then he is basically able to log in to your database.
If your website needs a connection to your database, it might be a good idea to create a different login user with one of these permissions: INSERT (needed for registration), SELECT (only if you want to show some stats, might also be used for registration [depends on your script]) and UPDATE (depends on whether you are using a User Control Panel). Take a look at the next point for more information.

2. Website
The first thing: Do not use XAMPP. Just don't. It isn't made for public hosting; you can easily get hacked because of that.
The most used web servers are Apache & IIS. I personally prefer IIS, since it already comes with Windows and is easy to configure.
For the website itself, make sure that you are always checking the user input in forms, because people love to use SQL injections. To learn more about what SQL injections are and how they work, take a look at [link].
If you are using a database connection on some part of your website, make sure that you only open the connection when you need it. When you have finished your query, make sure to close the connection.
Once I had the problem that someone was able to get access to our server through our forums, since we had enabled PHP uploading. Make sure to deactivate such features; it's easy to use this as an exploit. If you are planning to use forum software, make sure that it is up to date.
The best thing you basically could do is:
Move your website to a different server. If someone is able to use an exploit on your website and gets access to the server, he isn't able to do much, because he doesn't have access to the "main server".

3. Firewall
Only open ports if you need them. Usually your firewall should only have these ports open:
  • 4500 (standard Authserver-port)
  • 4514 (standard Gameserver-port)
  • 4615 (standard Uploadserver-port)
  • *3389 (standard RDP-Port)

Deactivate the other ones, they aren't necessary.

*A little tip here: If your provider gives you a static IP, just allow connections from this one. This might prevent people from bruteforcing (or whatever) to get access to your server.
If you don't care about money, this might also be an idea:
When DarknessFight moved to a private host, we had 3 servers: a database server, a game server for the main GS (including the website and Authserver) and a game server for our low-rate server. The database server and main game server only allowed RDP connections from our LowRate game server, so when I was planning to connect to the database, I always had to connect to the LowRate server first.
If those 2 options aren't possible for you, then just leave it open.

4. Auth- and Gameserver
Well, since 7.4V2 (or was it 8.1?) this point is basically useless, but still:
Make sure that you have set a password for the telnet function.

5. General things:
This point usually should be obvious, but there are some people out there who don't really care about it, so here it is again:
  1. Never give someone else access to your server. You can't trust anyone on the web.
  2. Use a different password for everything. Always a long one, including upper-/lowercase letters, special chars and numbers. A good one could look like this: U$w[_Ux[;zxtxofP-0I=;DÄBL?ö,LÜ
  3. Only use up-to-date software, in this case SQL & PHP. Sure, the newest PHP doesn't support the mssql class, but you can still use the SQL Server Driver for PHP from Microsoft.

Note:
I am not a specialist when it comes to server security; I am writing this from my own experience, and this topic will not tell you how to secure your server against everything.
This topic lives on your information and experience. I will always update it if you have new and helpful tips.
If you think I made a mistake somewhere or I'm missing something, feel free to correct me. I'm always happy to learn something new.

I will add a FAQ for other things (e.g. "What to do on DDoS?") later; kinda tired at the moment.

If you have any questions, feel free to ask. I'm trying to answer them if it's possible. If not, maybe someone else can answer it.

Note for some persons out there:
Yes, I know that you hate me now because I'm giving out some of your most obvious methods. I know that some of you think that the community doesn't deserve it (long story, for those which don't know), but I am happy if I even helped 1 person with that. So: I really don't care about your hate. :)
That's it for today.

Sincerely yours,

Xijezu
Even though it's old, your post is still helping me, thanks!
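The firewall setup from section 3 of the quoted post (default-deny, only the Auth/Game/Upload ports open, RDP limited to the admin's static IP) together with abady100's suggestion of tying each port to the program that uses it, as an added example; this is not code from the original thread or from any Rappelz server package. It assumes Windows 8 / Server 2012 or newer (the NetSecurity cmdlets; on older hosts the same rules are written with netsh advfirewall), and the install directory, executable names, rule names and the admin IP 203.0.113.10 are placeholders chosen for illustration. The second function is the check the post's "deactivate the other ones" asks for: it lists everything still listening on a port that is not in the allow-list.

```powershell
# Added example: Windows Firewall baseline for a Rappelz-style game host.
# Requires the NetSecurity module (Windows 8 / Server 2012+); run elevated.
# All paths, executable names, rule names and the admin IP are ASSUMPTIONS
# for illustration, not values from the original post.
#Requires -RunAsAdministrator

$AdminIp   = '203.0.113.10'       # your static IP (assumed; documentation range)
$ServerDir = 'C:\Rappelz\Server'  # assumed install directory

# Inbound allow-list: port -> the one executable allowed to answer on it.
$AllowedInbound = @(
    @{ Name = 'Rappelz Authserver';   Port = 4500; Program = "$ServerDir\Authserver.exe" }
    @{ Name = 'Rappelz Gameserver';   Port = 4514; Program = "$ServerDir\Gameserver.exe" }
    @{ Name = 'Rappelz Uploadserver'; Port = 4615; Program = "$ServerDir\Uploadserver.exe" }
)

function Set-ServerFirewallBaseline {
    # 1. Default-deny inbound on every profile; outbound stays open.
    Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Allow

    # 2. Drop rules from an earlier run so the script is idempotent.
    Get-NetFirewallRule -DisplayName 'Rappelz *' -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule

    # 3. Game ports, each bound to its own executable (per-program rule).
    foreach ($r in $AllowedInbound) {
        New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Action Allow `
            -Protocol TCP -LocalPort $r.Port -Program $r.Program -Profile Any | Out-Null
    }

    # 4. RDP only from the admin's static IP. The built-in "Remote Desktop"
    #    group would allow 3389 from anywhere, so it is switched off first.
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
    New-NetFirewallRule -DisplayName 'Rappelz RDP (admin IP only)' -Direction Inbound `
        -Action Allow -Protocol TCP -LocalPort 3389 -RemoteAddress $AdminIp -Profile Any | Out-Null

    # 5. SQL Server (1433) is deliberately NOT opened: with default-deny it is
    #    reachable from localhost only. If the database runs on a separate host
    #    (the three-server layout in the post), open 1433 there with
    #    -RemoteAddress <game-server IP> instead of for everyone.
}

function Get-UnexpectedListeners {
    # Audit: every TCP listener whose port is outside the allow-list (+RDP).
    # With default-deny these are not reachable from outside, but anything
    # shown here is a service the post says should be switched off.
    $expected = @($AllowedInbound | ForEach-Object { $_.Port }) + 3389
    Get-NetTCPConnection -State Listen |
        Where-Object { $expected -notcontains $_.LocalPort } |
        Select-Object LocalAddress, LocalPort, OwningProcess |
        Sort-Object LocalPort -Unique
}

Set-ServerFirewallBaseline
Get-UnexpectedListeners | Format-Table -AutoSize
```

Re-run the script after every change to the server layout; the `Rappelz *` rules are replaced wholesale, while the default-deny profile setting is what actually closes "the other ones". Map each `OwningProcess` from the audit output to a service with `Get-Process -Id <pid>` before disabling it.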