[Collection] Server Security

Hey,

Based on [Only registered and activated users can see links. Click Here To Register...] discussion, I decided to create a little "collection" about how to protect your server.

SQL-Server
Website
Firewall
Auth-/Gameserver
General Things
Note
Special Note


1. SQL Server

Needless to say, you definitely should rename the SA-Account and give it a really strong password. Unfortunately you can't disable the Windows-Login, so if someone has access to your server, then he basically is able to login to your database.
If your website needs connection to your database, it might be a good idea to create different login-user with one of these permissions: INSERT (needed for registration), SELECT (only if you want to show some stats, might also be used for registration [depends on your script]) and UPDATE (depends if you are using an User Control Panel). Take a look at the next point for more information.

2. Website

The first thing: Do not use XAMPP. Just don't. It isn't made for public hosting, you can easily get hacked because of that.
The most used web-server are Apache & IIS, I personally prefer IIS, since it already comes with Windows and it's easy to configure.
For the website itself, make sure that you are always checking the user-input in forms, because people love it to use SQL-Injections. To learn more about what SQL-Injections are and how they work, take a look at [Only registered and activated users can see links. Click Here To Register...].
If you are using a database-connection on some part of your website, make sure that you only open the connection when you need it. When you finished your query, make sure to close the connection.
Once I had the problem that someone was able to get access to our server through our forums, since we enabled PHP-uploading. Make sure to deactivate such features, it's easy to use this as exploit. If you are planning to use a forum-software, make sure that it is up to date.
The best thing you basically could do is:
Move your website to a different server. If someone is able to use an exploit on your website and gets access to the server, he isn't able to do much, because he doesn't has access to the "main-server".

3. Firewall

Just open ports if you need them. Usually your Firewall should only have these ports opened:

• 4500 (standard Authserver-port)
• 4514 (standard Gameserver-port)
• 4615 (standard Uploadserver-port)
• *3389 (standard RDP-Port)

Deactivate the other ones, they aren't necessary.

*A little tip here: If your provider gives you a static IP, just allow connections from this one. This might prevent people to bruteforce (or whatever) to get access to your server.
If you don't care for money, this might also be an idea:
When DarknessFight moved to a private host, we had 3 server: A database-server, a Gameserver for the Main-GS (including the website and Authserver) and a Gameserver for our low-rate server. The database-server and Main-Gameserver only allowed RDP-connections from our LowRate-Gameserver, so when I was planning to connect to the database, I always had to connect to the LowRate-Server first.
If those 2 options aren't possible for you, then just leave it opened.

4. Auth- and Gameserver

Well, since 7.4V2 (or was it 8.1?) this point is basically useless, but still:
Make sure that you have set a password for the telnet-function.

5. General things:

This point usually should be obvious, but there are some people out there which don't really care for it, so here again:

1. Never give someone else access to your server. You can't trust anyone on the web.
2. Use for everything a different password. Always a long one, including upper-/lowercase-letters, special chars and numbers. A good one could look like this: U$w[_Ux[;zxtxofP-0I=;DÄBL?ö,LÜ
3. Only use Up 2 Date-Software, in this case SQL & PHP. Sure, the newest PHP doesn't support the mssql-class, but you can still use the SQL Server Driver for PHP from Microsoft.

Note:

I am not a specialist when it comes to server security, I am writing this on own experience, also this topic will not tell you how to secure your server for everything.
This topic lives on your information and experience. I will always update it if you got new and helpful tips.
If you think I made a mistake somewhere or I'm missing something, feel free to correct me. I'm always happy to learn something new.

I will add a FAQ for other things (e.g. "What to do on DDOS?") later, kinda tired yet.

If you have any questions, feel free to ask. I'm trying to answer them if it's possible. If not, maybe someone else can answer it.

Note for some persons out there:

Yes, I know that you hate me now because I'm giving out some of your most obvious methods. I know that some of you think that the community doesn't deserve it (long story, for those which don't know), but I am happy if I even helped 1 person with that. So: I really don't care about your hate. :)

That's it for today.

Sincerely yours,

Xijezu

Quote:

Originally Posted by Xijezu 3. Firewall[INDENT]Just open ports if you need them. Usually your Firewall should only have these ports opened: 4500 (standard Authserver-port) 4518 (standard Gameserver-port) *3389 (standard RDP-Port)

Personnaly many hack are made by Gameserver or AuthServer I really recommend to closed these port and to change de default RDP-port ^^

For the website don't use old SQL... PHP5 exist and PDO too... Now only use them like that no-injection !!! If you don't know them, go learn ^^

wow, tyvm.

i do thank you for your helpful hints, i actually asked that question myself, but am uneducated in sql, so i simply backed out of putting mine online for now lol.

Quote:

Originally Posted by gr4ph0s If you don't know them, go learn ^^

this part however isnt really in the spirit of this thread is it? :D

Quote:

Originally Posted by gr4ph0s Personnaly many hack are made by Gameserver or AuthServer I really recommend to closed these port and to change de default RDP-port ^^

Well, if you close 4500 and 4518, how should people connect to the server then? :)

Quote:

Originally Posted by gr4ph0s For the website don't use old SQL... PHP5 exist and PDO too... Now only use them like that no-injection !!! If you don't know them, go learn ^^

Almost forgot that. I'll add it, thanks. :)

A little bit of information from one of my friends who's a Network Admin:

If you decide to build your own server, first off use Windows Server 2008 or 2012, do not use Windows 7 or 8 or XP or whatever.

Secondly, make sure you have adequate Antivirus and Firewall security. The best Antivirus to use is Microsoft Security Essentials.

And lastly, and I quote: "... security is a balancing act between usability and security." ; "... it boils down to using secure protocols. SFTP or SCP for file transfer, SSH and RDP over VPN for management, strong pass phrases, etc..."

And when setting up your server, insure that the OS and any and all, non-necessary, network ports are CLOSED and locked down. The only information that should be transferring between your server and the user is data pertaining to the game and only the game.

Much of this also pertains to a hosted dedicated server as well.

Quote:

Originally Posted by HeavenOnlyWishes If you decide to build your own server, first off use Windows Server 2008 or 2012, do not use Windows 7 or 8 or XP or whatever.

If you're using a server from a hosting-company, they usually install Windows Server on it.

Quote:

Originally Posted by HeavenOnlyWishes Secondly, make sure you have adequate Antivirus and Firewall security. The best Antivirus to use is Microsoft Security Essentials.

I'm not sure about this part, at the very beginning I was trying this on DF, but it seems that Microsoft Security Essentials caused some problems with the server. I wasn't able to connect to the RDP again. Same for the Firewall (that's why I prefer Windows Firewall).

Quote:

Originally Posted by HeavenOnlyWishes The only information that should be transferring between your server and the user is data pertaining to the game and only the game.

I'm not sure here either, but wouldn't this require a special tool which checks for the packet-structure and either forward it or not?

Quote:

Originally Posted by Xijezu If you're using a server from a hosting-company, they usually install Windows Server on it.

True, but not everyone knows what OS to use when building their own, which is why I mentioned it... ;)

Quote:

Originally Posted by Xijezu I'm not sure about this part, at the very beginning I was trying this on DF, but it seems that Microsoft Security Essentials caused some problems with the server. I wasn't able to connect to the RDP again. Same for the Firewall (that's why I prefer Windows Firewall).

Not sure about the issues with MSE, I've never had any... As for the firewall it depends on what firewall you use. My friend hosts several servers across multiple platforms and OSs, he swears by MSE, and he has a pretty beefy firewall to compliment it. Not sure what he uses though.

Quote:

Originally Posted by Xijezu I'm not sure here either, but wouldn't this require a special tool which checks for the packet-structure and either forward it or not?

As far as I know you should be able to set WS2008/2012 up to prevent unwanted access and data transfer on it's own, but using a utility to back this up wouldn't be a bad idea. I can ask.... ok we're just using names at this point cause "my friend" is getting old.... his names Pat, I can ask Pat about it.

Disable Webdav in xampp 1.7.3 or older and xampp will be alot more secure webdav has a default password and username on all installations on these versions and will let anyone upload a file to your web server and run any command they wish on your computer ive seen alot of people on here say your server security is horrible look in your web documents for a file i left you this is a very easy thing to do only takes 5 seconds to accomplish

you can just delete the folder webdav and remove all webdav lines in xampp/apache/conf/httpd.conf then restart apache and this backdoor will be gone

Quote:

Originally Posted by hackfever Disable Webdav in xampp 1.7.3 or older and xampp will be alot more secure webdav has a default password and username on all installations on these versions and will let anyone upload a file to your web server and run any command they wish on your computer ive seen alot of people on here say your server security is horrible look in your web documents for a file i left you this is a very easy thing to do only takes 5 seconds to accomplish you can just delete the folder webdav and remove all webdav lines in xampp/apache/conf/httpd.conf then restart apache and this backdoor will be gone

There would be still some security holes opened, also, like I said, XAMPP isn't for public hosting, so I personally don't recommend XAMPP. :)

1. MSF the best AntiVirus? Okay i wouldn't say that but hey AntiVirus isn't the important thing because normally you do not use your Root to download a lot of shit from the internet and you should test the files you are transferring to your root on your own pc. But it's allways better to have a antivirus software because nobody knows...but normally this won't happen very often if you won't use your root as a download server ;).

2. I wouldn't use port 3389 switch it to something else that attackers have to search for it.

3. DON'T FORGET TO CHANGE YOUR AUTH SERVER TELNET PW (About 80% of the "new" pservers didn't do that)

4. For the 8.1 GS use console.allow_ip to configure the ip's that are allowed to connect via telnet. Example: S console.allow_ip:127.0.0.1
(Notice: Since 8.1 the console PW is hashed)

5. Test your root on your own: [Only registered and activated users can see links. Click Here To Register...] or check for exploits.

6. Disallow the get_env and set_env functions for every gm. You are able to get all .opt values like the database pw hash via get_env.

7. Don't use the official cs. (I'm not sure about it but as far as i know there is a known security whole in the cs)

8. If you are using the upload server don't forget that there is a telnet client in the upload server too.

9. If you use an apache/tomcat on a windows machine...make sure that this server isn't running on the administrator account!

10. If you are using mysql for your website don't forget to close the mysql port!

@Xijezu perhaps you should say a few words about the upload server. You have to open the upload server ports if you want to get the guildicons running. They should be open too ;)

Is there a way for the full protection of the father DOS Attack

Quote:

Originally Posted by Black.Berry Is there a way for the full protection of the father DOS Attack

As far as I know: No. As (maybe a bad one) example, see Anonymous.
A real DDOS-attack can take down almost everything.
The problem is:
Windows just has 2 ways to handle packets: Allow or Drop.
Linux has 3 ways to handle the packets due the IPTable: Allow, Drop and ignore.
If you use a Linux-server as some kind of "router" and disable incoming connections to your Windows-server (except from the Linux-server), you are able to handle a lot of those DDoS-attacks.

If someone knows a different (or even better way) way or if I'm wrong here, feel free to tell me. :)

Quote:

Originally Posted by c1ph3r 2. I wouldn't use port 3389 switch it to something else that attackers have to search for it.

Well, ... If it takes 2 minutes more doesn't matter, just use a Portscanner and you've got the new port. :/

Quote:

Originally Posted by c1ph3r 6. Disallow the get_env and set_env functions for every gm. You are able to get all .opt values like the database pw hash via get_env.

Will add this, thanks.

Quote:

Originally Posted by c1ph3r 8. If you are using the upload server don't forget that there is a telnet client in the upload server too.

Everything GALA made has a telnet-client, even their patch-server on retail. Guess how I was able to took the patch-server down for a day? ;p

Quote:

Originally Posted by c1ph3r 10. If you are using mysql for your website don't forget to close the mysql port!

Why using MySQL if you've got swa... eh.. MSSQL?
Well, okay, if you are using a forum-software, but in this case you really should move the website on a different server.

Quote:

Originally Posted by c1ph3r @Xijezu perhaps you should say a few words about the upload server. You have to open the upload server ports if you want to get the guildicons running. They should be open too ;)

Damnit, I forgot about this. Thanks.

Quote:

Originally Posted by Xijezu Well, ... If it takes 2 minutes more doesn't matter, just use a Portscanner and you've got the new port. :/

There are firewalls available with portscanning detection that will make this a little bit harder ;)

I would like to ask that this post be Stickied.....

agreed

edit : rest was null ^^