[HOW TO] Basic server security, TO ALL P*SERVER OWNER

• A decent host
  
  
• If possible, having 2 servers would be better (one for your WEB server, and the other one for your GAME & sql server)
  
  
• I would recomand you to use lastest Windows Server OS & lastest SQL Server (so Windows Server 2012 R2 & [Only registered and activated users can see links. Click Here To Register...] nowdays). In fact, almost every one are still using windows server 2008 R2 or SQL Server 2005....
  

• The first one "Login & Game Shaiya Server" simply open 30800 & 30810 port (TCP only) others shaiya ports HAVE TO BE CLOSED, or we will be able to close your server remotly and so on

• The second one "RDP && SSH" will allow you to use windows RDP to access to your server, I mean this tool:
  [Only registered and activated users can see links. Click Here To Register...]
  For this rule, please set "remote adress" to your own home adress. Why ? Because if someone know your password, he won't be able to use it.
  Note: I'm using custom RDP port, mine is 15000 but change it if you want. default one is TCP port 3389.

• The lastest rule is for SQL Server. if you have 2 VPS, set "remote adress" to you web server adress, else delete this rule if you are running your web server & your sql server on the same VPS. In fact, no one will be able to connect to your SQL Server, no matter if your password is Shaiya123 or a secure one.

• The first one allow TCP HTTP && HTTPS (80 & 443 ports)

• The second one is, once again, for RDP. with, once again "remote adress" set to my home adress.

Trayne01'; DELETE FROM PS_UserData.dbo.Users_Master;--

• If you are using a weird database, [Only registered and activated users can see links. Click Here To Register...]

Quote:

Originally Posted by Trayne01 No I don't. They are all useless imo

Quote:

Originally Posted by tkminh How do u protect ur server , to anti ddos ? :confused:

Quote:

Originally Posted by Trayne01 Hello E*PvP, As a a lot of servers closed recently, I'll teach you how to make a fucking decent server, because some servers here are just open to every kind of hacks... Seriously, please close your server now if you can't follow this tut.... So lets go (this tut is fine for all shaiya server files) I / System Requirements A decent host (for my part, i'm using [Only registered and activated users can see links. Click Here To Register...], what I mean by decent host ? High connexion speed, high RAM & CPU VPS, almost 24h/24h support, DDoS protection included for free, lastest windows server OS, twin server rooms, they are using [Only registered and activated users can see links. Click Here To Register...] network and so on) VPS = Virtual Private Server, best shaiya hosting solution (cheaper than dedicated server) If possible, having 2 VPS would be better (one for your WEB server, and the other one for your GAME & sql server) An unique server, I won't allow you to read bellow if your are making a multi-colour server or something that already exists I would recomand you to use lastest Windows Server OS & lastest SQL Server (so Windows Server 2012 R2 & [Only registered and activated users can see links. Click Here To Register...] nowdays). In fact, almost every one is still using windows server 2008 R2 & SQL Server 2005 LOL.... guys please don't be stupid by doing only what our old tuts are saying, because in fact this [Only registered and activated users can see links. Click Here To Register...] is now 7 years old.... There is no advantages at all to use out-dated softwares (RAM is often managed better now, security is much more guaranteed and so on) A normal brain (we'll need to use it) II / Basic game-server protection So, now we'll see how to setup decent firewall rules. My firewall looks like that (please zoom and see the 3 rules that I made): [Only registered and activated users can see links. Click Here To Register...] (to open your windows firewall, simply type "fire" in your search windows bar, and clic on the first result, i mean this one: [Only registered and activated users can see links. Click Here To Register...]) Now lets see the 3 rules that I made. The first one "Login & Game Shaiya Server" simply open 30800 & 30810 port (TCP only) others shaiya ports HAVE TO BE CLOSED, or we will be able to close your server remotly and so on The second one "RDP && SSH" will allow you to use windows RDP to access to your server, I mean this tool: [Only registered and activated users can see links. Click Here To Register...] For this rule, please set "remote adress" to your own home adress. Why ? Because if someone know your password, he won't be able to use it. Note: I'm using custom RDP port, mine is 15000 but change it if you want. default one is TCP port 3389. The lastest rule is for SQL Server. if you have 2 VPS, set "remote adress" to you web server adress, else delete this rule if you are running your web server & your sql server on the same VPS. In fact, no one will be able to connect to your SQL Server, no matter if your password is Shaiya123 or a secure one. Okay well... now we have a secure game server, basic issues are patched. III / Basic Web server protection * - PHP & Appache installation Please, setup your web server your self! download [Only registered and activated users can see links. Click Here To Register...] here and [Only registered and activated users can see links. Click Here To Register...] here. Why ? Because some softwares "all in one" might contain obvious security issues in the panel that they give. So please delete (or secure) this panel.In fact these software are mainly made for local development, not for public website. And, almost all of these softwares will run a MySQL DB.. but we don't need it, and it will use your RAM. a - web firewall Here is the firewall rules for the second machine (or the web-related rules if you are using only one VPS) ignore this step if you are using a classic web-host (with cpanel and so on) [Only registered and activated users can see links. Click Here To Register...] Okay and now lets see the 2 rules that I made: The first one allow TCP HTTP && HTTPS (80 & 443 ports) The second one is, once again, for RDP. with, once again "remote adress" set to my home adress. Okay... now we have a decent firewall protection, lets see the web-releated issues. b - SQL Injections A lot of shaiya PHP scripts are using GET or POST and then a SQL query, with the wished variables. The problem is, if you are not using the pdo bind functions, or any other function that make put a variable in your query with a decent way, any kid will be able to drop your databases. Now lets see 3 exemples: 1 - file: exemple_odbc_unsafe.php  Spoiler PHP Code: <html> <h2>Checking if user exists</h2> <form method="POST" action="./exemple.php"> Username: <input type="text" name="username" /> </form> <?php if (isset($_POST["username"])){     $conn = odbc_connect("Driver={SQL Server Native Client 11.0};Server=127.0.0.1;Database=PS_UserData;", "Shaiya", "Shaiya123");     $rs = odbc_exec($conn, "SELECT Count(*) AS counter FROM PS_UserData.dbo.Users_Master WHERE UserID='" . $_POST["username"] . "';");     $arr = odbc_fetch_array($rs);     echo ("There is ".$arr['counter']." account(s) called ".$_POST["username"]);     } ?> </html> So this script is unsecure, because we can inject any SQL code. for exemple, lets try with this username: Code: Trayne01'; DELETE FROM PS_UserData.dbo.Users_Master;-- in fact, if we put this "username", we will delete all our accounts. SO PLS DONT DO THIS (if you just deleted your accounts, because you didn't use your brain no matter if I put it in the requirements, you can still resotre your accounts by using [Only registered and activated users can see links. Click Here To Register...].) 2 - file: exemple_odbc_safe.php  Spoiler PHP Code: <html> <h2>Checking if user exists</h2> <form method="POST" action="./exemple.php"> Username: <input type="text" name="username" /> </form> <?php if (isset($_POST["username"])){     $conn = odbc_connect("Driver={SQL Server Native Client 11.0};Server=127.0.0.1;Database=PS_UserData;", "Shaiya", "Shaiya123");     $rs = odbc_prepare($conn, "SELECT Count(*) AS counter FROM PS_UserData.dbo.Users_Master WHERE UserID= ? ;");     $rs = odbc_execute($rs,array($_POST["username"]));     $arr = odbc_fetch_array($rs);     echo ("There is ".$arr['counter']." account(s) called ".$_POST["username"]);     } ?> </html> This script is safe, because we are using a funcntion that make our $_POST vars secure, and we can't inject SQL code. 3 - file: exemple_pdo_sqlsrv.php  Spoiler PHP Code: <html> <h2>Checking if user exists</h2> <form method="POST" action="./exemple.php"> Username: <input type="text" name="username" /> </form> <?php if (isset($_POST["username"])){     $dsn = "sqlsrv:Server=127.0.0.1;Database=PS_UserData";     $user = 'Shaiya';     $password = 'Shaiya123';          try {         $dbh = new PDO($dsn, $user, $password);     } catch (PDOException $e) {         echo 'Connection failed: ' . $e->getMessage();     }          $res = $dbh->prepare("SELECT Count(*) AS counter FROM PS_UserData.dbo.Users_Master WHERE UserID = :userid ;");     $res->bindPram('::userid',$_POST["username"],PDO::PARAM_STR,32)     $arr = $res->fetchAll();     echo ("There is ".$arr['counter']." account(s) called ".$_POST["username"]); }     ?> </html> This script is safe, because we are using PDO::BindParam function, so we can't inject SQL code. So Now lets see an last exemple, lets check if [Only registered and activated users can see links. Click Here To Register...] is secure: proc.php line 19 PHP Code: if (isset($_POST['Var1']))  {     $DisplayItemName=$_POST['Var1'];         $replace = array(              "'" => "_",             "é" => "e",             "è" => "e",             "ê" => "e",             "î" => "i",             //"ï" => "i",             "à" => "a",             "û" => "u",             "ô" => "o"             );      //$newstr = utf8_encode(str_replace_assoc($replace,$_POST['Var1']));     $newstr = str_replace_assoc($replace,$_POST['Var1']);     $ItemName=$newstr;  The vars $ItemName will be used later in our sql vars PHP Code:     $CheckItemNumber="SELECT Grade from dbo.Items WHERE ItemName like '$ItemName'";  So its not secure at all to put this script in your public website. (I made it for my admin panel months ago) So how to secure this script, and make it usable for your public area? Lets secure this script, at each time you'll have a variable declared as a query, it should be like: PHP Code:     $CheckItemNumber=odbc_prepare("SELECT Grade from dbo.Items WHERE ItemName like ? ;");  And so, at each odbc_exec(), we should use odbc_execute() instead proc.php line 40 PHP Code: $retour=odbc_execute($CheckItemNumber,array($ItemName));  Yeah, in fact, its really simple! IV / Others basics exploits & issues The secure ps_login.exe can be found [Only registered and activated users can see links. Click Here To Register...]. OTHER DOWNLOADS The secure ps_dbagent episode 4 can be found here. (patched item dupe) The secure ps_dbagent episode 5.4 can be found here. (patched item dupe) And secure ps_dbagent episode 6.3 (for Juuf's or Shen's files) can be found here. (patched item dupe) As I inveted you to use lastest SQL Server versions, here is some edited dll that I made to help you to upgrade your SQL server. In fact, with these modification you won't be able to use SQL Server 2012 and greater. Edited 5.4 itemmall dll can be found here. Edited Juuf's EP 6 dll can be found here. Edited lastest Shen's dll can be found here. Edited Shen's dll (with wings) can be found here. I'm still uploading these files, pls wait. If you are using a weird database, [Only registered and activated users can see links. Click Here To Register...] none? Now you have a decent server, so your server should stay online for a long time. So please make it serious, make a nice website and make nice custom features. I love our servers, but I don't like when unorignal servers come and close after couple of weeks... So I only wanted to help you to keep your server online as long as possible. Have fun!