Reasoning
Most donation scam servers use software from 2008 and log passwords in plain text. If you're a server owner and actually care about your players, then update your software and secure your server. This is a small guide on how to do that, and how not to be immediately labeled as a "garbage server with an owner who has no idea what they're doing".
Software
Update your damn software. AppServ from over a decade ago is not secure. A decade-old pirated version of Navicat is not how people connect to MySQL. Here is a list of supported and frequently updated downloads for common software required by servers:
- [link]: A more secure drop-in replacement for MySQL. Or just use MySQL.
- [link]: Stop using MySQL 5.0.51 Beta from AppServ.
- [link]: Stop using a decade-old pirated version of Navicat.
- [link]: Stop using Apache 2.2.8 from AppServ.
- [link]: Stop using PHP 5.2.6 from AppServ (and ideally stop using PHP).
- [link]: Stop using Visual Studio 2010 Express for C#.
- [link]: A maintained packaged all-in-one solution if you must have one.
Account Security
Stop saving your players' passwords in plain text. Stop returning their passwords to them via email. It's scummy and shady as all hell. Want to protect your players? Hash their passwords. Hashes are one-directional, meaning you cannot get passwords back from a hash. Use a secure hash algorithm such as SHA-256. If you really want to protect players from things like dictionary attacks, use a salt (a random string appended to the password before hashing). Did someone forget their password? Then send them a token to reset it. Don't send them their bloody password... geezus.
Protect your website
[link] is free, and helps protect your website from a wide range of attacks. You can encrypt connections to your website using SSL for free, create a firewall, auto-minify JavaScript, CSS, and HTML, cache your website to reduce load, etc. Sign up and follow their step-by-step guide for setting up your account there.
Also, protect yourself: when you buy a new domain for your website, purchase "Whois Privacy". If you don't purchase that, then literally anybody can look up your full name, address, phone number, email address, etc. using a website like [link]. Also, make sure your website's domain is non-transferable after you're done setting up your host.
What's the risk?
Don't want to update your software? Here's the risk:
Have fun, and be safe about it.
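The Account Security advice above (salted hashes, reset tokens instead of emailed passwords), as an added example that is not part of the original post. It goes one step beyond a single salted SHA-256 by using PBKDF2-HMAC-SHA256, which iterates the hash so guessing is slow; the iteration count, token lifetime and the in-memory `ResetTokens` store are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

PBKDF2_ITERATIONS = 600_000   # assumption: tune to your own hardware
RESET_TTL_SECONDS = 15 * 60   # assumption: reset links live 15 minutes

def hash_password(password: str) -> str:
    """Return 'iterations$salt_hex$hash_hex'; the password itself is never stored."""
    salt = secrets.token_bytes(16)  # fresh random salt for every account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    iterations, salt_hex, hash_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))

class ResetTokens:
    """In-memory stand-in for a reset-token table (hypothetical; use your database)."""

    def __init__(self):
        self._rows = {}  # sha256(token) -> (username, expires_at)

    def issue(self, username, now=None):
        """Create a one-time token to email; only its hash is kept server-side."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()
        self._rows[key] = (username, now + RESET_TTL_SECONDS)
        return token

    def redeem(self, token, now=None):
        """Return the username for a valid token, else None. Tokens are single use."""
        now = time.time() if now is None else now
        key = hashlib.sha256(token.encode()).hexdigest()
        row = self._rows.pop(key, None)  # pop: a token can never be replayed
        if row is None or now > row[1]:
            return None
        return row[0]
```

Because only the token's hash is stored, a leaked database exposes neither passwords nor usable reset links.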