[Collection] Server Security

Discussion on [Collection] Server Security within the Rappelz Private Server forum part of the Rappelz category.

Old 04/28/2013, 21:52   #16


 
Xijezu's Avatar
 
elite*gold: 0
Join Date: May 2011
Posts: 5,086
Received Thanks: 3,471
I could stick this as well, but I've added it into the collection, it should be fine.
I don't wanna have 1000 stickies again, :/
Xijezu is offline  
Thanks
1 User
Old 04/28/2013, 23:32   #17
 
elite*gold: 0
Join Date: Jun 2011
Posts: 124
Received Thanks: 5
@Xijezu With respect to the IIS 7 that it is not helpful to PHP to connect to MSSQL if there is a solution.

Also I would like to add something simple for protection, which determine the course of the program, which uses port through the firewall does not leave it to all.

Quote:
Originally Posted by c1ph3r View Post
6. Disallow the get_env and set_env functions for every gm. You are able to get all .opt values like the database pw hash via get_env.
It is well known that the versions of rappelz there is authorized by a major = 100, or you can say that it gives you full powers and therefore secondary, which could determine the commands, and will face some problems in that because it is changing from version 7.4 to time such as the issuance of the 80, 70 and 60, but in the version 8.1, I don't know about.
abady100 is offline  
Old 04/29/2013, 09:52   #18
 
elite*gold: 0
Join Date: Oct 2011
Posts: 84
Received Thanks: 12
Quote:
Originally Posted by c1ph3r View Post

6. Disallow the get_env and set_env functions for every gm. You are able to get all .opt values like the database pw hash via get_env.
Thank you very much c1ph3r, but about this:

As far as I know, in epic 8.1 there is a permission bug that doesn't allow anything except permission 100, so how can we disallow it?
pprfds is offline  
Old 04/29/2013, 10:12   #19
 
c1ph3r's Avatar
 
elite*gold: 0
Join Date: Sep 2008
Posts: 1,606
Received Thanks: 1,210
Quote:
Originally Posted by pprfds View Post
Thank you very much c1ph3r, but about this:

As far as I know, in epic 8.1 there is a permission bug that doesn't allow anything except permission 100, so how can we disallow it?
Did anyone realise the AllowCommandsForPermission table? Did anyone try to use this table? C'mon guys... this is written down in about 100 threads!
c1ph3r is offline  
Old 04/29/2013, 11:33   #20
 
elite*gold: 0
Join Date: Oct 2011
Posts: 84
Received Thanks: 12
Quote:
Originally Posted by c1ph3r View Post
Did anyone realise the AllowCommandsForPermission table? Did anyone try to use this table? C'mon guys... this is written down in about 100 threads!


Did you try to use it?

Well, it doesn't work in epic 8.

I have filled this table with the permissions in my 7.4 telecaster and none of the written permissions work:

notice, insert_item, announce ... etc.

And here is a part of my allowed commands for permission:

pprfds is offline  
Old 04/29/2013, 12:25   #21
 
c1ph3r's Avatar
 
elite*gold: 0
Join Date: Sep 2008
Posts: 1,606
Received Thanks: 1,210
Yes, I tried it and YES, it is working, otherwise my mods would be unable to warp around.
c1ph3r is offline  
Old 04/29/2013, 13:16   #22
Moderator


 
ThunderNikk's Avatar
 
elite*gold: 1
Join Date: Dec 2012
Posts: 4,912
Received Thanks: 1,490
@pprfds

You set all permissions at 1
ThunderNikk is offline  
Old 04/30/2013, 08:26   #23


 
Xijezu's Avatar
 
elite*gold: 0
Join Date: May 2011
Posts: 5,086
Received Thanks: 3,471
Please stay on topic. ;o
#cleared
Xijezu is offline  
Old 11/21/2013, 15:05   #24
 
mongreldogg's Avatar
 
elite*gold: 30
Join Date: Mar 2012
Posts: 634
Received Thanks: 297


gl to servers on XAMPP
mongreldogg is offline  
Old 11/21/2013, 15:21   #25
 
elite*gold: 0
Join Date: Jul 2011
Posts: 113
Received Thanks: 87
If people properly read the first page of the XAMPP website, they would find:

"The philosophy behind XAMPP is to build an easy to install distribution for developers to get into the world of Apache. To make it convenient for developers XAMPP is configured with all features turned on.

The default configuration is not good from a security point of view and it's not secure enough for a production environment - please don't use XAMPP in such environment."

So if they choose to publish it in that state, it's at their own risk!

Otherwise, nice tuts ^^
Ne0@NCarbon is offline  
Old 11/22/2013, 01:16   #26
 
mongreldogg's Avatar
 
elite*gold: 30
Join Date: Mar 2012
Posts: 634
Received Thanks: 297
Better to use a combination of:
Apache 2.2.x
PHP 5.2.10 (supports MSSQL drivers as well as most new website engines)
MySQL 5.x (if needed)
There are so many step-by-step tuts on how to install all this. But if someone found IIS better than naked Apache, it may be good. But tbh I never used IIS as well, because I had some problems with config. And installing just apache+php+mysql+perl manually was easier for me.
mongreldogg is offline  
Old 11/22/2013, 02:17   #27
 
elite*gold: 0
Join Date: Oct 2010
Posts: 2,555
Received Thanks: 2,460
My vote will go to IIS every time, and Mongrel, next time try installing via the Web Platform Installer; it makes installing IIS + extra modules + PHP + PHP Driver 3.0+ (MSSQL_ API replacement to SQLSRV_ API) a breeze, mate.
ismokedrow is offline  
Thanks
1 User
Old 07/03/2020, 21:17   #28
 
VonStrucker's Avatar
 
elite*gold: 0
Join Date: Jul 2020
Posts: 22
Received Thanks: 7
Even though it's old, your post is still helping me, thanks!

Quote:
Originally Posted by Xijezu View Post
Hey,

Based on discussion, I decided to create a little "collection" about how to protect your server.

SQL-Server
Website
Firewall
Auth-/Gameserver
General Things
Note
Special Note


1. SQL Server
Needless to say, you definitely should rename the SA-Account and give it a really strong password. Unfortunately you can't disable the Windows-Login, so if someone has access to your server, then he basically is able to login to your database.
If your website needs connection to your database, it might be a good idea to create different login-user with one of these permissions: INSERT (needed for registration), SELECT (only if you want to show some stats, might also be used for registration [depends on your script]) and UPDATE (depends if you are using an User Control Panel). Take a look at the next point for more information.

2. Website
The first thing: Do not use XAMPP. Just don't. It isn't made for public hosting, you can easily get hacked because of that.
The most used web servers are Apache & IIS. I personally prefer IIS, since it already comes with Windows and it's easy to configure.
For the website itself, make sure that you are always checking the user input in forms, because people love to use SQL injections. To learn more about what SQL injections are and how they work, take a look at .
If you are using a database connection on some part of your website, make sure that you only open the connection when you need it. When you have finished your query, make sure to close the connection.
Once I had the problem that someone was able to get access to our server through our forums, since we enabled PHP uploading. Make sure to deactivate such features; it's easy to use this as an exploit. If you are planning to use forum software, make sure that it is up to date.
The best thing you basically could do is:
Move your website to a different server. If someone is able to use an exploit on your website and gets access to the server, he isn't able to do much, because he doesn't have access to the "main server".

3. Firewall
Just open ports if you need them. Usually your Firewall should only have these ports opened:
  • 4500 (standard Authserver-port)
  • 4514 (standard Gameserver-port)
  • 4615 (standard Uploadserver-port)
  • *3389 (standard RDP-Port)

Deactivate the other ones, they aren't necessary.

*A little tip here: If your provider gives you a static IP, just allow connections from this one. This might prevent people from bruteforcing (or whatever) to get access to your server.
If you don't care about money, this might also be an idea:
When DarknessFight moved to a private host, we had 3 servers: a database server, a Gameserver for the Main-GS (including the website and Authserver) and a Gameserver for our low-rate server. The database server and Main-Gameserver only allowed RDP connections from our LowRate-Gameserver, so when I was planning to connect to the database, I always had to connect to the LowRate-Server first.
If those 2 options aren't possible for you, then just leave it open.

4. Auth- and Gameserver
Well, since 7.4V2 (or was it 8.1?) this point is basically useless, but still:
Make sure that you have set a password for the telnet-function.

5. General things:
This point usually should be obvious, but there are some people out there who don't really care about it, so here again:
  1. Never give someone else access to your server. You can't trust anyone on the web.
  2. Use a different password for everything. Always a long one, including upper-/lowercase letters, special chars and numbers. A good one could look like this: U$w[_Ux[;zxtxofP-0I=;DÄBL?ö,LÜ
  3. Only use up-to-date software, in this case SQL & PHP. Sure, the newest PHP doesn't support the mssql class, but you can still use the SQL Server Driver for PHP from Microsoft.

Note:
I am not a specialist when it comes to server security. I am writing this from my own experience; also, this topic will not tell you how to secure your server against everything.
This topic lives on your information and experience. I will always update it if you got new and helpful tips.
If you think I made a mistake somewhere or I'm missing something, feel free to correct me. I'm always happy to learn something new.

I will add a FAQ for other things (e.g. "What to do on DDOS?") later, kinda tired yet.

If you have any questions, feel free to ask. I'm trying to answer them if it's possible. If not, maybe someone else can answer it.

Note for some persons out there:
Yes, I know that you hate me now because I'm giving out some of your most obvious methods. I know that some of you think that the community doesn't deserve it (long story, for those which don't know), but I am happy if I even helped 1 person with that. So: I really don't care about your hate.
That's it for today.

Sincerely yours,

Xijezu
VonStrucker is offline  
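
The two database points in the quoted collection (a separate website login limited to the permissions it needs, and checking form input against SQL injection) can be shown together in T-SQL. This is an added example, not code from any poster in the thread; the database WebDemo, the table dbo.Accounts with its columns, and both login names are assumptions made for the example, and the passwords are placeholders.

```sql
-- Added example. All object and login names are placeholders (assumed);
-- replace both <...> passwords before running on a test instance.

-- 1. Rename the built-in sa login and set a new long password.
ALTER LOGIN [sa] WITH NAME = [renamed_admin];
ALTER LOGIN [renamed_admin] WITH PASSWORD = N'<long random password>';
GO

-- 2. Constructed stand-in for the account table the website writes to.
CREATE DATABASE WebDemo;
GO
USE WebDemo;
GO
CREATE TABLE dbo.Accounts (
    account_id INT IDENTITY(1,1) PRIMARY KEY,
    login_name NVARCHAR(32)  NOT NULL UNIQUE,
    pw_hash    VARBINARY(64) NOT NULL
);
GO

-- 3. Separate website login with only the rights registration needs.
--    Add GRANT UPDATE only if a user control panel really requires it.
CREATE LOGIN [web_site] WITH PASSWORD = N'<different long random password>',
    CHECK_POLICY = ON;
CREATE USER [web_site] FOR LOGIN [web_site];
GRANT INSERT ON OBJECT::dbo.Accounts TO [web_site];
GRANT SELECT ON OBJECT::dbo.Accounts (login_name) TO [web_site];
GO

-- 4. Act as the website: form input is bound as parameters, so a quote
--    character in it stays data and never becomes part of the statement.
EXECUTE AS USER = 'web_site';
DECLARE @name NVARCHAR(32)  = N'O''Brien';  -- constructed form input
DECLARE @hash VARBINARY(64) = 0x0102;       -- constructed placeholder hash
EXEC sp_executesql
    N'INSERT INTO dbo.Accounts (login_name, pw_hash) VALUES (@n, @h);',
    N'@n NVARCHAR(32), @h VARBINARY(64)',
    @n = @name, @h = @hash;

-- 5. Report what this login may do on the table.
SELECT
    HAS_PERMS_BY_NAME('dbo.Accounts', 'OBJECT', 'INSERT') AS can_insert,
    HAS_PERMS_BY_NAME('dbo.Accounts', 'OBJECT', 'DELETE') AS can_delete,
    HAS_PERMS_BY_NAME('dbo.Accounts', 'OBJECT', 'SELECT',
                      'login_name', 'COLUMN')             AS can_read_name,
    HAS_PERMS_BY_NAME('dbo.Accounts', 'OBJECT', 'SELECT',
                      'pw_hash', 'COLUMN')                AS can_read_hash;
REVERT;
```

The website's connection string then uses the web_site login only; the renamed administrator login stays out of every script and configuration file on the web server.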