@Xijezu With respect to IIS 7, it is not helpful for PHP to connect to MSSQL if there is a solution.
Also, I would like to add something simple for protection, which determines the course of the program that uses a port through the firewall, and does not leave it open to all.
Quote:
Originally Posted by c1ph3r
6. Disallow the get_env and set_env functions for every GM. You are able to get all .opt values, like the database password hash, via get_env.
It is well known that in the versions of Rappelz there is authorization by a major = 100, or you could say that it gives you full powers; therefore a secondary level could determine the commands, and will face some problems in that, because it changes from version 7.4 to later ones, such as the issuance of 80, 70 and 60, but about version 8.1 I don't know.
If people properly read the first page of the XAMPP website, they could find:
"The philosophy behind XAMPP is to build an easy to install distribution for developers to get into the world of Apache. To make it convenient for developers XAMPP is configured with all features turned on.
The default configuration is not good from a security point of view and it's not secure enough for a production environment - please don't use XAMPP in such environment."
So if they choose to publish it in that state, it's at their own risk!
Better to use a combination of:
Apache 2.2.x
PHP 5.2.10 (supports MSSQL drivers as good as most of new website engines)
MySQL 5.x (if needed)
There are so many step-by-step tutorials on how to install all of this. But if someone finds IIS better than naked Apache, it may be good. But tbh I never used IIS either, because I had some problems with the config. And installing just Apache+PHP+MySQL+Perl manually was easier for me.
My vote will go to IIS every time, and Mongrel next time. Try installing via the Web Platform Installer; it makes installing IIS + extra modules + PHP + PHP Driver 3.0+ (MSSQL_ API replacement for the SQLSRV_ API) a breeze, mate.
Needless to say, you definitely should rename the SA account and give it a really strong password. Unfortunately you can't disable the Windows login, so if someone has access to your server, then he is basically able to log in to your database.
If your website needs a connection to your database, it might be a good idea to create a different login user with one of these permissions: INSERT (needed for registration), SELECT (only if you want to show some stats; might also be used for registration [depends on your script]) and UPDATE (depends on whether you are using a User Control Panel). Take a look at the next point for more information.
2. Website
The first thing: Do not use XAMPP. Just don't. It isn't made for public hosting; you can easily get hacked because of that.
The most used web servers are Apache & IIS. I personally prefer IIS, since it already comes with Windows and it's easy to configure.
For the website itself, make sure that you are always checking the user input in forms, because people love to use SQL injections. To learn more about what SQL injections are and how they work, take a look at .
If you are using a database connection on some part of your website, make sure that you only open the connection when you need it. When you have finished your query, make sure to close the connection.
Once I had the problem that someone was able to get access to our server through our forums, since we had enabled PHP uploading. Make sure to deactivate such features; it's easy to use this as an exploit. If you are planning to use forum software, make sure that it is up to date.
The best thing you basically could do is:
Move your website to a different server. If someone is able to use an exploit on your website and gets access to the server, he isn't able to do much, because he doesn't have access to the "main server".
3. Firewall
Just open ports if you need them. Usually your firewall should only have these ports open:
4500 (standard Authserver port)
4514 (standard Gameserver port)
4615 (standard Uploadserver port)
*3389 (standard RDP port)
Deactivate the other ones; they aren't necessary.
*A little tip here: If your provider gives you a static IP, just allow connections from this one. This might prevent people from brute-forcing (or whatever) to get access to your server.
If you don't care for money, this might also be an idea:
When DarknessFight moved to a private host, we had 3 servers: a database server, a Gameserver for the main GS (including the website and Authserver) and a Gameserver for our low-rate server. The database server and main Gameserver only allowed RDP connections from our LowRate Gameserver, so when I was planning to connect to the database, I always had to connect to the LowRate server first.
If those 2 options aren't possible for you, then just leave it open.
4. Auth- and Gameserver
Well, since 7.4V2 (or was it 8.1?) this point is basically useless, but still:
Make sure that you have set a password for the telnet function.
5. General things:
This point should usually be obvious, but there are some people out there who don't really care about it, so here it is again:
Never give someone else access to your server. You can't trust anyone on the web.
Use a different password for everything. Always a long one, including upper-/lowercase letters, special chars and numbers. A good one could look like this: U$w[_Ux[;zxtxofP-0I=;DÄBL?ö,LÜ
Only use up-to-date software, in this case SQL & PHP. Sure, the newest PHP doesn't support the mssql class, but you can still use the SQL Server Driver for PHP from Microsoft.
Note:
I am not a specialist when it comes to server security; I am writing this from my own experience. Also, this topic will not tell you how to secure your server against everything.
This topic lives on your information and experience. I will always update it if you have new and helpful tips.
If you think I made a mistake somewhere or I'm missing something, feel free to correct me. I'm always happy to learn something new.
I will add a FAQ for other things (e.g. "What to do on DDoS?") later, kinda tired yet.
If you have any questions, feel free to ask. I'm trying to answer them if possible. If not, maybe someone else can answer.
Note for some persons out there:
Yes, I know that you hate me now because I'm giving out some of your most obvious methods. I know that some of you think that the community doesn't deserve it (long story, for those who don't know), but I am happy if I even helped 1 person with that. So: I really don't care about your hate.
That's it for today.
Sincerely yours,
Xijezu
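The database advice in the guide above (rename the SA account, give the website its own login with only INSERT/SELECT/UPDATE) can be scripted. The following is an added example, not code from Xijezu's post or from the Rappelz server itself. It assumes the SqlServer PowerShell module (Invoke-Sqlcmd) on the database host, a default local instance, and that it is run by a sysadmin. The database name `Telecaster`, the table `dbo.Accounts`, the login name `web_site` and the renamed SA name `sa_renamed` are placeholders; substitute your own.

```powershell
# Added example (not from the original post): a least-privilege SQL Server login
# for the website, so the web code never runs as 'sa'.
# Assumes: SqlServer module (Invoke-Sqlcmd), local default instance, sysadmin rights.
# All names below are placeholders.

$Instance = 'localhost'
$Database = 'Telecaster'      # placeholder: your game/account database
$WebLogin = 'web_site'        # placeholder: the login the website will use

# Ask for the password interactively so it never sits in the script file.
$cred  = Get-Credential -UserName $WebLogin -Message "Password for the $WebLogin login"
$plain = $cred.GetNetworkCredential().Password
# Double up single quotes so the password cannot break out of the T-SQL literal.
$plainEsc = $plain.Replace("'", "''")

$tsql = @"
-- 1. Rename sa (the guide's first step) if it still has its default name.
IF EXISTS (SELECT 1 FROM sys.server_principals WHERE name = 'sa')
    ALTER LOGIN [sa] WITH NAME = [sa_renamed];   -- placeholder new name

-- 2. A dedicated login for the website, with Windows password policy enforced.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = '$WebLogin')
    CREATE LOGIN [$WebLogin] WITH PASSWORD = N'$plainEsc', CHECK_POLICY = ON;

USE [$Database];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = '$WebLogin')
    CREATE USER [$WebLogin] FOR LOGIN [$WebLogin];

-- 3. Only the permissions the guide names, and only on the table the site touches:
--    INSERT for registration, SELECT for stats / duplicate-name checks,
--    UPDATE for a user control panel. dbo.Accounts is a placeholder table name.
GRANT SELECT, INSERT, UPDATE ON OBJECT::dbo.Accounts TO [$WebLogin];

-- Explicitly deny what a web login must never be able to do.
DENY DELETE, ALTER ON OBJECT::dbo.Accounts TO [$WebLogin];
"@

Invoke-Sqlcmd -ServerInstance $Instance -Query $tsql

# Verify by impersonating the new user and listing its effective table permissions.
Invoke-Sqlcmd -ServerInstance $Instance -Database $Database -Query @"
EXECUTE AS USER = '$WebLogin';
SELECT permission_name FROM fn_my_permissions('dbo.Accounts', 'OBJECT') ORDER BY permission_name;
REVERT;
"@
```

The verification query at the end should list only INSERT, SELECT and UPDATE; if DELETE or ALTER show up, the login has been added to a broader database role somewhere and that membership should be removed.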
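The firewall section above (only 4500, 4514, 4615 and 3389 open, RDP restricted to your own static IP) is what the next script configures on the Windows Firewall. It is an added example, not part of Xijezu's post. It assumes Windows Server 2012 or later (the NetSecurity cmdlets), an elevated PowerShell session, and that `$AdminIp` is replaced with the static IP your provider gave you (the value below is a documentation-range placeholder).

```powershell
# Added example (not from the original post): lock the Windows Firewall down to the
# ports listed in the guide and allow RDP only from one static admin IP.
# Assumes Windows Server 2012+ (NetSecurity module) and an elevated session.

$AdminIp = '203.0.113.10'   # placeholder (RFC 5737 range): your own static IP

# The three game ports from the guide; RDP is handled separately below.
$GamePorts = @{
    'Rappelz Authserver'   = 4500
    'Rappelz Gameserver'   = 4514
    'Rappelz Uploadserver' = 4615
}

# 1. Default-deny inbound on every profile; outbound stays allowed.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow

# 2. Players connect from anywhere, so the game ports are open to all.
foreach ($name in $GamePorts.Keys) {
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort $GamePorts[$name] -Action Allow -Profile Any | Out-Null
    }
}

# 3. RDP only from the admin's static IP (the guide's "little tip").
$rdpRule = 'RDP from admin IP only'
if (-not (Get-NetFirewallRule -DisplayName $rdpRule -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $rdpRule -Direction Inbound -Protocol TCP `
        -LocalPort 3389 -RemoteAddress $AdminIp -Action Allow -Profile Any | Out-Null
}

# 4. The built-in "Remote Desktop" rule group allows 3389 from anywhere;
#    disable it or the restriction above is meaningless.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule

# 5. Report any remaining enabled inbound allow rule for a TCP port outside the
#    list (e.g. 1433 for SQL Server or 3306 for MySQL), so it can be reviewed.
$allowed = @(4500, 4514, 4615, 3389)
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
    $rule = $_
    $pf   = $rule | Get-NetFirewallPortFilter
    if ($pf.Protocol -ne 'TCP') { return }
    foreach ($p in @($pf.LocalPort)) {
        if ($p -ne 'Any' -and $allowed -notcontains $p) {
            "{0}: TCP {1} is still open, review this rule" -f $rule.DisplayName, $p
        }
    }
}
```

Run step 3 before step 4 from a session that is not itself over RDP (or from the admin IP), otherwise you lock yourself out. Step 5 is a report, not a fix: the database ports it typically flags (1433, 3306) should be reachable only from the web/game host, which is the separate-server setup the guide describes.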
Even though it's old, your post is still helping me, thanks!