elitepvpers > MMORPGs > Rappelz > Rappelz Private Server

[Collection] Server Security

#1 (Xijezu)

Hey,

Based on discussion, I decided to create a little "collection" about how to protect your server.

SQL-Server
Website
Firewall
Auth-/Gameserver
General Things
Note
Special Note


1. SQL Server
Needless to say, you definitely should rename the SA account and give it a really strong password. Unfortunately you can't disable the Windows login, so if someone has access to your server, he is basically able to log in to your database.
If your website needs a connection to your database, it might be a good idea to create a different login user with one of these permissions: INSERT (needed for registration), SELECT (only if you want to show some stats, might also be used for registration [depends on your script]) and UPDATE (depends on whether you are using a User Control Panel). Take a look at the next point for more information.

2. Website
The first thing: Do not use XAMPP. Just don't. It isn't made for public hosting; you can easily get hacked because of that.
The most used web servers are Apache & IIS. I personally prefer IIS, since it already comes with Windows and it's easy to configure.
For the website itself, make sure that you are always checking the user input in forms, because people love to use SQL injections. To learn more about what SQL injections are and how they work, take a look at .
If you are using a database connection on some part of your website, make sure that you only open the connection when you need it. When you have finished your query, make sure to close the connection.
Once I had the problem that someone was able to get access to our server through our forums, since we had enabled PHP uploading. Make sure to deactivate such features; it's easy to use this as an exploit. If you are planning to use forum software, make sure that it is up to date.
The best thing you basically could do is:
Move your website to a different server. If someone is able to use an exploit on your website and gets access to the server, he isn't able to do much, because he doesn't have access to the "main server".

3. Firewall
Just open ports if you need them. Usually your Firewall should only have these ports opened:
  • 4500 (standard Authserver-port)
  • 4514 (standard Gameserver-port)
  • 4615 (standard Uploadserver-port)
  • *3389 (standard RDP-Port)

Deactivate the other ones, they aren't necessary.

*A little tip here: If your provider gives you a static IP, just allow connections from this one. This might prevent people from brute-forcing (or whatever) to get access to your server.
If you don't care about money, this might also be an idea:
When DarknessFight moved to a private host, we had 3 servers: a database server, a Gameserver for the Main GS (including the website and Authserver) and a Gameserver for our low-rate server. The database server and Main Gameserver only allowed RDP connections from our LowRate Gameserver, so when I was planning to connect to the database, I always had to connect to the LowRate server first.
If those 2 options aren't possible for you, then just leave it open.

4. Auth- and Gameserver
Well, since 7.4V2 (or was it 8.1?) this point is basically useless, but still:
Make sure that you have set a password for the telnet-function.

5. General things:
This point usually should be obvious, but there are some people out there who don't really care about it, so here again:
  1. Never give someone else access to your server. You can't trust anyone on the web.
  2. Use a different password for everything. Always a long one, including upper-/lowercase letters, special chars and numbers. A good one could look like this: U$w[_Ux[;zxtxofP-0I=;DBL?,L
  3. Only use up-to-date software, in this case SQL & PHP. Sure, the newest PHP doesn't support the mssql class, but you can still use the SQL Server Driver for PHP from Microsoft.

Note:
I am not a specialist when it comes to server security; I am writing this from my own experience. Also, this topic will not tell you how to secure your server against everything.
This topic lives on your information and experience. I will always update it if you have new and helpful tips.
If you think I made a mistake somewhere or I'm missing something, feel free to correct me. I'm always happy to learn something new.

I will add a FAQ for other things (e.g. "What to do on DDOS?") later, kinda tired yet.

If you have any questions, feel free to ask. I'm trying to answer them if it's possible. If not, maybe someone else can answer it.

Note for some persons out there:
Yes, I know that you hate me now because I'm giving out some of your most obvious methods. I know that some of you think that the community doesn't deserve it (long story, for those who don't know), but I am happy if I even helped 1 person with that. So: I really don't care about your hate. :)
That's it for today.

Sincerely yours,

Xijezu



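The firewall section above amounts to a default-deny policy: a few game ports open to everyone, RDP reachable only from one fixed address, everything else dropped. The following is an added example (not code from the thread) that models that policy so it can be reasoned about and audited; the admin address 203.0.113.10 is a made-up documentation address standing in for the "static IP from your provider" or the LowRate server the post describes.

```python
import ipaddress
from dataclasses import dataclass

# Added example, not the thread's own code. The rule set mirrors the first post:
# ports 4500/4514/4615 open to any source, 3389 only from one admin address,
# and an implicit "drop everything else" at the end.

@dataclass(frozen=True)
class Rule:
    name: str
    port: int
    sources: tuple  # tuple of ipaddress networks; empty tuple means "any source"

ANY = ()
# Hypothetical static admin / LowRate-server address (TEST-NET-3, documentation range).
ADMIN_IP = "203.0.113.10"

RULES = (
    Rule("authserver", 4500, ANY),
    Rule("gameserver", 4514, ANY),
    Rule("uploadserver", 4615, ANY),
    Rule("rdp-admin-only", 3389, (ipaddress.ip_network(ADMIN_IP + "/32"),)),
)


def decide(rules, src_ip, dst_port):
    """Return (verdict, rule_name). First matching rule wins; no match means DROP."""
    src = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule.port != dst_port:
            continue
        if not rule.sources or any(src in net for net in rule.sources):
            return ("ALLOW", rule.name)
    return ("DROP", None)  # default deny: anything not listed is dropped


def world_exposed(rules):
    """Audit helper: which ports are reachable from any source address at all."""
    return sorted(rule.port for rule in rules if not rule.sources)


if __name__ == "__main__":
    for src, port in [("198.51.100.7", 4500), ("198.51.100.7", 3389),
                      (ADMIN_IP, 3389), ("198.51.100.7", 23)]:
        print(src, port, decide(RULES, src, port))
    print("exposed to the world:", world_exposed(RULES))
```

The useful part is `world_exposed`: after changing rules, running it tells you at a glance whether 3389 (or a telnet or database port) has silently become reachable from everywhere, which is the situation the post's "just leave it opened" fallback accepts.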
#2 (gr4ph0s)

Quote (Originally Posted by Xijezu):
3. Firewall
Just open ports if you need them. Usually your Firewall should only have these ports opened:
  • 4500 (standard Authserver-port)
  • 4518 (standard Gameserver-port)
  • *3389 (standard RDP-Port)
Personally, many hacks are made through the Gameserver or AuthServer. I really recommend closing these ports and changing the default RDP port ^^

For the website, don't use old SQL... PHP5 exists and PDO too... Now only use them; like that, no injection!!! If you don't know them, go learn ^^


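The first post warns about SQL injection through form input and the reply above recommends PDO; the mechanism behind both is the same, and the following added example (not code from the thread) shows it side by side. It uses Python's sqlite3 module as a stand-in for the PHP/MSSQL stack being discussed, with a made-up `accounts` table: one login function builds the query by string concatenation, the other passes the values as bound parameters the way PDO prepared statements do.

```python
import sqlite3

# Added example, not the thread's own code. The accounts table and its two rows are
# constructed for the demo; sqlite3 stands in for the MSSQL/PHP stack in the thread.
# Passwords are stored in clear text only to keep the demo short.


def make_db():
    """Build an in-memory database with a hypothetical accounts table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (name TEXT PRIMARY KEY, password TEXT)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)",
                   [("alice", "correct-horse"), ("bob", "battery-staple")])
    return db


def login_vulnerable(db, name, password):
    """String concatenation: the user's input becomes part of the SQL text itself,
    so quotes and keywords in the input change what the query means."""
    sql = ("SELECT name FROM accounts WHERE name = '" + name +
           "' AND password = '" + password + "'")
    return [row[0] for row in db.execute(sql)]


def login_parameterized(db, name, password):
    """Placeholders: the driver sends the values separately from the SQL text,
    so the input is always compared as data and can never become SQL."""
    sql = "SELECT name FROM accounts WHERE name = ? AND password = ?"
    return [row[0] for row in db.execute(sql, (name, password))]


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"   # the classic textbook input: turns the WHERE into "always true"
    print("vulnerable, normal login:   ", login_vulnerable(db, "alice", "correct-horse"))
    print("vulnerable, injected input: ", login_vulnerable(db, "x", tautology))
    print("parameterized, normal login:", login_parameterized(db, "alice", "correct-horse"))
    print("parameterized, injected:    ", login_parameterized(db, "x", tautology))
```

The injected input returns every account from the concatenated version and nothing from the parameterized one. This is also why the first post's advice about a restricted database login matters: parameters stop the input from becoming SQL, and a SELECT/INSERT-only website user limits the damage if some other query on the site is still built by concatenation.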
#3 (j4ckwr4th)
wow, tyvm.

I do thank you for your helpful hints. I actually asked that question myself, but am uneducated in SQL, so I simply backed out of putting mine online for now lol.

Quote (Originally Posted by gr4ph0s):
If you don't know them, go learn ^^
This part however isn't really in the spirit of this thread, is it?
#4 (Xijezu)
Quote (Originally Posted by gr4ph0s):
Personally, many hacks are made through the Gameserver or AuthServer. I really recommend closing these ports and changing the default RDP port ^^
Well, if you close 4500 and 4518, how should people connect to the server then? :)

Quote (Originally Posted by gr4ph0s):
For the website, don't use old SQL... PHP5 exists and PDO too... Now only use them; like that, no injection!!! If you don't know them, go learn ^^
Almost forgot that. I'll add it, thanks. :)


#5 (HeavenOnlyWishes)
A little bit of information from one of my friends who's a Network Admin:

If you decide to build your own server, first off use Windows Server 2008 or 2012, do not use Windows 7 or 8 or XP or whatever.

Secondly, make sure you have adequate Antivirus and Firewall security. The best Antivirus to use is Microsoft Security Essentials.

And lastly, and I quote: "... security is a balancing act between usability and security." ; "... it boils down to using secure protocols. SFTP or SCP for file transfer, SSH and RDP over VPN for management, strong pass phrases, etc..."

And when setting up your server, ensure that the OS and any and all non-necessary network ports are CLOSED and locked down. The only information that should be transferring between your server and the user is data pertaining to the game and only the game.

Much of this also pertains to a hosted dedicated server as well.
#6 (Xijezu)

Quote (Originally Posted by HeavenOnlyWishes):
If you decide to build your own server, first off use Windows Server 2008 or 2012, do not use Windows 7 or 8 or XP or whatever.
If you're using a server from a hosting-company, they usually install Windows Server on it.

Quote (Originally Posted by HeavenOnlyWishes):
Secondly, make sure you have adequate Antivirus and Firewall security. The best Antivirus to use is Microsoft Security Essentials.
I'm not sure about this part. At the very beginning I was trying this on DF, but it seems that Microsoft Security Essentials caused some problems with the server; I wasn't able to connect to RDP again. Same for the Firewall (that's why I prefer Windows Firewall).

Quote (Originally Posted by HeavenOnlyWishes):
The only information that should be transferring between your server and the user is data pertaining to the game and only the game.
I'm not sure here either, but wouldn't this require a special tool which checks the packet structure and either forwards it or not?
#7 (HeavenOnlyWishes)

Quote (Originally Posted by Xijezu):
If you're using a server from a hosting-company, they usually install Windows Server on it.
True, but not everyone knows what OS to use when building their own, which is why I mentioned it...


Quote (Originally Posted by Xijezu):
I'm not sure about this part. At the very beginning I was trying this on DF, but it seems that Microsoft Security Essentials caused some problems with the server; I wasn't able to connect to RDP again. Same for the Firewall (that's why I prefer Windows Firewall).
Not sure about the issues with MSE, I've never had any... As for the firewall, it depends on what firewall you use. My friend hosts several servers across multiple platforms and OSs, he swears by MSE, and he has a pretty beefy firewall to complement it. Not sure what he uses though.


Quote (Originally Posted by Xijezu):
I'm not sure here either, but wouldn't this require a special tool which checks the packet structure and either forwards it or not?
As far as I know you should be able to set WS2008/2012 up to prevent unwanted access and data transfer on its own, but using a utility to back this up wouldn't be a bad idea. I can ask.... ok, we're just using names at this point cause "my friend" is getting old.... his name's Pat, I can ask Pat about it.
#8 (hackfever)
Disable WebDAV in XAMPP 1.7.3 or older and XAMPP will be a lot more secure. WebDAV has a default password and username on all installations of these versions and will let anyone upload a file to your web server and run any command they wish on your computer. I've seen a lot of people on here say "your server security is horrible, look in your web documents for a file I left you". This is a very easy thing to do, only takes 5 seconds to accomplish.

You can just delete the folder webdav and remove all webdav lines in xampp/apache/conf/httpd.conf, then restart Apache and this backdoor will be gone.
#9 (Xijezu)

Quote (Originally Posted by hackfever):
Disable WebDAV in XAMPP 1.7.3 or older and XAMPP will be a lot more secure. WebDAV has a default password and username on all installations of these versions and will let anyone upload a file to your web server and run any command they wish on your computer. I've seen a lot of people on here say "your server security is horrible, look in your web documents for a file I left you". This is a very easy thing to do, only takes 5 seconds to accomplish.

You can just delete the folder webdav and remove all webdav lines in xampp/apache/conf/httpd.conf, then restart Apache and this backdoor will be gone.
There would still be some security holes open. Also, like I said, XAMPP isn't for public hosting, so I personally don't recommend XAMPP.
#10 (c1ph3r)
1. MSF the best AntiVirus? Okay, I wouldn't say that, but hey, AntiVirus isn't the important thing, because normally you do not use your Root to download a lot of **** from the internet, and you should test the files you are transferring to your root on your own PC. But it's always better to have antivirus software, because nobody knows... but normally this won't happen very often if you don't use your root as a download server.

2. I wouldn't use port 3389; switch it to something else so that attackers have to search for it.

3. DON'T FORGET TO CHANGE YOUR AUTH SERVER TELNET PW (About 80% of the "new" pservers didn't do that)

4. For the 8.1 GS use console.allow_ip to configure the ip's that are allowed to connect via telnet. Example: S console.allow_ip:127.0.0.1
(Notice: Since 8.1 the console PW is hashed)

5. Test your root on your own: or check for exploits.

6. Disallow the get_env and set_env functions for every gm. You are able to get all .opt values like the database pw hash via get_env.

7. Don't use the official CS. (I'm not sure about it, but as far as I know there is a known security hole in the CS.)

8. If you are using the upload server don't forget that there is a telnet client in the upload server too.

9. If you use an Apache/Tomcat on a Windows machine... make sure that this server isn't running on the Administrator account!

10. If you are using MySQL for your website, don't forget to close the MySQL port!

@Xijezu perhaps you should say a few words about the upload server. You have to open the upload server ports if you want to get the guild icons running. They should be open too
#11 (Black.Berry)

Is there a way for the full protection of the father DOS Attack?
#12 (Xijezu)

Quote (Originally Posted by Black.Berry):
Is there a way for the full protection of the father DOS Attack?
As far as I know: No. As a (maybe bad) example, see Anonymous.
A real DDoS attack can take down almost everything.
The problem is:
Windows just has 2 ways to handle packets: Allow or Drop.
Linux has 3 ways to handle the packets due to iptables: Allow, Drop and Ignore.
If you use a Linux server as some kind of "router" and disable incoming connections to your Windows server (except from the Linux server), you are able to handle a lot of those DDoS attacks.

If someone knows a different (or even better) way or if I'm wrong here, feel free to tell me. :)

Quote (Originally Posted by c1ph3r):
2. I wouldn't use port 3389; switch it to something else so that attackers have to search for it.
Well, ... If it takes 2 minutes more it doesn't matter, just use a port scanner and you've got the new port. :/

Quote (Originally Posted by c1ph3r):
6. Disallow the get_env and set_env functions for every gm. You are able to get all .opt values like the database pw hash via get_env.
Will add this, thanks.

Quote (Originally Posted by c1ph3r):
8. If you are using the upload server don't forget that there is a telnet client in the upload server too.
Everything GALA made has a telnet client, even their patch server on retail. Guess how I was able to take the patch server down for a day? ;p

Quote (Originally Posted by c1ph3r):
10. If you are using MySQL for your website, don't forget to close the MySQL port!
Why use MySQL if you've got swa... eh.. MSSQL?
Well, okay, if you are using forum software, but in this case you really should move the website to a different server.

Quote (Originally Posted by c1ph3r):
@Xijezu perhaps you should say a few words about the upload server. You have to open the upload server ports if you want to get the guild icons running. They should be open too ;)
Damnit, I forgot about this. Thanks.
#13 (c1ph3r)

Quote (Originally Posted by Xijezu):
Well, ... If it takes 2 minutes more it doesn't matter, just use a port scanner and you've got the new port. :/
There are firewalls available with port scanning detection that will make this a little bit harder.
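The exchange above (moving RDP to another port only costs a scanner a couple of minutes; firewalls with port-scan detection make it harder) comes down to one detection idea: a single source hitting many different closed ports in a short time. The following is an added example (not code from the thread or from any firewall product) that implements that logic over a handful of constructed firewall DROP log lines; the log format and addresses are made up for the demo.

```python
import re
from collections import defaultdict

# Added example, not the thread's own code. SAMPLE_LOG is constructed to look like
# firewall DROP records ("<epoch> DROP <src_ip> -> <dst_port>"); the addresses are
# documentation ranges and the format is invented for this demo.
SAMPLE_LOG = """\
1000 DROP 198.51.100.7 -> 22
1001 DROP 198.51.100.7 -> 23
1002 DROP 198.51.100.7 -> 80
1003 DROP 198.51.100.7 -> 443
1004 DROP 198.51.100.7 -> 3389
1005 DROP 198.51.100.7 -> 3390
1020 DROP 203.0.113.5 -> 4500
1400 DROP 203.0.113.5 -> 4514
1800 DROP 198.51.100.7 -> 3391
"""

LINE_RE = re.compile(r"^(\d+) DROP (\S+) -> (\d+)$")


def parse(log_text):
    """Turn the log text into (timestamp, source_ip, dst_port) tuples; skip junk lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((int(m.group(1)), m.group(2), int(m.group(3))))
    return events


def detect_scans(events, window=60, threshold=5):
    """Flag sources that touch at least `threshold` distinct dropped ports within any
    `window`-second span (sliding window per source). Returns {src: max_ports_seen}."""
    by_src = defaultdict(list)
    for ts, src, port in sorted(events):
        by_src[src].append((ts, port))
    flagged = {}
    for src, hits in by_src.items():
        start = 0
        for end in range(len(hits)):
            # shrink the window from the left until it spans at most `window` seconds
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct_ports = {p for _, p in hits[start:end + 1]}
            if len(distinct_ports) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(distinct_ports))
    return flagged


if __name__ == "__main__":
    for src, count in detect_scans(parse(SAMPLE_LOG)).items():
        print("possible port scan from", src, "-", count, "distinct ports in 60s")
```

In the sample, 198.51.100.7 probes six ports in six seconds and is flagged; 203.0.113.5 hits two game ports several minutes apart, which is normal client noise, and is not. A flagged source is what a firewall's scan detection would block or rate-limit, and it is the signal that makes a relocated RDP port slightly less trivial to find, without pretending the port change alone is protection.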
I would like to ask that this post be Stickied.....
#14 (HeavenOnlyWishes)
agreed

edit : rest was null ^^

