[HOW TO] Basic server security, TO ALL P*SERVER OWNER
Discussion on [HOW TO] Basic server security, TO ALL P*SERVER OWNER within the Shaiya PServer Guides & Releases forum part of the Shaiya Private Server category.
07/18/2016, 14:50
#1
elite*gold: 0
Join Date: Feb 2015
Posts: 473
Received Thanks: 1,093
[HOW TO] Basic server security, TO ALL P*SERVER OWNER
Hello E*PvP,
As a lot of servers closed recently, I'll teach you how to make a decent server, because some servers here are just open to every kind of hack...
So let's go.
I / System Requirements
- A decent host
- If possible, having 2 servers would be better (one for your WEB server, and the other one for your GAME & SQL server)
- I would recommend you to use the latest Windows Server OS & latest SQL Server (so Windows Server 2012 R2 & nowadays). In fact, almost everyone is still using Windows Server 2008 R2 or SQL Server 2005....
II / Basic game-server protection
So, now we'll see how to set up decent firewall rules.
(to open your Windows firewall, simply type "fire" in your Windows search bar, and click on the first result, I mean this one:)
Now let's see the 3 required rules that I made.
- The first one, "Login & Game Shaiya Server", simply opens ports 30800 & 30810 (TCP only). Other Shaiya ports HAVE TO BE CLOSED, or we will be able to close your server remotely and so on.
- The second one, "RDP && SSH", will allow you to use Windows RDP to access your server, I mean this tool:
For this rule, please set "remote address" to your own home address. Why? Because if someone knows your password, he won't be able to use it.
Note: I'm using a custom RDP port, mine is 15000, but change it if you want. The default one is TCP port 3389.
- The last rule is for SQL Server. If you have 2 VPS, set "remote address" to your web server address; else delete this rule if you are running your web server & your SQL server on the same VPS. In fact, no one will be able to connect to your SQL Server, no matter if your password is Shaiya123 or a secure one.
Okay well... now we have a secure game server, basic issues are patched.
III / Basic Web server protection
* - PHP & Apache installation
Please, set up your web server yourself! Download here and here. Why? Because some "all in one" packages might contain obvious security issues in the panel that they give. So please delete (or secure) this panel. In fact this software is mainly made for local development, not for a public website. And almost all of these packages will run a MySQL DB... but we don't need it, and it will use your RAM.
a - web firewall
Here are the firewall rules for the second machine (or the web-related rules if you are using only one VPS). Ignore this step if you are using a classic web host (with cPanel and so on).
Okay, and now let's see the 2 rules that I made:
- The first one allows TCP HTTP && HTTPS (ports 80 & 443)
- The second one is, once again, for RDP, with, once again, "remote address" set to my home address.
Okay... now we have decent firewall protection, let's see the web-related issues.
b - SQL Injections
A lot of Shaiya PHP scripts are using GET or POST and then a SQL query with the wished variables. The problem is, if you are not using the PDO bind functions, or any other function that puts a variable in your query in a decent way, any kid will be able to drop your databases.
Now let's see 3 examples:
1 - file: exemple_odbc_unsafe.php
PHP Code:
<html>
<h2>Checking if user exists</h2>
<form method="POST" action="./exemple.php">
Username: <input type="text" name="username" />
</form>
<?php
if (isset($_POST["username"])) {
    $conn = odbc_connect("Driver={SQL Server Native Client 11.0};Server=127.0.0.1;Database=PS_UserData;", "Shaiya", "Shaiya123");
    // Vulnerable on purpose: the username is concatenated straight into the SQL text
    $rs = odbc_exec($conn, "SELECT Count(*) AS counter FROM PS_UserData.dbo.Users_Master WHERE UserID='" . $_POST["username"] . "';");
    $arr = odbc_fetch_array($rs);
    echo ("There is " . $arr['counter'] . " account(s) called " . $_POST["username"]);
}
?>
</html>
So this script is insecure, because we can inject any SQL code. For example, let's try with this username:
Code:
Trayne01'; DELETE FROM PS_UserData.dbo.Users_Master;--
In fact, if we put this "username", we will delete all our accounts. SO PLS DON'T DO THIS (if you just deleted your accounts, because you didn't use your brain no matter if I put it in the requirements, you can still restore your accounts by using .)
2 - file: exemple_odbc_safe.php
PHP Code:
<html>
<h2>Checking if user exists</h2>
<form method="POST" action="./exemple.php">
Username: <input type="text" name="username" />
</form>
<?php
if (isset($_POST["username"])) {
    $conn = odbc_connect("Driver={SQL Server Native Client 11.0};Server=127.0.0.1;Database=PS_UserData;", "Shaiya", "Shaiya123");
    // The username is bound to the ? placeholder, never concatenated into the SQL text
    $rs = odbc_prepare($conn, "SELECT Count(*) AS counter FROM PS_UserData.dbo.Users_Master WHERE UserID = ? ;");
    // odbc_execute() only returns true/false; the result rows stay in $rs
    odbc_execute($rs, array($_POST["username"]));
    $arr = odbc_fetch_array($rs);
    echo ("There is " . $arr['counter'] . " account(s) called " . $_POST["username"]);
}
?>
</html>
This script is safe, because we are using a function that makes our $_POST vars secure, and we can't inject SQL code.
3 - file: exemple_pdo_sqlsrv.php
PHP Code:
<html>
<h2>Checking if user exists</h2>
<form method="POST" action="./exemple.php">
Username: <input type="text" name="username" />
</form>
<?php
if (isset($_POST["username"])) {
    $dsn = "sqlsrv:Server=127.0.0.1;Database=PS_UserData";
    $user = 'Shaiya';
    $password = 'Shaiya123';
    try {
        $dbh = new PDO($dsn, $user, $password);
    } catch (PDOException $e) {
        echo 'Connection failed: ' . $e->getMessage();
        exit;
    }
    // Named placeholder :userid; the value is bound, not concatenated
    $res = $dbh->prepare("SELECT Count(*) AS counter FROM PS_UserData.dbo.Users_Master WHERE UserID = :userid ;");
    $res->bindParam(':userid', $_POST["username"], PDO::PARAM_STR, 32);
    $res->execute();
    // fetch() returns the single result row as an associative array
    $arr = $res->fetch(PDO::FETCH_ASSOC);
    echo ("There is " . $arr['counter'] . " account(s) called " . $_POST["username"]);
}
?>
</html>
This script is safe, because we are using the PDO::bindParam function, so we can't inject SQL code.
So, now let's see a last example, let's check if it is secure:
proc.php line 19
PHP Code:
if (isset($_POST['Var1'])) {
    $DisplayItemName = $_POST['Var1'];
    // Characters to replace: the quote becomes "_", accented letters are stripped
    $replace = array(
        "'" => "_",
        "é" => "e",
        "è" => "e",
        "ê" => "e",
        "î" => "i",
        //"ï" => "i",
        "à" => "a",
        "û" => "u",
        "ô" => "o"
    );
    //$newstr = utf8_encode(str_replace_assoc($replace,$_POST['Var1']));
    // str_replace_assoc() is not a PHP built-in; assumed to be a helper defined elsewhere in proc.php
    $newstr = str_replace_assoc($replace, $_POST['Var1']);
    $ItemName = $newstr;
The var $ItemName will be used later in our SQL vars:
PHP Code:
$CheckItemNumber="SELECT Grade from dbo.Items WHERE ItemName like '$ItemName'";
So it's not secure at all to put this script on your public website. (I made it for my admin panel months ago)
So how to secure this script, and make it usable for your public area?
Let's secure this script. Each time you have a variable declared as a query, it should be like:
PHP Code:
// $conn is the existing odbc_connect() handle; odbc_prepare() needs it as its first argument
$CheckItemNumber = odbc_prepare($conn, "SELECT Grade from dbo.Items WHERE ItemName like ? ;");
And so, at each odbc_exec(), we should use odbc_execute() instead:
proc.php line 40
PHP Code:
$retour=odbc_execute($CheckItemNumber,array($ItemName));
Yeah, in fact, it's really simple!
IV / Other basic exploits & issues
The secure ps_login.exe can be found .
OTHER DOWNLOADS
The secure ps_dbagent episode 4 can be found here. (patched item dupe)
The secure ps_dbagent episode 5.4 can be found here. (patched item dupe)
And secure ps_dbagent episode 6.3 (for Juuf's or Shen's files) can be found here. (patched item dupe)
As I invited you to use the latest SQL Server versions, here are some edited DLLs that I made to help you upgrade your SQL server. In fact, with these modifications you won't be able to use SQL Server 2012 and greater.
Edited 5.4 itemmall dll can be found here.
Edited Juuf's EP 6 dll can be found here.
Edited latest Shen's dll can be found here.
Edited Shen's dll (with wings) can be found here.
I'm still uploading these files, pls wait.
- If you are using a weird database,
Now you have a decent server, so your server should stay online for a long time.
Have fun!
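An added example (my own code, not Trayne01's or the Shaiya files'): the proc.php item lookup written with odbc_prepare()/odbc_execute() on an existing $conn handle (assumed to be the odbc_connect() result from the examples above), plus two checks that apply to exemple_odbc_safe.php as well: odbc_execute() treats a parameter that starts and ends with a single quote as a file name to read, and user input bound into a LIKE pattern still carries the % and _ wildcards unless escaped. The helper function names are mine.

```php
<?php
// Added example, not code from the original post: the proc.php item lookup
// rewritten with odbc_prepare()/odbc_execute(), plus two checks that also
// apply to exemple_odbc_safe.php. $conn is assumed to be an existing
// odbc_connect() handle like the one in the earlier examples.

// Escape the characters SQL Server treats specially inside a LIKE pattern
// (the escape character itself, %, _ and [), so user input matches literally.
function escapeLikePattern(string $value, string $esc = '\\'): string
{
    return str_replace(
        [$esc, '%', '_', '['],
        [$esc . $esc, $esc . '%', $esc . '_', $esc . '['],
        $value
    );
}

// odbc_execute() quirk (documented in the PHP manual): a parameter that both
// starts and ends with a single quote is taken as a FILE NAME whose contents
// are sent to the database. Reject such input rather than let the driver
// open files on the web server.
function isSafeOdbcParameter(string $value): bool
{
    $len = strlen($value);
    return !($len >= 2 && $value[0] === "'" && $value[$len - 1] === "'");
}

// Look up the Grade of an item by name. Returns null when the input is
// rejected, the query fails, or no row matches.
function lookupItemGrade($conn, string $itemName): ?int
{
    if (!isSafeOdbcParameter($itemName)) {
        return null;
    }
    // The pattern is bound as a parameter; ESCAPE '\' makes the escaping above
    // effective, so "100%" only matches an item literally named "100%".
    $stmt = odbc_prepare(
        $conn,
        "SELECT Grade FROM dbo.Items WHERE ItemName LIKE ? ESCAPE '\\';"
    );
    if ($stmt === false || !odbc_execute($stmt, [escapeLikePattern($itemName)])) {
        return null;
    }
    $row = odbc_fetch_array($stmt);
    return $row === false ? null : (int) $row['Grade'];
}

if (isset($_POST['Var1'])) {
    $grade = lookupItemGrade($conn, (string) $_POST['Var1']);
    // htmlspecialchars() keeps the echoed value from being interpreted as HTML
    echo $grade === null
        ? 'No such item'
        : 'Grade of ' . htmlspecialchars($_POST['Var1']) . ': ' . $grade;
}
```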
07/18/2016, 15:47
#2
elite*gold: 0
Join Date: Aug 2013
Posts: 244
Received Thanks: 56
Well, this just about covered everything for all of the noobies out there. Great Tutorial, Trayne.
07/18/2016, 15:59
#3
elite*gold: 0
Join Date: Oct 2015
Posts: 156
Received Thanks: 54
Nice one.
07/19/2016, 14:37
#4
elite*gold: 0
Join Date: Jul 2009
Posts: 64
Received Thanks: 8
@Trayne01: do you use any software to protect against DDoS, or just only a firewall?
07/19/2016, 16:45
#5
elite*gold: 0
Join Date: Feb 2015
Posts: 473
Received Thanks: 1,093
No I don't. They are all useless imo
07/21/2016, 12:37
#6
elite*gold: 0
Join Date: Jul 2009
Posts: 64
Received Thanks: 8
Quote:
Originally Posted by Trayne01
No I don't. They are all useless imo
How do you protect your server against DDoS?
07/21/2016, 13:19
#7
elite*gold: 0
Join Date: Feb 2015
Posts: 473
Received Thanks: 1,093
Quote:
Originally Posted by tkminh
How do you protect your server against DDoS?
Windows software won't protect you against DDoS... In fact DDoS is not the main problem for our Shaiya servers. I mean, if you are hosting your server at home, yeah, DDoS is a problem, but if you are using a decent hosting solution, then it's harder to be a target of these "DDoS"...
In fact, DDoS attacks are rare, and are much more rumors than serious attacks. I never saw a large-scale DDoS that forced a Shaiya server to close.
Since 2011, my servers have never slowed down because of DDoS.
And a lot of nowadays hosting services give DDoS protection for free (such as Arbor protection).
06/22/2020, 20:08
#8
elite*gold: 0
Join Date: Sep 2016
Posts: 4
Received Thanks: 0
Nice! Thanks
07/03/2020, 21:18
#9
elite*gold: 0
Join Date: Jul 2020
Posts: 22
Received Thanks: 7
Very good
Almost the same as I did, I used it to improve my changes xD