- Joined
- Aug 16, 2007
- Messages
- 1,378
- Reaction score
- 581
Everyone who is serious about the Ran server business should follow at least some of these steps for a better server security.
This guide is aimed at people who know how to use a computer and have at least some IT knowledge
Important Security practices :
1) (Most Important) Use the Server Machine for NOTHING OTHER than hosting the server, if possible don't even host database, website and server in the same machine, the more you seperate these 3 the safer it is.
2) Use middle man between Appache server and database, instead of allowing the webserver to edit the database directly, use Sockets (with javascript) and send requests to a server that will then write and read from the database, that way no matter how screwed up your website is, the server won't allow any bad queries to be run, so you have 100% protection against database damaging hacks
The reason why it's so important to use a middle man in the webserver is because of the config.php, that file contains your password and username for the SQL database! Using Appache exploits people can read your config.php and get full access to your database, if you use a middle man, there's no config.php inside the www folder, so there is no risk
3) Restrict the permissions of the SQL user, most people use SA as user account for server and website, that's very unprofessional, you should create an SQL user that has only the rights that it needs, for example server doesn't need the right to use DELETE command, it never deletes any line, so you could create a new SQL user that has SELECT and UPDATE rights only, as for the web server, if you let the web server access the website directly I suggest there too to remove the DELETE right, but the best would be to have a middle man
4) Daily back ups, use SQL Agent to create a recurring query that will backup your database on daily basis, the server can be running during the backup, but make sure the backup is done during off peak hours to prevent lag because during backup process a lot of I/O is consumed from the hard disk which delays interaction with the database (causes char failed to be processed)
5) Redundancy : Keep your database alive in multiple computers at a time!
A hard drive is never fail safe, even if you never had a hard drive crash on you for years, it could happen, any day, any time it could just be gone! So to prevent damage, setup SQL Redundancy, using 2 SQL Servers on different comptuers, google how to setup Redundancy (Replication servers) on SQL
6) Don't use .exe files that you can't trust! Any .exe you don't know could be a RAT (Remote access trojan) which will allow the creator of the RAT to access your pc freely, download your data, delete your stuff. RATs are the number 1 reason for data leaks in big companies! Because any employer (GM/CO Admin) Could download and click some .exe on ANY computer in the network, and infect the whole network with it. So even if you have 200 server machines, if 1 of them is infected, and the servers are in 1 network, you're screwed, all your data is compromised! Antivirus can't help you either, they're not 100% accurate
7) In the worst case, that your database was compromised, your players data would get lost! Which can be very bad for you. So to keep your players data safe, you need to follow these steps :
- NEVER EVER store credit card information on your database!!! Let paypal do that for you, they can safeguard their data better than a simple Ran server
- Md5 is not safe!! I can bruteforce 8 letter md5 passwords in 11 seconds! You need to add SHA1 to the md5 passwords, and maybe use salt (google it), for that, you need to edit the stored procedure user_verify (in RanUser) and add to the password argument from the procedure, the SHA1 hash. Also at your registration, on your website, you need to apply SHA256 AFTER using md5 hash! That way your passwords will be so hard, you'll need over 10.000 computers to bruteforce the passwords.
- Use Sha1 on your usernames too! Before saving the usernames in your database use Sha1 hash on them and them on user verify use Hashbytes('SHA1',Username) on the username argument before it's compared with the database
Using that will prevent anyone from getting the passwords and usernames of your player so they can't try other websites if the username and pass is the same, most people use their passwords at multiple places and if your data is compromised many player could suffer from hacked facebooks,paypal,accounts in other games
8) Don't rely too much on firewalls/Antivirus, they don't save you, firewalls are pointless on servers because servers are made to accept connections, you enable connection to certain ports, so the firewall is inactive in those ports, you just have to make sure you have no ports open that aren't ment to be open! Make sure the only ports open are those you opend yourself! RATs and Virus might open ports for their malicious activity
9) Use a long password for your database connection! at least 16 signs to prevent people from bruteforcing your SQL Password
10) Disable SA in SQL, create a new user account with a different name, but delete SA, everyone knows SA exists, so if a hacker wants to find a valid account their first try is SA
11) Don't give access to the server machine to anyone! Best is if only 1 single person uses the server machine ever!
12) Disable guest account, rename your user account don't have it called Admin or Administrator, don't use passwords like root, admin, administrator, 1234, qwerty, help, guest, or any word in a dictionary
13) Do not use the same password twice in your network, especially not the same password as the one you use in a website, your computer or anywhere, because if someone gets hold of your pass from another site they could hack your network
14) Do not use FTP! FTP doesn't use encryption for passwords, means that when you login to your FTP your password information travels the internet, reaches many routers of people, if they are using packet sniffers to listen to your connection they could pick up your password
If your server is popular the risk of hack increases. And not every hacker is a noob who uses tamper data or WPE, some know exactly what they're doing so, you better be prepared, security is not just about hack protection, it's also about data safeguarding, that way, no matter what happens, your data won't be gone
This guide is aimed at people who know how to use a computer and have at least some IT knowledge
Important Security practices :
1) (Most Important) Use the Server Machine for NOTHING OTHER than hosting the server, if possible don't even host database, website and server in the same machine, the more you seperate these 3 the safer it is.
2) Use middle man between Appache server and database, instead of allowing the webserver to edit the database directly, use Sockets (with javascript) and send requests to a server that will then write and read from the database, that way no matter how screwed up your website is, the server won't allow any bad queries to be run, so you have 100% protection against database damaging hacks
The reason why it's so important to use a middle man in the webserver is because of the config.php, that file contains your password and username for the SQL database! Using Appache exploits people can read your config.php and get full access to your database, if you use a middle man, there's no config.php inside the www folder, so there is no risk
3) Restrict the permissions of the SQL user, most people use SA as user account for server and website, that's very unprofessional, you should create an SQL user that has only the rights that it needs, for example server doesn't need the right to use DELETE command, it never deletes any line, so you could create a new SQL user that has SELECT and UPDATE rights only, as for the web server, if you let the web server access the website directly I suggest there too to remove the DELETE right, but the best would be to have a middle man
4) Daily back ups, use SQL Agent to create a recurring query that will backup your database on daily basis, the server can be running during the backup, but make sure the backup is done during off peak hours to prevent lag because during backup process a lot of I/O is consumed from the hard disk which delays interaction with the database (causes char failed to be processed)
5) Redundancy : Keep your database alive in multiple computers at a time!
A hard drive is never fail safe, even if you never had a hard drive crash on you for years, it could happen, any day, any time it could just be gone! So to prevent damage, setup SQL Redundancy, using 2 SQL Servers on different comptuers, google how to setup Redundancy (Replication servers) on SQL
6) Don't use .exe files that you can't trust! Any .exe you don't know could be a RAT (Remote access trojan) which will allow the creator of the RAT to access your pc freely, download your data, delete your stuff. RATs are the number 1 reason for data leaks in big companies! Because any employer (GM/CO Admin) Could download and click some .exe on ANY computer in the network, and infect the whole network with it. So even if you have 200 server machines, if 1 of them is infected, and the servers are in 1 network, you're screwed, all your data is compromised! Antivirus can't help you either, they're not 100% accurate
7) In the worst case, that your database was compromised, your players data would get lost! Which can be very bad for you. So to keep your players data safe, you need to follow these steps :
- NEVER EVER store credit card information on your database!!! Let paypal do that for you, they can safeguard their data better than a simple Ran server
- Md5 is not safe!! I can bruteforce 8 letter md5 passwords in 11 seconds! You need to add SHA1 to the md5 passwords, and maybe use salt (google it), for that, you need to edit the stored procedure user_verify (in RanUser) and add to the password argument from the procedure, the SHA1 hash. Also at your registration, on your website, you need to apply SHA256 AFTER using md5 hash! That way your passwords will be so hard, you'll need over 10.000 computers to bruteforce the passwords.
- Use Sha1 on your usernames too! Before saving the usernames in your database use Sha1 hash on them and them on user verify use Hashbytes('SHA1',Username) on the username argument before it's compared with the database
Using that will prevent anyone from getting the passwords and usernames of your player so they can't try other websites if the username and pass is the same, most people use their passwords at multiple places and if your data is compromised many player could suffer from hacked facebooks,paypal,accounts in other games
8) Don't rely too much on firewalls/Antivirus, they don't save you, firewalls are pointless on servers because servers are made to accept connections, you enable connection to certain ports, so the firewall is inactive in those ports, you just have to make sure you have no ports open that aren't ment to be open! Make sure the only ports open are those you opend yourself! RATs and Virus might open ports for their malicious activity
9) Use a long password for your database connection! at least 16 signs to prevent people from bruteforcing your SQL Password
10) Disable SA in SQL, create a new user account with a different name, but delete SA, everyone knows SA exists, so if a hacker wants to find a valid account their first try is SA
11) Don't give access to the server machine to anyone! Best is if only 1 single person uses the server machine ever!
12) Disable guest account, rename your user account don't have it called Admin or Administrator, don't use passwords like root, admin, administrator, 1234, qwerty, help, guest, or any word in a dictionary
13) Do not use the same password twice in your network, especially not the same password as the one you use in a website, your computer or anywhere, because if someone gets hold of your pass from another site they could hack your network
14) Do not use FTP! FTP doesn't use encryption for passwords, means that when you login to your FTP your password information travels the internet, reaches many routers of people, if they are using packet sniffers to listen to your connection they could pick up your password
If your server is popular the risk of hack increases. And not every hacker is a noob who uses tamper data or WPE, some know exactly what they're doing so, you better be prepared, security is not just about hack protection, it's also about data safeguarding, that way, no matter what happens, your data won't be gone
Last edited:
