Retro Security

  1. #1
    Valued Member JordanEllis
    Rank: Member
    Join Date: Aug 2009
    Location: England
    Posts: 117

    Retro Security

    Hey all, I was just wondering if my Habbo retro was secure, or not - if not, how can I improve it?

    I have Xampp (deleted webdav), portforwarded, BCStorm, HabboPHP, no-ip domain.

    Was just wondering if there are any known exploits I can patch, or anything else that needs injecting into my database to prevent SQL injects, etc - anything to make it secure before it goes public is much appreciated. Thanks, Jord!

    Here is my CMS - I can't see any potential areas for injection apart from registration?
    Hobba


  2. #2
    ...[ White Rabbit ]... MentaL
    Rank: Administrator
    Join Date: Jan 2001
    Posts: 31,625

    Re: Retro Security

    Set a root password on phpmyadmin/sql.

  3. #3
    Resurrected Jam32
    Rank: Member
    Join Date: Aug 2008
    Location: Jamonia
    Posts: 2,394

    Re: Retro Security

    I really wouldn't use xampp.
    Also your site seems to be down. Best thing to do is search through this section and the release section for exploits. There are plenty lingering about!

  4. #4
    Valued Member JordanEllis
    Rank: Member
    Join Date: Aug 2009
    Location: England
    Posts: 117

    Re: Retro Security

    Hobba Hotel
    it shouldn't be down :(
    also I have the root password :p

    What else could I use instead of Xampp, seeing as it's being hosted on my laptop, rather than a VPS (for now)?

  5. #5
    Resurrected Jam32
    Rank: Member
    Join Date: Aug 2008
    Location: Jamonia
    Posts: 2,394

    Re: Retro Security

    If you're running on a laptop you'll have to be super secure. There are many skids and kiddy booters, who will simply boot you offline over something pathetic. Not just the hotel goes down but your connection will too. (4 years ago you'd be alright, nowadays it's e-suicide)

    If and when you get on a VPS use IIS. For now on a laptop I'd personally use a proper Apache and MySQL setup (not prepacked together like XAMPP).

  6. #6
    Banned V for Vendetta
    Rank: Banned
    Join Date: Feb 2007
    Posts: 1,809

    Re: Retro Security

    I'll have to be honest that you need the following improvements.

    - If you're running on a VPS then you might want to add a DDoS proxy for if people are going to try to attack your server.

    - Don't use XAMPP, just use IIS because that's much better and way more secure.

    - Be sure that your passwords are somewhere where nobody else can breach them, so be sure that you have them written down on a paper on your desk or some such.

    Last: Delete Anonymous. Via there people can upload to your files and just delete them easily.

  7. #7
    Developer Quackster
    Rank: Developer
    Join Date: Dec 2010
    Location: Australia
    Posts: 3,474

    Re: Retro Security

    Your domain links to a LAN IP. Which is why it's down for us.

  8. #8
    Valued Member JordanEllis
    Rank: Member
    Join Date: Aug 2009
    Location: England
    Posts: 117

    Re: Retro Security

    Quote Originally Posted by Quackster View Post
    Your domain links to a LAN IP. Which is why it's down for us.
    Does this work?

    Quote Originally Posted by Chaosfire View Post
    I'll have to be honest that you need the following improvements.

    - If you're running on a VPS then you might want to add a DDoS proxy for if people are going to try to attack your server.

    - Don't use XAMPP, just use IIS because that's much better and way more secure.

    - Be sure that your passwords are somewhere where nobody else can breach them, so be sure that you have them written down on a paper on your desk or some such.

    Last: Delete Anonymous. Via there people can upload to your files and just delete them easily.
    I'm not running on a VPS as of yet, so I guess IIS is out of the window? And the password isn't written anywhere apart from my config settings. Anonymous deleted, thank you.

    Quote Originally Posted by Jam32 View Post
    If you're running on a laptop you'll have to be super secure. There are many skids and kiddy booters, who will simply boot you offline over something pathetic. Not just the hotel goes down but your connection will too. (4 years ago you'd be alright, nowadays it's e-suicide)

    If and when you get on a VPS use IIS. For now on a laptop I'd personally use a proper Apache and MySQL setup (not prepacked together like XAMPP).
    Any further help on the Apache and MySQL setup? As I am using a laptop for now, and XAMPP (suicide, I know).

  9. #9
    Pee Aitch Pee Dave
    Rank: Member
    Join Date: Mar 2011
    Location: The Netherlands
    Posts: 722

    Re: Retro Security

    Use Cloudflare, NGINX and restrict special pages to your IP only.

  10. #10
    Banned V for Vendetta
    Rank: Banned
    Join Date: Feb 2007
    Posts: 1,809

    Re: Retro Security

    Quote Originally Posted by SuperWaffle View Post
    Use Cloudflare, NGINX and restrict special pages to your IP only.
    How about no. Cloudflare sucks, he'd rather want to use a DDoS proxy.

  11. #11
    Lurking since '06 1ntel
    Rank: Member
    Join Date: Jul 2006
    Posts: 401

    Re: Retro Security

    deleted
    Last edited by 1ntel; 30-04-13 at 09:33 PM.

  12. #12
    Valued Member JordanEllis
    Rank: Member
    Join Date: Aug 2009
    Location: England
    Posts: 117

    Re: Retro Security

    Tell me more about CloudFlare, please, if you would

  13. #13
    I don't even know azaidi
    Rank: Member
    Join Date: Apr 2010
    Location: the Netherlands
    Posts: 2,065

    Re: Retro Security

    Your SWF links in your client are set to 192.168.1.71, and your no-ip site is too. Please set everything to your IP 86.164.153.144 or to your no-ip domain.
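
Added example, not part of the thread: the misconfiguration pointed out in posts #7 and #13 (client links and the domain pointing at 192.168.1.71) can be caught before launch by scanning configuration text for IPv4 literals that outside visitors cannot reach. The function name, the sample keys and the `hotel.example` host are constructed for illustration.

```python
import ipaddress
import re

# Candidate dotted quads; real validation is left to the ipaddress module.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# Constructed sample of client-facing settings (key names are hypothetical).
SAMPLE_CLIENT_CONFIG = """\
client_host = 192.168.1.71
client_port = 30000
swf_base_url = http://192.168.1.71/swf/
texts_url = http://hotel.example/swf/texts.txt
assets_url = http://127.0.0.1/assets/
"""


def non_public_addresses(text):
    """Return (line_no, address, reason) for each IPv4 literal in `text`
    that a visitor outside the local network cannot connect to."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in IPV4_RE.finditer(line):
            try:
                addr = ipaddress.IPv4Address(match.group(1))
            except ipaddress.AddressValueError:
                continue  # not a valid address, e.g. 999.1.1.1
            # Check the narrow ranges first: is_private also covers them.
            if addr.is_loopback:
                reason = "loopback"
            elif addr.is_link_local:
                reason = "link-local"
            elif addr.is_private:
                reason = "private (LAN)"
            else:
                continue  # publicly routable, nothing to report
            findings.append((line_no, str(addr), reason))
    return findings


if __name__ == "__main__":
    for line_no, addr, reason in non_public_addresses(SAMPLE_CLIENT_CONFIG):
        print(f"line {line_no}: {addr} is {reason}; use the public host name")
```

Run it over every file the browser or client loads; addresses used only server-side, such as a database bound to loopback, are expected there and need no change.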

  14. #14
    Valued Member JordanEllis
    Rank: Member
    Join Date: Aug 2009
    Location: England
    Posts: 117

    Re: Retro Security

    Yeah I figured that out, had to create a new no-ip as the old one is on a different email, apparently.
    It's now hobba.no-ip.org, which is better

    ERROR: Sorry, that domain ("no-ip.org") requires an extra step. Please contact us directly and we'll help you quickly.
    :(

  15. #15
    Banned V for Vendetta
    Rank: Banned
    Join Date: Feb 2007
    Posts: 1,809

    Re: Retro Security

    Quote Originally Posted by matty13 View Post
    Explain what is wrong with Cloudflare?
    You can find the IP easily brother. You haven't read my previous post obviously yet but you are always able to get the VPS/Computer ip which makes them still able to screw around with you.


