You forget something. Everyone can use any ultra mega super security options with firewall, antivir, ddos protection and so policies but those things never give protection against USER'S (and nab roots) IDIOTISM!
1: How so, exactly?
2: When you fix up files on your own, you close any backdoors no matter the release. But if you would like to elaborate, please do
Forum software often allows uploads. Same server has a forum. By setting chmod 777 /etc/hosts you have created a backdoor next time the security patches update.
Plain text HTTP is HACKABLE when you have chmod 777 directories - because of the PUT command in the specification.
Nothing important should be world writable ever, and I prefer nothing at all be world writable and simply use write access as necessary on groups because this is more secure. Remember a user can be a member of multiple groups as well.
I can keep going about the atrocious security most of your packages have. One of my favorites so far was an extra user in the mysql database. If I ever want to build a botnet, I'll start hunting for private shard PWI Servers.
I too am working on a tutorial with good security practices.
The extra security is giving me a bit of a headache since Java does not log errors. (Missed another hard coded directory setting based off everything written to /.)
Everything is intended to run as a user, with user level permissions for mysql, the perfect world server running from /home/pwuser/, etc. I run drupal web servers on the same 8 xeon processor machine, I'm not handing the whole thing over to PW.
I know I'm new here but claiming there are no back doors in most of these server implementations is flat out wrong.
Most forums don't get these sorts of things right. Sometimes the upload button is sanitized, but an XSS can pick another URL to download the file from since most PHP scripts don't determine between local and remote resources.
Please do elaborate how:
a) You plan to upload code which changes/adds a hosts file entry, seeing that any modern forum software uses file tokens for sanitizing download links
b) This entry compromises system security
c) How this "created a backdoor" in a system as I have described it further up
The best hacks are protocol hacks.
HTTP isn't "HACKABLE", it is a protocol. Apache, nginx, lighttpd, litespeed, etc, all have the 1.1 extensions of HTTP disabled by default. Nobody in the 21st century uses them anymore.
I mean the package set the guy up as a GM, set him up with the maximum allowed gold in the database, and set him with an extra user that you didn't configure. After I removed the 3rd backdoor I got to thinking, being a noob and not understanding all this stuff I might close 7 backdoors and miss 3 more. I went looking for a 1.4.5 then 1.4.6 package with better security.
As for the extra user, yes, of course you'd want an extra user with less privileges than root, please don't tell me you use your root mysql accounts for everything. Or did you mean something else?
phpmyadmin works on a local socket, even the /tmp/mysql.sock configuration. You use that user/pass to log in via phpmyadmin. There are tons of ways of leveraging a mysql user account up to mysql root.
Also, unless the server owner is retarded and has his mysql open on WAN, you'd need a way to talk to it from localhost, meaning you already have a way to execute remote code on the system, in which case Mysql access would be interesting, but not mandatory. Point is, mysql access, even on root, doesn't help you much in rooting a box.
Any installation that has chmod 777 is not correct. At all. It is lazy. An installer script should keep the permissions the same, only use whoami and groups commands and chown chgrp as needed.
No, the implementation itself is correct, it's the way people use said implementations... I beg to differ.
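As an added example that is not part of any post in this thread: one way to find world-writable paths under an install directory and switch them to group write, the approach argued for above. The function names and the sample tree are hypothetical and constructed for illustration; path names are assumed to contain no newlines.

```shell
#!/bin/sh
# Added example (not from the thread): function names are hypothetical.
# Assumes path names contain no newlines.

# Print every file or directory under $1 that any local user may write to.
# Symlinks are ignored, and sticky directories (mode 1777, like /tmp) are
# skipped because the sticky bit already limits who may delete entries.
audit_world_writable() {
    find "$1" -xdev \( \( -type f -perm -0002 \) -o \
        \( -type d -perm -0002 ! -perm -1000 \) \) -print | sort
}

# Replace "everyone may write" with "members of group $2 may write":
# hand each flagged path to the group, grant group write, drop other write.
fix_world_writable() {
    fix_dir=$1
    fix_group=$2
    audit_world_writable "$fix_dir" | while IFS= read -r path; do
        chgrp "$fix_group" "$path" && chmod g+w,o-w "$path"
    done
}

# Constructed sample tree standing in for a server install directory.
make_demo_tree() {
    demo_root=$(mktemp -d)
    mkdir "$demo_root/logs" "$demo_root/spool"
    : > "$demo_root/server.conf"
    : > "$demo_root/logs/world.log"
    chmod 777 "$demo_root/logs" "$demo_root/server.conf"  # lazy installer
    chmod 644 "$demo_root/logs/world.log"                  # already fine
    chmod 1777 "$demo_root/spool"                          # sticky, like /tmp
    printf '%s\n' "$demo_root"
}

# Demo: run as "sh audit.sh demo" to see the before and after listings.
if [ "${1:-}" = "demo" ]; then
    tree=$(make_demo_tree)
    echo "world-writable before:"; audit_world_writable "$tree"
    fix_world_writable "$tree" "$(id -g)"
    echo "world-writable after:"; audit_world_writable "$tree"
    rm -rf "$tree"
fi
```

Changing a path's group to one the calling user does not belong to requires root; the demo uses the caller's own primary group so it runs unprivileged.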
Ok, I totally agree with most of the things u guys say, but I am a noob, I mean noober than you ever met, and I been searching already like 4 months or so, to figure out how to set up and use 1.4 server with virtual box, since every time I do it somehow all my files read as notepad, and I keep having issues on log in on to the server with virtual box, I can't seem to find how to change the files from notepad format to what it has to be originally, I don't know any programming, development, and other game developing programs, I never worked with anything like this, so idk what to do, one of the reasons I am replying to this thread because all the things u mentioned above I am that, like spoon feed. I just don't know where and how to start, and search for