Ok, I'm officially sick of this.. All noobs, this is for you

Banned
Joined
Dec 3, 2010
Messages
1,581
Reaction score
619
You forget something. Everyone can use any ultra mega super security options with firewall, antivir, DDoS protection and so on policies, but those things never give protection against USERS' (and nab roots') IDIOTISM!
 
Robb
Loyal Member
Joined
Jan 22, 2009
Messages
1,224
Reaction score
466
You would be surprised how many people leave ports in the 10xxx range open
 
Initiate Mage
Joined
Jul 20, 2013
Messages
4
Reaction score
0
1: How so, exactly?
2: When you fix up files on your own, you close any backdoors no matter the release. But if you would like to elaborate, please do.

Forum software often allows uploads. Same server has a forum. By setting chmod 777 /etc/hosts you have created a backdoor next time the security patches update.

Plain text HTTP is HACKABLE when you have chmod 777 directories - because of the PUT command in the specification.

Nothing important should be world writable ever, and I prefer nothing at all be world writable and simply use write access as necessary on groups because this is more secure. Remember a user can be a member of multiple groups as well.

I can keep going about the atrocious security most of your packages have. One of my favorites so far was an extra user in the mysql database. If I ever want to build a botnet, I'll start hunting for private shard PWI Servers.

I too am working on a tutorial with good security practices. The extra security is giving me a bit of a headache since Java does not log errors. (Missed another hard coded directory setting based off everything written to /.) Everything is intended to run as a user, with user level permissions for mysql, the perfect world server running from /home/pwuser/, etc. I run drupal web servers on the same 8 xeon processor machine, I'm not handing the whole thing over to PW.

I know I'm new here but claiming there are no back doors in most of these server implementations is flat out wrong.
 
Joined
Feb 8, 2010
Messages
711
Reaction score
361
Forum software often allows uploads. Same server has a forum. By setting chmod 777 /etc/hosts you have created a backdoor next time the security patches update.

Please do elaborate how:
a) You plan to upload code which changes/adds a hosts file entry, seeing that any modern forum software uses file tokens for sanitizing download links
b) This entry compromises system security
c) How this "created a backdoor" in a system as I have described it further up

Plain text HTTP is HACKABLE when you have chmod 777 directories - because of the PUT command in the specification.

HTTP isn't "HACKABLE", it is a protocol. Apache, nginx, lighttpd, litespeed, etc. all have the 1.1 extensions of HTTP disabled by default. Nobody in the 21st century uses them anymore.

Nothing important should be world writable ever, and I prefer nothing at all be world writable and simply use write access as necessary on groups because this is more secure. Remember a user can be a member of multiple groups as well.

I agree with this.

I can keep going about the atrocious security most of your packages have. One of my favorites so far was an extra user in the mysql database. If I ever want to build a botnet, I'll start hunting for private shard PWI Servers.

You are assuming that because the default packages have potential security audits, that we are all retarded and can't close them? Well... you could be correct, since 98% of this forum thinks development is copying files from forum directly to server. For the rest of us, please don't assume this. As for the extra user, yes, of course you'd want an extra user with less privileges than root, please don't tell me you use your root mysql accounts for everything. Or did you mean something else?

Also, unless the server owner is retarded and has his mysql open on WAN, you'd need a way to talk to it from localhost, meaning you already have a way to execute remote code on the system, in which case Mysql access would be interesting, but not mandatory. Point is, mysql access, even on root, doesn't help you much in rooting a box.

I too am working on a tutorial with good security practices.

Cool, but noobs don't read.

The extra security is giving me a bit of a headache since Java does not log errors. (Missed another hard coded directory setting based off everything written to /.)

Uhm yes, yes it does.


Everything is intended to run as a user, with user level permissions for mysql, the perfect world server running from /home/pwuser/, etc. I run drupal web servers on the same 8 xeon processor machine, I'm not handing the whole thing over to PW.

Yeah, linux 101.

I know I'm new here but claiming there are no back doors in most of these server implementations is flat out wrong.

No, the implementation itself is correct, it's the way people use said implementations... I beg to differ ;).
 
Initiate Mage
Joined
Jul 20, 2013
Messages
4
Reaction score
0
Please do elaborate how:
a) You plan to upload code which changes/adds a hosts file entry, seeing that any modern forum software uses file tokens for sanitizing download links
b) This entry compromises system security
c) How this "created a backdoor" in a system as I have described it further up
Most forums don't get these sorts of things right. Sometimes the upload button is sanitized, but an XSS can pick another URL to download the file from since most PHP scripts don't distinguish between local and remote resources.

HTTP isn't "HACKABLE", it is a protocol. Apache, nginx, lighttpd, litespeed, etc. all have the 1.1 extensions of HTTP disabled by default. Nobody in the 21st century uses them anymore.
The best hacks are protocol hacks. Apache basically says the script needs to be really good at #1 restricting itself to the web root and #2 the file permissions need to block writing. To make this more complicated, REST API uses PUT/DELETE in the HTTP specification. The original claim was that HTTP itself in text mode was unhackable. Well that's not true, there is also that HTTP 1.1 extension for the websocket protocol, but the browsers are supposed to come up with a security extension beyond the spec to avoid that nasty poisoning attack. "Text only" and "simple" is no defense for total security, it is a false sense of security.

As for the extra user, yes, of course you'd want an extra user with less privileges than root, please don't tell me you use your root mysql accounts for everything. Or did you mean something else?
I mean the package set the guy up as a GM, set him up with the maximum allowed gold in the database, and set him with an extra user that you didn't configure. After I removed the 3rd backdoor I got to thinking, being a noob and not understanding all this stuff I might close 7 backdoors and miss 3 more. I went looking for a 1.4.5 then 1.4.6 package with better security.

Also, unless the server owner is retarded and has his mysql open on WAN, you'd need a way to talk to it from localhost, meaning you already have a way to execute remote code on the system, in which case Mysql access would be interesting, but not mandatory. Point is, mysql access, even on root, doesn't help you much in rooting a box.
phpmyadmin works on a local socket, even the /tmp/mysql.sock configuration. You use that user/pass to log in via phpmyadmin. There are tons of ways of leveraging a mysql user account up to mysql root.

No, the implementation itself is correct, it's the way people use said implementations... I beg to differ ;).
Any installation that has chmod 777 is not correct. At all. It is lazy. An installer script should keep the permissions the same, only use whoami and groups commands and chown chgrp as needed.

Again I want to beat down this "simple is secure" concept. If you don't call *any* libraries at all and only read never write data, that might be an excuse. Neither is true in this case. Most of the time app writers will assume that if the script has file permission to write the script is allowed to write. This isn't a security hole in and of itself because nothing should be running as root, and nothing should be world writable.

I'm used to Python, which will tell me if a library or resource fails to load. These execution scripts aren't checking to see if the folder exists before setting it as the base directory for the script:

export CLASSPATH=.:/usr/lib/jvm/java-6-sun-1.6.0.26/lib/dt.jar:/usr/lib/jvm/java-6-sun-1.6.0.26/lib/tools.jar:/usr/lib/jvm/java-6-sun-1.6.0.26/lib/mysql-connector-java-3.0.16-ga-bin.jar

Well, none of those places existed, and the directions specifically said to install openjdk-6-jre. The libraries called by the script don't exist and I get a silent fail. It prints *some* errors, which is deceptive when it can't load the necessary libraries that are required. Java is a witch, you will never convince me otherwise. .Net and Python are also middleware and don't suffer any of the problems that Java has despite being bytecode languages as well. For example, Python can read low level data, and Java can't. It can also call ctypes. It also tells me when a library is missing. Having a fake PATH is one thing but needing libraries from the PATH and not being able to find them is a different one.

I am not going to be explicit with directions how to hack for 2 reasons. #1 I'd be too tempted to root a bunch of PW Servers over the weekend. #2 So would other people.
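Two of the complaints in this post, a CLASSPATH whose jars do not exist failing silently and a database account nobody on the box created, are both things an installer can check before the server is ever started. The script below is an added example written for this thread; it is not code from the thread or from any server package. The CLASSPATH in the demo and the account list returned by `sample_accounts` are constructed samples, and the allow-list of accounts is something the operator has to write from their own installation notes.

```shell
#!/bin/sh
# Added example, not code from the thread or from any server package.
# Two audits for a freshly unpacked server package:
#   1. every CLASSPATH entry must exist, otherwise refuse to start loudly
#   2. every database account must be one the operator created themselves
# Paths and account names in the demo are constructed samples.

# check_classpath CP
# Prints "missing: <entry>" for every CLASSPATH entry that does not exist.
# Returns 0 when all entries exist, 1 otherwise.
check_classpath() {
    missing=0
    old_ifs=$IFS
    IFS=:
    set -- $1            # split the colon-separated list into positional args
    IFS=$old_ifs
    for entry in "$@"; do
        case "$entry" in
            ""|.) continue ;;      # empty entry and "." both mean the cwd
        esac
        if [ ! -e "$entry" ]; then
            echo "missing: $entry"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# audit_db_accounts ALLOWLIST
# ALLOWLIST is a space-separated list such as "root@localhost pwuser@localhost".
# stdin carries "user<TAB>host" lines, the shape produced by
#   mysql -N -e "SELECT user, host FROM mysql.user"
# Prints "unexpected: user@host" for every account not on the allow-list.
# Returns 0 when every account is expected, 1 otherwise.
audit_db_accounts() {
    allow=" $1 "
    unexpected=0
    tab=$(printf '\t')
    while IFS=$tab read -r user host; do
        [ -z "$user" ] && continue
        case "$allow" in
            *" $user@$host "*) ;;          # expected account, nothing to say
            *) echo "unexpected: $user@$host"
               unexpected=$((unexpected + 1)) ;;
        esac
    done
    [ "$unexpected" -eq 0 ]
}

# sample_accounts
# Constructed stand-in for the mysql query output above. The third account is
# the kind of surprise the post describes: nobody on this box created it.
sample_accounts() {
    printf 'root\tlocalhost\npwuser\tlocalhost\ngm_helper\t%%\n'
}

main() {
    # Constructed CLASSPATH in the style of the quoted start script; the jar
    # paths are placeholders and are expected not to exist on this machine.
    cp=".:/usr/lib/jvm/example-jdk/lib/tools.jar:/usr/lib/jvm/example-jdk/lib/mysql-connector.jar"
    if check_classpath "$cp"; then
        echo "CLASSPATH ok"
    else
        echo "refusing to start: CLASSPATH has missing entries"
    fi
    # Only the accounts the operator knows they created; anything else is reported.
    sample_accounts | audit_db_accounts "root@localhost pwuser@localhost" \
        || echo "review the accounts listed above before exposing this server"
}

case "${1:-}" in
    demo) main ;;
esac
```

Run it with `sh audit.sh demo`. To audit a real installation, replace `sample_accounts` in `main` with the `mysql -N -e` query and put the accounts from your own installation notes in the allow-list; a start script can call `check_classpath "$CLASSPATH" || exit 1` before it launches Java so that a missing jar stops the server instead of producing the partial error output the post describes.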
 
Joined
Dec 26, 2010
Messages
483
Reaction score
17
I'm confused by this person who made this thread. That's it really, I think.

First, we are all noobs, me too.
So don't kill noobs with this thread if they post a help thread, and before, people already posted the tutorial and release.
Just say search, or help him, just give a clue.
If you give the full answer it's the same as giving them food to eat,
so they can't grow up by themselves.

Bad attitude.

By the way, for the security of your server maybe this is good to learn:

1) Change your port access, like pwAdmin, SSH
2) Rename your iWeb and PwAdmin
3) Rename your phpmyadmin
4) Make iptables rules to reject DDoS, hacking or sent packets

Maybe just that.

Listen to me...
This is the function of chmod:

chmod 777: all people can do anything.
chmod 755: just group and user can do anything here; this setting is the public setting for programs, usually users use that.
chmod 700: this is for private files, just the owner can use this, user and group can't use this. This setting is private for the owner.
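The chmod digits come up several times in this thread: the earlier posts argue that nothing should be world-writable and that group write access is the safer alternative, and the post above tries to summarize what 777, 755 and 700 mean. The script below is an added example written for this thread, not code from the thread or from any server package. It decodes an octal mode into the owner/group/others string that `ls -l` shows, lists the world-writable entries under a directory, and applies the group-write alternative. The directory and group passed to it are whatever the operator chooses; the temporary files used to exercise it are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Shows what the three octal chmod
# digits actually grant, finds the world-writable files the thread argues
# against, and applies the group-write alternative instead.
# DIR and GROUP are assumptions of whoever runs it.

# mode_to_rwx OCTAL
# Prints the ls-style permission string for a 3- or 4-digit octal mode.
# One digit each for owner, group, others; within a digit 4=read, 2=write,
# 1=execute, so 755 is rwx for the owner and r-x for group and others.
mode_to_rwx() {
    mode="$1"
    case "$mode" in
        0???) mode=${mode#0} ;;   # drop a leading zero such as 0755
    esac
    out=""
    for digit in $(printf '%s' "$mode" | sed 's/./& /g'); do
        r="-"; w="-"; x="-"
        [ $((digit & 4)) -ne 0 ] && r="r"
        [ $((digit & 2)) -ne 0 ] && w="w"
        [ $((digit & 1)) -ne 0 ] && x="x"
        out="$out$r$w$x"
    done
    printf '%s\n' "$out"
}

# world_writable DIR
# Lists files and directories under DIR that any user on the box can write to
# (the "chmod 777" case: the others-write bit, octal 002, is set).
# Returns 0 when nothing is world-writable, 1 otherwise.
world_writable() {
    found=$(find "$1" \( -type f -o -type d \) -perm -002 2>/dev/null)
    [ -n "$found" ] && printf '%s\n' "$found"
    [ -z "$found" ]
}

# harden_group_write DIR GROUP
# The alternative argued for earlier in the thread: hand write access to a
# group and take it away from everyone else. Users that need to write are
# then added to GROUP instead of opening the tree to the world.
harden_group_write() {
    chgrp -R "$2" "$1"
    chmod -R o-w,g+w "$1"
}

case "${1:-}" in
    demo)
        for m in 777 755 700 600; do
            echo "chmod $m -> $(mode_to_rwx "$m")"
        done
        dir=${2:-.}
        echo "world-writable entries under $dir:"
        world_writable "$dir" || echo "(fix with: harden_group_write $dir <group>)"
        ;;
esac
```

`sh perms.sh demo /home/pwuser` prints the decoded modes and then every world-writable file or directory under the server's home, which is exactly the list an installer that ran `chmod -R 777` leaves behind. The same `find` expression can be run from cron so that a later patch or re-install that reopens permissions shows up without anyone remembering to look.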
 
Junior Spellweaver
Joined
Aug 27, 2005
Messages
143
Reaction score
12
For security reasons I run a separate MySQL server on a dedicated machine, the game servers on separate dedicated machines, and the web server on a separate dedicated machine, and all of these sit behind a hardware firewall that has only the necessary ports open and nothing more.
To access any of them you must be in the LAN or on a VPN from outside.
 
Newbie Spellweaver
Joined
Jun 25, 2013
Messages
6
Reaction score
0
Ok, I totally agree with most of the things you guys say, but I am a noob, I mean noobier than you ever met, and I have been searching already for like 4 months or so to figure out how to set up and use a 1.4 server with VirtualBox, since every time I do it somehow all my files read as Notepad, and I keep having issues logging in to the server with VirtualBox. I can't seem to find how to change the files from Notepad format to what they have to be originally. I don't know any programming, development, or other game developing programs, I never worked with anything like this, so idk what to do. One of the reasons I am replying to this thread is because all the things you mentioned above, I am that, like spoon feed. I just don't know where and how to start, and search for
 
0, 1, 1, 2, 3, 5, 8, 13,
Joined
Sep 8, 2011
Messages
601
Reaction score
168
The learning never ends; become proficient in one aspect and you are a noob in others.
Gary, I started 2 years ago and still feel nooby :p
A great place to start, mate, is the 343 release of the 136 files; all the hard work has been done and with a little reading you can be up and running in no time.
In the 136 section most questions have already been asked, so with a lot of reading you will be able to make your way through problems.
Just my opinion, mate, as that is where I also began.
Good luck.
 
Joined
Apr 2, 2009
Messages
1,056
Reaction score
210
Ok, I totally agree with most of the things you guys say, but I am a noob, I mean noobier than you ever met, and I have been searching already for like 4 months or so to figure out how to set up and use a 1.4 server with VirtualBox, since every time I do it somehow all my files read as Notepad, and I keep having issues logging in to the server with VirtualBox. I can't seem to find how to change the files from Notepad format to what they have to be originally. I don't know any programming, development, or other game developing programs, I never worked with anything like this, so idk what to do. One of the reasons I am replying to this thread is because all the things you mentioned above, I am that, like spoon feed. I just don't know where and how to start, and search for

Only 4 months????

Most of us in here have already been at it 2-5 years, and they still feel it's not enough.

4 months is still a short time. You need to learn how to use Google search and some Unix. Believe me, I know Unix because of this PW.

And don't focus only on RZ. If you search about Unix in RZ, then you are at the wrong place. Use Google to learn about Unix.

Open your eyes and your brain. There are a lot of topics about Unix out there.
 
Joined
Oct 14, 2009
Messages
5,493
Reaction score
2,299
Yea, too many people now-a-days want:

[attached image: Psytrac - Ok, I'm officially sick of this.. All noobs, this is for you - RaGEZONE Forums]
 
Newbie Spellweaver
Joined
Jun 25, 2013
Messages
6
Reaction score
0
Ok, thank you guys for all the cool answers and the golden spoon. I was stuck on RaGEZONE trying to figure out all the answers, especially when it came to Unix. At least you guys did not make me feel like a real noob, thanks for that.
 
Elite Diviner
Joined
Mar 12, 2009
Messages
472
Reaction score
59
@Gary Balian, don't play the noob game, coz it does not exist in RZ. If you want something instant, prepare your money and ask some expert to do it; if you have no money, try to learn from "google" or your real-life teacher. Never ask someone here to teach you, it is nonsense; to be respected here you should have tons of skills (C/C++, asm, Java, *nix, reverse engineering tools, etc.).

So for the respect, stop chatting and start learning. Good luck!
 