[Guide] Creating a Secure Environment for Game & Web Serv


Post by  on Mon Dec 24, 2007 6:34 am

1. Stopping Unwanted SQL Queries (SQL Server side)
1.a Setting up a new SQL user account
Quote:
Never connect to the database as a superuser or as the database owner.
Always use customized users with very limited privileges.

1.b Removing Remote Procedure Call
1.c Allowing SQL mixed-mode authentication (Windows and SQL)
1.d and READ THIS FOR MORE DETAILS

2. Server & Web Security
2.a General: do this!
Quote:

1. Install a firewall
2. Disable unnecessary services
3. Don't put up an unprotected FTP server (or an anonymous FTP service)
4. Install anti-virus software
5. Only enable the ports you are actually using (disable the others)


2.b IIS Security (Internet Information Services)
Quote:

1. Remove unused script mappings
Quote:
IIS is preconfigured to support common filename extensions such as .asp and .shtm. When IIS receives a request for a file of one of these types, the call is handled by a DLL. The IIS Lockdown Tool removes unneeded script mappings; however, your application may allow you to further refine the configuration. If you don't use some of these extensions or functionality, you should remove the mappings by following this procedure:
1. Open Internet Services Manager.
2. Right-click the Web server, and choose Properties.
3. Click Master Properties.
4. Select WWW Service, click Edit, click Home Directory, and then click Configuration.
Notes:
According to all the PHP installation packages, you are supposed to set your PHP mapping to allow ALL, but I believe it should only be POST, GET and REQUEST.

2. Set the proper permissions on everything
Quote:

Rule of thumb:
If it is for your own use only, set it so that only you can access it; do not allow anonymous connections to it.



2.c PHP security
Quote:

1. php.ini setting changes
Quote:
PHP Code:
register_globals = Off

This is so that no one can ever inject fake variables into your web application: all GET variables must be read as $_GET, all POST variables as $_POST, and so on.
PHP Code:
mssql.secure_connection = Off

This stops Windows authentication from being used to connect to your SQL Server, meaning PHP cannot connect to MSSQL unless you have set up a username/password on it. (By the way, this is the problem most servers have: even if they change the password, PHP still connects through Windows authentication. Turn this OFF.)
PHP Code:
display_errors = Off
log_errors = On
error_log = /var/log/php_errors

This is the MOST important one! You ask why? You know those guys who can get your database, and you often wondered how the hell they got it? This is the reason. Let me explain: when they UNION inject your website it will display an ERROR, and if they do it right they can actually get the usernames and passwords of all your users. Believe me, UNION injection is very easy to do, especially since the MU database schema is very well known, and even if they didn't know it they can always UNION inject to find out. Remember, the ERROR is what displays the database contents, so you should disable error reporting.
Another way to do this is to insert this into your website (make sure you put it at the top): report_errors(E_NONE);

This will stop any error from ever showing up. error_log is just the place where the logs go.
(Note: if some of these lines have a # before them, remove it. That marks a comment line, which disables the setting; removing it obviously enables the line.)
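The same hardening can be applied at runtime from a file that is included before anything else, which is useful on hosts where php.ini cannot be edited. The block below is an added example, not code from the original post; the log path is an assumption (use a file outside the web root that the web server account can write to), and it also installs handlers so that an uncaught database exception or a fatal error is logged rather than printed to the visitor.

```php
<?php
// Added example (not from the original post): runtime equivalent of the
// php.ini changes above. Include it first (auto_prepend_file or a require at
// the top of every script) so it runs before any output or database call.
// The log path is an assumption.

error_reporting(E_ALL);                       // keep reporting everything ...
ini_set('display_errors', '0');               // ... but never render it to the browser
ini_set('display_startup_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/php_errors');  // same path as the php.ini example

// An uncaught exception (e.g. a failing query) would otherwise print its
// message, which can include the SQL text and server details. Log the detail
// server-side and show a generic page instead.
set_exception_handler(function (Throwable $e): void {
    error_log(sprintf('[%s] %s in %s:%d', get_class($e), $e->getMessage(),
                      $e->getFile(), $e->getLine()));
    if (!headers_sent()) {
        http_response_code(500);
    }
    echo 'An internal error occurred. Please try again later.';
});

// Fatal errors (parse errors in included files, out of memory) bypass the
// exception handler; a shutdown function catches those as well.
register_shutdown_function(function (): void {
    $err = error_get_last();
    $fatal = [E_ERROR, E_PARSE, E_CORE_ERROR, E_COMPILE_ERROR];
    if ($err !== null && in_array($err['type'], $fatal, true)) {
        error_log(sprintf('Fatal: %s in %s:%d', $err['message'], $err['file'], $err['line']));
        if (!headers_sent()) {
            http_response_code(500);
        }
        echo 'An internal error occurred. Please try again later.';
    }
});
```

Keeping error_reporting at E_ALL while turning display_errors off is deliberate: the log still records every warning for you, only the browser stops seeing them.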

THIS IS THE MSSQL SPEED TRICK AND LOW DISCONNECTION using php.ini
PHP Code:
[MSSQL]
; Allow or prevent persistent links.
mssql.allow_persistent = On
; Maximum number of persistent links. -1 means no limit.
mssql.max_persistent = -1
; Maximum number of links (persistent+non persistent). -1 means no limit.
mssql.max_links = -1
; Minimum error severity to display.
mssql.min_error_severity = 10
; Minimum message severity to display.
mssql.min_message_severity = 10
; Compatability mode with old versions of PHP 3.0.
mssql.compatability_mode = Off
; Valid range 0 - 2147483647. Default = 4096.
mssql.textlimit = 4096
; Valid range 0 - 2147483647. Default = 4096.
mssql.textsize = 4096
; Limits the number of records in each batch. 0 = all records in one batch.
mssql.batchsize = 0
; Connect timeout in seconds.
mssql.connect_timeout = 5
; Query timeout in seconds.
mssql.timeout = 30
; Use NT authentication when connecting to the server
mssql.secure_connection = Off
; Specify max number of processes. Default = 25
mssql.max_procs = 250




2. Writing good Php Codes [read here]




3. SERVER ATTACKS DEFINED
3.a SQL injection (what is it, and how to stop it?)
Let me keep this short since it has been covered many times over. SQL injection is a type of attack that manipulates the query your scripts (ASP or PHP) send to the MSSQL database. These are the types:
Quote:
Direct URL
example: http://mysite.com/something.php?find=dude'; drop table character --
Above is an example of a direct URL injection.
Stopping recommendation:
1. Turn off register_globals in php.ini (see 2.c.1)
2. Filter all $_GET variables (do not allow bad words (UNION, drop) and bad characters (; - ' "))
3. Make it so that $_GET variables are limited in length (use the strlen() PHP function to count)


Quote:
Form Attack (this includes CSS / RCSS)
This is an attack targeted at the back end of your forms; by back end I mean the target of your forms. Since on MuOnline we do a lot of stuff using forms, such as registration, PK reset, level reset, change password, etc., this is a widely used injection attack.
Stopping recommendation:
1. Turn off register_globals in php.ini (see 2.c.1)
2. Filter all $_POST variables (do not allow bad words (UNION, drop) and bad characters (; - ' "))
3. Make it so that $_POST variables are limited in length (use the strlen() PHP function to count)
4. There are two other things you can do to your forms that make them 100% hack proof! One is to add a hidden session token to forms; this token is verified against the person's IP address and session. This is such a good idea that it is embedded in MuToolz. The other alternative is a random image verify script.
5. It is always a good idea to separate character input from number input and verify them in the back end. Also use built-in functions like htmlentities(), htmlspecialchars(), isnum(), etc.
Bottom line: SQL injection can be handled easily on very well programmed websites. The rule of thumb is to limit what the user can see and do, without him knowing it.
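Here is how the recommendations for both the direct-URL and the form case look in working code. This is an added example, not code from the original post or from MuToolz, and it goes one step further than the keyword filter the post suggests: the input is checked against an allowlist (letters and digits only, bounded length), so there is no list of "bad words" to maintain, and the value is then sent to SQL Server as a query parameter rather than pasted into the SQL text. It also shows the hidden session token from item 4 and a catch block that logs database errors instead of displaying them (the UNION-injection leak described in the next section). The table and column names ([Character], Name, cLevel), the DSN and the credentials are assumptions.

```php
<?php
// Added example, not part of the original post. Assumed table/column names
// ([Character], Name, cLevel), DSN and credentials.

// A name may only contain letters and digits and must be 1..10 characters.
// Quotes, semicolons, spaces and "--" are all rejected by this one check.
function valid_name(string $s): bool
{
    return $s !== '' && strlen($s) <= 10 && ctype_alnum($s);
}

// Numbers are handled separately from text: digits only, within a sane range.
function valid_level(string $s): bool
{
    return ctype_digit($s) && (int)$s >= 1 && (int)$s <= 400;
}

// Issue a token tied to this session and (as the post suggests) the client
// address; the form embeds it in a hidden field named "token".
function issue_form_token(): string
{
    $token = bin2hex(random_bytes(16));
    $_SESSION['form_token'] = $token;
    $_SESSION['form_ip'] = $_SERVER['REMOTE_ADDR'] ?? '';
    return $token;
}

// Verify the submitted token with a constant-time compare, then discard it so
// it cannot be replayed.
function check_form_token(?string $submitted): bool
{
    $expected = $_SESSION['form_token'] ?? null;
    $ip = $_SESSION['form_ip'] ?? '';
    unset($_SESSION['form_token'], $_SESSION['form_ip']);
    if ($expected === null || $submitted === null) {
        return false;
    }
    return hash_equals($expected, $submitted) && $ip === ($_SERVER['REMOTE_ADDR'] ?? '');
}

// Look a character up by name. The "?" placeholder is sent to SQL Server as a
// parameter, so input such as  dude'; drop table character --  is compared
// as a literal string and never executed.
function find_character(PDO $db, string $name): ?array
{
    $stmt = $db->prepare('SELECT Name, cLevel FROM [Character] WHERE Name = ?');
    $stmt->execute([$name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

session_start();

// Form case: every POST must carry a valid token (the token itself is
// produced by issue_form_token() when the form page is rendered).
if ($_SERVER['REQUEST_METHOD'] === 'POST' && !check_form_token($_POST['token'] ?? null)) {
    http_response_code(403);
    exit('Form token missing or invalid.');
}

// Direct-URL case: ?find=...  The same valid_name() check applies to $_POST
// fields such as a "character" field on a reset form.
$find = $_POST['character'] ?? $_GET['find'] ?? '';
if (!valid_name($find)) {
    http_response_code(400);
    exit('Invalid character name.');
}

try {
    // Assumed DSN; connect as the limited-privilege account from section 1.a.
    $db = new PDO('sqlsrv:Server=localhost;Database=MuOnline', 'webuser', 'secret', [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
    $row = find_character($db, $find);
    echo $row === null
        ? 'No such character.'
        : htmlspecialchars($row['Name'], ENT_QUOTES, 'UTF-8') . ' is level ' . (int)$row['cLevel'];
} catch (PDOException $e) {
    // The exception text can contain the SQL and the server's own error
    // message; log it, never echo it.
    error_log('DB error: ' . $e->getMessage());
    http_response_code(500);
    echo 'Something went wrong.';
}
```

Binding the token to the client address, as the post recommends, does have a cost: users behind a load-balanced proxy or a mobile carrier can change address between rendering and submitting the form and will be rejected, so the session binding is the part to rely on and the IP check is an extra you may choose to drop.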

Quote:
UNION INJECTION
This, as you may not know, is what Vatrix and his crew are famous for. You often wondered "owwwww... how the heck did they do that database stealing, über elite stuff?" Well, this is it: it is called UNION injection. A SQL UNION query joins two result sets, and if they don't match it gives an error. Your question: if it gives an error, what is so useful about that? For you noobs out there, it is the error that they are LOOKING FOR!
Imagine this: what if they made a UNION injection that joins two fields, namely username and password, and UNIONs them with a mismatched table? What would they get? An error message on your website telling them that username = 'bahahah' and pass = '1123' is not a match for something... waaaaaa? You're dead. Your other question: how do they get my entire database? Since the MU database is like an open source DB, they don't have to work much: do some stored procedure to create a temp_db (with all your usernames/passwords) and output the temp_db to your website via the error, via UNION.
Stopping recommendation:
1. Aside from putting anti-SQL-injection checks on your forms and URL GET variables, do what I said in section 2.c.1 where I said to turn off DISPLAY ERRORS. Since it is errors they live for, don't show any.

3.b Packet Injection (common in MuOnline DataServers)
Quote:
Packet Injection DATASERVERS
And yet another GOOD programmer doing his worst. I have to hand it to the guy who made this; it took a lot of effort, since decoding and understanding GameServer-to-DataServer packets is NOT AN EASY task. What is this? It is like lying to the DataServer of your MU server. The thing does the following: it asks the user what he wants as an UPDATE to the DataServer, then a website with socket capability creates these packets and sends them to your DataServer ports. With this the DataServer is tricked into thinking that the PACKETS CAME FROM the GameServer, and THUS it executes the packets that were falsely sent to it. Even though this type of attack is less harmful than SQL injection, it can give you headaches, since they can give their character super items and super stats. BUT they can't DELETE OR DROP tables on your MSSQL server (that's just about the only good news on this one).
Stopping recommendation:
1. INSTALL A FIREWALL or a PORT BLOCKER.
2. DO NOT ALLOW OUTSIDE CONNECTIONS TO YOUR DATASERVERS; only allow local connections.
3. REMEMBER TO PROTECT ALL DATASERVER PORTS!


3.c Harvesters
3.d DDoS

I'm going to get some zzzz... I'll explain these tomorrow.


