[Guide] Creating a Secure Enviroment for Game & Web Serv

1. Stopping UNwanted Sql Queries (SQL Server Side)
1.a Setting UP a new Sql User Account
Quote:

Never connect to the database as a superuser or as the database owner. Use always customized users with very limited privileges

1.b Removing Remote Procedure Call
1.c Allowing SQL mixmode Authetication (windows and sql)
1.d and READ THIS FOR MORE DETAILS

2. Server & Web Security
2.a General Do this !
Quote:

1. Install a Firewall 2. Disable unnessary Services 3. Don't Put up a unprotected FTP (or anonymous FTP service) 4. Install an Anti Virus Software 5. Only Enable Ports that are being used by you (disable others)

2.b IIS Security (internet information services)
Quote:

1. Remove unused script mappings Quote: IIS is preconfigured to support common filename extensions such as .asp and .shtm. When IIS receives a request for a file of one of these types, the call is handled by a DLL. The IIS Lockdown Tool removes unneeded script mappings; however, your application may allow you to further refine the configuration. If you don't use some of these extensions or functionality, you should remove the mappings by following this procedure: 1. Open Internet Services Manager. 2. Right-click the Web server, and choose Properties. 3. Click Master Properties 4. Select WWW Service, click Edit, click HomeDirectory, and then click Configuration notes: according to all php installation packages, u are supposed to set ur php mapping to allow ALL, but i believe it should only be POST GET AND REQUEST 2. Do set the proper permission to everything Quote: Rule of Thumb: If it is for your own Use only set it to be Urs only, do not allow anonymous connections to it.

2.c PHP security
Quote:

1. PHP.ini setting changes Quote: PHP Code: register_globals = Off This is so that No one will ever make false variables to ur web. and all GET variables will have to be $_GET, and post variable wil have to be $_POST and so on. PHP Code: mssql.secure_connection = Off This will stop windows authentication from connecting to your sql server, meaning u can't connect to your mssql via php if u didnt setup a user/pass on it (btw: this is the problem most server have, cause even if they change pass it still connect, turn this OFF PHP Code: display_errors = Off log_errors = On error_log /var/log/php_errors This is the Most important ONE! u ask why? u know those guys who can get your database, and you often wondered how the hell did they get it,. this is the reason, well let me explain, when they UNION inject your website it will display an ERROR and if they do it right they can actually get ur username password of all your users, believe me UNION injection is very easy to do especially that the MU database schema is very well known, and even if they didnt know they can always UNION inject it to find out. remember the ERROR is wat is displaying the database, so u should disable error reporting Another way to do this is to insert this to you website (make sure u put it on top just before the report_errors(E_NONE); this will stop any error to ever show up. Error_log is just a place to put the logs. (notes: if some of these lines have # before them please remove that. that i a comment line, that will disable the line, if u remove, obviously it wil enable the line. ) THIS IS THE MSSQL SPEED TRICK AND LOW DISCONNECTION using php.ini PHP Code: [MSSQL] ; Allow or prevent persistent links. mssql.allow_persistent = On ; Maximum number of persistent links. -1 means no limit. mssql.max_persistent = -1 ; Maximum number of links (persistent+non persistent). -1 means no limit. mssql.max_links = -1 ; Minimum error severity to display. mssql.min_error_severity = 10 ; Minimum message severity to display. mssql.min_message_severity = 10 ; Compatability mode with old versions of PHP 3.0. mssql.compatability_mode = Off ; Valid range 0 - 2147483647. Default = 4096. mssql.textlimit = 4096 ; Valid range 0 - 2147483647. Default = 4096. mssql.textsize = 4096 ; Limits the number of records in each batch. 0 = all records in one batch. ;mssql.batchsize = 0 mssql.connect_timeout "5" mssql.timeout "30"; ; Use NT authentication when connecting to the server mssql.secure_connection = Off ; Specify max number of processes. Default = 25 mssql.max_procs = 250 2. Writing good Php Codes [read here]

3. SERVER ATTACKS DEFINED
3.a SQL injection (wat is it, and how to stop it?)
Let me keep this short due to it has been covered many times over, Sql
injection is a type of attach that deals with manipulating you scripts
(asp, or php) query to the mssql database,. these type
Quote:

Direct URL example: http://mysite.com/something.php?find=dude'; drop table character -- aboce is an example of a direct URL injection. Stopping recommendation: 1. Turn off Register Globals in php.ini (see 2.c.1) 2. Filter all $_GET variables ( do not allow bad words( UNION, drop) , and bad characters (; - ' ") 3. make it so that $_GET variables are limited in lenght ( use strlen(); php function to count)

Quote:

Form Attack (this includes CSS RCSS) this is a attack that is target at the back end of your forms,. with back end i mean the target of ur forms. Since on Muonline we do a lot of stuff using forms such as registration, pk reset, lvl reset, change pass, and etc. this is a widely used injection attack. Stopping recommendation: 1. Turn off Register Globals in php.ini (see 2.c.1) 2. Filter all $_POST variables ( do not allow bad words( UNION, drop) , and bad characters (; - ' ") 3. make it so that $_POST variables are limited in lenght ( use strlen(); php function to count) 4. There is two other things u can to you forms that makes it 100% hack proff! One is to add a hidden Session Token to Forms,. and this token is verified according to the persons IP address and session. this is such a good idea that it is imbedded in Mutoolz. And another alternatice is Random Image verify script. 5. It is always a good idea to Separate character from number input. and verify them in the back end. also use such built in commands like htmlentities(); htmlspecialchars(); isnum(); and etc. Bottom line. sql injection can be handled easily on very well programmed websites. Rule of thumb will be limiting wat the User see and do with him knowing it.

Quote:

UNION INJECTION This is as u may not know it, is the reason why Vatrix and his crew are famous of, U often wondered in owwwwwwwwwwwwwwwwww... how the heck did those database stealing , over elite stuff, well this is it.. it is called UNION injection.. This a SQL query joins two tables and if they dont match they give an error, ur question if they give an error wats so usefull about these,. for u noobs out there it is the error that they are LOOKING FOR! Imagine this, wat if they made a UNION injection that joins the two fields namely username and password and UNION it with a mismatch table , wat would they get an error message in ur website tell them that username = 'bahahah' and pass = '1123' is not a match for something.. waaaaaaaaaaaaaaaaa? ur dead.,. ur another question: how the get my entire database., since MU database is like an open source DB, they dont have to work much, do some stored procedure to create a temp_db ( with all ur username/pass) and output the temp_db out to ur website via error , via UNION.. Stopping recommendation: 1. Aside from putting anti sql injection on ur forms and URL GET VARIABLES? you do wat i said in section 2.c.1 wer i said to turn of DISPLAY ERRORS. since it errors that they live for, then dont make it show any.

3.b Packet Injection ( common in Muonline dataservers )
Quote:

Packet Injection DATASERVERS and yet another GOOD programmer doing his worst. I have to hand it to the guy who made this, it took a lot of effort to do this, decoding and understanding Gameserver to dataserver packets is NOT AN EASY task,. Wat is this? this is a like lying to the DATASERVER or ur MU server,. if thing it does is ask the user wat he wants as an UPDATE to the DATASERVER, then a website with sockets capabilty create this packets with to be sent to your DATASERVER PORTS, with this the DATASERVER is tricked to thinking that the PACKETS CAME FROM the GAMESERVER, THUS it executes the packets that falsely sent to it. Even though, this type of attack is less harmfull as Sql injection, it can give u headaches, since they can give there Character super items and super stats, BUT they cant DELETE OR DROP tables on ur mssql server (that's just about the good news on this one) Stopping recommendation: 1. INSTALL A FIREWALL or a PORT BLOCKER. 2. DO NOT ALLOW OUTSIDE CONNECTION TO YOUR DATASERVERS,. only allow local connections, 3. REMEMBER TO PROTECT ALL DATASERVER PORTS!

3.c Harvesters
3.d DDOS

im going to get some zzzz.. ill explain tomorrow about these.

---

Working On Another Free MuToolz...