Author Topic: Server Security  (Read 1365 times)

Legacy_Vincent07

Server Security
« on: April 10, 2014, 01:28:20 am »


               

Some time ago, FunkySwerve posted a topic about securing a PW now that the Master Server is gone. This was a lovely bit of code, and we've made use of it on CD. However, it would seem there is some measure of CD Key recycling going on from GoG and we have had a few players unable to log in because of this. So I would like to find an SQL password security system that is not reliant on GSID.


 


I'd heard SoT used one, and so looked through what they posted.  It seems tied into their massive NWNX implementations which we don't have.   Similarly it is tailored into that module and not something I can easily remove for my own use.


 


Anyone know of a solution for this out there? 



               
               

               
            

Legacy_Squatting Monk

« Reply #1 on: April 10, 2014, 02:02:10 am »


               

I know this is not what you asked for, but Funky posted a modification to the system to account for GoG CD Keys.



               
               

               
            

Legacy_Vincent07

« Reply #2 on: April 10, 2014, 02:52:50 am »


               

The GoG keys haven't been the issue. We've been seeing key duplication of the multiplayer keys players have received.



               
               

               
            

Legacy_Squatting Monk

« Reply #3 on: April 10, 2014, 02:55:38 am »


               

Ah, I see. That's certainly something that needs to be accounted for, then. In the meantime, have you contacted GoG about this?



               
               

               
            

Legacy_Vincent07

« Reply #4 on: April 10, 2014, 04:40:37 am »


               

I have not, no. I've never dealt with them. (My copy of NWN is original release, as is each xpac)


 


Mostly I'm interested in finding some different manner of server security, preferably a password system.  So far my searches have yielded nothing.



               
               

               
            

Legacy_Pstemarie

« Reply #5 on: April 10, 2014, 12:57:45 pm »


               

I don't think it's so much GOG recycling CD Keys as the clown that posted a torrent some time back that had over 100 legitimate CD Keys that people had erroneously stored in online file repositories attached to personal websites thinking that was a safe way to store something.


 


One thing I've wondered, now that the master server authentication is gone, wouldn't it be possible to install the GOG version with the generic keys and then replace those keys with your own made-up multiplayer keys?



               
               

               
            

Legacy_Shadooow

« Reply #6 on: April 10, 2014, 01:17:49 pm »


               

Alternatives to CDKEY verification exist - for example, you can make an in-game password system where each player logging in has to input a password in a starting area before you teleport the player into the last stored area.


 


But there is one problem remaining - players with the same CD key cannot play on the same server at the same time...



               
               

               
            

Legacy_WhiteTiger

« Reply #7 on: April 10, 2014, 04:24:42 pm »


               

And can we skip the step of checking the CD key? Players can't log in to the module because their CD keys are duplicated, and it would be great to let players enter the game without an individual serial code.



               
               

               
            

Legacy_FunkySwerve

« Reply #8 on: April 10, 2014, 04:27:53 pm »


               


> I don't think it's so much GOG recycling CD Keys as the clown that posted a torrent some time back that had over 100 legitimate CD Keys that people had erroneously stored in online file repositories attached to personal websites thinking that was a safe way to store something.
>
> One thing I've wondered, now that the master server authentication is gone, wouldn't it be possible to install the GOG version with the generic keys and then replace those keys with your own made-up multiplayer keys?




This. I have yet to see a duplicate key from GoG. I have seen dozens of them from torrented sites. About 10 times a year I get some clueless torrenter posting on our forums asking why there's a password on their account when they've never played on the server. This is, of course, why we have passwording in addition to the cd key check. I tell them first come, first served, and explain that a GoG key is only 5-10 bucks depending on whether they have a sale going. Otherwise all the torrented keys would be sharing vaults, wallets, and so forth. In fact, we also get a few gripes a year by people wondering why their items are disappearing, or one of their toons was deleted. It's because they haven't yet passworded their account, and another torrenter was logged in as them, using their items and playing their characters.


 


Torrented keys are pretty easy to spot. When you do a SQL search for most keys, e.g., key XXXXXXXX:


SELECT * FROM pwdata WHERE val LIKE '%XXXXXXXX%';


you get one hit. On a torrented key, you'll get dozens, if you have a busy server. I think my record is something like 250 hits. More typical is 60-70 hits.


 


About the only potential point of confusion occurs if you have guilds, where some players share keys. There, though, there's still a marked difference in quantity, with maybe 12-20 hits on a guild-shared key.


 


We do warn our players who share keys that it makes it difficult to distinguish them as different from those they share keys with, and that they may wind up responsible for that person's actions when using their key, but it hasn't been a major issue thus far.


 


Long story short...passwording. I think I've posted a passwording system, courtesy of acaos, somewhere on here. LMK if you can't find it and I'll repost.


 


Funky
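The hit-count check described in the post above, as an added example that is not part of the original post or of FunkySwerve's system. The `login_keys` table, the sample rows and the `GUILD_MAX` threshold are assumptions made for illustration; the real `pwdata` layout is not shown in the thread.

```python
import sqlite3

GUILD_MAX = 20  # assumption: top of the 12-20 "guild-shared" range quoted in the post


def build_sample_db():
    """Constructed data: one normal key, one guild-shared key, one leaked key."""
    db = sqlite3.connect(":memory:")
    # Hypothetical table: one row per (account, CD key) pair seen at login.
    db.execute("CREATE TABLE login_keys (account TEXT NOT NULL, "
               "cdkey TEXT NOT NULL, UNIQUE (account, cdkey))")
    rows = [("player_a", "KEYAAAAA")]
    rows += [(f"guildie{i}", "KEYGGGGG") for i in range(14)]
    rows += [(f"stranger{i}", "KEYTTTTT") for i in range(65)]
    db.executemany("INSERT INTO login_keys VALUES (?, ?)", rows)
    return db


def classify(accounts, guild_max=GUILD_MAX):
    """Label a key by how many distinct accounts have presented it."""
    if accounts <= 1:
        return "unique"
    if accounts <= guild_max:
        return "shared"          # family or guild sized, worth a manual look
    return "widely-shared"       # far beyond any guild, treat the key as leaked


def key_report(db, guild_max=GUILD_MAX):
    """Return [(cdkey, distinct_accounts, label)], most-shared key first."""
    cur = db.execute(
        "SELECT cdkey, COUNT(DISTINCT account) AS n "
        "FROM login_keys GROUP BY cdkey ORDER BY n DESC, cdkey")
    return [(key, n, classify(n, guild_max)) for key, n in cur]


def accounts_for(db, cdkey):
    """Exact-match lookup with a bound parameter rather than LIKE '%...%'."""
    cur = db.execute(
        "SELECT account FROM login_keys WHERE cdkey = ? ORDER BY account",
        (cdkey,))
    return [row[0] for row in cur]


if __name__ == "__main__":
    for line in key_report(build_sample_db()):
        print(line)
```

Grouping by key reports every shared key in one pass, so the per-key search is only needed when following up on a specific key.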


               
               

               
            

Legacy_FunkySwerve

« Reply #9 on: April 10, 2014, 04:29:38 pm »


               


> And can we skip the step of checking the CD key? Players can't log in to the module because their CD keys are duplicated, and it would be great to let players enter the game without an individual serial code.




No. You want both. That way, if you ban someone, they lose everything they accumulated on their old account, and have to start over. It's possible to do that with just a password, but it's far less convenient.


 


Funky


               
               

               
            

Legacy_FunkySwerve

« Reply #10 on: April 10, 2014, 04:31:14 pm »


               


> But there is one problem remaining - players with the same CD key cannot play on the same server at the same time...




This is NOT a problem. It's key to preventing serious exploits.


 


Funky


               
               

               
            

Legacy_FunkySwerve

« Reply #11 on: April 10, 2014, 04:32:37 pm »


               


> I don't think it's so much GOG recycling CD Keys as the clown that posted a torrent some time back that had over 100 legitimate CD Keys that people had erroneously stored in online file repositories attached to personal websites thinking that was a safe way to store something.
>
> One thing I've wondered, now that the master server authentication is gone, wouldn't it be possible to install the GOG version with the generic keys and then replace those keys with your own made-up multiplayer keys?




This is not an appropriate discussion for these boards. PM me if you don't understand why.


 


Funky


               
               

               
            

Legacy_FunkySwerve

« Reply #12 on: April 10, 2014, 04:33:54 pm »


               


> I have not, no. I've never dealt with them. (My copy of NWN is original release, as is each xpac)
>
> Mostly I'm interested in finding some different manner of server security, preferably a password system. So far my searches have yielded nothing.




I'll post ours, written by acaos, when I get home. It uses SIMTools. Are you running NWNX? If not, you'll have to do some tweaking to make it work with the BioWare event.


 


Funky


               
               

               
            

Legacy_WhiteTiger

« Reply #13 on: April 10, 2014, 05:31:12 pm »


               


> This is NOT a problem. It's key to preventing serious exploits.
>
> Funky




 


"key to preventing serious exploits"


 


It's relative if you are using the CD key to prevent the "exploits". You can use Database / MySQL to prevent whatever.


 


1. You can use a third party system with database to log into the game with passwords for each player.

2. The system made by Shadooow, which does not allow the creation of the character with a Bastard sword +20. Link



               
               

               


Edited by WhiteTiger, 13 April 2014 - 06:55.
                     
                  


            

Legacy_henesua

« Reply #14 on: April 10, 2014, 05:31:19 pm »


               

I think I don't fully understand how Funky's security system works or at least haven't fully grokked how someone can get around it because I didn't think a password system was necessary.


 


So the way I grasp this:


  • you have a pair of IDs - player name and cd key - which are stored together

  • each player can only use one player name at a time, and to switch you have to tell the system that you want to switch player names on next login

  • if someone logs in with a CD Key and has the wrong player name or with a player name using the wrong CD key they are booted.

 


If this is how it works it seems to be fairly tight to me. The problem is that players need to be consistent with the player name they use.


 


  • But I guess it might be possible for someone who merely wishes to cause harm to find out what a specific player's CD Key is. Is this the problem that password protection solves?

  • Or is it that password protection enables a player to log in using any player name?

  • Or did I get this all wrong?
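The login rule discussed across this thread (a player name bound to a CD key on a first-come, first-served basis, plus an account password), as an added sketch that is not acaos's or FunkySwerve's system. The `Accounts` class, its result strings, the PBKDF2 settings and the sample names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumption: PBKDF2 work factor picked for this example


def _hash(password, salt):
    """Derive a slow, salted hash so stored passwords are not reversible."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class Accounts:
    """In-memory stand-in for the server's SQL store (hypothetical layout)."""

    def __init__(self):
        self._rows = {}  # player name -> {"cdkey", "salt", "hash"}

    def set_password(self, name, password):
        salt = os.urandom(16)
        self._rows[name].update(salt=salt, hash=_hash(password, salt))

    def login(self, name, cdkey, password=None):
        row = self._rows.get(name)
        if row is None:
            # First come, first served: bind the new name to this key.
            self._rows[name] = {"cdkey": cdkey, "salt": None, "hash": None}
            return "allow-new"
        if row["cdkey"] != cdkey:
            # Known name presented with a key it was not bound to.
            return "deny-key-mismatch"
        if row["hash"] is None:
            # Key matches but no password is set: with a widely shared key,
            # every other holder of that key passes this check too.
            return "allow-unprotected"
        if password is None:
            return "deny-password-required"
        # Constant-time comparison of the derived hashes.
        ok = hmac.compare_digest(row["hash"], _hash(password, row["salt"]))
        return "allow" if ok else "deny-bad-password"


if __name__ == "__main__":
    store = Accounts()
    print(store.login("player_one", "KEYTTTTT"))           # constructed values
    store.set_password("player_one", "correct horse")
    print(store.login("player_one", "KEYTTTTT", "guess"))
```

The `allow-unprotected` branch is the case the key check alone cannot close: once a key is shared, only the password separates one holder's account from another's.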