Author Topic: Server Security  (Read 1363 times)

Legacy_WhiteTiger

  • Hero Member
  • *****
  • Posts: 889
  • Karma: +0/-0
Server Security
« Reply #15 on: April 10, 2014, 05:41:55 pm »


               


  • Or is it that password protection enables a player to log in using any player name?



 


Henesua,


 


The player needs to create his account, which contains a login/pass, and, after login, he will be able to log in only with the username he created. If he tries to log in with a different username, he will be booted.


 


OBS: The player needs to insert the password each time he tries to log in to the module again.



               
               

               
            

Legacy_FunkySwerve

  • Hero Member
  • *****
  • Posts: 2325
  • Karma: +0/-0
Server Security
« Reply #16 on: April 10, 2014, 06:13:39 pm »


               


 


Depends. It's relative if you are using the cdkey to prevent the "exploits". You can use Database / MySQL to prevent whatever.

But what kind of exploit protection do you mean?

1. You can use a third party system with database to log into the game with passwords for each player.

2. The system made by Shadooow, which does not allow the creation of the character with a Bastard sword +20. Link


 


In my view, this is a problem for the players.

 

"If you like it, buy the game" they need to experience

 




I'm not going to elaborate on exploits in a thread where you use the word searchably, sorry. Suffice to say, it does not depend. It's one part of a total security system, on the one hand, which absolutely should include a password system, as I note above. On the other, if you have multiple instances, it is completely indispensable.


 


Funky


               
               

               
            

Legacy_FunkySwerve

« Reply #17 on: April 10, 2014, 06:29:38 pm »


               


 


I think I don't fully understand how Funky's security system works or at least haven't fully grokked how someone can get around it because I didn't think a password system was necessary.


 


So the way I grasp this:


  • you have a pair of IDs - player name and cd key - which are stored together

  • each player can only use one player name at a time, and to switch you have to tell the system that you want to switch player names on next login

  • if someone logs in with a CD Key and has the wrong player name or with a player name using the wrong CD key they are booted.

 


If this is how it works it seems to be fairly tight to me. The problem is that players need to be consistent with the player name they use.


 


  • But I guess it might be possible for someone who merely wishes to cause harm to find out what a specific player's CD Key is. Is this the problem that password protection solves?

  • Or is it that password protection enables a player to log in using any player name?

  • Or did I get this all wrong?

 




There is a way to get someone's cd key if you're not an admin, on which I will not elaborate. It's already possible to log in with anyone's playername, since the Gamespy passwording is no longer working, since they downed the servers years back. CD keys, by their lonesome, are not completely secure, though the knowhow to circumvent them is exceedingly rare (1 person in 10 years, for us, and he gave acaos and I some difficulty, requiring a custom anti-crash plugin on top of this).


 


We link accounts to keys, and keys to passwords. This permits the establishment of a one-to-one relationship of key to account, and establishes a sort of digital fingerprint. It blocks other keys from accessing the account without permission, and further blocks non-password holders. It is a far better system than a password only system, though this is perhaps not obvious to someone who hasn't worked with them.


 


Password systems, to block as much as possible, need to lock out movement and non-password chat until the password is entered. Otherwise, the 'blocked' player can still wreak all kinds of havoc - especially if they're logged in with a key granting access to dm chat commands, for example. This is incredibly inconvenient for, for example, a player who crashes out during combat and needs to re-enter - they're frozen in place until they can type the pass, and likely to get splattered (plotting them is also not a good solution, but that's delving into minutiae of minutiae).


 


So, you want a dual-layer system, with cd key blocks for the vast majority of mundane blocking, and passwording for the more unusual cases (extremely skilled hackers and publicly-broadcasted cd keys).


 


Further, you probably do NOT want to require re-entry of a password on every login, just every server reset, assuming you're doing them fairly regularly, given inconveniences like the combat scenario listed above. We only require it on first login each reset per instance, resulting in much greater convenience to players at a minimal cost to security (0 reported issues with that approach in the last 4-5 years).


 


Funky
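
The two layers described in this post, as an added sketch in Python (not HG's or acaos's code). The class and method names, the 'boot'/'locked'/'ok' results and the rule that unknown accounts are booted are assumptions for illustration; only the `!password` command name comes from the thread.

```python
import hashlib
import hmac
import os

def _pw_hash(password, salt):
    # Slow salted hash, so the stored value is not the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class LoginGate:
    """Model of the two layers: key-to-account binding, then a password per reset."""

    def __init__(self):
        self.accounts = {}     # player name -> {"key", "salt", "hash"}
        self.unlocked = set()  # names that gave the password since the last reset

    def register(self, name, cd_key, password):
        salt = os.urandom(16)
        self.accounts[name] = {"key": cd_key, "salt": salt,
                               "hash": _pw_hash(password, salt)}

    def on_enter(self, name, cd_key):
        """Layer 1: return 'boot', 'locked' or 'ok' for an entering player."""
        acct = self.accounts.get(name)
        if acct is None or acct["key"] != cd_key:
            return "boot"      # assumption: unknown account or unbound key is booted
        return "ok" if name in self.unlocked else "locked"

    def on_chat(self, name, message):
        """Layer 2: while locked, only '!password <pw>' is processed.
        Returns the text to broadcast, or None when the chat is swallowed."""
        if name in self.unlocked:
            return message
        acct = self.accounts.get(name)
        if acct and message.startswith("!password "):
            attempt = _pw_hash(message[len("!password "):], acct["salt"])
            if hmac.compare_digest(attempt, acct["hash"]):
                self.unlocked.add(name)
        return None            # never echo a password attempt or locked chat

    def can_move(self, name):
        # Movement stays frozen until the password has been accepted.
        return name in self.unlocked

    def server_reset(self):
        self.unlocked.clear()  # everyone re-enters the password after a reset
```
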


               
               

               
            

Legacy_FunkySwerve

« Reply #18 on: April 10, 2014, 06:35:46 pm »


               

If you're going to ask a question:


 




And can we skip the step of checking the CD-KEY? Players can't log in to the module because they have their CDKEYS duplicated, and it would be great to let the players enter the game without an individual serial code.




It's not terribly good form to pretend to know the answer and argue with the person answering you:


 




 


Depends. It's relative if you are using the cdkey to prevent the "exploits". You can use Database / MySQL to prevent whatever.

But what kind of exploit protection do you mean?

1. You can use a third party system with database to log into the game with passwords for each player.

2. The system made by Shadooow, which does not allow the creation of the character with a Bastard sword +20. Link


 


In my view, this is a problem for the players.

 

"If you like it, buy the game" they need to experience

 




In point of fact, it's moderately annoying.


 


Funky



               
               

               
            

Legacy_WhiteTiger

« Reply #19 on: April 10, 2014, 07:01:13 pm »


               

Funky


 


I do not care. You seem to be bossy.


 


EDITED: My answer to Vincent, "How to protect PW Servers", is on the 2nd page.



               
               

               


Edited by WhiteTiger, 11 April 2014 - 03:54.
                     
                  


            

Legacy_WhiteTiger

« Reply #20 on: April 10, 2014, 07:22:12 pm »


               

Vincent07,


 


If you would like to find a good security system, you should do what I quoted above. And also, as Shadooow quoted, you can make a database system where players can register on the site, and there you put a button called "Enable Login", and then the player can log into his account one time.

But besides that, only the computer that clicked the "Enable Login" button will be able to enter the game, because we will do the checking by IP.

 

It is the best security system and simple.

 

--------------------------------------------------------

EDITED:

 

You should create a table called "logintable" with some fields, for example: name (of player), username, password, email.

Then you insert this into the site:

 

 

TO CREATE ACCOUNT

INSERT INTO logintable SET name="#registerName", username="#registerUsername", password="#registerPW", email="#registerEmail";

 

WHEN CLICK ENABLE LOGIN

UPDATE logintable SET ip="#registerIP" WHERE username="#registerLogin";

 

 

SERVER-SIDE SCRIPT (On Client Enter)

 

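// don't forget to check that your script has #include "aps_include" at the top

#include "aps_include"

void main()
{
    object oPC = GetEnteringObject();
    if (!GetIsPC(oPC)) return;

    // Look up the account that enabled login from this IP address
    string sSQL = "SELECT username FROM logintable WHERE ip='" + GetPCIPAddress(oPC) + "';";
    SQLExecDirect(sSQL);
    string sUserName = "";

    // No row for this IP: nobody clicked "Enable Login" from this computer
    if (SQLFetch() != SQL_SUCCESS)
    {
        BootPC(oPC);
        return;
    }
}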
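
An added example (not WhiteTiger's code) of the same site-side statements and on-enter check, written in Python with SQLite standing in for MySQL: values are bound as parameters instead of being pasted into the SQL text, the password is stored as a salted hash, and the check matches the entering player name together with the IP. The function names and the `salt`/`pwhash` columns are assumptions.

```python
import hashlib
import hmac
import os
import sqlite3

def open_db():
    db = sqlite3.connect(":memory:")   # stand-in for the MySQL database
    db.execute("CREATE TABLE logintable (name TEXT, username TEXT PRIMARY KEY,"
               " salt BLOB, pwhash BLOB, email TEXT, ip TEXT)")
    return db

def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def create_account(db, name, username, password, email):
    """TO CREATE ACCOUNT: store a salted hash, never the password itself."""
    salt = os.urandom(16)
    # "?" placeholders: the driver passes values separately from the SQL text,
    # so quotes typed into a form field cannot change the statement.
    db.execute("INSERT INTO logintable (name, username, salt, pwhash, email)"
               " VALUES (?, ?, ?, ?, ?)",
               (name, username, salt, _pw_hash(password, salt), email))

def enable_login(db, username, password, ip):
    """WHEN CLICK ENABLE LOGIN: record the IP only after the password checks out."""
    row = db.execute("SELECT salt, pwhash FROM logintable WHERE username = ?",
                     (username,)).fetchone()
    if row is None or not hmac.compare_digest(_pw_hash(password, row[0]), row[1]):
        return False
    db.execute("UPDATE logintable SET ip = ? WHERE username = ?", (ip, username))
    return True

def may_enter(db, player_name, ip):
    """On client enter: the IP must be enabled for THIS player name.
    Assumption: player_name is what the server reports for the entering player."""
    row = db.execute("SELECT 1 FROM logintable WHERE username = ? AND ip = ?",
                     (player_name, ip)).fetchone()
    return row is not None   # False means the caller should boot the player
```
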



               
               

               
            

Legacy_Vincent07

  • Jr. Member
  • **
  • Posts: 77
  • Karma: +0/-0
Server Security
« Reply #21 on: April 10, 2014, 07:25:19 pm »


               


I'll post ours, written by acaos, when I get home. It uses SIMTools. Are you running NWNX? If not, you'll have to do some tweaking to make it work with the bioware event.


 


Funky




 


We are using NWNX and an SQL database.  Though I know there's a lot of additions for NWNX that we do not use mostly as none of us have yet taken the time to understand them.  And we lack someone with any real SQL knowledge.


 


I understand NWScript enough that I was able to implement the CDKey security code you posted some time back, but not really do much else in that regard.



               
               

               
            

Legacy_henesua

  • Hero Member
  • *****
  • Posts: 6519
  • Karma: +0/-0
Server Security
« Reply #22 on: April 10, 2014, 07:50:33 pm »


               

There is a way to get someone's cd key if you're not an admin, on which I will not elaborate.


Thanks. I needed to know if it was possible. I'm certainly not asking you to tell us how to do it. But I would like to know how often this happens. You seem to suggest later in your post that this is a very rare problem. Is that true?
               
               

               
            

Legacy_WhiteTiger

« Reply #23 on: April 10, 2014, 08:39:12 pm »


               


 


I'm not going to elaborate on exploits in a thread where you use the word searchably, sorry.


 


Funky



 


Funky,


 


Stop, man.


Please, this is already getting bad. 



 

We all know it is you who is writing posts, stop putting "Funky" at the end. 


               
               

               
            

Legacy_Vincent07

« Reply #24 on: April 10, 2014, 08:45:45 pm »


               


 


Vincent07,


 


If you would like to find a good security system, you should do what I quoted above. And also, as Shadooow quoted, you can make a database system where players can register on the site, and there you put a button called "Enable Login", and then the player can log into his account one time.

But besides that, only the computer that clicked the "Enable Login" button will be able to enter the game, because we will do the checking by IP.

 

It is the best security system and simple.

 

(Snipped code for length)


 


 


You mean on our site?  We use a proboards forum not connected really to our server host, which is the other admin.  So not really sure how I would even go about this.  Again, my knowledge of anything relating to SQL is next to nil.


               
               

               
            

Legacy_WhiteTiger

« Reply #25 on: April 10, 2014, 08:49:21 pm »


               


You mean on our site?  We use a proboards forum not connected really to our server host, which is the other admin.  So not really sure how I would even go about this.  Again, my knowledge of anything relating to SQL is next to nil.




 


Yes, you can do it using a forum, for example; it just needs to be connected to the database. There are many courses on MySQL. Which type of connection are you using with NWNX? Is it SQLite?



               
               

               
            

Legacy_WhiteTiger

« Reply #26 on: April 10, 2014, 09:03:05 pm »


               

Vincent07,


 


Furthermore players can have a private place on the site / forum to change the password, email and even do several other things. 


 



my knowledge of anything relating to SQL is next to nil.



 


The language we used in Aurora Toolset is like, you should visit the Lexicon:


 


http://www.nwnlexicon.com/



               
               

               


Edited by WhiteTiger, 11 April 2014 - 10:30.
                     
                  


            

Legacy_WhiteTiger

« Reply #27 on: April 10, 2014, 10:24:29 pm »


               

Excuse me, maybe you should use Funky's idea. It seems to be better in your case since you will have the support forum here and any problem can be solved more easily.


 


I'll post ours, written by acaos, when I get home. It uses SIMTools. Are you running NWNX? If not, you'll have to do some tweaking to make it work with the bioware event.
 

 

Funky



 


He will return home and will help you. (;


               
               

               
            

Legacy_FunkySwerve

« Reply #28 on: April 11, 2014, 03:33:45 am »


               


Thanks. I needed to know if it was possible. I'm certainly not asking you to tell us how to do it. But I would like to know how often this happens. You seem to suggest later in your post that this is a very rare problem. Is that true?




Yes. We've only seen one person do it since I started running HG in 2004. That same person found a fair number of creative ways to cause trouble, far more than your run-of-the-mill server crasher. He was actually able to log in with my account, which, thanks to his unusual silence when greeted and !playerinfo, a player noted. By the end of his short but relatively infamous career, acaos had had to create a brand new NWNX plugin to prevent him from crashing us. So this is hardly the kind of thing you see frequently, and it does not appear to have become common knowledge on any of the sites that discuss NWN or general gaming exploits.


 


I'm happy to disclose a little more in private, if you want to pm me, but far and away the most common use of our passwording setup is the blocking of other torrented/publicly distributed keys by the first person using one to !password the account. I think that alone has probably accounted for a good two dozen GoG purchases over the last couple years. It's for that reason that we only check once per login. We have 12 instances, so the odds that a given playername has logged in to the same instance and unlocked it when someone tries to bypass cdkey protection are incredibly low. If you're only running one instance, it'd still only be worth checking once per login, in my opinion, though if you're paranoid you could force a recheck every 3 or 6 real hours using a timestamp check, especially if any runs players are likely to crash out of are comparatively short (and thus less likely to result in crashes during runs, if they, like our players, start runs fairly soon after logging in).


 


Funky


               
               

               
            

Legacy_FunkySwerve

« Reply #29 on: April 11, 2014, 03:43:32 am »


               




We are using NWNX and an SQL database.  Though I know there's a lot of additions for NWNX that we do not use mostly as none of us have yet taken the time to understand them.  And we lack someone with any real SQL knowledge.


 


I understand NWScript enough that I was able to implement the CDKey security code you posted some time back, but not really do much else in that regard.




That's fine. SIMTools is actually a nwscript setup for the nwnx_chat plugin event, which I think is a part of the core NWNX install, nowadays.


 


SIMTools is posted on the Vault. It uses the default NWNX setup for the SQL database, so as to be as user-friendly as possible. You can find a link to it here:


 


Click Me


 


I'll post the code snippets that would need to be implemented to do our passwording setup, in a few hours (still at work here). It's a little more involved than the cd key boot, since it has to intercept all chat, but it works quite well. I don't have a lot of spare time these days to help with installation, but I can field questions.


 


Funky