Author Topic: Server Security  (Read 1364 times)

Legacy_Vincent07

  • Jr. Member
  • **
  • Posts: 77
  • Karma: +0/-0
Server Security
« Reply #30 on: April 11, 2014, 03:51:49 am »

Perhaps I should elaborate further.


 


We use NWNX for database and server hosting, that's about it.


 


I've included nwnx_funcs, but have not yet used it.  Our OnPlayerChat is entirely custom.


 


So, how much of a headache am I looking at to merge this in?




Legacy_FunkySwerve

  • Hero Member
  • *****
  • Posts: 2325
  • Karma: +0/-0
Server Security
« Reply #31 on: April 11, 2014, 07:06:31 am »

Hm. In that case, possibly a pretty big one. We use a lot of nwnx stuff, including custom effect ids, and more. I'll show you the basics, and let you decide if you want to dive in (I'm giving you everything I spot, but I may miss some included functions you'd need). Here's the snippet from where it fires on client enter:


http://pastebin.com/6aZ4kthA


Note that our entry script, which normally passes people through our first area, is put on hold while it waits for password confirmation:


http://pastebin.com/jbAf0pWa


That chunk of code repeats every 5 seconds until they enter the password, at which point they pass that return and execute the rest of the code in that OnEnter, which, among other things, deposits them in the normal start area, if that's where they belong.


 


The ApplyPasswordHold function is as follows:

http://pastebin.com/bbvGh7EQ


 


Then, of course, there's the chat event that screens for the various channels:


http://pastebin.com/GYyWx1Xe


 


That's basically just the standard SIMTools chat event, with some modifications for password support, as noted in the comment.


 


Next, some selected code from the chat include, including passwording functions and the !password command itself:


http://pastebin.com/LQimj55V


 


The SQLExecStatement is just a convenience function variant of the normal SQL injector function, SQLExecDirect:


http://pastebin.com/KMfeiM8H


It basically allows you to replace string quotes with ?s, to make the inputs more human-readable, with less room for annoying quote errors. Courtesy of acaos, along with this passwording code, I should mention.


 


Last up, the password database, both a describe and a sample select. People have criticized the use of OLD_PASSWORD, but it's basically a nonissue unless the person trying to defeat it has lower-level access to the server. I sure as hell can't tell what people are entering, at any rate. I wind up setting people's passes to simple phrases like greeneggs if they forget them.


 


http://pastebin.com/66TzGtvN


 


Please feel free to ask questions.


 


Funky
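An added example (Python, not the Higher Ground NWScript behind the pastebin links above, which this page does not reproduce) of the flow described in this post: the player is parked on client enter, the hold re-arms every 5 seconds, the OnPlayerChat handler consumes `!password <phrase>` and releases the hold on a match, and passwords are looked up per CD key (as meaglyn infers later in the thread). The `PasswordGate` class, the attempt limit, and the `NO_PASSWORD_ON_FILE` / `BOOTED` verdicts are assumptions. The store uses salted PBKDF2 in place of MySQL OLD_PASSWORD(), which is unsalted and cheap to brute-force if the table is ever read. One detail the post only implies: the chat handler must tell the caller to suppress the `!password` line so the phrase is never broadcast to a channel.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

HOLD_INTERVAL = 5.0      # seconds; the post says the hold script repeats every 5 seconds
MAX_ATTEMPTS = 5         # assumed lockout threshold; not stated in the original post
PBKDF2_ROUNDS = 100_000  # assumed work factor


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256, stored as 'salthex$digesthex'.
    Stand-in for MySQL OLD_PASSWORD(); a leaked table of these is not
    cheaply reversible, unlike an unsalted 16-hex-digit OLD_PASSWORD hash."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate.hex(), digest_hex)   # constant-time compare


@dataclass
class Player:
    name: str
    cdkey: str
    held: bool = False
    attempts: int = 0
    next_hold: float = 0.0


class PasswordGate:
    """Assumed stand-in for the password table plus the OnClientEnter / OnPlayerChat hooks."""

    def __init__(self, passwords):
        self.passwords = passwords   # cdkey -> stored hash; the password is per CD key

    def set_password(self, cdkey, password):
        # Admin reset path, e.g. a DM setting a forgotten password to a simple phrase.
        self.passwords[cdkey] = hash_password(password)

    def on_client_enter(self, pc, now):
        """Park the player; the rest of OnClientEnter must not run while pc.held is True."""
        if pc.cdkey not in self.passwords:
            return "NO_PASSWORD_ON_FILE"          # not enrolled: caller decides boot / enroll
        pc.held, pc.attempts, pc.next_hold = True, 0, now + HOLD_INTERVAL
        return "HELD"

    def apply_password_hold(self, pc, now):
        """The repeating hold. True = hold re-armed; False = confirmed, entry code may continue."""
        if not pc.held:
            return False
        if now >= pc.next_hold:
            pc.next_hold = now + HOLD_INTERVAL
        return True

    def on_player_chat(self, pc, text):
        """Return (verdict, suppress). suppress=True means the line must not reach any
        channel: a password typed into chat must die inside this handler."""
        parts = text.strip().split(None, 1)
        is_cmd = bool(parts) and parts[0].lower() == "!password"
        if not pc.held:
            return ("ALREADY_CONFIRMED", True) if is_cmd else ("PASS", False)
        if not is_cmd:
            return ("HELD", True)                 # no chat at all until confirmed
        supplied = parts[1] if len(parts) > 1 else ""
        if supplied and verify_password(supplied, self.passwords[pc.cdkey]):
            pc.held = False
            return ("ACCEPTED", True)
        pc.attempts += 1
        if pc.attempts >= MAX_ATTEMPTS:
            return ("BOOTED", True)               # caller should drop the connection
        return ("REJECTED", True)


if __name__ == "__main__":
    gate = PasswordGate({"KEY-1": hash_password("greeneggs")})   # constructed sample data
    bob = Player("Bob", "KEY-1")
    print(gate.on_client_enter(bob, 0.0))
    print(gate.on_player_chat(bob, "!password wrongpass"))
    print(gate.on_player_chat(bob, "!password greeneggs"))
    print(gate.apply_password_hold(bob, 10.0))
```

The hold and the chat handler share one piece of state (`pc.held`), which is what lets the entry script poll every 5 seconds while the chat event does the actual check; in NWNX terms the same thing is achieved with a local variable on the PC object.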


Legacy_ehye_khandee

  • Hero Member
  • *****
  • Posts: 1415
  • Karma: +0/-0
Server Security
« Reply #32 on: April 11, 2014, 06:23:31 pm »

Funky,


 


Stop, man.


Please, this is already getting bad. 



 

We all know it is you who is writing posts, stop putting "Funky" at the end. 

White Tiger,


It is possible you do not understand the nature or history of 'signatures' but they exist, and are a feature of the forum. You would do well not to oppose others who are merely using the system as intended. Some might think it senseless bashing.


 


Be well. Game on.


GM_ODA


 


(I don't recall if I setup my auto sig here so bear with me if you get the above lines twice, it's been a while)


Legacy_FunkySwerve

  • Hero Member
  • *****
  • Posts: 2325
  • Karma: +0/-0
Server Security
« Reply #33 on: April 11, 2014, 10:31:39 pm »

White Tiger,


It is possible you do not understand the nature or history of 'signatures' but they exist, and are a feature of the forum. You would do well not to oppose others who are merely using the system as intended. Some might think it senseless bashing.


 


Be well. Game on.


GM_ODA


 


(I don't recall if I setup my auto sig here so bear with me if you get the above lines twice, it's been a while)




Heh, thanks for the defense. In point of fact, though, that's not a part of my signature. I still sign my forum posts as I do any piece of communication, email or otherwise, just as I do in my professional life. I think it's useful to remember that you're putting your name (or pseudonym, as the case may be) to what you say. And, as you say, signatures, be they auto-placed or otherwise, have a long and distinguished history, in part for that very reason. I'll spare everyone a lecture on the legal significance of a signature in other settings.


 


Back on point: I've often considered a passwording system to supplement the cd key one, but the chat event involvement is problematic. I tend to suspect that most people are using either a NWNX-based scriptset, or the bioware event, already, adding one more snarl to a simple posting. Still, though, I'm willing to try at some point down the road, if there's enough interest.


 


Funky


Legacy_WhiteTiger

  • Hero Member
  • *****
  • Posts: 889
  • Karma: +0/-0
Server Security
« Reply #34 on: April 11, 2014, 11:02:29 pm »


White Tiger,


It is possible you do not understand the nature or history of 'signatures' but they exist, and are a feature of the forum. You would do well not to oppose others who are merely using the system as intended. Some might think it senseless bashing.


 


Be well. Game on.


GM_ODA


 


(I don't recall if I setup my auto sig here so bear with me if you get the above lines twice, it's been a while)




 


Dear ehye_khandee,


 


The signature that belongs to him is not "Funky".


He set up his signature with this:


 



Higher Ground - Action Packed Challenging Party Play Persistent World


Check out the Forums | Wiki | Server Status and follow us on Twitter and Facebook!

 


It's ridiculous that you enter this story. Thankfully, not all people do it; they read and ignore, because they are interested in the script content you have here.


I'm too busy a person to say more about it here; I hope you understand it best.



Legacy_leo_x

  • Sr. Member
  • ****
  • Posts: 403
  • Karma: +0/-0
Server Security
« Reply #35 on: April 11, 2014, 11:08:03 pm »


I pondered for a bit whether or not one could password protect a server and then use nwnx to tie the actual input to individual accounts rather than the server.  Never followed up on it, but it might be an idea...  I'm not likely to.  Players could use the command line in that case (right?).


 


In lieu of that and no CDKEYS, I think a session based system might work ok.  I.e. if you log in within X minutes of a logout with the same IP address, you needn't re-enter a password.  Part of me likes a password/no cdkey thing, but if multiple people are accessing the same account/vault/character I'd guess the result would be pure disaster.  Edit: Oops, don't think that can ever happen concurrently.


Modified by leo_x, 12 April 2014 - 10:57.

Legacy_WhiteTiger

  • Hero Member
  • *****
  • Posts: 889
  • Karma: +0/-0
Server Security
« Reply #36 on: April 11, 2014, 11:12:49 pm »

by leo_x


 


if you log in within X minutes of a logout with the same IP address, you needn't re-enter a password.



 


good idea, maybe I'll use that in my server


Legacy_FunkySwerve

  • Hero Member
  • *****
  • Posts: 2325
  • Karma: +0/-0
Server Security
« Reply #37 on: April 13, 2014, 01:02:55 am »


I pondered for a bit whether or not one could password protect a server and then use nwnx to tie the actual input to individual accounts rather than the server.  Never followed up on it, but it might be an idea...  I'm not likely to.  Players could use the command line in that case (right?).


 


In lieu of that and no CDKEYS, I think a session based system might work ok.  I.e. if you log in within X minutes of a logout with the same IP address, you needn't re-enter a password.  Part of me likes a password/no cdkey thing, but if multiple people are accessing the same account/vault/character I'd guess the result would be pure disaster.  Edit: Oops, don't think that can ever happen concurrently.




It can happen, if you use a shared vault with more than one instance, like we do. [Edit] The problems I'm referring to have only occurred since the master server went dark, because someone can now sign into the same account more than once simultaneously. [/Edit] In that scenario, linking cd key to login is absolutely critical to prevent oodles of different problems. We coordinate logins across servers with MySQL:


http://pastebin.com/RRYdZrgP


 


As for the command line idea, I don't know enough to say. Your knowledge greatly exceeds mine in that department.


 


Funky


Legacy_leo_x

  • Sr. Member
  • ****
  • Posts: 403
  • Karma: +0/-0
Server Security
« Reply #38 on: April 13, 2014, 09:21:45 am »


Ah, I didn't even think of that scenario.


 


I looked into it a bit, but I don't think it's probably worth the trouble over a chat password system.  It would be nice in some ways though; one could store their password in an external launcher and never have to futz with it again.


 


Edit: It just occurred to me nwnx_connect could probably be expanded to have a password message... Maybe ShadoOoW/Virusman would be interested?  Those without NWNCX would still have to have a password method though.


Modified by leo_x, 13 April 2014 - 01:26.

Legacy_Shadooow

  • Hero Member
  • *****
  • Posts: 7698
  • Karma: +0/-0
Server Security
« Reply #39 on: April 14, 2014, 09:56:29 am »


Edit: It just occurred to me nwnx_connect could probably be expanded to have a password message... Maybe ShadoOoW/Virusman would be interested?  Those without NWNCX would still have to have a password method though.




This thread already made me think about a more hardcoded password way. I think it could be done without NWNCX, just server-side, but I haven't investigated yet and won't in the near future - too much unfinished business, and I now also have a homam4 map to play.


Legacy_Vincent07

  • Jr. Member
  • **
  • Posts: 77
  • Karma: +0/-0
Server Security
« Reply #40 on: April 15, 2014, 01:30:32 am »


On the subject of multiple server instances, we do that too. All of our dungeons are on a different server.  How would one go about stopping dual logins these days?


 


Ideally I'd like to also alter my tracking command to list PCs on both instances,  but have not figured that out yet.   I really need to learn more about using SQLite.


Legacy_FunkySwerve

  • Hero Member
  • *****
  • Posts: 2325
  • Karma: +0/-0
Server Security
« Reply #41 on: April 15, 2014, 04:55:06 am »


On the subject of multiple server instances, we do that too. All of our dungeons are on a different server.  How would one go about stopping dual logins these days?


 


Ideally I'd like to also alter my tracking command to list PCs on both instances,  but have not figured that out yet.   I really need to learn more about using SQLite.




Using the database table I posted, here's our double login function:


 


http://pastebin.com/AK7uHLrw


 


Here's hg_client_inc, the include it relies on:


 


http://pastebin.com/tfmj33iV


 


As you can see, that's a much more robust implementation. All you really need to do is store ids on login, check them out when they leave, and check for hung servers so players aren't locked out until someone resets. More detail than that you can get into, to a degree, based on your comfort level. Just use the double login function as a baseline, trimming it down to bare bones if you like.


 


Funky
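An added example (Python, with an in-memory SQLite table standing in for the MySQL table the post references; this is not the hg_client_inc or double-login code from the pastebins) of the three steps this post lists, plus leo_x's same-IP grace window from Reply #35: store an id on login, remove it on leave, and treat an instance with no recent heartbeat as hung so its stale rows don't lock players out until someone resets. The schema, the `servers`/`sessions`/`logouts` table names, the 120-second hung timeout and the 10-minute grace window are all assumptions. The double-login check rides on the table's primary key rather than a SELECT-then-INSERT, so two instances racing on the same CD key cannot both win.

```python
import sqlite3

HUNG_TIMEOUT = 120.0    # assumed: no heartbeat for this long => instance treated as hung
GRACE_SECONDS = 600.0   # assumed value for leo_x's "X minutes" password-free re-login window

# Assumed schema; in production this is the shared MySQL database, not SQLite.
SCHEMA = """
CREATE TABLE servers  (server_id TEXT PRIMARY KEY, heartbeat REAL NOT NULL);
CREATE TABLE sessions (cdkey TEXT PRIMARY KEY, server_id TEXT NOT NULL,
                       ip TEXT NOT NULL, login_at REAL NOT NULL);
CREATE TABLE logouts  (cdkey TEXT PRIMARY KEY, ip TEXT NOT NULL, logout_at REAL NOT NULL);
"""


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def heartbeat(conn, server_id, now):
    """Each instance stamps its own row periodically (e.g. from a module heartbeat)."""
    conn.execute("INSERT OR REPLACE INTO servers(server_id, heartbeat) VALUES (?, ?)",
                 (server_id, now))
    conn.commit()


def purge_hung_sessions(conn, now):
    """Drop session rows owned by instances with no recent heartbeat, so a crashed
    instance does not hold its players' CD keys hostage. Returns rows removed."""
    cur = conn.execute(
        "DELETE FROM sessions WHERE server_id NOT IN "
        "(SELECT server_id FROM servers WHERE heartbeat >= ?)",
        (now - HUNG_TIMEOUT,))
    conn.commit()
    return cur.rowcount


def on_login(conn, server_id, cdkey, ip, now):
    """OnClientEnter: claim the CD key for this instance. Returns 'OK' or 'DOUBLE_LOGIN'."""
    heartbeat(conn, server_id, now)
    purge_hung_sessions(conn, now)
    try:
        # The PRIMARY KEY on cdkey makes the claim atomic: no check-then-insert race
        # between two instances that both see "no row" and both insert.
        conn.execute("INSERT INTO sessions(cdkey, server_id, ip, login_at) VALUES (?, ?, ?, ?)",
                     (cdkey, server_id, ip, now))
        conn.commit()
    except sqlite3.IntegrityError:
        conn.rollback()
        return "DOUBLE_LOGIN"   # key is live on another, non-hung instance: boot this client
    return "OK"


def on_logout(conn, server_id, cdkey, ip, now):
    """OnClientLeave: release the key, but only the row this instance owns, so a late
    leave event on one server can never wipe a live session on another.
    Returns True if a session was actually released."""
    cur = conn.execute("DELETE FROM sessions WHERE cdkey = ? AND server_id = ?",
                       (cdkey, server_id))
    released = cur.rowcount == 1
    if released:
        conn.execute("INSERT OR REPLACE INTO logouts(cdkey, ip, logout_at) VALUES (?, ?, ?)",
                     (cdkey, ip, now))
    conn.commit()
    return released


def needs_password(conn, cdkey, ip, now):
    """leo_x's idea: skip the password if the same key logged out from the same IP
    within the grace window. Everything else still requires it."""
    row = conn.execute("SELECT ip, logout_at FROM logouts WHERE cdkey = ?", (cdkey,)).fetchone()
    if row is None:
        return True
    last_ip, logout_at = row
    return not (last_ip == ip and 0.0 <= now - logout_at <= GRACE_SECONDS)


if __name__ == "__main__":
    db = new_db()   # constructed sample run: two instances, one CD key
    print(on_login(db, "main", "KEY-1", "10.0.0.1", 100.0))        # OK
    print(on_login(db, "dungeon", "KEY-1", "10.0.0.1", 105.0))     # DOUBLE_LOGIN
    print(on_logout(db, "main", "KEY-1", "10.0.0.1", 150.0))       # True
    print(needs_password(db, "KEY-1", "10.0.0.1", 200.0))          # False
```

Two caveats worth keeping in mind if you adapt this. The hung-server purge is what prevents the lockout Funky mentions, but it also means a wedged instance that keeps stamping heartbeats will still block its players; tie the heartbeat to something that actually fails when the server stops processing events. And the same-IP grace is a convenience, not an authenticator: everyone behind one NAT gateway shares an address, so it should only ever waive the password, never the CD-key check.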


Legacy_meaglyn

  • Hero Member
  • *****
  • Posts: 1451
  • Karma: +0/-0
Server Security
« Reply #42 on: April 16, 2014, 02:24:12 am »


@funky, this seems to be a replacement for the multiple CDkey system you had about a year ago, yes?



Legacy_FunkySwerve

  • Hero Member
  • *****
  • Posts: 2325
  • Karma: +0/-0
Server Security
« Reply #43 on: April 16, 2014, 04:44:27 am »


No, we use both. That database tracks all kinds of things for users, logging them going back 48 hours. CD keys are stored permanently. In fact, we still use the pwdata table for it, and SIMTools bans, simply because most of our other stuff is held in custom tables, so there's not much issue concerning table bloat and long query times.


 


Funky


Legacy_meaglyn

  • Hero Member
  • *****
  • Posts: 1451
  • Karma: +0/-0
Server Security
« Reply #44 on: April 16, 2014, 02:23:53 pm »


No, we use both. That database tracks all kinds of things for users, logging them going back 48 hours. CD keys are stored permanently. In fact, we still use the pwdata table for it, and SIMTools bans, simply because most of our other stuff is held in custom tables, so there's not much issue concerning table bloat and long query times.




 


The pastebin for what the password table looks like is missing so I wasn't sure. It looks like you are just doing a password to cdkey mapping rather than tying the password to the player name. So if a player has several keys she needs to change/set the password on each key. Do you do this check before or after the previously mentioned cdkey check? I assume you do that other one first.


 


btw, thanks for sharing your wisdom and experience with this and all the other stuff.  Digging out all those code snippets takes time.


 


meaglyn