    Author Topic: Keeping your server secure  (Read 4558 times)


    lare69
    Keeping your server secure
    « on: January 13, 2014, 05:47:06 PM »
    I'm not by any means an expert on this subject, so if anything is wrong or poorly explained feel free to make a post below and I'll fix it up :o

    I added a tl;dr in bolded red at the end of each section in case you don't feel like reading.

     


    Table of Contents

    1. Why should I read this or care?
    2. Why is the 'whatever works' logic extremely flawed?
    3. What is a socket flooder and how can I protect against it?
    4. Why is RSA important?
    5. What is packet injection and how can I protect against it?
    6. Conclusion




    Why should I read this or care?

    Good question. You wake up after a long hard night working on your server. You go to your computer to check on your players to see if they are satisfied, and you come to find out that while you were sleeping the server had been crashed multiple times by a socket flooder, players had been duping items using cheat engine, and that accounts were somehow being hacked? So obviously, like any other wL user, you go and cry to your mom about how someone is hacking your 'rsps' that you 'worked so hard on' and 'made from scratch'.

    I'm just kidding. :)

    But seriously, you should really read this if you have time to ensure that your server is well-protected against people who have malicious intent. There are a lot of viable opportunities for people who know a lot more about the rs2 protocol than you do to exploit your crappy code.

    And how? Read on to find out.


    Summary: Read this tutorial because it's way too easy for someone like me (I'm at an average level) to take advantage of your server.





    Why is the 'whatever works' logic extremely flawed?

    A lot of the time in many RuneScape private server communities (especially rune-server) you'll see a member post a tutorial with code and you'll see someone else propose a better way of writing the code in the tutorial. Often, you'll see the member reply "well it works so why does it matter?". I'm not implying that every single time someone corrects your code it's because it relates to this, because the person trying to help can be referring to the tidiness or design, or whatever else. But, take for example this analogy:

    "Doesn't matter how we make the house, as long as it holds, it holds."

    This is how utterly stupid you sound when you say this to someone who is familiar with programming. Why? What about the different seasons? Natural disasters? You have to build a house with all that stuff in mind, just in case.

    ... it's the exact same way with rsps programming! You have to write your code with all of the possible exploitations that people can come up with in the back of your mind, so if by chance someone does try to exploit your code in the future, they can't!


    Summary: Think of programming as building a house, your code has to be safe against exploitation from people who may be much more knowledgeable than you. 'Whatever works' isn't going to cut it.





    What is a socket flooder and how can I protect against it?

    Everyone is familiar with socket flooders (Runerebels is a very popular one), and thankfully most servers have some sort of protection from them. So what's the problem?

    • Not all servers have protection
    • Many servers don't have good protection

    The way almost all wL based servers protect from socket flooders really isn't the best, and that leaves opportunity for exploitation (especially Deltascape holy shit the protection is horrible). I'm not going to tell you how to fix or add it in depth because I wouldn't have enough space, but I am going to tell you what some appropriate methods are.

    One good way is to hold a hashmap with the host as the key and the number of connections as the value. This way, you can easily manage which hosts have whatever amount of connections and reject hosts who have too many (until they reduce their connections to below the limit). The host should be removed from the map when it does not have any more existing sessions with the server (the last client he had logged on was disconnected).

    Another good way that should be used along with the above method is to limit the amount of connections your server takes from a certain host per second. If the user is trying to connect more than, say, 1 time per second, the host is rejected until one second has finished passing.


    Summary: Make sure the host can only have a certain amount of client -> server sessions active at one time and make sure the host can only connect a certain amount of times per second or so to protect your server from socket flooders.




    Why is RSA important?

    Instead of me explaining it (which you know I'm bad at), there was a post made about it on rune-server that I thought explained it very well so I'll quote it. Credits to Nikki and Supah Fly for this section :)

    Quote
    Not sure if this has been covered before. I kind of doubt it, though.

    As you all are probably aware of, by default, RSA is disabled. This isn't very secure but it is what it is. You might be saying now, "well, we have our random number generator," but let's be real, it's not that great.

    Let's set up the scenario. Player is the person trying to play, and Haxr is the person trying to hurt Player. Server is the server.

    Code:
    Player loads client
    Haxr loads packet sniffer
    Player enters login details and logs in
    Haxr now has the username, password, and client/server seeds for ISAAC
    [NOTE: Haxr can use any packet to disconnect the client but he wants to do it right!]
    Server uses the idle logout packet to determine when people are idle
    Haxr sends idle logout packet, and server logs them out
    Haxr quickly logs in to the server and keeps Player from accessing their account

    As you can see, ISAAC can't protect from this. It's one packet. No matter what, the server will disconnect the client because the randomly generated numbers are out of sync or the idle logout packet successfully was read and the server logged the player out. Now, with Player logged out, Haxr is free to do whatever he pleases. ISAAC is only meant to stop a third party from doing packet injection, not the Player. It's important to note that there are "protections" against this in the client, but that only worked when we didn't know anything about the client. They're useless now. Also note that once Haxr gets the username and password, he can inject literally any data he wants to get the server to disconnect Player. All that being said, I've never known of anyone get packet sniffed, though. So that's a lower priority problem tbqh.

    There are a number of other rather useless things in the client due to all the open source stuff and publicly available documentation on packets.

    Random byte alterations (method424 - method440 in Stream)
    Random data packets (77, 165, 226, 246)


    The reason for these being useless is because we can read any packet we want because we understand the source. I just removed these because they make writing servers harder for no conceivable reason. We don't even use the random data packets for anything. In fact, removing the random byte alterations makes servers that don't use them secure for the moment because all the cheat clients and player bombers use the old way.

    All that being said, there is no such thing as security in the 317 client by default. RSA encrypting the login block would be the only way for credentials to be kind of secure. The way to make the protocol secure is to change everything and use really good obfuscators to make it impossible for any client other than your own to connect.

    The only realistic thing, though, is to make sure the credentials are secure. All the other stuff doesn't matter because if the server is written right, it won't need to protect from cheat clients spawning objects and opening bank in random places.
    You can find a tutorial for enabling RSA here.


    Summary: Enable RSA so people can't sniff usernames and passwords.




    What is packet injection and how can I protect against it?

    Packet injection is basically what the name implies... injecting fake packets with fake data for the server to read. What can be accomplished with packet injection and exploitable code is people on your server running around spawning party hats and picking them up, spawning banks and using them in the wilderness, etc.

    And how do you protect against this? It's different for each scenario, but let's think of a simple, easy to explain example: global items. We are going to examine a cheat engine hacker on two different servers.

    • Server with exploitable code
    Code:
    blackman8192 logs in

    blackman8192 drops a bronze scimitar

    [CLIENT: Spawn item for player]

    *blackman8192 takes out cheat engine and uses it to change the bronze scimitar to a blue party hat*

    blackman8192 picks up the bronze scimitar which upon entering his inventory turns into a blue party hat

    [SERVER: Add item to his inventory] // We are not even checking if the item is valid!!!

    blackman8192 does this multiple times and ruins the economy

    • Server without exploitable code

    Code:
    blackman8192 logs in

    blackman8192 drops a bronze scimitar

    [SERVER: Register 'bronze_scimitar:1:3095:3333:blackman8192' as a global item]

    [CLIENT: Spawn item for player]

    *blackman8192 takes out cheat engine and uses it to change the bronze scimitar to a blue party hat*

    blackman8192 attempts to pick up the item

    [SERVER: Checking for global item 'blue_partyhat:1:3095:3333:blackman8192']

    [SERVER: DENIED! Item does not exist!] // Success! He cannot do this because there is no party hat in the database.

    blackman8192 realizes this server wasn't made by a retard and leaves

      This, my friends (the second example), is called packet validation. Packet validation is once again exactly what the name implies: validating packets. Making sure the data within these packets is legit before utilizing it.

      Another analogy: If you were an important figure, would you open a package you got in the mail? Hell no, of course not. You would have people open it carefully for you, and make sure nothing sketchy is inside. The same concept applies here.

      This is a very common exploit in wL based servers... that isn't very hard to fix.


      Summary: Do not trust any data sent from the client! Validate that the data is legit before doing anything with it.





      Conclusion

      I know there are more methods of exploiting servers that I missed but I tackled the big ones and I hope you learned something today anyway.
      « Last Edit: August 13, 2014, 01:36:41 AM by Davidi2 »
      hi. check out luna:)
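
The two socket-flooder defences from the first post (a per-host session count kept in a map, plus a minimum interval between connects), as an added Java example that is not the poster's code or any server base's. Class and method names are hypothetical, and one detail goes beyond the post: a host with no sessions left stays in the map until its rate window has passed, so disconnecting does not reset the rate limit.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Per-host throttle: caps concurrent sessions and how often a host may connect. */
public final class ConnectionThrottle {
    private static final class HostState { // only touched inside compute(), which is atomic per key
        int active;            // sessions currently open from this host
        long lastAcceptMillis; // when the most recent connection was accepted
    }

    private final Map<String, HostState> hosts = new ConcurrentHashMap<>();
    private final int maxActive;
    private final long minIntervalMillis;

    public ConnectionThrottle(int maxActive, long minIntervalMillis) {
        this.maxActive = maxActive;
        this.minIntervalMillis = minIntervalMillis;
    }

    /** Call on accept, before reading any login data. Returns false if the socket should be closed. */
    public boolean tryAccept(String host, long nowMillis) {
        boolean[] accepted = {false};
        hosts.compute(host, (h, s) -> {
            if (s == null) {
                s = new HostState();
            } else if (s.active >= maxActive || nowMillis - s.lastAcceptMillis < minIntervalMillis) {
                return s; // too many sessions or connecting too fast: reject, state unchanged
            }
            s.active++;
            s.lastAcceptMillis = nowMillis;
            accepted[0] = true;
            return s;
        });
        return accepted[0];
    }

    /** Call once for every accepted session when its connection closes. */
    public void release(String host, long nowMillis) {
        hosts.computeIfPresent(host, (h, s) -> {
            s.active = Math.max(0, s.active - 1);
            return idle(s, nowMillis) ? null : s; // returning null removes the host from the map
        });
    }

    /** Run periodically: drops hosts that were kept only so their rate window stayed enforceable. */
    public void purgeIdle(long nowMillis) {
        hosts.keySet().forEach(host -> hosts.computeIfPresent(host, (h, s) -> idle(s, nowMillis) ? null : s));
    }

    private boolean idle(HostState s, long nowMillis) {
        return s.active == 0 && nowMillis - s.lastAcceptMillis >= minIntervalMillis;
    }

    public static void main(String[] args) {
        ConnectionThrottle t = new ConnectionThrottle(2, 1000); // 2 sessions, 1 connect per 1000 ms
        String host = "203.0.113.7"; // constructed timeline for one documentation address
        for (long now : new long[] {0, 200, 1000, 2500}) {
            System.out.println(now + " ms connect accepted: " + t.tryAccept(host, now));
        }
        t.release(host, 2600); // one session closes, freeing a slot
        System.out.println("2700 ms connect accepted: " + t.tryAccept(host, 2700));
    }
}
```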

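
The packet validation from the "server without exploitable code" walkthrough in the first post, as an added Java example (not code from the post or from any server base). Names are hypothetical, the item ids and player name are constructed, a single-threaded game loop is assumed, and the tile check goes one step beyond the post's item check.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

/** Server-side record of items on the ground; a pickup packet is only a request against it. */
public final class GroundItems {
    /** Identity of a dropped stack: item, tile and the player it belongs to (record: Java 16+). */
    record Key(int itemId, int x, int y, String owner) {}

    private final Map<Key, Integer> amounts = new HashMap<>();

    /** Called by the drop handler once the item has left the player's inventory. */
    public void register(int itemId, int amount, int x, int y, String owner) {
        amounts.merge(new Key(itemId, x, y, owner), amount, Integer::sum);
    }

    /**
     * Handles a pickup request. itemId, x and y come from the client packet and are untrusted;
     * player, playerX and playerY are the server's own state for the session that sent it.
     * Returns the amount to add to the inventory, or empty if the request is denied.
     */
    public Optional<Integer> pickup(String player, int playerX, int playerY, int itemId, int x, int y) {
        if (playerX != x || playerY != y) {
            return Optional.empty(); // the player is not standing on the tile named in the packet
        }
        // remove() checks and takes in one step, so a repeated packet finds nothing the second time.
        // The amount comes from the server's record, never from the packet.
        return Optional.ofNullable(amounts.remove(new Key(itemId, x, y, player)));
    }

    public static void main(String[] args) {
        final int bronzeScimitar = 1321, bluePartyhat = 1042; // item ids used for illustration
        GroundItems ground = new GroundItems();
        ground.register(bronzeScimitar, 1, 3095, 3333, "player1"); // constructed player name

        // The client was edited to show a party hat, so the pickup packet names the wrong item.
        System.out.println("edited id: " + ground.pickup("player1", 3095, 3333, bluePartyhat, 3095, 3333));
        // An honest packet for the item that was really dropped.
        System.out.println("real id:   " + ground.pickup("player1", 3095, 3333, bronzeScimitar, 3095, 3333));
        // The same packet sent again after the item is gone.
        System.out.println("replayed:  " + ground.pickup("player1", 3095, 3333, bronzeScimitar, 3095, 3333));
    }
}
```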

      Int Bauk
      Re: protecting your stupid piece of shit servers
      « Reply #1 on: January 14, 2014, 02:49:47 PM »
      nikki gave a basic outline of RSA, but thanks for the in-depth version. sure it will help people.

      if anyone is using RSA, i've implemented it with netty instead of mina.


      lare69
      Re: protecting your stupid piece of shit servers
      « Reply #2 on: January 14, 2014, 04:08:24 PM »
      Quote from: Int Bauk
          nikki gave a basic outline of RSA, but thanks for the in-depth version. sure it will help people.

          if anyone is using RSA, i've implemented it with netty instead of mina.

      should help people who want to keep their servers secure :)
      hi. check out luna:)


      Dan0194
      Re: Keeping your server secure
      « Reply #3 on: January 14, 2014, 05:38:24 PM »
      This will help a lot of people thx :D
      lol who told you winterLove had bad codes
      Smart man.
      if you read this your a fagit

      enzo42
      Re: Keeping your server secure
      « Reply #4 on: January 14, 2014, 07:04:39 PM »
      Quote
      blackman8192 realizes this server wasn't made by a retard and leaves
      Lol had a good laugh.

      A good, well written guide as usual.

      Good job Clawz

      artem543
      Re: Keeping your server secure
      « Reply #5 on: January 14, 2014, 10:09:37 PM »
      Nice explanation thread bud.

      kronikz
      Re: Keeping your server secure
      « Reply #6 on: January 15, 2014, 04:40:46 PM »
      Very cool, skimmed through it but it looks cool. Another nice tutorial, nice job.
      I'm back for now :3

      Limits
      Re: Keeping your server secure
      « Reply #7 on: January 15, 2014, 09:53:06 PM »
      Cool man, that Item pickup thing was interesting.

      lare69
      Re: Keeping your server secure
      « Reply #8 on: January 25, 2014, 07:56:36 PM »
      bump
      hi. check out luna:)

      Fox2007
      Re: Keeping your server secure
      « Reply #9 on: February 02, 2014, 09:29:56 PM »
      This information is actually very helpful. I've seen not too many servers with any kind of validation whatsoever (even up to 718 and higher) and you can use cheatengine to do just about anything. Hopefully the newbs and pros will read this and benefit from it. Thanks for the contribution
      Foxtrot Studios - The next generation of java and web-development

      CoderOops
      Re: Keeping your server secure
      « Reply #10 on: February 04, 2014, 05:41:27 AM »
      Server's has been hacked by Lenard lately, because he has found securityhole from smf forums :l...
      He just takes all source files.
      Whatever we do is worng, even breathing and sleeping ~~ Welcome to Haters island!

      Yo bro, "Wrong" is spelt wrong in your sig., just letting you know.

      lare69
      Re: Keeping your server secure
      « Reply #11 on: February 04, 2014, 06:33:46 AM »
      Quote from: CoderOops
          Server's has been hacked by Lenard lately, because he has found securityhole from smf forums :l...
          He just takes all source files.

      ... what lol
      hi. check out luna:)

      xXSh0ckXx
      Re: Keeping your server secure
      « Reply #12 on: February 04, 2014, 08:35:49 AM »
      Respect.. This made me cry..
      « Last Edit: February 09, 2014, 02:47:19 PM by xXSh0ckXx »
      Drop me a pm.

      They got money for wars, but can't feed the poors. - Tupac Shakur
      Old, but Gold.

      Pure_
      Re: Keeping your server secure
      « Reply #13 on: February 04, 2014, 10:07:57 AM »
      Quote from: lare69
          Quote from: CoderOops
              Server's has been hacked by Lenard lately, because he has found securityhole from smf forums :l...
              He just takes all source files.
          ... what lol

      Your forum security has little to do with the game's security, assuming you aren't linking accounts between the two using MySQL. If you want security against an XSS attack, SQL injection or the likes you might want to read up more on that separately from this thread.

      As for OP these are basic concepts, I don't see why people are so surprised.
      i won the forum

      lare69
      Re: Keeping your server secure
      « Reply #14 on: February 04, 2014, 11:37:11 AM »
      Quote from: Pure_
          As for OP these are basic concepts, I don't see why people are so surprised.

      They just don't know any better. If thomas hadn't explained this to me way back when I was just starting out I wouldn't have known until I got really familiar with the protocol. So I made this informative tutorial for the same reason :)

      although with that said there's a lot more to do to keep your server completely secure. obfuscating the client code and encrypting passwords would help out as well
      hi. check out luna:)

      Pure_
      Re: Keeping your server secure
      « Reply #15 on: February 04, 2014, 11:41:06 AM »
      Quote from: lare69
          Quote from: Pure_
              As for OP these are basic concepts, I don't see why people are so surprised.
          They just don't know any better. If thomas hadn't explained this to me way back when I was just starting out I wouldn't have known until I got really familiar with the protocol. So I made this informative tutorial for the same reason :)

          although with that said there's a lot more to do to keep your server completely secure. obfuscating the client code and encrypting passwords would help out as well

      Encrypting the passwords would only protect you from packet sniffing (if you encrypt client-side) or if somebody gains access to your character files. Obfuscating the client is a waste of time, Jagex tried and look where it got them (not saying it's completely useless though). That said, most of the security concepts are common sense.
      i won the forum

      Sessy Pk3r
      Re: Keeping your server secure
      « Reply #16 on: February 07, 2014, 10:28:44 AM »
      Quote from: Pure_
          most of the security concepts are common sense.

      Because people keep releasing their methods :palm:

      lare69
      Re: Keeping your server secure
      « Reply #17 on: February 07, 2014, 01:24:19 PM »
      Quote from: Pure_
          most of the security concepts are common sense.

      to you yes because you aren't an idiot and you're familiar with the protocol but think of someone who's relatively new and hasn't had any experience with any sort of game development
      hi. check out luna:)

      matzie
      Re: Keeping your server secure
      « Reply #18 on: February 08, 2014, 06:52:28 PM »
      RSA will still not protect you from reflection clients. Nor will obfuscation.
      I will not reveal my methods but still hopeless (: botting is botting, period lol.
      The best thing you could add is an anti-bot mechanism that is more than an interface.
      Quote from: Justin Bieber
      Also, I don't know how other people feel about this but personally I really dislike having to interact with community staff since they're usually kids with a pumped up sense of authority.
      Who its by XD

      MyNameIsDylan
      Re: Keeping your server secure
      « Reply #19 on: February 15, 2014, 06:34:48 PM »
      Haha, great post. Everything you stated was true. This taught me a lot as well. Thanks!
      Classic RSPS, to be released soon! Bringing back the old day's.

       

      Copyright © 2017 MoparScape. All rights reserved.