
Idea to make Hacking Impossible

This is a discussion on Idea to make Hacking Impossible within the General Chat forums, part of the Knight Online (ko4life.com) category.


  1. #31
     Devile (h4x0r Admin)
     Join Date: Mar 2006
     Posts: 2,554

    Originally posted by Festo:
    YOU CORRUPT BASTARD! btw ian is back in the KO section ^_^
    He keeps me blocked on MSN, same as Alex, so I guess nothing has changed.

    Originally posted by __countess__:
    By locally I mean from hosts on the same subnet. By altering this line you just refuse remote connections to the database. All the applications on the servers on the same subnet that have access to the specific database will keep working.
    You said 127.0.0.1, which is just the same box. Said nothing about specific access. Anyway, that's how it is AFAIK.

    I think K2 made a mistake with the Cypher server, where the DB was prolly on the same server or not restricted, letting ppl modify it at will. For example my GM account was 11 chars long and completely unrelated to the character name (Kenjuro_Orc), yet they managed to find the accountid and password. In all my time as a GM, I never shared any of my accountids or even gave bits of info about them. How the hell did they manage to hack that one but not the other ones? It was well known that hackers could edit the Cypher DB but not Ares, Diez, etc. Sure, later on there were other bugs on the web that let ppl SQL inject, but the Cypher case was different.

    What I know is that it has been secured now and the topology you propose is what they use. It's a pretty common scenario. What they lack is a director, a manager with experience in ALL these subjects who organizes the whole circus and makes it work efficiently. Start making procedures for everything, create a solid organization, priorities, clear communication channels, etc. If you don't have all these, they will always complain about lack of resources. Obviously there's a lack of resources if everything is a mess.

  2. #32
     Senior Member
     Join Date: Mar 2006
     Posts: 1,554

    Originally posted by __countess__:
    What needs to be done is so simple, yet they don't do it.

    First of all, make their DB server listen only on localhost. And since I'm pretty sure they use MySQL (yeah, I know) I'll just post a one-line solution for that.

    Edit your config file for MySQL, and add or edit this line:

    bind-address = 127.0.0.1 <-- make it look like this, restart the DB daemon, it's easy.

    Add rules to your firewall that deny every single connection from a remote host to your database server. So the database server will only be available from your local subnet(s). I'd really like to see how they're gonna SQL inject now.

    Create a new DB on a new box, use that for your totally insecure forums. Who cares if his forum account gets hacked.

    You wanna change the topology of your network? Even better... you could just add a couple of tiers so you can give the hackers a hard time. You can add a back-end tier (be-net); here goes the DB server/app server etc. Then you can add a front-end tier (fe-net); here goes any load-balancing software you might have, your firewall(s), etc. And then you can add your i-net tier; here goes all the services/daemons etc. that remote users should have access to. Of course i-net can only communicate with fe-net and fe-net can communicate with be-net. Since only fe-net can communicate with be-net, make sure your fe-net is as secure as it can be, allowing only access to specific IPs (local IPs) and ports. And of course, on the be-net, deny all access except any requests that are coming from fe-net.

    Finally, you want to manually access the DB server? Add an Enigma Card authentication system: the system gives you a token every time you wanna log in, you put that on your Enigma card, it generates a one-time password every time and you log in with that. To do that of course, you might wanna consider migrating from Win 2k3 to a Unix(-like) OS.

    These are the most common security measures that most companies with on-line services use. And no, it's not that expensive :-/


    So many servers in 1 PC? Nah.

    About SQL injection, the only way to protect from this is to not have a hole in your website.
    The site has to get into the login server so it can actually read your acc id & pw and check if they are the good ones or not.
    So SQL injection is a "bug" that allows you to do other queries via a site already connected to the database.
    Limiting it to 127.0.0.1 won't change anything; when you SQL inject, it's the site that injects into the DB, not "you" (even if you're the one asking for it, it's still the site doing it).

    About migrating to Unix, I don't think it's possible because it's not K2 who makes the files but MGAME, so it's not K2's fault here (but K2 still sucks, dw about that :wub: ), so the only way with Unix would be Wine (or similar) and that would be stupid (would take too much CPU, if it's still the same system).

    About the PW changing every time, how will your game server connect to the DB then? :mellow:

    Anyway there are many more easy solutions to ban all the koxp users, but I can't post them here yet or they will fix it (koxp creators).
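An added example (not code from either poster) of the point made in the reply above: the database only ever sees queries arriving over the web site's own local connection, so bind-address and firewall rules do not stop injection through a login form; fixing the query is what does. A SQLite in-memory table stands in for the login DB, and the schema and values are constructed assumptions.

```python
import sqlite3

def make_db():
    # Constructed stand-in for the game's login database (assumed schema).
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE accounts (accountid TEXT PRIMARY KEY, password TEXT)")
    con.execute("INSERT INTO accounts VALUES ('gm_account_01', 'correct-horse')")
    con.commit()
    return con

def login_vulnerable(con, accountid, password):
    # The site splices form input straight into SQL. The DB sees one query
    # from the site's localhost connection, so listening only on 127.0.0.1
    # and dropping remote packets changes nothing about what runs here.
    sql = ("SELECT accountid FROM accounts WHERE accountid = '%s' "
           "AND password = '%s'" % (accountid, password))
    return con.execute(sql).fetchone() is not None

def login_parameterized(con, accountid, password):
    # Placeholders keep the input as data; the query structure is fixed by
    # the site, so a quote in the password cannot add a clause.
    sql = "SELECT accountid FROM accounts WHERE accountid = ? AND password = ?"
    return con.execute(sql, (accountid, password)).fetchone() is not None

def demo():
    # Returns the outcome of the same two inputs against both login checks.
    con = make_db()
    bad_pw = "' OR '1'='1"   # constructed textbook injection string
    return {
        "vuln_good": login_vulnerable(con, "gm_account_01", "correct-horse"),
        "vuln_injected": login_vulnerable(con, "gm_account_01", bad_pw),
        "param_good": login_parameterized(con, "gm_account_01", "correct-horse"),
        "param_injected": login_parameterized(con, "gm_account_01", bad_pw),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(name, "login accepted" if ok else "login rejected")
```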
