Changing Server/Service Passwords and General Security

General assistance and guidelines for editing the server side of Soma.


Postby Tiffany » Tue Feb 26, 2008 9:02 am

I was asked a question by someone else and thought I would compile this quick post:
"Is there a way of stopping people hacking the database? A change of passwords on the database creation or patch?"

There are a few things that can be done, but this is by no means an exhaustive list:

Prerequisites, tools required: WinHex or equivalent (WinHex download)

1) Change the db password from soma to another four-char password. However, to make brute-force attacks slower you will need something like z0_á. Then ALL the instances of PWD= in each of the services and the oneperone exe need to be hexed using a hex editor similar to WinHex.
   A ) Choose Password
   B ) Hex 1p1 With the password
   C ) Hex Service Manager with password!
   D ) Hex all Service exe's with the password
   E ) Set Up SQL Security login with password!
   F ) Set Up ODBC with the password!
   G ) Alter the conf.php or your own web services config files

A) Choosing a good password with the current limitations
A word on passwords: more characters would be better, but there are some points in the exe's you can't easily change to more than 4 chars.

The problem with the password is still there of course; with a 4-char one and (26+10+10)^4 [26 alpha, 10 numbers and 10 usable odd chars] this would still take <124 hrs to brute-force (0.1 sec per attempt) [10 hours @ 10 ms per, highly unlikely].

You could also use one of the accented chars like é, which extends the combinations to (26+52+10+10)^4 [26 alpha, 52 foreign alpha, 10 numbers and 10 usable odd chars]. This alters the possible time to 2562 hrs [256 hours @ 10 ms per, which is highly unlikely].
An example is "s0_á"; you can get á by using AltGr + a, or the Alt + keypad number method can be used, e.g. Alt + 200 is È or Alt + 169 is ©.
But be wary: not all characters are allowed in an MSSQL / ODBC connect password.

B ) Hexing 1per1
Run WinHex and open oneperone.exe (or Euro1per1.exe).
Choose Search, Replace Text (or press Ctrl+H), type PWD=soma in the find field and PWD=newpassword in the replace field (make sure the password length does NOT exceed 4 chars).

You should have 2 replacements.
Save Euro1per1.exe and click yes at the "Are you sure you want to overwrite" prompt.

C ) Hexing Service Manager
Open ServiceManager.exe in WinHex.
Choose Search, Replace Text (or press Ctrl+H), type PWD=soma in the find field and PWD=newpassword in the replace field (make sure the password length does NOT exceed 4 chars).
You should have 1 replacement.
Save ServiceManager.exe and click yes at the "Are you sure you want to overwrite" prompt.

D ) Hexing Service Exe's
Open each of the exe's (FileManager, Game, Session, UserManager).
Choose Search, Replace Text (or press Ctrl+H), type PWD=soma in the find field and PWD=newpassword in the replace field (make sure the password length does NOT exceed 4 chars).
FileManager.exe: 0 replacements.
Game.exe: 1 replacement.
Session: 1 replacement.
UserManager: 0 replacements.
Save all the exe's edited and click yes at the "Are you sure you want to overwrite" prompt.

E ) Set Up SQL Security login with password!
Open Enterprise Manager and expand the [+]'s to reveal the Security option, click this item, right-click the soma login user, select Properties and alter the password.

F ) Set Up ODBC with the password!
Click Start -> Control Panel -> Performance and Maintenance -> Administrative Tools and select the Data Sources item (or Start -> Run and copy/paste into the Run dialog: %SystemRoot%\system32\odbcad32.exe). Click the ODBC item / System DSN / select the soma DSN. Click the Configure button on the right, click Next and enter the new password at the bottom of the screen.
Click Next, Next, Next and try the Test button, which should work correctly.

G ) Editing PHP Config file
Open the conf.php file located in the htdocs directory and change the Password
   //MSSQL Password
   $db_pass = 'soma';       // <----- Change to new password


Reboot if you are happy that all seems to have gone smoothly, then go through a server start sequence as normal.

2) Alter the login script of the db as detailed in the client and server section to stop people spoofing their way to chars that are not associated with their login.

3) Ensure there are no other logins in the Security section than dbo or soma, and also make sure the default System Administrators password is something not easily hackable.

4) Install a firewall with DoS and DDoS protection, because if they can't get to the DB they will try to force others off the server or make the server crash. For example: Sygate. NB: Ensure it has a SYN connect flood option which ignores connections that exceed a certain packet connect speed (approx. default 50 pkts/sec). This will stop the connect flood tool. An additional option should also be to ignore connect requests from an IP above a certain number. It is highly unlikely that more than 10 or 16 users will be trying to connect from the same IP (i.e., users on the same network). Therefore, to stop a mass connect DoS the firewall should ignore connections from one IP greater than this limit. This is useful as the SYN flood function will not protect against slower packet connects, which will fill up the connections and eventually hit the top limit of the services, disallowing any more legitimate users from connecting.

5) Fix Dsoma Chars joining Hsoma guilds and tracing into Hsoma.

6 ) Make sure you replace the standard XAMPP page (default.html or default.php in the htdocs folder) with your own.

7) From Badgerr: For further security you should create a second user with limited read-only access to use for the web access (since basic db access PHP scripts can be easy to abuse). Maybe make a stored procedure to copy non-sensitive data to another table; that way you can limit which tables the web user has access to and cut down on the risks that come with querying gameuser.
Tiffany
SD Pro 2 Star
Posts: 428
Joined: Sat Jan 12, 2008 1:17 pm
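Added example (not Tiffany's code and not part of the Soma server): a script that does steps B-D above without the hex editor, replacing every `PWD=soma` in an exe with `PWD=<new>` and refusing any replacement that would change the byte length, since the post says the field is fixed at four characters and a longer string would shift every offset after it. It assumes the exes store the connection string in the single-byte Windows code page cp1252 (so `á` is one byte; the same password in UTF-8 is five bytes and is rejected), uses the exe names and replacement counts the post reports, and runs against a constructed byte blob rather than real Soma binaries. It also shows why the needle is `PWD=soma` and not bare `soma`: `UID=soma` in the same string must survive.

```python
"""Same-length in-place patch of the DB password string in a binary.

Added example for the post above; not the post's code nor the Soma
server's. Scripts steps B-D: find every `PWD=soma` in an exe and replace
it with `PWD=<new>` without changing the file size.
"""
from pathlib import Path

OLD_PASSWORD = "soma"

# Assumption: the exes store the ODBC connection string in a single-byte
# Windows code page (cp1252), so an accented char such as "á" is ONE byte.
# Encoded as UTF-8 the same password would be longer and shift every
# offset after it, corrupting the executable.
ENCODING = "cp1252"

# Exe names and replacement counts as reported in the post (used only to
# flag a surprising result in the final report).
EXPECTED_HITS = {
    "oneperone.exe": 2,
    "ServiceManager.exe": 1,
    "FileManager.exe": 0,
    "Game.exe": 1,
    "Session.exe": 1,
    "UserManager.exe": 0,
}

# Constructed stand-in for a connection string embedded in an exe (not
# real Soma bytes). "UID=soma" must survive: only PWD= is to be changed.
SAMPLE_EXE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"DRIVER={SQL Server};SERVER=127.0.0.1;UID=soma;PWD=soma;\x00"
    + b"\x00" * 8
    + b"DSN=soma;UID=soma;PWD=soma;\x00"
)


def make_needle(password: str, encoding: str = ENCODING) -> bytes:
    """Bytes of `PWD=<password>` exactly as they sit in the binary."""
    return b"PWD=" + password.encode(encoding)


def length_ok(old_pw: str, new_pw: str, encoding: str = ENCODING) -> bool:
    """True if the replacement keeps the byte length (file size) unchanged."""
    return len(old_pw.encode(encoding)) == len(new_pw.encode(encoding))


def patch_bytes(data: bytes, old_pw: str, new_pw: str,
                encoding: str = ENCODING) -> tuple[bytes, int]:
    """Replace every PWD=<old> with PWD=<new>; return (patched, hit count).

    Refuses a replacement of different byte length rather than writing a
    file that will not run.
    """
    if not length_ok(old_pw, new_pw, encoding):
        raise ValueError(
            f"{new_pw!r} is {len(new_pw.encode(encoding))} bytes in {encoding}, "
            f"but the field holds {len(old_pw.encode(encoding))}; refusing"
        )
    old, new = make_needle(old_pw, encoding), make_needle(new_pw, encoding)
    hits = data.count(old)
    return data.replace(old, new), hits


def patch_file(path: Path, old_pw: str, new_pw: str) -> int:
    """Patch one exe in place, keeping a .bak copy; return the hit count."""
    data = path.read_bytes()
    patched, hits = patch_bytes(data, old_pw, new_pw)
    if hits:
        path.with_suffix(path.suffix + ".bak").write_bytes(data)
        path.write_bytes(patched)
    return hits


def patch_install(server_dir: Path, new_pw: str) -> dict:
    """Patch every exe from EXPECTED_HITS found under server_dir; report hits."""
    report = {}
    for name, expected in EXPECTED_HITS.items():
        exe = server_dir / name
        if not exe.exists():
            continue
        hits = patch_file(exe, OLD_PASSWORD, new_pw)
        flag = "" if hits == expected else f"  (post reports {expected})"
        print(f"{name}: {hits} replacement(s){flag}")
        report[name] = hits
    return report


if __name__ == "__main__":
    import sys
    # usage: python patch_pwd.py <server dir> <new 4-byte password>
    sys.exit(0 if patch_install(Path(sys.argv[1]), sys.argv[2]) else 1)
```

Run it once against the server directory after choosing the password; the printed counts should match the ones in steps B-D, and the `.bak` copies let you roll back if a service then fails to connect. Change the SQL login, the ODBC DSN and conf.php to the same value afterwards, exactly as steps E-G describe.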
