
How to make your server safe against hacking?

luq14

Cookie Cotton Joe's
Joined
Apr 4, 2008
Messages
93
Reaction score
18
Location
Somewhere near sea.
Hello. I would start this thread because I'm working on a big big big OT project solo. I'm an artist so I focus on map and story, the map is my baby. And.. When I finally publish the server, I don't want to get it stolen... I'm not a programmer, so I need help. Please. :)
What tricks do you have to protect your OTserv and its website?
 

Fortera Global

Banned User
Joined
Nov 20, 2015
Messages
1,160
Solutions
2
Reaction score
111
  • Not that this prevents it, but first it's important to host the game and the web separately.
  • The sources you can protect by using them only when compiling (when finished, save them on your computer and delete them from the server).
  • Grep -r "readfile" on your web to check if you have this malicious code (it + $_REQUEST and you could end up hurting yourself).
  • Never invite anyone you don't trust to use AnyDesk or TeamViewer, as they can copy files without you noticing.
  • Sprites you can't protect 100%, there are encryptions but some guys know how to decrypt them.
  • As far as I know, the map you can't protect yet (there are a few types of map tracker).
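The "grep -r readfile" check from the list above, as an added example that is not part of the post: it reports only PHP files where readfile() and a request superglobal appear in the same file, so a fixed-path download script is not flagged. The web root it scans is constructed sample data, not a real site.

```shell
#!/bin/sh
# Added example, not from the thread: scan a web root for PHP files that pass
# user input (a request superglobal) into readfile(). Files that call readfile()
# on a fixed path only are left alone to keep the result list short and useful.

scan_webroot() {
  find "$1" -type f -name '*.php' | while IFS= read -r f; do
    if grep -q 'readfile[[:space:]]*(' "$f" \
       && grep -Eq '\$_(REQUEST|GET|POST|COOKIE)' "$f"; then
      printf '%s\n' "$f"
    fi
  done | sort
}

# Constructed sample web root (assumption: not a real install), removed on exit.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
mkdir -p "$SAMPLE_DIR/images"

# benign: no readfile at all
printf '%s\n' '<?php' 'echo "Welcome";' > "$SAMPLE_DIR/index.php"
# benign: readfile on a fixed path, no user input reaches it
printf '%s\n' '<?php' 'readfile("/var/www/static/rules.txt");' > "$SAMPLE_DIR/download.php"
# suspicious: user-controlled path handed to readfile, in a subdirectory a
# top-level-only look would miss
printf '%s\n' '<?php' 'readfile($_REQUEST["f"]);' > "$SAMPLE_DIR/images/cache.php"

echo "Suspicious files:"
scan_webroot "$SAMPLE_DIR"
```

Point it at your real web root with `scan_webroot /var/www/html` and review each hit by hand; the pattern also matches legitimate code, so it is a shortlist, not a verdict.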
 

Source

Intermediate OT User
Joined
May 31, 2020
Messages
139
Reaction score
129
Location
OpenTibia .dev
GitHub
source61
  • Not that this prevents it, but first it's important to host the game and the web separately.
  • The sources you can protect by using them only when compiling (when finished, save them on your computer and delete them from the server).
  • Grep -r "readfile" on your web to check if you have this malicious code (it + $_REQUEST and you could end up hurting yourself).
  • Never invite anyone you don't trust to use AnyDesk or TeamViewer, as they can copy files without you noticing.
  • Sprites you can't protect 100%, there are encryptions but some guys know how to decrypt them.
  • As far as I know, the map you can't protect yet (there are a few types of map tracker).
Good list.
A couple of points worth mentioning about map tracking, I think, are that:
1) It doesn't track spawns perfectly, and of course it requires a player to actually play the game to be able to explore the entire map manually, taking a lot of time and effort (and map tracking won't give you access to NPCs, monsters, map scripts, map zones (at least with older versions), etc.), and
2) If the server uses OTClient and blocks CipClient, I assume the injection can, if not be 100% blocked, at least be tampered with to make it hard to get the tracker working, assuming it's compatible with OTClient in the first place.

And there's a similar situation with OTClient encryption: you can't protect against theft 100%, but you can make it harder to get to and tamper with modules. Sprites, I think, are probably the hardest to protect though. I imagine one of the best and simplest defenses against theft of sprites is splitting the file into tiny segments upon loading it into memory and only putting it back together on a per-request basis. This should at least defend successfully against simple memory-dump attacks, especially if the segmentation process is randomized.
 

ralke

(҂ ͠❛ ෴ ͡❛)ᕤ
Joined
Dec 17, 2011
Messages
1,162
Solutions
27
Reaction score
628
Location
Santiago - Chile
GitHub
ralke23
Twitch
ralke23
This is a very common one too if you're pointing to hacking (phpMyAdmin specifically), very easy to fix xD
 

hellboy

Well-Known Member
Joined
Apr 6, 2008
Messages
493
Solutions
4
Reaction score
97
Location
player:getTown()
This is a very common one too if you're pointing to hacking (phpMyAdmin specifically), very easy to fix xD

Just don't use any GUI for mysql?
Use console.
 

Michael 4463

Premium User
Premium User
Joined
Nov 15, 2007
Messages
814
Solutions
7
Reaction score
339
Location
Santiago, Chile (Australian)
1. Configure your network firewall correctly
  • Block everything
  • Allow only what you absolutely need
  • Consider restricting your SSH port to your home IP address if static
2. Install and configure a utility like fail2ban
  • If you're using any htaccess authentication, configure fail2ban to monitor that too

3. When configuring MySQL, disable remote access (I think this is now the default actually)

4. Consider using SSH keys rather than a password (this is less important if you've locked your SSH port to your home IP anyway)

5. If you use phpMyAdmin (which is fine, don't have a care for anybody telling you to just use console), lock access to it with htaccess (and ensure fail2ban is configured to monitor it)

6. Use SSL for any websites served from the machine including phpMyAdmin

Probably a few more useful tips I am forgetting, I'll update this if I think of any later
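Step 1 (block everything, allow only what you need, SSH only from a static home IP) as an added example, not the poster's own configuration: it emits a default-deny nftables input chain, a weak variant beside it, and a small audit that tells the two apart. Assumptions not from the thread: nftables syntax, 203.0.113.10 as a documentation-range placeholder for the home IP, and 7171/7172 as the usual OT login/game ports.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes nftables; 203.0.113.10 is an
# RFC 5737 placeholder for a static home IP and 7171/7172 the conventional
# OT login/game ports (adjust both for your host).
HOME_IP="${HOME_IP:-203.0.113.10}"

# Step 1: default-deny input chain. SSH is reachable only from HOME_IP; the
# game ports and the web ports are the only services open to everyone.
gen_nft_rules() {
  cat <<EOF
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iif "lo" accept
    ct state established,related accept
    ip saddr $1 tcp dport 22 accept
    tcp dport { 7171, 7172 } accept
    tcp dport { 80, 443 } accept
  }
}
EOF
}

# The weak variant: default-deny, but SSH accepted from any source address.
weak_nft_rules() {
  cat <<'EOF'
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    tcp dport 22 accept
  }
}
EOF
}

# Audit a ruleset read from stdin. Returns 0 only when the input chain drops
# by default and every SSH accept rule is tied to a source address.
audit_ruleset() {
  rules=$(cat)
  printf '%s\n' "$rules" | grep -q 'hook input.*policy drop' || { echo "FAIL: input policy is not drop"; return 1; }
  printf '%s\n' "$rules" | grep -E 'dport 22' | grep -vq 'saddr' && { echo "FAIL: SSH open to any source"; return 1; }
  echo "OK"
}

gen_nft_rules "$HOME_IP" | audit_ruleset
weak_nft_rules | audit_ruleset || true
```

Load the generated ruleset with `gen_nft_rules "$HOME_IP" | sudo nft -f -` only after confirming the home IP, since a typo there locks you out of SSH.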
 