4XCIRCO

On 8/28/2014 at 1:02 AM, Shogun said:

Hi guys,

 

Running a server for a year and a half while a bunch of guys gets paid to destroy it by any means ends up giving you a good insight in what the word security really means. So, after being the target of almost every type of attack possible over the Internet, I think I am ready today to write a quick checklist on how your Metin2 server should be secured from criminal and disruptive behavior. I will divide it into several parts: ingame, website, server, staff.

 

I will try to explain in brief how those attacks are executed, but the focus here is in how to defend from them effectively. I do not want this checklist to serve the purposes of hackers.

 

But be aware; you are never 100% safe - it depends on how much your enemy is willing to work on it. So this should be taken as a bare minimum. And don't forget: the science of destruction evolves constantly. What is considered safe today, might not be so safe tomorrow.

 

Disclaimer: This text reflects 5 years of experience managing a server's technical aspects. I do not do certain things (like quests) for a long time so excuse me for any mistakes I may be making here.

 

 

 

Part 1 - Ingame bugs and exploits

 

This part refers to threats that may realize through the game client or external software that acts through the game client.

 

While often overlooked, sometimes these can be more dangerous to your server than any other type of attack. Keep an eye in your server's economy - the average price of items. If prices for a particular item or all of them change suddenly, there may be some obscure reason behind it. That is one of the reasons why we keep public and private statistics on the average market price of every item at WoM.

 

 

 

One of the most common mistakes - and I commited this myself - when one wants to extensively edit everything is having an item give you more Yang when you NPC it than it costs to buy it from a shop. This gives unlimited Yang to whoever discovers it. There are even public bots which automate the process of buying and selling these items. The effect on the economy is devastating over a sufficient long period, not to mention that it's unfair that some people are infinitely rich and unbalance is never good for any MMORPG. Have your GM double check that no item can be sold for more than it costs.

 

However, this is not the only way that a player can obtain access to unlimited resources. Badly written quests may allow players to obtain their rewards repeatedly by closing their clients while a quest dialog is open. One simple way to avoid this is to make sure that the commands which reward the player are the last in the code block before changing state.

 

 

 

Now going into disruptive behaviour - the most annoying probably are the bugs which cause a server core to crash. The most famous is probably the number_ex bug. This causes several commands which depend on this function such as dice to be exploitable by using certain parameters. This bug is fixed in rev 40k and therefore in any game compiled from the source. If you are using 34k, the best you can do is use iMer's lib which provides several security enhancements. If you are using 2089, there are public diffs that patch this.

 

Another bug exists in the war command in 34k and older which leads to a server crash. You cannot disable this command as it is used by the guild leaders to war other guilds. iMer's Lib takes care of this bug in 34k.

 

Older and less known is the gold drop core crash bug present in 2089 and fixed -I believe- in 34k. Dropping huge amounts of gold or any other item which you can acquire in huge numbers in a map will cause the server to crash. I am not aware of public fixes for this exploit.

 

Another favourite is the kickhack or sync position hack -partially fixed only in 40k- which allows a malicious user to disconnect other players at will. There are even videos of this being done in DE years ago. iMer's lib provides a fix for rev 34k.

 

Finally, we have the long list of cheats which purely seek to gain advantage while playing. There are several client protection tutorials and services around this forum so I won't extend myself here about the subject.

 

 

 

Part 2 - Server and OS

 

Here we talk about the threats that affect your server and Operating System

 

Part 2.1 Choosing and preparing your server

 

There is no doubt at the moment of writing this that the french hosting company OVH provides the most cost-effective anti-ddos solution in the market. While many companies provide DDoS protection services, these cost several times as much as OVH offerings and this increase does not necessarily translate into a better protection. Therefore we will assume that you are renting either a dedicated server at OVH or a VPS at Eterhost as those are the ones I'm familiar with. Other providers or resellers may be configured in a different manner.

 

Dedicated Server at OVH

 

There are two flavors of the Anti-DDoS solution: Basic and Pro. Basic is free when renting a Kimsufi or Soyoustart server (cheap and intermediate OVH brands respectively). What it does is detect attacks directed at your IP address and route your traffic through the mitigation system during the attack. This is not enough to deter a dedicated hacker though - before the attack is detected, your server may be collapsed for a few minutes, and this can be repeated every hour by the attacker, as happened with one of the TEC attacks on WoM about 1 month ago.

 

The PRO version comes with all the OVH proper (also known as professional) line of servers. It adds the ability to route traffic permanently through the mitigation system and provides you with a simple hardware firewall. This is what you should get if serious attacks are a concern, specifically an Enterprise line server (cheapest is at about 100€/month, VAT included)

 

How to activate permanent mitigation on OVH Professional servers:

 

- Open the new manager. If you don't know where this is, open the classic manager and click on "Home" and then below on the "Dedicated" icon.

- Click on IP on the column at the left

- Click the little wheel that appears at the right of your server's IP address

- Select "Mitigation: permanent"

 

How to set up the hardware firewall:

 

- Click the wheel again and select "Activate firewall". Wait around a minute and then reload the page.

- Click the wheel and select "Configure firewall"

- You will be presented with the rules screen. You can add up to 20 rules to deny or allow specific ports on the firewall. Start by adding the allowed ports in the lower numbers and end with a global deny rule. Leaving a field blank in the "Add Rule" dialog will result in a wildcard; so if you leave the IP address field blank, this rule will affect all IPs.

 

Adding an allow port port rule: click on Add Rule; choose rule priority; select protocol (TCP or UDP); select Accept; enter the port number.

Adding a global deny: choose rule priority (must be higher than the allow port rules); select protocol (TCP or UDP); select Deny.

 

 

Here is an example set of rules. We have added the SSH port and the game & auth ports, as well as 3306 so our website can connect to MySQL. You can specify the webserver's IP in the rule to prevent others from connecting to your database, although I personally prefer to do this at the software level with the pf firewall; in any case, port 3306 must not be public.

 

"How do I connect with Navicat then?"

 

Simple, use the SSH Tunnel option. This logs you in to SSH and then connects to the MySQL server as localhost. You must enter your server's SSH login details in the SSH, and your MySQL login details in the General tab, but remember we are connecting to localhost or 127.0.0.1: that's what you must enter in hostname, NOT your server's public address, as MySQL doesn't see us as a remote user anymore.

 

Regarding UDP: UDP is your enemy. Disable it completely as I did in the above ruleset. The official client previously used UDP to check on server status, but it's trivial to override it in python so it always shows "NORM" regardless of the result of servercheck. If you are using 40k or source, the check already uses TCP, but your ports must be lower than 32768 (or the source modified) for it to work.

 

VPS at Eterhost

 

Our VPS are always routed through the mitigation system. Hardware firewall can be activated and configured to your needs for 5€/month extra.

 

Part 2.2 - Hardening SSH

 

First things first: have your OS always updated to the current version.

 

It is often recommended by experts to access your server through a non-administrative account (some operating systems such as CentOS even force you to create one at install), so that's what we will be doing. We will create a restricted user for our game server:

 

adduser game

 

We can leave everything as default except for the login group: enter "wheel" here. Users which are part of the wheel group can use the su command to gain administrator privileges. This allows us to completely block root from remote login.

 

Now it's time to create a SSH key for our new user. This makes bruteforce virtually impossible.

 

Finally, let's prevent login from root, and login without key:

 

ee /etc/ssh/sshd_config

 

Look for the "PermitRootLogin" line and leave it this way, uncommenting if necessary:

 

PermitRootLogin no

 

And next look for the "PasswordAuthentication" setting and edit it so it looks like this:

 

PasswordAuthentication no

 

Now let's restart ssh for changes to take effect:

 

service sshd restart

 

Warning: at this point, you should open a new putty window to test that you can login with the new user and key, and that you can use the su command to gain root privileges. Wrong settings may lock you out of your server.

 

Once everything is working, upload your server files to /home/game. This is the home directory of the user - a bit like "My Documents" in Windows. Make sure you change permissions in the files so the "game" user can read and write them:

 

chown -R game /home/game

 

(this command must be run as root! only root can change someone else's permissions. To switch between the game and root account, you use the su (short for superuser) command:

 

root# su game

Password: (game user's password)

game# su

Password: (root user's password)

root#

 

Or:

 

root# su game

Password: (game user's password)

game# exit

root#

 

Finally, it may be a good idea to install ssh-guard for extra security or change your SSH port if you don't like your logs being spammed by portscans. To change your SSH port, edit the Port line in /etc/ssh/sshd_config and restart the sshd service as indicated above. Remember to open the new port if you are using a firewall or you will lock yourself out of the server.

 

Part 2.3 Software Firewall: pf

 

At this point it's a good idea to add a second line of defense with the pf firewall. First we will create the /etc/pf.conf file following this sample config.

 

ee /etc/pf.conf

 

Make sure you enter the correct interface and all the ports which must be open: SSH and game ports in our case. Neither p2p ports or db core port should be open to the public! Under trusted_hosts, enter the IP address of your web server so it can connect to the database (We assume a typical set up of web server + game / db server here) instead of opening port 3306 to everyone.

 

This firewall provides us with scrubbing and rate limiting capabilities which the hardware firewall doesn't.

 

Next we will enable pf:

 

kldload pf

pfctl -e

 

Check that everything is working fine and then add the following line to /etc/rc.conf to load pf on boot:

 

pf_enable="YES"

Top notch. Love to see security being openly mentioned and shared with the community!

TBH, the old metin2 look gave me the best immersion into an asian fantasy world. I would love to see more weapons and armor of such kind.

Hey Com.

I am just an old dude from the 2008 era that somehow got into computer stuff because he always sit for hours playing metin2. Well lets specifiy, cheating, exploiting and hacking in my favourite games got me into IT.

Its amazing to see that there is still some action in the metin2 community.

An ambitious project and once finished a perfect base for highly costumized metin2 servers.

GameForge is a german company, thus I assume they would take legal actions against any unprohibited distribution of their product in front of a german court.

What I would like to mention is a part out of the Act on Copyright and Related Right (Urheberrechtsgesetz – UrhG).

https://www.gesetze-im-internet.de/englisch_urhg/englisch_urhg.html#p0018

As far as I understand, the final product of the above metioned project would be a copy of the game metin2. In our case, we cannot (even) bring to proof that we own a licence or any other evidence in which a right to reproduce, alter or copy the original game is metioned. Rewriting the code base would only make all participans to authors of their code base, but put together with GameForges assets we would have an altered product. Altered on the code side.

-----

Section 3
Adaptations

Translations and other adaptations of a work which are the adapter’s own intellectual creations are protected as independent works without prejudice to the copyright in the adapted work. The insubstantial adaptation of an unprotected musical work is not protected as an independent work.

-------

Section 7
Author

The author is the creator of the work.

------

Section 25
Access to copies of works

(1) The author may require that the owner of the original or of a copy of his work make the original or copy thereof available to him insofar as this is necessary for the production of copies or adaptations of the work and does not conflict with the legitimate interests of the owner.

(2) The owner shall not be obliged to surrender the original or the copy to the author.

---

Section 69f
Infringement of rights

(1) The rightholder may require of the owner or proprietor that all unlawfully produced or distributed copies or all copies intended for unlawful distribution be destroyed. Section 98 (3) and (4) shall apply accordingly.

(2) Subsection (1) shall apply accordingly to means the sole purpose of which is to facilitate the unauthorised removal or circumvention of any technical device which may have been applied to protect the computer program.

----

Section 96
Prohibition of exploitation

(1) Illegally produced copies may neither be distributed nor used for the purposes of communication to the public.

------

Section 97
Right to require cessation of infringement and to damages

(1) Any person who infringes copyright or any other right protected under this Act may be required by the injured party to eliminate the infringement or, where there is a risk of repeated infringement, may be required by the injured party to cease and desist. Entitlement to prohibit the infringer from future infringement shall also exist where the risk of infringement exists for the first time.

(2) Any person who intentionally or negligently performs such an act shall be obliged to pay the injured party damages for the prejudice suffered as a result of the infringement. When setting the damages any profit obtained by the infringer as a result of the infringement of the right may also be taken into account. Entitlement to damages may also be assessed on the basis of the amount the infringer would have had to pay in equitable remuneration if the infringer had requested authorisation to use the right infringed. Authors, writers of scientific editions (section 70), photographers (section 72) and performers (section 73) may also demand monetary compensation for damage which is non-pecuniary in nature provided and to the extent that this is equitable.

P.S: I am not a lawyer

On 6/10/2021 at 12:07 AM, Ace628 said:

i cant connect with navicat.. i dont know what i do wrong i use the ip from the virtualbox and the id: root und

passwort: dev 

 

Start your FreeBSD vm and connect via PuTTY. Then connect to your mysql server as root user with the password option.