Server Help

General Questions - [Zones] Recommended Security & DNS Practices

L.C. - Fri Oct 23, 2009 12:07 am
Post subject: [Zones] Recommended Security & DNS Practices
1. Generate new scrty and scrty1 files. You should do this for EACH instance of subgame2.exe/asss.exe. By generating new scrty and scrty1 files, the security checksum for your zone become unique for your zone. If all zones had the same scrty and scrty1 files, if one zone's encryption was broken, then everyone would be screwed. But if you use a unique pair of security-encryption files for your zone, you are safe from broken encryptions of other zones.

To generate new scrty and scrty1 files, run "Continuum.exe Z" in the command line and Continuum will generate new files. Just overwrite your old files with these new ones. Repeat this step for each instance and installation of subgame2.exe/asss.exe.

Source: http://sharvil.nanavati.net/projects/subspace/encryption.html



2. Place your ss:// address at the very beginning of the zone description. If you do not know what your address is, you probably do not have one. You must have a fully qualified domain name in order to use this feature. The reason for placing this address at the beginning of the zone description is to ensure and guarantee that this feature will be used; this will also make sure that no too long of a zone description will push your ss:// address beyond the maximum character limit, rendering this feature functionless.

The importance of ss:// is so that if the IP address of your server changes, players do not have to manually go and re-update their zone lists to get the new IP. Instead, Continuum will automatically check that address and update their zone lists for them -- and that way there will be no confusion about what happened to your zones as a result of an IP change.



3. Set CheckMod, CheckSMod, and CheckSysop to 1 in your server.ini. This will prevent unauthorized players from being able to login with staff powers if they happen to know the correct passwords.



4. Generate a random NamePassword under [Directory] in server.ini. Although unlikely, this will secure your zone's publishing in the directory server listings. You should use a unique password for each instance and installation of subgame2.exe/asss.exe. Unless someone figures out this password, nobody can hijack your zone's name in the listing. I would recommend using http://www.goodpassword.com/ to generate something that is preferably at least 13 characters and includes symbols. Then take that randomly generated password and feed it into http://gtools.org/tool/md5-hash-generator/ to get an MD5 of this password. Use this generated MD5 checksum as your NamePassword.



5. Consider using the following settings under [Misc] in server.ini:
Quote:
AllowPrerelease=1
// 0 = People with newer Continuum clients are not allowed to enter
// 1 = People with newer Continuum clients are allowed to enter and play

ForceContinuumOnly=1
// 0 = The Continuum client is not required to be able to connect to the zone; old Subspace v1.35 clients will be able to connect
// 1 = The Continuum client is required to be able to connect to the zone

AllowVIEClients=0
// 0 = Disalllow people from playing in your zone with the old Subspace v1.35 client
// 1 = Allow people to play in your zone with the old Subspace v1.35 client

ForceObsceneCheck=1
// 0 = Normal or obscene checking on usernames is disabled
// 1 = Obscene checking on usernames is enabled

CheckWeapons=1
// 1 = Will kick players that are violating the zone security settings through invalid or impossible uses of weapons if SecurityKickoff under [Security] in server.cfg is set to 1

CheckFastBombing=1
// 1 = Will check to see if a player is invalidly firing more bombs than possible




6. Consider using the following setting for ArenaMode:
Quote:
ArenaMode=5
// 1 = Any player can create their own subarena
// 2 = Only moderators (Mod) and above can create subarenas
// 3 = Only super moderators (SMod) and above can create subarenas
// 4 = Only system operators (SysOp) can create subarenas
// 5 = All subarenas will use spawn.cfg for settings, only system operators (SysOp) can create subarenas [Default]
Be sure to make a copy of default SVS server.cfg file and rename it to spawn.cfg. By setting it to 5, you will prevent a million *.cfg files from being created in your zone's directory. However, you may need to manually create a *.cfg file for a subarena that you would like to create. I have heard that by setting this to 5, modifying the settings of any subarena (or arena that is not the public arena) will modify server.cfg/spawn.cfg. You may want to play around with this a little to figure out how to create subarenas, but overall -- you will save yourself and your system the trouble of the unnecessary creation of settings configuration files for each subarena that a player ?go's to in your zone.
Maverick - Fri Oct 23, 2009 4:04 am
Post subject:
Useful post grav_cool-hands.gif
Hakaku - Fri Oct 23, 2009 4:55 am
Post subject:
A few comments:

#2 - We concluded in the previous thread that the ss:// part can be included absolutely anywhere in the description. You don't have to list it if you already list your website and that server.website.url is valid. Read Priit's explanation here.

#4 - I honestly never understood the purpose of passwords in a directory list server. The only advantage it serves is to ultimately block all access except to a few limited zones. As far as I know, Continuum doesn't block duplicate zone names, so I don't really see how a zone can be compromised without it really going through all the trouble to have the same name, ip, and port. Even then, the directory server should refuse such a connection under the precedence that it already exists.

#5 - Yes, if you set the arenamode to 5, when editing the settings in a different arena, a new file will be created.
Samapico - Fri Oct 23, 2009 11:19 am
Post subject:
Nice post... should be pinned
Cheese - Fri Oct 23, 2009 5:18 pm
Post subject:
very well written
CypherJF - Fri Oct 23, 2009 6:38 pm
Post subject:
+1 ... i'd add the following suggestions as well..

http://cypherjf.sscentral.com/articles/securing-subgame/

Quote:
#4 - I honestly never understood the purpose of passwords in a directory list server. The only advantage it serves is to ultimately block all access except to a few limited zones. As far as I know, Continuum doesn't block duplicate zone names, so I don't really see how a zone can be compromised without it really going through all the trouble to have the same name, ip, and port. Even then, the directory server should refuse such a connection under the precedence that it already exists.


Additionally, from what I've seen and if I can recall correctly, Directory Servers will keep a list of servers which they had seen and the password associated with it for some threshold. If I recall correctly, SSC prefixed zones are secured on the SSC directory server; for example, if you had a non-official SSC server - SSCY <zone name>; it won't appear in the listing (only on the SSC directory server). Not saying passwords are good or bad thing for directory servers; but, they do serve a potential purpose.
All times are -5 GMT
View topic
Powered by phpBB 2.0 .0.11 © 2001 phpBB Group