Server Help Forum Index Server Help
Community forums for Subgame, ASSS, and bots
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   StatisticsStatistics   RegisterRegister 
 ProfileProfile   Login to check your private messagesLogin to check your private messages   LoginLogin (SSL) 

Server Help | ASSS Wiki (0) | Shanky.com
[Zones] Recommended Security & DNS Practices

 
Post new topic   Reply to topic Printable version
 View previous topic  Red Zone help... Post :: Post Minispace  View next topic  
Author Message
L.C.
Server Help Squatter


Age:33
Gender:Gender:Male
Joined: Jan 03 2003
Posts: 574
Location: Missouri, US
Offline

PostPosted: Fri Oct 23, 2009 12:07 am    Post subject: [Zones] Recommended Security & DNS Practices Reply to topic Reply with quote

1. Generate new scrty and scrty1 files. You should do this for EACH instance of subgame2.exe/asss.exe. By generating new scrty and scrty1 files, the security checksum for your zone become unique for your zone. If all zones had the same scrty and scrty1 files, if one zone's encryption was broken, then everyone would be screwed. But if you use a unique pair of security-encryption files for your zone, you are safe from broken encryptions of other zones.

To generate new scrty and scrty1 files, run "Continuum.exe Z" in the command line and Continuum will generate new files. Just overwrite your old files with these new ones. Repeat this step for each instance and installation of subgame2.exe/asss.exe.

Source: http://sharvil.nanavati.net/projects/subspace/encryption.html



2. Place your ss:// address at the very beginning of the zone description. If you do not know what your address is, you probably do not have one. You must have a fully qualified domain name in order to use this feature. The reason for placing this address at the beginning of the zone description is to ensure and guarantee that this feature will be used; this will also make sure that no too long of a zone description will push your ss:// address beyond the maximum character limit, rendering this feature functionless.

The importance of ss:// is so that if the IP address of your server changes, players do not have to manually go and re-update their zone lists to get the new IP. Instead, Continuum will automatically check that address and update their zone lists for them -- and that way there will be no confusion about what happened to your zones as a result of an IP change.



3. Set CheckMod, CheckSMod, and CheckSysop to 1 in your server.ini. This will prevent unauthorized players from being able to login with staff powers if they happen to know the correct passwords.



4. Generate a random NamePassword under [Directory] in server.ini. Although unlikely, this will secure your zone's publishing in the directory server listings. You should use a unique password for each instance and installation of subgame2.exe/asss.exe. Unless someone figures out this password, nobody can hijack your zone's name in the listing. I would recommend using http://www.goodpassword.com/ to generate something that is preferably at least 13 characters and includes symbols. Then take that randomly generated password and feed it into http://gtools.org/tool/md5-hash-generator/ to get an MD5 of this password. Use this generated MD5 checksum as your NamePassword.



5. Consider using the following settings under [Misc] in server.ini:
Quote:
AllowPrerelease=1
// 0 = People with newer Continuum clients are not allowed to enter
// 1 = People with newer Continuum clients are allowed to enter and play

ForceContinuumOnly=1
// 0 = The Continuum client is not required to be able to connect to the zone; old Subspace v1.35 clients will be able to connect
// 1 = The Continuum client is required to be able to connect to the zone

AllowVIEClients=0
// 0 = Disalllow people from playing in your zone with the old Subspace v1.35 client
// 1 = Allow people to play in your zone with the old Subspace v1.35 client

ForceObsceneCheck=1
// 0 = Normal or obscene checking on usernames is disabled
// 1 = Obscene checking on usernames is enabled

CheckWeapons=1
// 1 = Will kick players that are violating the zone security settings through invalid or impossible uses of weapons if SecurityKickoff under [Security] in server.cfg is set to 1

CheckFastBombing=1
// 1 = Will check to see if a player is invalidly firing more bombs than possible




6. Consider using the following setting for ArenaMode:
Quote:
ArenaMode=5
// 1 = Any player can create their own subarena
// 2 = Only moderators (Mod) and above can create subarenas
// 3 = Only super moderators (SMod) and above can create subarenas
// 4 = Only system operators (SysOp) can create subarenas
// 5 = All subarenas will use spawn.cfg for settings, only system operators (SysOp) can create subarenas [Default]
Be sure to make a copy of default SVS server.cfg file and rename it to spawn.cfg. By setting it to 5, you will prevent a million *.cfg files from being created in your zone's directory. However, you may need to manually create a *.cfg file for a subarena that you would like to create. I have heard that by setting this to 5, modifying the settings of any subarena (or arena that is not the public arena) will modify server.cfg/spawn.cfg. You may want to play around with this a little to figure out how to create subarenas, but overall -- you will save yourself and your system the trouble of the unnecessary creation of settings configuration files for each subarena that a player ?go's to in your zone.
Back to top
View users profile Send private message Add User to Ignore List Send email Visit posters website AIM Address Yahoo Messenger MSN Messenger
Maverick
broken record


Age:39
Gender:Gender:Male
Joined: Feb 26 2005
Posts: 1521
Location: The Netherlands
Offline

PostPosted: Fri Oct 23, 2009 4:04 am    Post subject: Reply to topic Reply with quote

Useful post grav_cool-hands.gif
_________________
Nickname: Maverick (I changed my name!)
TWCore developer | Subspace statistics
Back to top
View users profile Send private message Add User to Ignore List Visit posters website
Hakaku
Server Help Squatter


Joined: Apr 07 2006
Posts: 299
Location: Canada
Offline

PostPosted: Fri Oct 23, 2009 4:55 am    Post subject: Reply to topic Reply with quote

A few comments:

#2 - We concluded in the previous thread that the ss:// part can be included absolutely anywhere in the description. You don't have to list it if you already list your website and that server.website.url is valid. Read Priit's explanation here.

#4 - I honestly never understood the purpose of passwords in a directory list server. The only advantage it serves is to ultimately block all access except to a few limited zones. As far as I know, Continuum doesn't block duplicate zone names, so I don't really see how a zone can be compromised without it really going through all the trouble to have the same name, ip, and port. Even then, the directory server should refuse such a connection under the precedence that it already exists.

#5 - Yes, if you set the arenamode to 5, when editing the settings in a different arena, a new file will be created.
Back to top
View users profile Send private message Add User to Ignore List Send email
Samapico
No, these DO NOT look like penises, ok?


Joined: May 08 2003
Posts: 1252
Offline

PostPosted: Fri Oct 23, 2009 11:19 am    Post subject: Reply to topic Reply with quote

Nice post... should be pinned
_________________
(Insert a bunch of dead links here)
Back to top
View users profile Send private message Add User to Ignore List
Cheese
Wow Cheese is so helpful!


Joined: Mar 18 2007
Posts: 1017
Offline

PostPosted: Fri Oct 23, 2009 5:18 pm    Post subject: Reply to topic Reply with quote

very well written
_________________
SSC Distension Owner
SSCU Trench Wars Developer
Back to top
View users profile Send private message Add User to Ignore List Visit posters website AIM Address
CypherJF
I gargle nitroglycerin


Gender:Gender:Male
Joined: Aug 14 2003
Posts: 2582
Location: USA
Offline

PostPosted: Fri Oct 23, 2009 6:38 pm    Post subject: Reply to topic Reply with quote

+1 ... i'd add the following suggestions as well..

http://cypherjf.sscentral.com/articles/securing-subgame/

Quote:
#4 - I honestly never understood the purpose of passwords in a directory list server. The only advantage it serves is to ultimately block all access except to a few limited zones. As far as I know, Continuum doesn't block duplicate zone names, so I don't really see how a zone can be compromised without it really going through all the trouble to have the same name, ip, and port. Even then, the directory server should refuse such a connection under the precedence that it already exists.


Additionally, from what I've seen and if I can recall correctly, Directory Servers will keep a list of servers which they had seen and the password associated with it for some threshold. If I recall correctly, SSC prefixed zones are secured on the SSC directory server; for example, if you had a non-official SSC server - SSCY <zone name>; it won't appear in the listing (only on the SSC directory server). Not saying passwords are good or bad thing for directory servers; but, they do serve a potential purpose.
_________________
Performance is often the art of cheating carefully. - James Gosling
Back to top
View users profile Send private message Add User to Ignore List
Display posts from previous:   
Post new topic   Reply to topic    Server Help Forum Index -> General Questions All times are GMT - 5 Hours
Page 1 of 1

 
Jump to:  
You can post new topics in this forum
You can reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum
View online users | View Statistics | View Ignored List


Software by php BB © php BB Group
Server Load: 1039 page(s) served in previous 5 minutes.

phpBB Created this page in 0.544595 seconds : 31 queries executed (93.6%): GZIP compression disabled