Sql security
Rubeus Offline
Member

Post: #16
RE: Sql security
(06-07-2013 06:20 PM)cmontiel Wrote:  encrypted values in database... I don't think it's a good idea because performance drops.

And for example, what happens with DoS attacks on the EE game server port? It's not only SQL injection...

This is a completely separate issue. The ideal setup is that the SQL database is only accessible on the local network and not from the internet at all. It's up to the client/server handshake to verify the integrity and identity of both entities.

(06-07-2013 06:20 PM)cmontiel Wrote:  I am going to change my question:
someone knows how to block attacks to a EE server port (tcp connection) ?

This is where you start getting into expensive corporate-level hardware firewalls. Software firewalls won't cut it for stopping a DoS. My recommendation is this: when you want to get your game up and running and making money, run your server(s) in a datacenter with redundant network connections and standard firewalls (Cisco or equivalent). When you get to the point where there is a real threat of a major DoS or other attack that can take down your system and it's cost effective to do so, you can upgrade with 0 downtime to smarter appliances, one network leg at a time, that will actively block DoS, brute force, and other types of attacks.
Otherwise, if your game remains relatively small, if you detect an attack, you can just view your firewall logs and manually block the offending IP address(es). This is the method we use at my workplace, even though we aren't small.
You might be able to use a software firewall program, but keep in mind that these programs need to use CPU, memory, and hard drive writes (logging). These programs can cripple a server, and even reduce the total number of active players the hardware can support.
06-07-2013 06:50 PM
cmontiel Offline
Member

Post: #17
RE: Sql security
Quote:This is a completely separate issue. The ideal setup is that the SQL database is only accessible on the local network and not from the internet at all. It's up to the client/server handshake to verify the integrity and identity of both entities.

My database is only accessible on the local network. But that will not stop any attack on the game server port.

Quote:When you get to the point where there is a real threat of a major DoS or other attack that can take down your system and it's cost effective to do so, you can upgrade with 0 downtime to smarter appliances-one network leg at a time-that will actively block DoS, brute force, and other types of attacks.

In my opinion, if there is a real attack, it's too late because you have lost users, money and even the server integrity. I am looking for preemptive protection.

Quote:Otherwise, if your game remains relatively small, if you detect an attack, you can just view your firewall logs and manually block the offending IP address(es). This is the method we use at my workplace, even though we aren't small.

Hmm, it doesn't look like a good solution. It's as easy as the "hacker" changing IP by resetting the router, and you have the problem again in minutes.

I'm starting to give up :(
06-07-2013 07:14 PM
Rubeus Offline
Member

Post: #18
RE: Sql security
(06-07-2013 07:14 PM)cmontiel Wrote:
Quote:When you get to the point where there is a real threat of a major DoS or other attack that can take down your system and it's cost effective to do so, you can upgrade with 0 downtime to smarter appliances, one network leg at a time, that will actively block DoS, brute force, and other types of attacks.

In my opinion, if there is a real attack, it's too late because you have lost users, money and even the server integrity. I am looking for preemptive protection.

There are a lot of options, but I recommend waiting because they are $$$$$$.

(06-07-2013 07:14 PM)cmontiel Wrote:
Quote:Otherwise, if your game remains relatively small, if you detect an attack, you can just view your firewall logs and manually block the offending IP address(es). This is the method we use at my workplace, even though we aren't small.

Hmm, it doesn't look like a good solution. It's as easy as the "hacker" changing IP by resetting the router, and you have the problem again in minutes.

I'm starting to give up :(

There's a timeout period for dynamically allocated IP addresses. It can be anywhere from 5 minutes to 5 days. If you reset your modem/router, it's highly possible you could end up with the same IP. Even if they could reset every few minutes, they would be crippling their own internet connection more than yours. What kind of script kiddie could take that much time away from downloading porn?
Additionally, static IP addresses are becoming more and more common. Cable and fiber generally use static IPs for their customers these days, so unless they are able to get a DDoS going, they are stuck.
Lastly, keep in mind that these kinds of attacks are a lot rarer than those in the security business would have you believe. They like to say that it only takes ~5 minutes to get a virus/hacked if you are connected to the internet with no firewall/antivirus, but I have 2 machines that I run in the DMZ with no protection that are both perfectly fine.
In the last 2 years, we only had 1 DoS attack at my workplace, and that ended by blocking a single IP. It caused one of our customers a few minutes of discomfort, but nothing more. And this was in retaliation for one of their clients using their network, and in turn ours, to mail out spam. I think your game will be fine with minimal protections, as long as you aren't scamming.
06-07-2013 08:07 PM
aceio76 Offline
Silver Supporter

Post: #19
RE: Sql security
Wow it seemed only a couple of days and I missed a lot on this thread already.

The modsecurity module won't help you if you want to protect external clients that connect to your backend db directly, but it can help your website, which most likely does require db access in the backend. To protect your backend from client connections (i.e. the EE server port and other ports you expose externally) you will need a different solution if you are already using modsecurity for your web servers. But if you did go with a NetScaler or an F5 solution, you can replace modsecurity altogether. As a side benefit of the NetScaler or F5 solution, you may get the ability of an application load balancer as well, which means you can make your backend systems fault-tolerant. Yes, they can be costly, so that will be up to you on how you set up your game service when you go into production. Also, depending on who provides your hosting, some of them might offer application firewall (and even application load-balancing) capabilities for an extra fee. There are options out there, but it requires money. I will never recommend that you don't protect your servers. You will want to protect your digital plantation (your game service) so that you don't leave a bad taste in your players' mouths. Players are sensitive to companies potentially leaking account information and that could be enough to lose profit for months, which would be detrimental if you expect the game service to pay for the infrastructure it is using plus maybe income to you and your staff.
06-07-2013 08:55 PM
cmontiel Offline
Member

Post: #20
RE: Sql security
Thanks for the advice, guys. My server is in Amazon EC2; they provide load balancers and a firewall.

I've just talked with aceio in IRC.

Conclusion: there is no cheap/free way to protect a TCP port.
06-07-2013 09:49 PM
Rubeus Offline
Member

Post: #21
RE: Sql security
EC2 provides you with virtualized firewall instancing, so you probably don't need anything extra, unless they provide very poor firewalls.
That aside, for this type of industry, a 99.95% SLA is very poor. If you can afford it, you will want to upgrade to a better service/co-location.
06-07-2013 10:26 PM
aceio76 Offline
Silver Supporter

Post: #22
RE: Sql security
AFAIK EC2 only provides L3 firewalls, so no protection on L7 which is the prevalent type of hacking that goes on over the web.
06-08-2013 12:12 AM
Esenthel Offline
Administrator

Post: #23
RE: Sql security
Hi,

I've just done some testing with the EE.SQL methods. I've improved some unicode handling, identifier names with special characters, and SQL.string (for the next release).

As long as you use SQL.string for writing custom conditions ("C Str &condition" method parameters) then you'll be fine. All other Str members/params are already safe and you don't need to do anything.
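To illustrate why the hand-written condition string is the one place that needs care, here is an added example (not Esenthel's code): `sqlString` is a hypothetical stand-in for the engine's SQL.string that quotes a value as a single SQL string literal, shown beside a condition built by raw concatenation.

```cpp
#include <string>
#include <stdexcept>

// Hypothetical stand-in for Esenthel's SQL.string (assumption, not the engine's
// implementation): wrap the value in single quotes and double every embedded
// quote, so the value can never close the literal and continue as SQL text.
std::string sqlString(const std::string &value) {
    std::string out;
    out.reserve(value.size() + 2);
    out += '\'';
    for (char c : value) {
        if (c == '\0') throw std::invalid_argument("embedded NUL in SQL string");
        if (c == '\'') out += '\'';   // ' becomes ''
        out += c;
    }
    out += '\'';
    return out;
}

// Custom condition built by pasting the value into the SQL text unchanged:
// a quote inside the value unbalances the literal and changes the query.
std::string unsafeCondition(const std::string &playerName) {
    return "name='" + playerName + "'";
}

// Same condition with the quoting helper: the value is always one literal,
// whatever characters it contains.
std::string safeCondition(const std::string &playerName) {
    return "name=" + sqlString(playerName);
}
```

A player name such as O'Brien (constructed sample input) already breaks the raw version, so the helper is needed for correctness, not just for hostile input.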
07-22-2013 07:52 PM
cmontiel Offline
Member

Post: #24
RE: Sql security
Thanks, more security is always welcome.
(This post was last modified: 07-22-2013 08:36 PM by cmontiel.)
07-22-2013 08:17 PM
jagatai Offline
Member

Post: #25
RE: Sql security
Just an FYI

both Endian
http://www.endian.com/en/community/overview/

and PFSense
http://www.pfsense.org/index.php@option=...id=43.html


Both firewalls use Snort as their IDS, which provides lots of signatures to help mitigate attacks. You can also create a custom signature via Snort that looks for out-of-compliance packets destined for the game port and simply discards them as malicious.

-hope this helps.

PS.
Both Endian and PFSense are proven enterprise solutions; they just require a little learning curve, and both stem from open source, which is why they offer a free ISO for the appliance.
07-23-2013 06:23 PM
cmontiel Offline
Member

Post: #26
RE: Sql security
Interesting, I am going to read about them.
07-23-2013 11:34 PM