
Most programs have to interact with the user by accepting some data, whether it is a full name, height and weight to be stored in a database, or the geometric dimensions of some object for which something needs to be calculated. All of this data is entered by the user, a person, which means that anything at all can come back. What will the program do if, instead of the required age, the user types a word? Most likely the program will crash or hang, unless it has "fool protection" built in.

Why might a program terminate or freeze? The program will try to convert the character string into a number, which will fail, so the application's further behaviour is undefined. It is therefore very important to structure the program so that when the program receives data it does not expect (incorrect in terms of the required format: a number is needed, but a word is entered), the application does not "fall over" but informs the user that an error has occurred and offers to repeat the input. This is "fool-proofing".

Implementing foolproofing in C

To implement good fool-proofing for entering various numeric data (int, double, ...), you should read not the numbers themselves but the entire input line, and only then analyse the input. The C language has a very convenient function, sscanf(const char *, const char *, args), which works like scanf(const char *, args) and returns the number of successfully read arguments, except that the data is read not from the standard input stream but from the string passed as its first argument.

Let's look at a few examples of functions that implement a fool check using the sscanf function.

Entering an integer with checking for invalid input

#include <stdio.h>

int get_integer(const char *msg)
{
    char answer[256];   // buffer for the whole input line
    int n;              // resulting integer

    printf("%s", msg);                        // print the prompt
    fgets(answer, sizeof(answer), stdin);     // read the whole line
    // repeat until an integer has been read
    while (sscanf(answer, "%d", &n) != 1) {
        printf("Incorrect input. Try again: ");   // report the error
        fgets(answer, sizeof(answer), stdin);     // and re-read the line
    }
    return n;   // return the valid integer
}

To read an integer, the algorithm reads the entire string and then tries to get an integer out of it. In the event that this failed, the function displays an error message with a suggestion to repeat the input until the correct integer value is entered.

Entering a real number with a check for incorrect input

double get_double(const char *msg)
{
    char answer[256];   // buffer for the whole input line
    double x;           // resulting real number

    printf("%s", msg);                        // print the prompt
    fgets(answer, sizeof(answer), stdin);     // read the whole line
    // repeat until a real number has been read
    while (sscanf(answer, "%lf", &x) != 1) {
        printf("Incorrect input. Try again: ");   // report the error
        fgets(answer, sizeof(answer), stdin);     // and re-read the line
    }
    return x;   // return the valid real number
}

Entering a point on the coordinate plane (structure with two real fields)

// description of the data structure
typedef struct point_t {
    double x;   // x coordinate
    double y;   // y coordinate
} point_t;

point_t get_point(const char *msg)
{
    char answer[256];   // buffer for the whole input line
    point_t point;      // resulting point

    printf("%s", msg);                        // print the prompt
    fgets(answer, sizeof(answer), stdin);     // read the whole line
    // repeat until both coordinates have been read
    while (sscanf(answer, "(%lf,%lf)", &point.x, &point.y) != 2) {
        printf("Incorrect input. Try again: ");   // report the error
        fgets(answer, sizeof(answer), stdin);     // and re-read the line
    }
    return point;   // return the valid point
}

As the examples show, the fact that sscanf returns the number of successfully converted arguments lets you verify that the input matched the required format, and reading the whole line avoids leaving spaces or the newline "\n" behind in the input stream, a classic source of bugs that can take hours or even days to track down.
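The three functions above accept any line on which sscanf finds a number at the start, so "12abc" is accepted as 12, and a closed input stream (Ctrl-D) makes the while loop spin forever. Here is an added example, not code from the original page, showing a stricter variant of the same read-the-whole-line-then-parse pattern: strtol with an end-pointer check for integers, sscanf's %n directive for the point format, a line reader that handles end of input and over-long lines, and a prompt loop that can fail cleanly. All function names (lenient_int, strict_int, strict_point, read_line, get_integer_strict, first_valid_int_from) are my own, and the input scripts are constructed.

```c
/* Added example, not code from the original page: a stricter version of the
   fgets + sscanf "fool-proof" input pattern. Function names are my own. */
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ANSWER_LEN 256

/* The page's check: sscanf("%d") returns 1 for "12abc" (it reads 12 and stops). */
int lenient_int(const char *line, int *out)
{
    return sscanf(line, "%d", out) == 1;
}

/* Strict check with strtol: rejects empty input, overflow and trailing garbage. */
int strict_int(const char *line, int *out)
{
    char *end;
    long v;

    errno = 0;
    v = strtol(line, &end, 10);
    if (end == line)                                    /* no digits: "", "abc" */
        return 0;
    if (errno == ERANGE || v < INT_MIN || v > INT_MAX)  /* does not fit in int */
        return 0;
    while (isspace((unsigned char)*end))                /* trailing spaces / "\n" are fine */
        end++;
    if (*end != '\0')                                   /* "12abc", "1 2" */
        return 0;
    *out = (int)v;
    return 1;
}

/* Strict form of the page's "(%lf,%lf)" point parser: %n stores how many
   characters sscanf consumed, so leftover text after the point is detected. */
int strict_point(const char *line, double *x, double *y)
{
    int consumed = 0;

    if (sscanf(line, " (%lf,%lf) %n", x, y, &consumed) != 2)
        return 0;
    return line[consumed] == '\0';
}

/* Read one line, drop the newline, and discard the rest of an over-long line so
   it is not mistaken for the next answer. Returns 0 at end of input. */
int read_line(char *buf, size_t size, FILE *in)
{
    size_t len;
    int c;

    if (fgets(buf, size, in) == NULL)
        return 0;
    len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
    } else {
        while ((c = getc(in)) != '\n' && c != EOF)
            ;
    }
    return 1;
}

/* Prompt until a strictly valid integer arrives. Returns 1 with *out set, or 0
   when the input stream ends, so a closed stdin cannot spin the loop forever. */
int get_integer_strict(const char *msg, FILE *in, int *out)
{
    char answer[ANSWER_LEN];

    printf("%s", msg);
    while (read_line(answer, sizeof answer, in)) {
        if (strict_int(answer, out))
            return 1;
        printf("Incorrect input. Try again: ");
    }
    return 0;
}

/* Test helper: run the prompt loop over a constructed input script held in a
   temporary file. Returns the first accepted integer, or -1 if the script ends. */
int first_valid_int_from(const char *script)
{
    FILE *f = tmpfile();
    int v = -1;

    if (f == NULL)
        return -1;
    fputs(script, f);
    rewind(f);
    if (!get_integer_strict("Enter age: ", f, &v))
        v = -1;
    fclose(f);
    return v;
}
```

get_integer_strict("Enter age: ", stdin, &age) is the drop-in replacement for the page's get_integer; the difference is that it returns 0 instead of a number when input ends, so the caller has to check the return value rather than trusting the result unconditionally.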

Hello everyone from the UNITWAY PW team. With this thread, we would like to demonstrate the absence of unfair competition on our side and the black, ugly, deceitful competition coming from the NewDestiny project.

Here is a list of solutions against attacks that have ever been used by the NewDestiny administrators loko9988, TyrikMan (yesterday's OOG attack came from an IP address in Yoshkar-Ola) and Killer_Pooh (an attack from the city of Volzhsky was also recorded). In addition to the attacks on us, we received information about attacks on a number of other servers, which were linked to our launch. By publishing a number of fixes for these attacks, we demonstrate that we are not involved in attacks on anyone, despite the clearly partial position of the Zzebra PW administrator (mirthost) towards our project. We hold absolutely no grudge against anyone who fell for the yellow article about us; everyone has their own head on their shoulders.


And this is only a part of their accounts.

One of the reasons for publishing this thread was the rumours that have reached us. The essence of these rumours is that loko9988 attacks servers not only because of competition, but also in order to offer these servers protection through him.

Protection against OOG attacks based on iptables:
First of all, we create scripted firewall rules, you can call them whatever you want.

iptables -A INPUT -p tcp -m multiport --dports 29000 -m length --length 500:65535 -j LOG --log-prefix "PW"


With this rule, we log all game packets on port 29000 with a size from 500 to 65535 bytes.

iptables -A INPUT -p tcp -m multiport --dports 29000 -m length --length 500:65535 -m recent --name packets --set
iptables -A INPUT -p tcp -m multiport --dports 29000 -m length --length 500:65535 -m recent --name packets --update --seconds 1 --hitcount 100 -j REJECT


With these rules, we block a user if the server received more than 100 packets of 500-65535 bytes from him within 1 second on port 29000 (the game port).

iptables -A INPUT -p tcp -m multiport --dports 29000 -m length --length SIZE -m recent --name packet1 --set
iptables -A INPUT -p tcp -m multiport --dports 29000 -m length --length SIZE -m recent --name packet1 --update --seconds 15 --hitcount 3 -j REJECT


With these rules, we block users who sent more than 3 packets in 15 seconds to port 29000. SIZE is the packet size in bytes.
How do you track the packet size in bytes?
After the first rule, where we log all game packets, you can see them in the file /var/log/syslog or with the dmesg command in the server console.
When an attack is underway, there will be many identical packets in the syslog within a short time.

PW IN=ipip1 OUT= MAC= SRC= USERIP ADDRESS DST=*.*.*.* LEN=547 TOS=0x00 PREC=0x00 TTL=241 ID=13328 DF PROTO=TCP SPT=22511 DPT=63947 WINDOW=254 RES=0x00 ACK PSH URGP=0


In the example above, the packet size is "LEN=547".

We have dealt with OOG protection. Let's move on to the other ways NewDestiny competes.
Brute-forcing accounts. Everything is quite simple here:
#block brute force login

iptables -A INPUT -p tcp -m multiport --dports 29000 -m conntrack --ctstate NEW -m recent --name brute --set
iptables -A INPUT -p tcp -m multiport --dports 29000 -m conntrack --ctstate NEW -m recent --name brute --update --seconds 30 --hitcount 3 -j REJECT


With this rule, we block the user's IP for 30 seconds if he made more than 3 connection requests to port 29000.
  • Fully restrict all ports except the game ports via iptables.
  • Connect to the server using SSH keys with a passphrase.
  • Use the latest versions of mysql, apache2 and other important packages.
  • After a flood through OOG, use logrotate; otherwise, when the logs are backed up, your server's RAM will be fully used up. This may result in a hack.
  • Do not use third-party software on the game server.
  • Use a custom player password filter. Within a few hours there were over 50,000 invalid login attempts against our authentication service; 30% of our players had logins identical to those in these login-password pairs.
We prefer fair competition; we have no time or spare money for attacks. Do not mess with these people, it can end badly.
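The post explains reading the LEN= value of the repeated packets from the LOG rule's syslog lines by eye. The following is an added example, not the post's own code, that does the same summary over a handful of constructed syslog lines (the addresses are from documentation ranges, and the line format follows the one quoted above): it groups lines by SRC= and LEN= and reports pairs that repeat, which is the value you would put in place of SIZE in the two "packet1" rules. The function names (field, tally, build_table, count_for) are my own, and the threshold of 3 is the post's own hitcount.

```c
/* Added example (not from the forum post): summarise iptables LOG lines carrying
   the post's "PW" prefix by (source address, packet length). Log lines below are
   constructed for this example; addresses are from RFC 5737 documentation ranges. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ENTRIES 64

typedef struct {
    char src[40];   /* SRC= value (client address) */
    int len;        /* LEN= value (packet size in bytes) */
    int count;      /* number of matching log lines */
} entry_t;

static const char *const SAMPLE_LOG[] = {   /* constructed sample, not real traffic */
    "Jan  1 12:00:00 pw kernel: PW IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=547 TOS=0x00 PREC=0x00 TTL=241 ID=13328 DF PROTO=TCP SPT=22511 DPT=29000 WINDOW=254 RES=0x00 ACK PSH URGP=0",
    "Jan  1 12:00:00 pw kernel: PW IN=eth0 OUT= SRC=198.51.100.20 DST=198.51.100.5 LEN=612 TOS=0x00 PREC=0x00 TTL=55 ID=4410 DF PROTO=TCP SPT=50120 DPT=29000 WINDOW=501 RES=0x00 ACK PSH URGP=0",
    "Jan  1 12:00:00 pw kernel: PW IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=547 TOS=0x00 PREC=0x00 TTL=241 ID=13329 DF PROTO=TCP SPT=22511 DPT=29000 WINDOW=254 RES=0x00 ACK PSH URGP=0",
    "Jan  1 12:00:01 pw sshd[812]: Accepted publickey for admin from 198.51.100.9 port 40022 ssh2",
    "Jan  1 12:00:01 pw kernel: PW IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=547 TOS=0x00 PREC=0x00 TTL=241 ID=13330 DF PROTO=TCP SPT=22511 DPT=29000 WINDOW=254 RES=0x00 ACK PSH URGP=0",
};
#define SAMPLE_LOG_COUNT (sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])

/* Copy the value of " KEY=" (up to the next space) into out. Returns 1 if the key
   was found with a non-empty value. The leading space in the pattern keeps a
   search for "REC" from matching inside "PREC=". */
int field(const char *line, const char *key, char *out, size_t outsz)
{
    char pattern[16];
    const char *p;
    size_t n = 0;

    snprintf(pattern, sizeof pattern, " %s=", key);
    p = strstr(line, pattern);
    if (p == NULL)
        return 0;
    p += strlen(pattern);
    while (p[n] != '\0' && p[n] != ' ' && n < outsz - 1) {
        out[n] = p[n];
        n++;
    }
    out[n] = '\0';
    return n > 0;
}

/* Count one log line into tab. Lines without the PW prefix, SRC or LEN are
   ignored. Returns the number of distinct (src,len) entries after the update. */
int tally(entry_t *tab, int ntab, const char *line)
{
    char src[40], lenstr[16];
    int len, i;

    if (strstr(line, "PW IN=") == NULL)      /* not produced by the LOG rule */
        return ntab;
    if (!field(line, "SRC", src, sizeof src) || !field(line, "LEN", lenstr, sizeof lenstr))
        return ntab;                         /* SRC masked or LEN missing */
    len = atoi(lenstr);
    for (i = 0; i < ntab; i++) {
        if (tab[i].len == len && strcmp(tab[i].src, src) == 0) {
            tab[i].count++;
            return ntab;
        }
    }
    if (ntab < MAX_ENTRIES) {
        snprintf(tab[ntab].src, sizeof tab[ntab].src, "%s", src);
        tab[ntab].len = len;
        tab[ntab].count = 1;
        ntab++;
    }
    return ntab;
}

/* Build the table from an array of lines; returns the number of entries. */
int build_table(entry_t *tab, const char *const *lines, size_t nlines)
{
    int ntab = 0;
    size_t i;

    for (i = 0; i < nlines; i++)
        ntab = tally(tab, ntab, lines[i]);
    return ntab;
}

/* How many lines a given (src,len) pair produced; 0 if never seen. */
int count_for(const entry_t *tab, int ntab, const char *src, int len)
{
    int i;

    for (i = 0; i < ntab; i++)
        if (tab[i].len == len && strcmp(tab[i].src, src) == 0)
            return tab[i].count;
    return 0;
}

int main(void)
{
    entry_t tab[MAX_ENTRIES];
    int n = build_table(tab, SAMPLE_LOG, SAMPLE_LOG_COUNT);
    int i, threshold = 3;   /* the post's "packet1" rule: 3 hits in 15 seconds */

    for (i = 0; i < n; i++)
        printf("%-16s LEN=%-5d packets=%d%s\n", tab[i].src, tab[i].len, tab[i].count,
               tab[i].count >= threshold ? "  <- candidate SIZE for the blocking rule" : "");
    return 0;
}
```

Run against a real /var/log/syslog you would read the lines with fgets instead of the embedded array; the grouping logic is the same. The offline summary only tells you which LEN to filter on; the per-second and per-15-second enforcement is still done by the recent module in the rules above.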

It is impossible to protect the server from external access once and for all, because every day new vulnerabilities are discovered and new ways of hacking the server appear. We will talk about protecting servers from unauthorized access in this article.

The servers of any company can sooner or later become a target for hacking or a virus attack. Typically, the result of such an attack is data loss, reputational or financial damage, so server security issues should be addressed in the first place.

It should be understood that protection against server hacking is a set of measures, including ones that imply constant monitoring of server operation and ongoing work to improve protection.


Ways and methods of protecting servers from unauthorized access

Server physical protection

Physical protection. It is desirable that the server be located in a secure data center, in a closed and guarded room; outsiders should not have access to the server.

Set up SSH authentication

When setting up access to the server, use SSH key authentication instead of a password, since such keys are much more difficult, and sometimes simply impossible, to crack by brute force.

If you think that you still need a password, be sure to limit the number of attempts to enter it.

Pay attention if you see a message like this when you log in:

Last failed login: Tue Sep 28 12:42:35 MSK 2017 from 52.15.194.10 on ssh:notty
There were 8243 failed login attempts since the last successful login.

It may indicate that your server has been hacked. In this case, to configure server security, change the SSH port, limit the list of IPs from which access to the server is possible, or install software that automatically blocks excessively frequent and suspicious activity.

Install the latest updates regularly

To ensure server protection, install the latest patches and updates of the server software that you use - operating system, hypervisor, database server.

It is advisable to check for new patches, updates, and reported bugs/vulnerabilities every day to prevent attacks exploiting zero-day vulnerabilities. To do this, subscribe to news from the software development company, follow its pages on social networks.

Protect passwords

By far one of the most common ways to gain access to a server is to crack the server's password. Therefore, follow the well-known, but nevertheless relevant recommendations in order not to leave the server unprotected:

  • do not use passwords that are easy to guess, such as the name of the company;
  • if you are still using the default password for the admin console, change it immediately;
  • passwords for different services must be different;
  • if you need to share your password with someone, never send your IP address, username and password in the same email or messenger message;
  • You can set up 2-Step Verification to log in to the administrator account.

Firewall

  • Make sure the server has a firewall, that it is configured, and that it is running all the time.
  • Protect both incoming and outgoing traffic.
  • Keep track of what ports are open and for what purpose, do not open anything unnecessary to reduce the number of possible vulnerabilities for server hacking.

In particular, a firewall helps a lot in protecting the server from DDoS attacks, because you can quickly create blocking rules for the IP addresses the attack is coming from, or block access to certain applications or protocols.

Monitoring and intrusion detection

  • Limit the software and services running on your server. Periodically check everything that you have running, and if any unfamiliar processes are found, delete them immediately and start checking for viruses.
  • Periodically check for signs of tampering. Hacking may be evidenced by new user accounts you did not create, a moved or deleted /etc/syslog.conf, or deleted /etc/shadow and /etc/passwd files.
  • Monitor your server performance, keep an eye on its normal speed and throughput, so you can notice deviations, for example, when the load on the server has become significantly more than usual.

Using VPN and SSL/TLS Encryption

If remote access to the server is needed, it should only be allowed from certain IP addresses and only over a VPN.

The next step in ensuring security can be setting up SSL/TLS, which not only encrypts data but also verifies the identity of the other participants in the network infrastructure by issuing them appropriate certificates.

Server security check

It is a good idea to check the security of the server independently using the pentest method, i.e. an attack simulation to find potential vulnerabilities and eliminate them in time. It is advisable to involve information security specialists in this, but some tests can be done on your own using penetration-testing tools.

What else threatens servers besides hacking

A server can go down for a number of reasons other than being hacked. For example, it could be a malware infection or just a physical failure of one of the components.

Therefore, measures to protect the server should include:

  • Installing and updating server protection software (antivirus).
  • Regular encrypted backups of data at least once a week, because, according to statistics, server hard drives are in first place in terms of failure frequency. Make sure the backup copy is stored in a physically secure environment.
  • Ensuring an uninterrupted power supply to the server room.
  • Timely physical maintenance of servers, including cleaning dust from them and replacing thermal paste.

The experience of Integrus specialists tells us that the best protection against such threats is to follow best practices in the field of server protection systems.

To ensure the security of our customers' servers, we use a combination of tools: firewalls, antivirus software, security information/event management technologies (SIM/SEM), intrusion detection/prevention technologies (IDS/IPS), network behaviour analysis (NBA) technologies and, of course, regular preventive maintenance of servers and turnkey construction of secure server rooms. This minimises the risk of hacking or of server failure for other reasons.

We are ready to conduct a security audit of your company's servers, provide specialist consultation, and perform all types of work on setting up the protection of server equipment.


