[MUD-Dev] Java servers and hacking

ceo ceo at grexengine.com
Tue Jul 8 12:25:58 CEST 2003


Daniel James wrote:

> p.s. I wrote and cancelled a 'hear hear' to Randy's Java praise;
> our servers haven't crashed once in eight months of alpha
> testing. They did get pretty confused once, but they stubbornly
> refused to keel over.

Over the weekend, a pre-alpha server for a game I've been producing
got hacked (cracked/whatever). Well, they tried. The logs contain
some pretty obvious attempts to cause buffer-overruns (oh, how I
chuckled at that). But far more amusingly it looked like they were
attempting a mixture of known-exploits for apache and IIS, and there
were frequent occurrences of garbage requests ending in
"\WinNT\cmd.exe".

The first of these was defeated by the fact the server is entirely
java (no JNI), and the second by the fact that yes it's an
HTTP-server, but a custom one written for our needs. HTTP servers
don't take long to write, especially if you only need a subset of
the functionality!

FYI for anyone new to MUDs/security:

I would strongly recommend not exposing any well-known systems
(MySQL, Apache, etc) on the front-end of your server(s) if you can
easily avoid it. Especially if you can put any sandboxed /
buffer-overflow-tolerant language there (note: statistics I've had
from some security mailing lists in the past suggest that the
biggest single cause of server-exploits is buffer-overflows, despite
the libraries available to easily prevent them).

For 3rd-party apps you just limit access so that it can only be from
localhost. Some apps make this easy (e.g. MySQL etc) others you just
have to firewall the port(s) they listen on so that they can only be
connected to from localhost/127.0.0.1 (and turn on
source-address-verification). Firewalls under Linux are surprisingly
easy to understand and use these days.

Adam M
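The kind of bounded request-line handling the post describes (a memory-safe custom front-end that refuses overlong lines, unknown methods and backslash/traversal paths rather than crashing) as an added illustration; this is hypothetical example code, not the GrexEngine server, and the limits, the allowed methods and the path allowlist are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;
/** Bounded request-line handling for a minimal custom HTTP front-end (hypothetical). */
public final class RequestLineGuard {
    static final int MAX_LINE = 1024;   // assumed hard cap on request-line bytes
    static final int MAX_PATH = 256;    // assumed cap on the path component
    // Only the characters our own URLs need; backslashes, "..", "%" and "?" are rejected.
    static final Pattern SAFE_PATH = Pattern.compile("/(?!.*\\.\\.)[A-Za-z0-9/._-]*");
    /** Read one CRLF-terminated line; returns null (caller answers 414) past MAX_LINE bytes. */
    public static String readLine(InputStream in) throws IOException {
        byte[] buf = new byte[MAX_LINE];
        int n = 0, b;
        while ((b = in.read()) != -1 && b != '\n') {
            if (n == buf.length) return null;   // overlong: stop buffering, nothing to overflow
            buf[n++] = (byte) b;
        }
        if (n > 0 && buf[n - 1] == '\r') n--;
        return new String(buf, 0, n, StandardCharsets.ISO_8859_1);
    }
    /** Map a request line to the status we would answer with; 200 means safe to dispatch. */
    public static int classify(String line) {
        if (line == null) return 414;                                   // overlong request line
        String[] p = line.split(" ");
        if (p.length != 3) return 400;                                  // malformed / garbage
        if (!p[0].equals("GET") && !p[0].equals("HEAD")) return 405;    // only what we need
        if (!p[2].equals("HTTP/1.0") && !p[2].equals("HTTP/1.1")) return 400;
        if (p[1].length() > MAX_PATH || !SAFE_PATH.matcher(p[1]).matches()) return 400;
        return 200;
    }
    public static void main(String[] args) throws IOException {
        // Constructed sample inputs modelled on the log entries described in the post.
        String[] samples = {
            "GET /world/map.png HTTP/1.1\r\n",                 // legitimate -> 200
            "GET /scripts/..\\WinNT\\cmd.exe HTTP/1.0\r\n",    // IIS-style junk -> 400
            "POST /login HTTP/1.0\r\n",                        // method we never serve -> 405
            "GET /" + "A".repeat(4000) + " HTTP/1.0\r\n",      // overrun attempt -> 414
        };
        for (String s : samples) {
            InputStream in = new ByteArrayInputStream(s.getBytes(StandardCharsets.ISO_8859_1));
            String line = readLine(in);
            System.out.println(classify(line) + "  " + (line == null ? "<overlong>" : line));
        }
    }
}
```

The oversized line is never fully buffered, so in a JVM the worst case is a rejected request and a log entry, not a smashed stack; the same cap is worth logging and alerting on, since it is the cheapest signal that someone is probing the front-end.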
_______________________________________________
MUD-Dev mailing list
MUD-Dev at kanga.nu
https://www.kanga.nu/lists/listinfo/mud-dev
