modernmafia Posted September 12, 2012

Recently I have had some guy called millo or milo attack my game's DB; he is able to change/alter things. How can I secure my database from attacks? Also, advice when adding a user to a DB: what should/shouldn't be ticked?
Danny696 Posted September 12, 2012

It's not to do with MySQL, it's to do with your game. Try securing the forums, preferences, the dp hack, and the rest of the game.
sniko Posted September 12, 2012

Although, it would help if you thought about the privileges you gave to the database user.
modernmafia Posted September 12, 2012 (Author)

> Although, it would help if you thought about the privileges you gave to the database user.

I ticked all boxes as I was unsure what not to tick.
sniko Posted September 12, 2012

Select, Insert, Update, Delete. These are the common commands used in McCodes.
modernmafia Posted September 12, 2012 (Author)

> Select, Insert, Update, Delete. These are the common commands used in McCodes.

Would you suggest I re-add the user to my database and tick the options you have suggested? (In your opinion, what would you do?) Thanks for the reply also.
Octarine Posted September 12, 2012

DROP is also required IIRC, due to the TRUNCATE statement in the day cron. A marginally safer alternative would be wise; i.e. DELETE with no WHERE clause.
sniko Posted September 12, 2012

True, Octarine, thanks for having my 6 ;) ModernMafia, no need. Just click your user in MySQL Databases.
modernmafia Posted September 12, 2012 (Author)

Thanks for your help, you two :)
Danny696 Posted September 12, 2012

Well, think about what commands the hacker needs; aren't they the same?
sniko Posted September 12, 2012

> Well, think about what commands the hacker needs; aren't they the same?

Yeah, but ticking ALL PRIVILEGES opens the horizons and floodgates to the dark eternity of what we call Hell. Sorry, I went a bit epic there :p
lucky3809 Posted September 13, 2012

Personally, I make another folder outside the public directory, then stick the database files in there and change the permissions. However, this is not the only security you need; you also need to secure your pages, because you don't necessarily have to have access to files to execute a URL hack...
modernmafia Posted September 13, 2012 (Author)

> Personally, I make another folder outside the public directory, then stick the database files in there and change the permissions. However, this is not the only security you need; you also need to secure your pages, because you don't necessarily have to have access to files to execute a URL hack...

How do you go about doing this? And is anyone good at spotting loopholes, or could look at the game online and suggest areas of improvement?
modernmafia Posted September 13, 2012 (Author)

> How do you go about doing this? And is anyone good at spotting loopholes, or could look at the game online and suggest areas of improvement?

Also, a suggestion on what permissions to use.
Octarine Posted September 13, 2012

Assuming a small McCodes game, you ideally only want SELECT, INSERT, UPDATE and DELETE privileges for the game user; the lack of DROP privileges is easy enough to work around. Larger games will probably need other permission sets or multiple (MySQL) users.

You can protect files easily enough by moving them outside of the document root - for example - however, that in turn raises a whole host of other permission-related problems, and frankly I'm not overly sure what benefit there would be over a .htaccess file with a simple <Files ...>...</Files> block, outside of keeping the public_html (or whatever it is called on your hosting platform) clean. (A lot of people still hide their cron jobs in long/winded/folder/names in an attempt to hide them rather than using this method - why, I've no idea.)

As for spotting problem areas: decent logs help. Your web server's own logs can be a start, though they seldom provide sufficient information; i.e. they don't log POST parameters or X_HTTP_xxx variables, both of which are susceptible to common tricks. Knowing what is happening to you is the key to tracking down the problem itself; then understanding how the problem arose in the first place and either learning how to patch it yourself or employing somebody with the necessary skills to patch it for you.
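The least-privilege account the thread converges on, written out as an added example (not code from the thread or from McCodes). The database name `game`, the account `game_app`, the tables `users` and `daily_stats`, and the password are all assumptions; substitute your own. It also shows the TRUNCATE-to-DELETE swap Octarine mentions, and what the reduced grant takes away from someone who gets SQL execution through a hole in the game:

```sql
-- Added example, not from the thread. Assumed names: database `game`,
-- MySQL account `game_app`, tables `users` and `daily_stats`.

-- 1. Create the account and bind it to the web server's host only.
--    (Replace the password; it is a placeholder.)
CREATE USER 'game_app'@'localhost' IDENTIFIED BY 'replace-with-a-long-random-password';

-- 2. Grant only the four statements the game actually issues, scoped to
--    ONE database (game.*, never *.*). No DROP, FILE, GRANT OPTION, SUPER
--    and no access to the mysql.* system tables. GRANT takes effect
--    immediately; FLUSH PRIVILEGES is not needed here.
GRANT SELECT, INSERT, UPDATE, DELETE ON game.* TO 'game_app'@'localhost';

-- 3. Check the result: the listing should show exactly SELECT, INSERT,
--    UPDATE, DELETE on `game`.* and nothing else.
SHOW GRANTS FOR 'game_app'@'localhost';

-- 4. Day-cron workaround: TRUNCATE needs the DROP privilege, DELETE with
--    no WHERE clause needs only DELETE. Note the difference: DELETE does
--    not reset AUTO_INCREMENT and is slower on a very large table.
-- Before (requires DROP):
--   TRUNCATE TABLE daily_stats;
-- After (works with the grant above):
DELETE FROM daily_stats;

-- 5. What an attacker with SQL execution as `game_app` can no longer do.
--    Each of these is refused by the server under the grant above; run
--    them as game_app to confirm (they are commented out here).
-- DROP TABLE users;                                   -- DROP not granted
-- SELECT user, authentication_string FROM mysql.user; -- other database, not granted
-- SELECT LOAD_FILE('/etc/passwd');                    -- FILE not granted: returns NULL
-- SELECT 1 INTO OUTFILE '/var/www/html/shell.php';    -- FILE not granted: access denied
```

Run this from a MySQL root/admin session, not as the game account. If your hosting panel only offers tick boxes, tick exactly SELECT, INSERT, UPDATE and DELETE for the game's database and leave ALL PRIVILEGES unticked; the panel is issuing the same GRANT underneath.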
rulerofzu Posted September 13, 2012

Sample of .htaccess file protection by name and extension. This will throw up a login dialogue box for a .htaccess user; if no valid user/pass is entered, it will throw an unauthorized web page.

    <FilesMatch "(nameofafile|someotherfile)\.php$">
        AuthName "Dialog prompt"
        AuthType Basic
        Require valid-user
    </FilesMatch>
Octarine Posted September 13, 2012

[OT] Access controls provided by the AuthName and AuthType directives need directives such as AuthUserFile and AuthGroupFile in order to work correctly. And why support authentication for a file you don't need access to anyway?

    <Files ...>          (or <FilesMatch ...>)
        Order Deny,Allow
        Deny From All
    </Files>

would suffice, no?
rulerofzu Posted September 13, 2012

I agree totally with you, Oct; I was just posting a method, though, just in case your hosting is restrictive. There are some funny hosting setups out there!!