Haunted Dawg - Posted March 17, 2008

Well have you recently been having problems running your crons? Well ok, I'll let you in on a good secret on how to stop other people from running your crons. Ok, I'm posting this because previously I've seen some games have problems with other people running their crons.

Add another table to the database:

[code not shown]

Now go to the minute cron and put this into it:

[code not shown]

Then let your cron run using the cron manager. Don't run it by yourself. After the cron minute ran, go into your database and look at the table cron_runner, then look at the IP that it gives. Ok, since you got that, now add this:

[code not shown]

This is basically a v1 code because v2 has a code already set to the crons to run. Hope you can get rid of those buggers trying to run the crons themselves.

Isomerizer - Posted March 17, 2008
Re: Secure Your Crons.

What's with all the SQL? Why not just...

[code not shown]

Guest Anonymous - Posted March 17, 2008
Re: Secure Your Crons.

Personally, I'd shift the crons *outside* of the web root and call them directly from the crontab rather than with the usual curl, but that facility does depend on your hosting company...

Come to think of it, just get rid of them - you seldom need crons. But it does require thinking a little outside the box.

Haunted Dawg (Author) - Posted March 17, 2008
Re: Secure Your Crons.

ISO, the MySQL query is to insert into the database to check what ur host cron IP is. Then you can update it to set it so that only your host can run the crons.

And yes nyna, my crons are running on a dif website just used for crons for my website. Runs very perfect :P

Guest Anonymous - Posted March 17, 2008
Re: Secure Your Crons.

Be careful with that IP trick... AOL users notably seem to be served via a rotating proxy server which means they generate a different IP every request - a royal pain in the a** - but a judicious use of cookies here would perform a similar function (assuming of course the user has cookies enabled...)

Isomerizer - Posted March 17, 2008
Re: Secure Your Crons.

> ISO the mysql query is to insert into the database to check what ur host cron ip is. Then you can update it to set it so that only your host can run the crons.

Yes, but the IP inserted will just be $_SERVER['SERVER_ADDR'] as this predefined PHP variable will auto detect your server IP...

> and yes nyna. My crons are running on a dif website just used for crons for my website. runs very perfect :P

I think she meant to run the cron somewhere not public on your server.. cgi-bin/ maybe, other than public_html / httpdocs. Not a completely different site. :s

Guest Anonymous - Posted March 17, 2008
Re: Secure Your Crons.

$_SERVER['REMOTE_ADDR'] is spoofable... Very!

And yes Iso...

/home/nyna/my-site/crons -- where any crons are stored...
/home/nyna/my-site/webroot -- where my php files are stored...

The "webroot" is the only thing visible from the outside world via HTTP, but as I say, this can be tricky to set up depending on your host, plus it needs modifications (albeit minor ones) to the cron files themselves.

Haunted Dawg (Author) - Posted March 17, 2008
Re: Secure Your Crons.

I actually pay $20 a month just to host 1 of my sites. This is because I pay 2 different hosts. 1 host I use just for running crons, and no one will be able to figure out the URL because it's like in 2 dif folders, then IP protected, then still code protected, so as far as I know my game crons are secure from outsiders.

And another thing is this code is worth the use for v1 users because v1 crons do not use a code, they are just in folders. But how many of us don't know the folders:

home/root/username/public_html/crons/are/not/4u/ and the crons are here.

But now some people change it, and they don't do much of a change. They normally change to:

home/root/username/public_html/crons/are/sacred/ and the crons are here.

So even if they use the old fashioned way of using the crons/are/not/4u/, with this code basically they won't need to worry about outsiders touching their crons.

I used this type when I was a total newbie about 1 year and a half back when I first started my first game. I used this method to keep outsiders away and it worked.

It's just a little bit of help to keep those away from your crons.

OH btw Iso, your $_SERVER['REMOTE_ADDR']; is not so secure. I can go to a test.php file, make it go to a test2.php file, but within test.php it has a field of what IP I want to use, right? So then in test2.php I run $IP = $_SERVER['REMOTE_ADDR']; but instead of grabbing your actual IP it grabs the IP you inputted in test.php. Trust me, I've tried that and I got it to work for some reason.

Ragnar - Posted March 17, 2008
Re: Secure Your Crons.

> Ok im posting this because previusly ive seen some games have problems with other people running there crons.

Why don't you/they simply require something like cron_XXX.php?code=5e76gf8fg6fg1d-die-cheater-die-bc9JH783d28gl89U-p0wned0-Hbb0b in the URL??!!

Version 2 already comes with this. Edit it in the database to make it even harder to figure out.

Haunted Dawg (Author) - Posted March 17, 2008
Re: Secure Your Crons.

That's the problem, v1 does not come with it, and this is more secure than using a ?code=blah

Decepti0n - Posted March 18, 2008
Re: Secure Your Crons.

Just put them outside the web root. Done.

No need for IP checks or passwords or extra servers (<-- what the hell?). No matter how many folders deep or how long your password, someone would be able to get it after a while. If it's outside the web root they can't even access the page unless they're on your server, in which case you have bigger problems.

Haunted Dawg (Author) - Posted March 18, 2008
Re: Secure Your Crons.

Well deception, it's just an exception on ways to secure your crons from outsiders.

John1 - Posted March 18, 2008
Re: Secure Your Crons.

In V2 they are secure anyway, as no one can execute them manually unless they have the code.

Haunted Dawg (Author) - Posted March 18, 2008
Re: Secure Your Crons.

And didn't you read at the bottom, FOR V1 USERS! :x

John1 - Posted March 19, 2008
Re: Secure Your Crons.

If that's the case, y wouldn't u just find a copy of a V1 global_func.php and edit it to do the same as V2 globals?

Haunted Dawg (Author) - Posted March 19, 2008
Re: Secure Your Crons.

Because if you look carefully, v2 global_func.php is WAY different than v1 global_func.php

jay-dogg2006 - Posted March 19, 2008
Re: Secure Your Crons.

Well, you can secure your V1 crons with a code like V2. killah helped with this!

Open up the cron. Find:

[code not shown]

Add this before the <?php

[code not shown]

Then change the "enter a key here" to any keycode you would like. I would suggest generating a password which consists of letters and numbers, as it's less likely to get discovered.

Then go to cron manager and add after the .php:

curl http://gamename.com/crons/are/not/4u/cr ... key=youkey

Change the "your key" to the key you set in the cron, and there you are, a little security for you!

Please do not reply with negative comments.

Guest Anonymous - Posted March 19, 2008
Re: Secure Your Crons.

Security by obscurity is seldom sufficient... Were a person able to gain access to the server and see the httpd log files, (s)he would instantly get the key.

I've said it before, ... place your crons OUTSIDE of the web root and use a proper crontab to call them rather than using curl.

AlabamaHit - Posted March 20, 2008
Re: Secure Your Crons.

Would not just changing your folder names not be secure? So instead of

crons/are/not/4u/

make something like

change/to/what/the/heck/ever/

Make up a bunch of useless crap for a name... don't think anyone would guess if you was to just change the folders to different names that made no sense at all.

Guest Anonymous - Posted March 20, 2008
Re: Secure Your Crons.

In general - no. Given the restricted character set permitted by most operating systems for folder and file names, it would be fairly easy to "script" an attack against this. Granted you could go fairly deep - 20+ folders, all with long names, but it's just security through obscurity.

curious4moreknowledge - Posted March 21, 2008
Re: Secure Your Crons.

Seems to me that this function would be more practical to use as an IP tracker and log system if you have ppl trying to run your crons. Then you can IP ban and fedjail the user. I may add this to my files just for this purpose, although I doubt it would ever be an issue anyway. Good way to find out though :-D

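Two points raised in the thread can be checked against a web server access log: a key passed in the cron URL is written to the httpd log in clear text, and hits on the cron URLs can be tracked by source IP. The following is an added example, not code from any poster; the log lines, IP addresses, key value and the `audit_cron_hits` name are constructed, and the Apache "combined" log format is assumed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log: documentation-range IPs, made-up key value.
SAMPLE_LOG = """\
192.0.2.10 - - [17/Mar/2008:10:00:01 +0000] "GET /crons/are/not/4u/cron_minute.php?key=EXAMPLEKEY HTTP/1.1" 200 5 "-" "curl/7.16"
203.0.113.7 - - [17/Mar/2008:10:00:30 +0000] "GET /crons/are/not/4u/cron_hour.php HTTP/1.1" 200 5 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Mar/2008:10:00:31 +0000] "GET /crons/are/not/4u/cron_minute.php?key=guess1 HTTP/1.1" 403 0 "-" "Mozilla/5.0"
198.51.100.4 - - [17/Mar/2008:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# client IP, timestamp, method, request target, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def audit_cron_hits(log_text, cron_prefix, scheduler_ips, key_params=("key", "code")):
    """Return (foreign_hits, keys_in_log) for requests under cron_prefix.

    foreign_hits: requests to cron URLs from IPs that are not the scheduler.
    keys_in_log:  key values on accepted (2xx) requests, i.e. what anyone
                  who can read this log file can read as well.
    """
    foreign, leaked = [], set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        ip, when, _method, target, status = m.groups()
        url = urlsplit(target)
        if not url.path.startswith(cron_prefix):
            continue
        if status.startswith("2"):
            query = parse_qs(url.query)
            for name in key_params:
                leaked.update(query.get(name, []))
        if ip not in scheduler_ips:
            foreign.append({"ip": ip, "time": when,
                            "path": url.path, "status": int(status)})
    return foreign, leaked


if __name__ == "__main__":
    hits, keys = audit_cron_hits(SAMPLE_LOG, "/crons/are/not/4u/", {"192.0.2.10"})
    for h in hits:
        print("outside request:", h)
    print("keys readable in the log:", sorted(keys))
```

A 200 status on an outside request means the cron actually ran for someone other than the scheduler. Any value reported in `keys_in_log` should be rotated if the log is readable by anyone else.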
HITMAN 17 - Posted October 25, 2008
Re: Secure Your Crons.

Ahh, now my crons are secure.