Preventing people from connecting to our SFS 2X server

Post here your questions about SFS2X. Here we discuss all server-side matters. For client API questions see the dedicated forums.

warhell
Posts: 199
Joined: 18 Aug 2007, 16:49
Location: Silicon Valley, CA
Contact:

Postby warhell » 18 Aug 2011, 20:26

Hi, I'm trying to figure out how to prevent people who don't have our app (we are making a mobile app) from connecting to our servers and sending messages.

It looks like all you need to do to connect to any SmartFoxServer is have the IP address, and from there you can just make a config file and join rooms and such.

How do we verify that our client is valid, and not someone just trying to connect?
SmartFoxServer and OpenSpace developer
www.edgarmiranda.net
rjgtav
Posts: 2813
Joined: 19 Apr 2009, 11:31
Location: Lisbon, Portugal

Postby rjgtav » 18 Aug 2011, 21:18

Hi. Well, that's an interesting question. Currently I can't find a way that can't be hacked.
Skills: SFS Pro, SFS2X, AS2.0/AS3.0, Java, HTML5/CSS3/JS, C#
Portfolio: https://rjgtav.wordpress.com/
SFS Tutorials: http://sfs-tutor.blogspot.com/ - Discontinued. Some examples may be bugged.
rjgtav
Posts: 2813
Joined: 19 Apr 2009, 11:31
Location: Lisbon, Portugal

Postby rjgtav » 18 Aug 2011, 22:20

Well, it looks like there are some methods, but only hard ones. The only one that I think is hack-free is the binary code comparison of the client file, but this may only work on AIR. Does anyone else have other ideas? Especially not so heavy ones?
rjgtav
Posts: 2813
Joined: 19 Apr 2009, 11:31
Location: Lisbon, Portugal

Postby rjgtav » 19 Aug 2011, 06:59

Hi. I just realized that the method I mentioned can also be hacked.

So, instead of preventing the hacked client from logging in, what about if you just ban players when you find out that they're hacking? For example, via a server-side extension, you could verify the data sent by the client, and if it has some unexpected data, you could ban him.
Lapo
Site Admin
Posts: 23027
Joined: 21 Mar 2005, 09:50
Location: Italy

Postby Lapo » 19 Aug 2011, 07:31

There is no way, actually :D
It's like asking how you prevent people whose face you don't like from entering your coffee shop :-) See what I mean?
A server is a public service, just like a public office or shop. Anyone can at least enter and ask for something ... then if their request doesn't make sense or they are misbehaving you can show them the door. Right?

Same concept applies here.
Any client can connect to SFS2X's port 9933. The door is always open (in fact you open the door via the firewall ;) ).
From that moment they need to handshake correctly and perform a valid login. That's where the "filtering" starts. Only those who speak the proper protocol and send requests that make sense will be able to use the service.

In addition to this we provide tools to further enhance the security like:
- IP Filters, to block unwanted clients
- Banning, to remove bad users
- Word filters
- Anti-flood filters
- Idle user auto-disconnection
- Privilege levels, to give special permissions only to trusted users

All this and more is configurable from our visual AdminTool.
Check the docs for all the details.
Lapo
--
gotoAndPlay()
...addicted to flash games
rav
Posts: 82
Joined: 06 Dec 2010, 13:14

Postby rav » 19 Aug 2011, 13:41

Just check all requests from the client for whether they can be performed. So if a request could be performed (from the server's point of view), it means that the client is valid (even if your client was hacked or this is some other client).
warhell
Posts: 199
Joined: 18 Aug 2007, 16:49
Location: Silicon Valley, CA
Contact:

Postby warhell » 19 Aug 2011, 21:37

Lapo wrote: There is no way, actually :D
It's like asking how you prevent people whose face you don't like from entering your coffee shop :-) See what I mean?
A server is a public service, just like a public office or shop. Anyone can at least enter and ask for something ... then if their request doesn't make sense or they are misbehaving you can show them the door. Right?

Same concept applies here.
Any client can connect to SFS2X's port 9933. The door is always open (in fact you open the door via the firewall ;) ).
From that moment they need to handshake correctly and perform a valid login. That's where the "filtering" starts. Only those who speak the proper protocol and send requests that make sense will be able to use the service.

In addition to this we provide tools to further enhance the security like:
- IP Filters, to block unwanted clients
- Banning, to remove bad users
- Word filters
- Anti-flood filters
- Idle user auto-disconnection
- Privilege levels, to give special permissions only to trusted users

All this and more is configurable from our visual AdminTool.
Check the docs for all the details.


So there is no way to say store a "key" on the client end, and then send that key over to the server to check that they are a "valid" client?
rjgtav
Posts: 2813
Joined: 19 Apr 2009, 11:31
Location: Lisbon, Portugal

Postby rjgtav » 19 Aug 2011, 21:53

Hi. You could do that, but any user that has your app can decompile it and get that key. Then that user can create a hacked client and use the retrieved key to connect.

I'm pretty sure the only way is to look for unexpected behaviours (like sending the wrong extension commands, trying to talk with extensions it wasn't supposed to, etc.) on the server side and then apply the necessary action, such as kick, temp. ban, perma. ban, IP ban and so on.
Lapo
Site Admin
Posts: 23027
Joined: 21 Mar 2005, 09:50
Location: Italy

Postby Lapo » 20 Aug 2011, 09:04

warhell wrote: So there is no way to say store a "key" on the client end, and then send that key over to the server to check that they are a "valid" client?

Sure... but this does not prevent a bad client from getting a connection to the server and holding resources.
In order to validate the key you must allow ANY client to establish a connection and talk to the server; AFTER that you decide who can stay and who can't.
Also I second rjgtav's comments. Signing a client with a key hardcoded in the SWF is not so secure. Maybe adding a 2nd layer of protection with an obfuscator might help.

A more advanced approach is that the key is generated randomly by the client using a special algorithm which is then obfuscated.
And to make things even more complex the part of code that contains the algorithm should be loaded dynamically via socket by the main "shell" of your application.

I'll stop here... we could go on for hours discussing more sophisticated layers of protection. The bottom line IS, there's no 100% bulletproof system, you just need to make it hard enough so that crackers will desist. If your game is money-based it's okay to get paranoid, otherwise I wouldn't get too crazy with extra complexity.

Cheers
Lapo

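As an added example (not code from this thread or from SmartFoxServer itself), here is the server-side approach rjgtav and rav describe, written as a minimal SFS2X Java extension: every request is checked against what a genuine client could actually send, and a user who keeps sending requests that fail the check is kicked and then banned. The "move" command, its x/y schema, the strike thresholds and the user-property name are assumptions for illustration; the API calls follow the SFS2X 2.x extension javadoc as I know it, so verify the BanMode package and the banUser/kickUser signatures against your server version.

```java
import com.smartfoxserver.v2.api.ISFSApi;
import com.smartfoxserver.v2.entities.User;
import com.smartfoxserver.v2.entities.data.ISFSObject;
import com.smartfoxserver.v2.entities.managers.BanMode; // package from memory, check the javadoc
import com.smartfoxserver.v2.extensions.BaseClientRequestHandler;
import com.smartfoxserver.v2.extensions.SFSExtension;

// Hypothetical extension: "move" is the only command the genuine client ever sends.
public class StrictExtension extends SFSExtension {
    @Override
    public void init() {
        addRequestHandler("move", MoveHandler.class);
    }

    public static class MoveHandler extends BaseClientRequestHandler {
        private static final String STRIKES = "strikes"; // user property name (assumed)
        private static final int KICK_AT = 3, BAN_AT = 5;   // thresholds chosen for illustration

        @Override
        public void handleClientRequest(User sender, ISFSObject params) {
            if (!isValidMove(params)) {
                punish(sender, "malformed move request");
                return;
            }
            // ... apply the move to the game state here ...
        }

        // A genuine client always sends exactly two integer fields, x and y, inside a 100x100 board.
        // Anything else (extra keys, wrong types, out-of-range values) can only come from a modified client.
        static boolean isValidMove(ISFSObject p) {
            if (p == null || p.size() != 2 || !p.containsKey("x") || !p.containsKey("y")) return false;
            Integer x = p.getInt("x"), y = p.getInt("y"); // null when the key holds another type
            return x != null && y != null && x >= 0 && x < 100 && y >= 0 && y < 100;
        }

        // Count strikes on the User object, kick at KICK_AT and ban by address at BAN_AT (60 minutes).
        private void punish(User u, String reason) {
            Integer n = (Integer) u.getProperty(STRIKES);
            int strikes = (n == null ? 0 : n) + 1;
            u.setProperty(STRIKES, strikes);
            trace("Invalid request from " + u.getName() + " (" + reason + "), strike " + strikes);
            ISFSApi api = getParentExtension().getApi();
            if (strikes >= BAN_AT)
                api.banUser(u, null, "Banned for sending invalid requests", BanMode.BY_ADDRESS, 60, 0);
            else if (strikes >= KICK_AT)
                api.kickUser(u, null, "Kicked for sending invalid requests", 0);
        }
    }
}
```

The same strike counter can be shared by every handler in the extension, so that talking to a command the client was never meant to use counts against the user in the same way as malformed data.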
