Securing SF2 and best practices

Posted: 30 Aug 2011, 15:48
by levancho
Hi,

We are dealing with a game that requires users to deposit money from their CC or bank account, and further use it in a game, so the user balance has to become a part of the game user state.

Now all non-SF2-related tasks are taken care of the proper way, like deposits, etc., which go through secured BlazeDS channels.
But I would like to ask for any suggestions or links on ways to secure the SF2 server and gameplay, and also ways to avoid situations where "hackers" try to act as another user and access their balance, etc. What measures work and don't work in securing SmartFox server and its games?
Kind of like best practices.

Kind Regards
Levan

Posted: 30 Aug 2011, 16:05
by rjgtav
Hi. I'm not a security expert, but I can give you some suggestions:

1. Send the minimal information to the client - what I mean is that you may not send some important information (for example database information) such as the user ID, the bank account, etc., so you can send just the name and the amount of money the user has.

To still access these data from the server, you can use the User.setProperty and getProperty methods, as these are custom data that you can store in the User object and that are NEVER sent to the client.

2. Add some methods to your extensions to monitor users' behavior and ban/kick those suspected of hacking/cheating the game.

3. Can't remember any more :-P

Posted: 31 Aug 2011, 18:28
by tchen
Adding....

1. Unfortunately, checkSecurePassword is not the best way to authenticate as it requires plain-text storage on the server. I would say best practice is to use a separate authentication server with a secure transport like HTTPS; using a hashed password check, get a one-time use token tied to the requesting IP, and use that token when authenticating with the SFS2X server.

2. Reiterating rjgtav’s log log log log… and log some more.

3. On the server side of things, be sure to use iptables. Lock out almost everything but the SFS2X ports.
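The flow in tchen's first point, written out as an added Python example (not code from this thread or from SmartFoxServer): the separate authentication service verifies a stored PBKDF2 hash instead of a plain-text password, mints a one-time token bound to the requesting IP with a short expiry, and the SFS2X login handler redeems that token. The HTTPS transport, the AuthServer class, the in-memory stores and the 60-second TTL are assumptions for illustration.

```python
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ROUNDS = 200_000


def hash_password(password, salt=None):
    """Return (salt, hash); only this pair is stored, never the plain-text password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class AuthServer:
    """Constructed stand-in for the separate HTTPS authentication service (assumption)."""
    TOKEN_TTL = 60  # seconds a freshly issued token stays redeemable (assumption)

    def __init__(self):
        self.users = {}   # username -> (salt, hash)
        self.tokens = {}  # token -> (username, bound_ip, expires_at)

    def register(self, username, password):
        self.users[username] = hash_password(password)

    def login(self, username, password, client_ip, now=None):
        """Hashed password check; on success mint a one-time token tied to client_ip."""
        now = time.time() if now is None else now
        record = self.users.get(username)
        if record is None:
            return None
        salt, stored = record
        _, candidate = hash_password(password, salt)
        if not hmac.compare_digest(candidate, stored):  # constant-time comparison
            return None
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (username, client_ip, now + self.TOKEN_TTL)
        return token

    def redeem(self, token, client_ip, now=None):
        """What the SFS2X login handler would call: valid once, from the issuing IP, before expiry."""
        now = time.time() if now is None else now
        entry = self.tokens.pop(token, None)  # pop = single use, even when the checks below fail
        if entry is None:
            return None
        username, bound_ip, expires_at = entry
        if client_ip != bound_ip or now > expires_at:
            return None
        return username
```

The SFS2X extension would pass the token received at login to `redeem` together with the connecting client's IP and reject the login whenever it returns `None`.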