Questions server security

Post here your questions about SFS2X. Here we discuss all server-side matters. For client API questions see the dedicated forums.

Moderators: Lapo, Bax

Ardito
Posts: 128
Joined: 12 Sep 2016, 11:26
Location: Italy

Questions server security

Postby Ardito » 07 Feb 2020, 17:03

Hello,
I am working on server security and would like some clarifications on points for which, after long searches, I have not yet found a valid answer:

1) Which encryption is better to use? (On the web they say SHA-512, but isn't it too heavy for performance and hard disk memory?)
2) Does the password have to be encrypted in the client and then sent to the server, or is it sent to the server normally and the server encrypts it? In this case, could someone read it while it travels over the web?
3) If someone enters my DataBase, how can I notice it?
4) If I enter a very complex password to access SmartFoxServer2x, can malicious people enter my database anyway?
5) What should I do to guarantee a minimum of security?
Lapo
Site Admin
Posts: 23008
Joined: 21 Mar 2005, 09:50
Location: Italy

Re: Questions server security

Postby Lapo » 08 Feb 2020, 14:55

Hi,

1) Which encryption is better to use? (On the web they say SHA-512, but isn't it too heavy for performance and hard disk memory?)

It depends what you need to do. SHA is a hashing algorithm, so it's only useful for certain operations.
You can read this for more: https://medium.com/@zaid960928/cryptogr ... 896365a0c1

2) Does the password have to be encrypted in the client and then sent to the server, or is it sent to the server normally and the server encrypts it? In this case, could someone read it while it travels over the web?

Login passwords are never transmitted in clear, even when protocol encryption is not activated.
See here: https://smartfoxserver.com/blog/login-with-encryption/

3) If someone enters my DataBase, how can I notice it?

It's very difficult to say. There can be many ways. If you monitor the admin accesses you can detect suspicious logins, for example.
However, you can restrict admin access only to specific IP addresses via firewall and block anybody else, which is good practice.

4) If I enter a very complex password to access SmartFoxServer2x, can malicious people enter my database anyway?

The harder the password, the harder it is to crack it.

5) What should I do to guarantee a minimum of security?

1) Activate TLS encryption
2) Choose a strong admin password
3) Use a dedicated TCP port for SFS2X admin, in other words use a different port number exclusively for admin access
4) Filter that port via a firewall so that only your IP address(es) can access it.

Hope it helps
Lapo
--
gotoAndPlay()
...addicted to flash games
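Step 4 of the list above in concrete form, as an added example that is not part of the thread or of SFS2X itself: an nftables ruleset that lets only allowlisted addresses reach the admin port and drops everyone else. Port 9935 is the admin port mentioned later in this thread; the two allowlisted addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or the SFS2X docs: an nftables ruleset that
# lets only allowlisted source addresses reach the SFS2X admin port and drops
# everyone else. Port 9935 is the admin port the thread mentions; the two
# addresses are constructed sample values (TEST-NET-3), replace them with yours.
ADMIN_PORT=${ADMIN_PORT:-9935}
ADMIN_ALLOW=${ADMIN_ALLOW:-"203.0.113.10, 203.0.113.11"}

# Print the ruleset. Apply it on the server with:  sfs_admin_ruleset | nft -f -
# The chain policy stays "accept", so the game client port is not touched;
# only traffic to $ADMIN_PORT is filtered. In an "inet" table "ip saddr" only
# matches IPv4, so IPv6 connections to the admin port fall through to the drop.
sfs_admin_ruleset() {
  cat <<EOF
table inet sfs2x_admin {
  set admin_allow {
    type ipv4_addr
    elements = { $ADMIN_ALLOW }
  }
  chain input {
    type filter hook input priority 0; policy accept;
    # AdminTool run on the server itself
    iif "lo" tcp dport $ADMIN_PORT accept
    # AdminTool from the allowlisted addresses
    tcp dport $ADMIN_PORT ip saddr @admin_allow accept
    # everybody else: dropped and counted, so probes show up in "nft list ruleset"
    tcp dport $ADMIN_PORT counter drop
  }
}
EOF
}
```

Check the result with `nft list table inet sfs2x_admin`; the drop counter tells you how often the admin port was probed from outside the allowlist.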
Ardito
Posts: 128
Joined: 12 Sep 2016, 11:26
Location: Italy

Re: Questions server security

Postby Ardito » 08 Feb 2020, 17:52

Thanks for the reply.
SSL certificates are very expensive; for now I am interested in a "free" solution, both when a user logs in and when a user sets a new password from the client. I understand that without an SSL certificate I cannot use the SmartFoxServer2x TLS, right?

The idea of limiting Administrator access is brilliant!! Thank you very much!!
Ardito
Posts: 128
Joined: 12 Sep 2016, 11:26
Location: Italy

Re: Questions server security

Postby Ardito » 08 Feb 2020, 18:02

1) When an Administrator logs into the Server, can I intercept this event?
2) When an Administrator logs on to the Server, but the password is wrong, can I intercept this event?
Lapo
Site Admin
Posts: 23008
Joined: 21 Mar 2005, 09:50
Location: Italy

Re: Questions server security

Postby Lapo » 10 Feb 2020, 15:11

Hi,
Ardito wrote: 1) When an Administrator logs into the Server, can I intercept this event?
2) When an Administrator logs on to the Server, but the password is wrong, can I intercept this event?

No, you can't intercept admin login events.
Lapo

--

gotoAndPlay()

...addicted to flash games
Ardito
Posts: 128
Joined: 12 Sep 2016, 11:26
Location: Italy

Re: Questions server security

Postby Ardito » 10 Feb 2020, 17:43

If I don't use the TLS of SFS2x, do I have to encrypt the password in the client and send it to the server?
Lapo
Site Admin
Posts: 23008
Joined: 21 Mar 2005, 09:50
Location: Italy

Re: Questions server security

Postby Lapo » 10 Feb 2020, 18:59

Ardito wrote: If I don't use the TLS of SFS2x, do I have to encrypt the password in the client and send it to the server?

For logins no, for anything else yes.
Side note: SSL certificates can be pretty affordable these days.
You're Italian as well, right? --> https://www.seeweb.it/prodotti/certificati-ssl

23€ is not that expensive :)

Cheers
Lapo

--

gotoAndPlay()

...addicted to flash games
Ardito
Posts: 128
Joined: 12 Sep 2016, 11:26
Location: Italy

Re: Questions server security

Postby Ardito » 10 Feb 2020, 19:16

Yes, 23€ is very good!! Thanks <3
Yes I am Italian :D

I have limited access to the adminTool on port 9935, everything works correctly.

Lapo wrote: It's very difficult to say. There can be many ways. If you monitor the admin accesses you can detect suspect logins, for example.

How can I do it?
Lapo
Site Admin
Posts: 23008
Joined: 21 Mar 2005, 09:50
Location: Italy

Re: Questions server security

Postby Lapo » 11 Feb 2020, 07:54

Admin accesses are logged in the SmartFox's logs, so you can trace every login.
Cheers
Lapo

--

gotoAndPlay()

...addicted to flash games
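One way to turn "trace every login" into a routine check, as an added example that is not from the thread or from SFS2X: a script that reports failed admin logins and successful admin logins from addresses outside your allowlist. The log layout it parses is an assumed one built from constructed sample lines, so adjust the patterns to what your own smartfox log actually shows.

```shell
#!/bin/sh
# Added example, not from the thread: scan a log file for admin logins and report
# the ones worth a look, i.e. failed admin logins and successful admin logins from
# addresses outside your allowlist. The log layout below is an ASSUMED format
# (constructed sample lines); adjust the grep patterns to your real SFS2X log.

# $1 = log file, $2 = space-separated allowlist of addresses admin logins may come from
suspect_admin_logins() {
  grep -i 'admin login' "$1" | while IFS= read -r line; do
    ip=$(printf '%s\n' "$line" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | head -n1)
    case "$line" in
      *[Ff]ailed*) printf 'FAILED        %s\n' "$line" ;;   # always report failures
      *) case " $2 " in
           *" $ip "*) ;;                                   # allowlisted, nothing to report
           *) printf 'UNEXPECTED-IP %s\n' "$line" ;;
         esac ;;
    esac
  done
}

# Constructed sample log (assumed layout, not real SFS2X output) for a dry run.
write_sample_log() {
  cat > "$1" <<'EOF'
12 Feb 2020 08:40:01 | INFO | Admin login successful, user: admin, ip: 203.0.113.10
12 Feb 2020 09:12:44 | WARN | Admin login failed, user: admin, ip: 198.51.100.7
12 Feb 2020 09:15:02 | INFO | User login successful, user: player42, ip: 198.51.100.9
12 Feb 2020 22:03:19 | INFO | Admin login successful, user: admin, ip: 198.51.100.7
EOF
}

# On a real box, run it from cron against the live log, e.g.:
#   suspect_admin_logins /path/to/your/smartfox.log "203.0.113.10"
```

With the sample log and 203.0.113.10 as the only allowed address, the two 198.51.100.7 admin lines are reported and the ordinary user login is ignored.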
Ardito
Posts: 128
Joined: 12 Sep 2016, 11:26
Location: Italy

Re: Questions server security

Postby Ardito » 11 Feb 2020, 17:59

Hello again,
I have encrypted the database passwords with BCrypt, but the Tokens to reset the password are also stored in my Database, do I have to encrypt these tokens too?
Lapo
Site Admin
Posts: 23008
Joined: 21 Mar 2005, 09:50
Location: Italy

Re: Questions server security

Postby Lapo » 12 Feb 2020, 08:44

Probably not, otherwise if they attack your DB they have access to the keys that decrypt the data.
Maybe you could save those somewhere else, like in the local file system. Not an amazing solution, but at least they are not in the same place.

You could also encrypt those, but then you would have to store some other key to decrypt those tokens... it's an infinite loop :)
Lapo

--

gotoAndPlay()

...addicted to flash games
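A third option, not raised in the thread, that sidesteps the key-storage loop described above: store only a one-way hash of each reset token, so a copy of the database yields nothing usable and there is no decryption key to keep anywhere. Added example, not from the thread; a flat file stands in for the database and the 900-second lifetime is a constructed default.

```shell
#!/bin/sh
# Added example (not from the thread): keep only a SHA-256 fingerprint of each
# password-reset token in the database. A leaked copy of the table does not give
# usable tokens, and nothing has to be decrypted, so no key needs storing.
# The "database" here is a plain file, constructed for the demo.
DB=${DB:-./reset_tokens.db}   # one line per token: <sha256-of-token> <expiry-epoch>

sha256_of() { printf '%s' "$1" | sha256sum | cut -d' ' -f1; }

# Issue a token: print the raw token (sent to the user once), store only its hash
# together with an expiry. $1 = lifetime in seconds (default 900, i.e. 15 minutes).
issue_reset_token() {
  token=$(head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n')
  printf '%s %s\n' "$(sha256_of "$token")" "$(( $(date +%s) + ${1:-900} ))" >> "$DB"
  printf '%s\n' "$token"
}

# Verify a presented token: hash it, look the hash up, check it has not expired,
# then consume it so it is single use. Returns 0 on success, 1 otherwise.
verify_reset_token() {
  h=$(sha256_of "$1"); now=$(date +%s)
  exp=$(awk -v h="$h" '$1==h {print $2}' "$DB" 2>/dev/null | head -n1)
  [ -n "$exp" ] && [ "$now" -le "$exp" ] || return 1
  grep -v "^$h " "$DB" > "$DB.tmp" || true
  mv "$DB.tmp" "$DB"
  return 0
}
```

The same idea carries over to a real table: the column holds the hash, the lookup is by hash, and the row is deleted on first successful use.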
Ardito
Posts: 128
Joined: 12 Sep 2016, 11:26
Location: Italy

Re: Questions server security

Postby Ardito » 12 Feb 2020, 15:10

Many thanks Lapo
Ardito
Posts: 128
Joined: 12 Sep 2016, 11:26
Location: Italy

Re: Questions server security

Postby Ardito » 12 Feb 2020, 18:49

If I use SSL, to set a new password from the client, do I have to encrypt it in BCrypt on the client, and only then send it to the server?
Or since I use SSL there is no need?
Lapo
Site Admin
Posts: 23008
Joined: 21 Mar 2005, 09:50
Location: Italy

Re: Questions server security

Postby Lapo » 13 Feb 2020, 08:39

No, SSL already does all the necessary encryption for you. That's why it is recommended to use it :)
You save yourself all the manual encryption work and it is more secure than any other encryption method.

Cheers
Lapo

--

gotoAndPlay()

...addicted to flash games
Ardito
Posts: 128
Joined: 12 Sep 2016, 11:26
Location: Italy

Re: Questions server security

Postby Ardito » 13 Feb 2020, 12:51

Many thanks
