Hello,
I am working on server security and I would like some clarifications for which, after long searches, I have not yet found a valid answer:
1) Which encryption is better to use? (On the web they say SHA-512, but isn't it too heavy for performance and hard disk memory?)
2) Does the password have to be encrypted on the client and then sent to the server, or is it sent to the server normally and the server encrypts it? In this case, could someone read it while it travels on the web?
3) If someone enters my database, how can I notice it?
4) If I enter a very complex password to access SmartFoxServer2x, can malicious people enter my database anyway?
5) What should I do to guarantee a minimum of security?
Questions server security
Re: Questions server security
Hi,
Ardito wrote:1) Which encryption is better to use? (On the web they say SHA-512, but isn't it too heavy for performance and hard disk memory?)
It depends on what you need to do. SHA is a hashing algorithm, so it's only useful for certain operations.
You can read this for more: https://medium.com/@zaid960928/cryptogr ... 896365a0c1
Ardito wrote:2) Does the password have to be encrypted on the client and then sent to the server, or is it sent to the server normally and the server encrypts it? In this case, could someone read it while it travels on the web?
Login passwords are never transmitted in clear, even when protocol encryption is not activated.
See here: https://smartfoxserver.com/blog/login-with-encryption/
Ardito wrote:3) If someone enters my database, how can I notice it?
It's very difficult to say. There can be many ways. If you monitor the admin accesses you can detect suspect logins, for example.
However you can restrict admin access only to specific IP addresses via firewall and block anybody else, which is good practice.
Ardito wrote:4) If I enter a very complex password to access SmartFoxServer2x, can malicious people enter my database anyway?
The harder the password, the harder it is to crack it.
Ardito wrote:5) What should I do to guarantee a minimum of security?
1) Activate TLS encryption
2) Choose a strong admin password
3) Use a dedicated TCP port for SFS2X admin, in other words use a different port number exclusively for admin access
4) Filter that port via a firewall so that only your IP address(es) can access it.
Hope it helps
Re: Questions server security
Thanks for the reply.
SSL certificates are very expensive; for now I am interested in a "free" solution, both when a user logs in and when a user sets a new password from the client. I understand that without an SSL certificate I cannot use the SmartFoxServer2x TLS, right?
The idea of limiting Administrator access is brilliant!! Thank you very much!!
Re: Questions server security
1) When an Administrator logs into the Server, can I intercept this event?
2) When an Administrator logs on to the Server, but the password is wrong, can I intercept this event?
Re: Questions server security
Hi,
no, you can't intercept admin login events.
Re: Questions server security
If I don't use the TLS of SFS2x, do I have to encrypt the password in the client and send it to the server?
Re: Questions server security
Ardito wrote:If I don't use the TLS of SFS2x, do I have to encrypt the password in the client and send it to the server?
For logins no, for anything else yes.
Side note: SSL certificates can be pretty affordable these days.
You're Italian as well, right? --> https://www.seeweb.it/prodotti/certificati-ssl
23€ is not that expensive.
Cheers
Re: Questions server security
Yes, 23€ is very good!! Thanks <3
Yes, I am Italian.
I have limited access to the adminTool on port 9935, everything works correctly.
Lapo wrote:It's very difficult to say. There can be many ways. If you monitor the admin accesses you can detect suspect logins, for example.
How can I do it?
Re: Questions server security
Admin accesses are logged in the SmartFox's logs, so you can trace every login.
Cheers
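Lapo's answer is that admin accesses are in the SmartFox logs, so they can be traced. A small way to make use of that, as an added example (not code from the thread or from SmartFoxServer): scan the log for admin login events, and raise an alert when a successful admin login comes from an IP outside the allowlist you configured on the firewall, or when an IP reaches a number of failed attempts. The log lines and the `AdminLogin user=... ip=... result=...` format are constructed for this example; they are an assumption, not the real SFS2X log format, so the regular expression would need adjusting to the actual lines in your logs.

```python
import re
from collections import defaultdict

# Constructed sample log (assumption: NOT the real SmartFoxServer 2X format).
# It only stands in for the fact that every admin access is logged.
SAMPLE_LOG = """\
2024-03-01 10:02:11 INFO  AdminLogin user=admin ip=203.0.113.7 result=OK
2024-03-01 10:15:40 WARN  AdminLogin user=admin ip=198.51.100.23 result=FAILED
2024-03-01 10:15:52 WARN  AdminLogin user=admin ip=198.51.100.23 result=FAILED
2024-03-01 10:16:03 WARN  AdminLogin user=admin ip=198.51.100.23 result=FAILED
2024-03-01 10:16:20 INFO  AdminLogin user=admin ip=198.51.100.23 result=OK
2024-03-01 11:00:00 INFO  UserLogin user=player42 ip=192.0.2.9 result=OK
2024-03-01 12:30:05 INFO  AdminLogin user=admin ip=203.0.113.7 result=OK
"""

# Matches only admin login events; ordinary player logins are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \S+\s+AdminLogin user=(?P<user>\S+) "
    r"ip=(?P<ip>\S+) result=(?P<result>\S+)$"
)


def parse_admin_logins(text):
    """Return a list of dicts (ts, user, ip, result), one per admin login line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def audit_admin_logins(text, allowed_ips, fail_threshold=3):
    """Produce human-readable alerts for suspect admin activity.

    allowed_ips: the IP addresses the firewall is supposed to let through
                 to the admin port; a successful login from anywhere else
                 means the firewall rule is not doing its job.
    fail_threshold: number of failed attempts from one IP that triggers
                 an alert (a guessing attempt against the admin password).
    """
    alerts = []
    failures = defaultdict(int)
    for ev in parse_admin_logins(text):
        if ev["result"] != "OK":
            failures[ev["ip"]] += 1
            if failures[ev["ip"]] == fail_threshold:
                alerts.append("%s %d failed admin logins from %s"
                              % (ev["ts"], fail_threshold, ev["ip"]))
            continue
        if ev["ip"] not in allowed_ips:
            alerts.append("%s admin login from non-allowlisted ip %s"
                          % (ev["ts"], ev["ip"]))
        if failures[ev["ip"]] >= fail_threshold:
            alerts.append("%s successful admin login from %s after %d failures"
                          % (ev["ts"], ev["ip"], failures[ev["ip"]]))
    return alerts


if __name__ == "__main__":
    for alert in audit_admin_logins(SAMPLE_LOG, {"203.0.113.7"}):
        print(alert)
```

Run periodically (cron) against the current log file, or feed the same logic to whatever log collector you already have, and send the alerts by e-mail; the allowlist should be the same set of addresses you put in the firewall rule for the admin port, so the two checks confirm each other.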
Re: Questions server security
Hello again,
I have encrypted the database passwords with BCrypt, but the Tokens to reset the password are also stored in my Database, do I have to encrypt these tokens too?
Re: Questions server security
Probably not, otherwise if they attack your DB they have access to the keys that decrypt the data.
Maybe you could save those somewhere else, like in the local file system. Not an amazing solution, but at least they are not in the same place.
You could also encrypt those, but then you would have to store some other key to decrypt those tokens... it's an infinite loop
Re: Questions server security
Many thanks Lapo
Re: Questions server security
If I use SSL, to set a new password from the client, do I have to encrypt it in BCrypt on the client, and only then send it to the server?
Or since I use SSL there is no need?
Re: Questions server security
No, SSL already does all the necessary encryption for you. That's why it is recommended to use it.
You save yourself all the manual encryption work and it is more secure than any other encryption method.
Cheers
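Two points of the thread fit one worked example: Lapo's answer that with SSL/TLS the client sends the password as-is and the server does the hashing, and the earlier question about the password reset tokens stored next to the BCrypt hashes. The code below is an added example, not code from the thread or from SmartFoxServer. It goes one step beyond the thread's answer on tokens: instead of encrypting the token (which needs a key, the loop Lapo describes) it stores only a SHA-256 hash of the token, which needs no key at all; the token itself goes to the user once (by e-mail) and is never written to the database, so someone who reads the table gets nothing usable. Assumptions: PBKDF2-HMAC-SHA256 from the standard library stands in for BCrypt so the example runs without extra packages, the `pbkdf2_sha256$iterations$salt$digest` storage format and the 600,000 iteration count are this example's choices, and the database is a plain dict (`new_db()`) in place of a real one.

```python
import hashlib
import hmac
import os
import secrets
import time

# Assumption: PBKDF2-HMAC-SHA256 stands in for BCrypt; iteration count is
# this example's choice and should be tuned to your hardware.
PBKDF2_ITERATIONS = 600_000


def new_db():
    """Hypothetical in-memory database: a users table and a reset-token table."""
    return {"users": {}, "reset_tokens": {}}


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Return 'pbkdf2_sha256$iterations$salt$digest' (format is an assumption).

    A fresh random salt per password means two users with the same password
    get different stored values.
    """
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_password(password, stored):
    """Recompute the digest with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def login(db, username, password):
    """Server side of a login over TLS: plaintext arrives, hashing happens here."""
    stored = db["users"].get(username)
    return stored is not None and verify_password(password, stored)


def _token_hash(token):
    # Unkeyed hash is enough: the token is long and random, so it cannot be
    # guessed from the digest, and no decryption key has to be stored anywhere.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_reset_token(db, username, now=None, ttl_seconds=900):
    """Create a reset token; only its digest and expiry go into the database.

    The returned token is what you e-mail to the user, and it is never stored.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    db["reset_tokens"][username] = {"hash": _token_hash(token),
                                    "expires": now + ttl_seconds}
    return token


def redeem_reset_token(db, username, token, new_password, now=None):
    """Set a new password if the presented token matches, is unexpired, unused."""
    now = time.time() if now is None else now
    rec = db["reset_tokens"].get(username)
    if rec is None:
        return False
    if now > rec["expires"]:
        del db["reset_tokens"][username]
        return False
    if not hmac.compare_digest(rec["hash"], _token_hash(token)):
        return False
    db["users"][username] = hash_password(new_password)
    del db["reset_tokens"][username]   # single use
    return True


if __name__ == "__main__":
    db = new_db()
    db["users"]["ardito"] = hash_password("correct horse battery")
    print("login ok:", login(db, "ardito", "correct horse battery"))
    token = issue_reset_token(db, "ardito")
    print("stored record:", db["reset_tokens"]["ardito"])
    print("reset with token:", redeem_reset_token(db, "ardito", token, "new pass"))
```

The `now` parameter exists so expiry can be tested deterministically; in production leave it at the default. A token that was already used, or has expired, is removed, so a leaked old e-mail cannot be replayed later.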
Re: Questions server security
Many thanks