Questions server security

Post here your questions about SFS2X. Here we discuss all server-side matters. For client API questions see the dedicated forums.

Moderators: Lapo, Bax

User avatar
coolboy714cp
Posts: 323
Joined: 06 Feb 2010, 02:45
Contact:

Re: Questions server security

Postby coolboy714cp » 12 Mar 2020, 19:15

Lapo wrote:Hi,
Ardito wrote:1) When an Administrator logs into the Server, can I intercept this event?
2) When an Administrator logs on to the Server, but the password is wrong, can I intercept this event?

no, you can't intercept admin login events.



Could I suggest this as a feature for a future update? If people could process these kind of events in their own ways, it would make it easier to get notified of such things if you have a popular server that gets continuous logs. If we could write our own extensions to handle these commands I'd definitely write own that makes these events write the IP, Date/Time, and attempted Username (so I know to change the username in the admin tool if it is a real one trying to be guessed) into their own log files and then potentially ban the IP. I know I would rather notice these events more immediately than having to find each attempt in each log file, I would rather have 1 dedicated for that purpose as it would just be much more immediately noticeable.
User avatar
Lapo
Site Admin
Posts: 21588
Joined: 21 Mar 2005, 09:50
Location: Italy

Re: Questions server security

Postby Lapo » 13 Mar 2020, 09:16

Hi,
you can already log and process every login attempt via your own Extensions.

As regards the AdminTool... Security is not about using a weak username and password and then monitoring if someone is trying to guess it :) You must choose a strong username and password from the beginning, so you don't have to worry that anyone will ever guess it.

What we can do, is detecting incorrect Admin login attempts and maybe auto-ban the client IP address after a number of failed attempts. This can be useful but it can also work against you, if you don't remember your own password.

However I think it could be useful to avoid brute-force Admin attacks, so I still think it could be done. After all, if you're the legitimate admin of the server and you've lost your Admin Password, you can still log into your server via SSH or Remote Desktop and manually check the server configuration.

Hope it helps
Lapo
--
gotoAndPlay()
...addicted to flash games

Return to “SFS2X Questions”

Who is online

Users browsing this forum: No registered users and 21 guests