
FSOpen Server Admins
Spencer Morgan
United States

11th Jun 2013
16:37:01
Dave,
I am running an FSOpen server (Delta Pro ATC) for my virtual airline, and the high ranked staff have been giving admin in my session. The problem is that many people's IPs continue to change so I am forced to use the admin key option from the website. I don't use the gamespy ID anymore because then anyone could use their name. The problem is people keep releasing the master admin key to others and unauthorized users are getting admin in my session. Can you look into alternative administration methods such as verification through pilot assistant? Thanks Dave!

Sincerely,
Chase Morgan
Delta Airlines Virtual
ceo@deltaairlinesvirtual.com
Spencer Morgan
United States

11th Jun 2013
16:38:23
Dave,
I just wanted to let you know that I was using my brother's account because I forgot to log out of his and log in to mine.

-Chase
Steff Missot
Netherlands

11th Jun 2013
17:05:15
"people keep releasing the master admin key"
Don't give it to people who can't be trusted (i.e. releasing the key without authorisation to do so).
Maybe give it to one admin who is always online who can grant admin in-game using !admin <name>
Steff Missot
Netherlands

11th Jun 2013
17:07:10
Dave, is it possible to have the FSOpen Software read a text file from the web which contains all the IPs of the admins so it can be altered from a PHP script?
Spencer Morgan
United States

11th Jun 2013
17:15:40
Thanks Steve, yeah that idea of a text file would be helpful as well.
Joe Clifford
United Kingdom

11th Jun 2013
18:28:20
I too would like to see what Steff has mentioned. (I suppose that's pretty obvious really haha)

The ability to insert a URL to a text file into FSOpen software would enable us to incorporate it all into one big permissions system. One where when people that are trusted to be given 'admin' are granted it through Teamspeak, and automatically therefore added to the Session admin list. When someone of this teamspeak server group first joins teamspeak we take their IP and add it to the text file.

Obviously we would make this system ourselves, but just explaining how a text file would be helpful by use of an example.

Regards

Joe
Chase Morgan
United States

11th Jun 2013
19:55:08
Great Points Joe,
From what I understand, you are saying if you are granted admin in Teamspeak, you also are granted admin in the FSX session. That would be awesome considering you could make a group called FSX Admin.

Kind Regards,
Chase
Joe Clifford
United Kingdom

11th Jun 2013
20:11:12
Hello Chase,

Precisely what I'm saying!

Obviously I wouldn't expect Dave to write such a system, that's up to the individual sessions to do. It's something Steff and I have been talking about for a number of months now as something we would like to do. We just want to be able to create a one stop shop for our session permissions, currently our system only allows us to control Website and Forum permissions. We would like to be able to incorporate TeamSpeak and FSOpen server as well.

This is why we would like the ability to link a text file. It would enable us to do that. FSOpen server would just need to maybe re-download the content from the text file every five mins. Alternatively (more complicated but possible) the ability for us to send a packet to the server that triggers the download of the new text file.

Just some ideas but one that I'm sure would be greatly appreciated. This, Dave, too could remove any future requirements to edit or even run the 'admin code' service you currently provide, if sessions are seriously worried about security or how admin tokens are granted this new feature would allow them to do it themselves.

Joe
Curley Campbell
United States
11th Jun 2013
22:18:08
Suggestions are always great.. so not intending to discourage them. You might want to rethink PHP... known and very hacking potential. I personally would not advise it.

When I finish the rest of my data gathering for my legal action.... on the person that gained access to my server yesterday.. I will advise further. Seems a certain IP address loved to use my Nick about 10 times.. then logged in with their own nick. Funny... my bot message was changed after that.. interesting.

I wouldn't suggest making it any easier for hacking purposes. I will look to Dave's input, when he returns.

Steff Missot
Netherlands

11th Jun 2013
23:05:51
"You might want to rethink PHP... known and very hacking potential. I personally would not advise it."

1. You can use ANY scripting language of your choice to edit the file.
2. The file can be a cron job as well that runs outside Apache's access, unless your whole VPS or serverhost loses his root access there is just no way to even see that file if you have configured your system correctly.
3. PHP is not "Hacking Potential", it's the way you use it, if you don't know how to secure your script then it can be "injected", but there is no way to "hack" a PHP script. It's all running serverside so you can't edit any parameters. Therefore, if you know how to use it I would say that it's (almost) unhackable.
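The cron-driven list writer described in points 1 and 2 above, sketched as an added example that is not part of the original post and not FSOpen code. FSOpen reading such a file is the feature requested in this thread, so the one-address-per-line format, the file name and every function name here are assumptions.

```python
import ipaddress
import os
import tempfile

# Constructed sample input (documentation-range addresses, not real admins).
SAMPLE = ["203.0.113.7", " 198.51.100.20\n", "203.0.113.7", "2001:db8::15"]


def normalise_admin_ips(candidates):
    """Return (accepted, rejected): unique addresses in stable order, plus bad entries."""
    accepted, rejected = set(), []
    for raw in candidates:
        try:
            ip = ipaddress.ip_address(raw.strip())
        except ValueError:
            rejected.append(raw)  # hostname, CIDR range or junk, not one address
            continue
        # 0.0.0.0, loopback, link-local and multicast never identify one remote admin.
        if ip.is_unspecified or ip.is_loopback or ip.is_link_local or ip.is_multicast:
            rejected.append(raw)
            continue
        accepted.add(ip)
    ordered = sorted(accepted, key=lambda ip: (ip.version, int(ip)))
    return [str(ip) for ip in ordered], rejected


def write_admin_file(path, ips):
    """Replace the list atomically so a reader never sees a half-written file."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".admins-")
    try:
        with os.fdopen(fd, "w") as handle:
            handle.write("".join(ip + "\n" for ip in ips))
        os.chmod(tmp, 0o640)  # owner writes, group (the server account) reads
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


def publish(path, candidates):
    """Fail closed: keep the previous file unless every entry validated."""
    ips, rejected = normalise_admin_ips(candidates)
    if rejected or not ips:
        return False, rejected
    write_admin_file(path, ips)
    return True, rejected
```

Run from cron under an account the web server cannot write as, this leaves the previous list in place whenever an entry fails validation, so a malformed or wildcard line never widens who counts as an admin.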
Curley Campbell
United States
11th Jun 2013
23:36:39
When used properly, PHP can be a very powerful and useful tool for a number of different applications. Perhaps because of its popularity, it’s also an enticing target for hackers to find exploits. The PHP function allow_url_fopen is a favorite for hackers not only because it allows them to run their scripts on your site, but also because it is enabled by default.

The Fix: Turning off allow_url_fopen is the most obvious fix, but if that isn’t an option, you can try turning on PHP’s safe mode to prevent the most common malicious functions from executing on your server. Keep PHP updated with the latest security patches and be aware of emerging threats by following tech news outlets.
Joe Clifford
United Kingdom

11th Jun 2013
23:43:31
Curley,

I, like Steff, struggle to understand "You might want to rethink PHP... known and very hacking potential. I personally would not advise it."

PHP is the scripting language of choice for 99.9999999999% of web developers looking to protect their data. FSOpen itself (or at least it did when I had access to certain parts of the site) uses PHP to call data.

As Steff said, PHP is a server side scripting language which means that you cannot edit anything that will have an effect on the data being stored. Have a look at the code behind this very forum topic. You can't see any references to the database, tables, field names that this is pulled from. Try to download any .php file from any website and all you'll see is HTML, no PHP code at all.

I'm not sure of your setup however from other topic posts of yours I understand that it is a hosted rack machine. If you are running FSX on this as well as using it as a web server and database then it would be very easy to work out how to load up your database web interface. (I'm of course making the assumption that this is what you are doing, although if you're not doing this you may want to consider it as you could save yourself some money!)

The only way you can prevent people gaining access to your database through this is by ensuring that you have a very secure password. I don't know what experience you have in this area so sorry if you already know this. Most people assume that no one will be able to gain access to the web interface of the database however if you know the IP address it's hosted from and you haven't changed the port that it is accessed from then anyone that wants to get to it can. All they then have to do is guess the username and password which if you haven't changed it from default or have but it's not very secure isn't going to take someone that wants to get in very long to do it.

I personally think that PHP is an incredibly safe way of doing things, this is backed up by the fact that there are very few sites (even online banking sites) that don't use PHP.

Once again, I'm sorry if you do in fact have experience in this area. We are not trying to be irritable but rather expressing our opinion on the matter. If you ever want any help with anything I'm sure Steff would join me in saying that you can email either of us. We are, at the end of the day, trying to achieve the same outcome with regards to FSX Multiplayer sessions. We are in the same boat so should be there to help each other out where we can. We have been involved with a number of sessions in the last few months helping them out with bits and pieces.

Regards

Joe Clifford
Joe Clifford
United Kingdom

11th Jun 2013
23:46:04
Sorry, I was typing whilst you posted your reply. It seems you have knowledge in the area, therefore I aim most of the stuff in my post to anyone else that in the future happens to be reading this topic that is maybe less sure of how things work.
Curley Campbell
United States
12th Jun 2013
00:32:24
No worries Joe.. and Sorry guys... I was just adding a little caution out there. Dave "Knows his stuff"... as I stated.. I will wait on his reply to the suggestion. The only issue I see is the "potential" hacks of sessions.. as the majority of FSX folks I have helped set up their sessions... really would scratch their heads at this conversation.

FYI.. I do keep up with stuff.. as I did this for a living for many years. And if you're interested.. Here's the Top 5 hack list:

1) Injection Attacks - The most common form is SQL Injection, where the hacker passes a SQL command to your database.
2) PHP Remote File Includes - my post.
3) Cross Site Scripting (XSS) - occurs when a website takes malicious user input and, without question, posts the input to their page. The most common reason for a web application to do this is capturing user feedback: product reviews, blog comments, etc.
4) Cross Site Request Forgeries (CSRF) - a hacker uses a cross-site script to hijack a logged-in user’s credentials
5) Insecure Communications - one of the oldest tricks in the book, site operators and visitors often forget that everything transmitted across an insecure protocol—including FTP and HTTP

Again... I apologize for taking this off topic... it just "turned on" the old "Concerned" button in my head..
Dave Wave
United Kingdom

14th Jun 2013
11:48:08
Guys, teamspeak links with scripts to text files all sounds very clunky and won't be of use to many people lacking the expertise or time to integrate a solution.

I think we can now expect admins to use pilot assistant/log on to the website to authenticate in a session. I just need to add the functionality to grant admins to a specific user within fsopen server. This would then work for anyone.
Steff Missot
Netherlands

14th Jun 2013
14:50:15
"teamspeak links with scripts to text files all sounds"

Just an example given of the capabilities of it.

It is still possible to make this text file thingy optional.

You only have to change the source of the IP List in terms of scripting which won't take long Dave.

Steff Missot
Netherlands

14th Jun 2013
16:09:42
And I do plan to release some PHP Scripts in the future.
