SFS Spamming
So someone created something like a spamming program that connects to the server using a Python file and spams packets. Here's the code; is there any way I can fix it?
Re: SFS Spamming
Hi,
For starters, I have removed the script from your post. It doesn't look like a great idea to put it out in public, does it?
The main problem I see here is that the attacker can gain access to your server by passing an empty string as the username; in other words, you don't seem to have a credential check for people logging into the server.
I highly recommend that you implement a login system so that users can gain access only with a valid login/password pair. This alone will render the attack useless.
Also, you could track down the IP address of the attacker and block it, either via the IP blacklist in SmartFoxServer or, even better, at the firewall level.
cheers
Re: SFS Spamming
Hello Lapo, thank you for answering me and I apologize for posting the script.
The username isn't an empty string; he generates it as random strings here:
Code:
"strUsername": self.randomString(9),
"strPassword": self.randomString(9),
He uses that to register in the MySQL database, connecting to the "signup.php" file, and then he just defines them:
Code:
self.Username = params["strUsername"]
self.Hash = params["strPassword"]
And so here's the login code once he connects to the server:
Code:
self.sendData("<msg t='sys'><body action='login' r='0'><login z='zone_master'><nick><![CDATA["+self.Key+"~"+self.Username+"]]></nick><pword><![CDATA["+self.Hash+"]]></pword></login></body></msg>")
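Lapo's recommendation above (accept a login only with a valid login/password pair, reject empty usernames, and block abusive IPs), applied to the SFS 1.x login message quoted in this post, as an added example that is not code from the thread or from SmartFoxServer. The in-memory user store, the PBKDF2 hashing and the `<key>~<username>` nick convention are assumptions of the example.

```python
import hashlib, hmac, secrets, time
from xml.etree import ElementTree
# Constructed in-memory user store (username -> (salt, PBKDF2 hash)); an assumption
# standing in for whatever signup.php writes to MySQL.
USERS = {}

def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def register(username, password):
    """Store a salted hash, never the plaintext the client sends."""
    salt = secrets.token_bytes(16)
    USERS[username] = (salt, _hash_password(password, salt))

class LoginGate:
    def __init__(self, max_failures=5, window_seconds=60):
        self.max_failures = max_failures
        self.window = window_seconds
        self.failures = {}      # ip -> timestamps of recent failed logins
        self.blacklist = set()  # refused ips; mirror these at the firewall as well

    def _record_failure(self, ip, now):
        recent = [t for t in self.failures.get(ip, []) if now - t < self.window]
        recent.append(now)
        self.failures[ip] = recent
        if len(recent) >= self.max_failures:
            self.blacklist.add(ip)

    def check_login(self, ip, xml_msg, now=None):
        """Return 'ok', 'denied' or 'blocked' for one SFS 1.x login message from ip."""
        now = time.time() if now is None else now
        if ip in self.blacklist:
            return "blocked"
        try:
            login = ElementTree.fromstring(xml_msg).find("body/login")
        except ElementTree.ParseError:
            login = None
        nick = (login.findtext("nick") or "") if login is not None else ""
        pword = (login.findtext("pword") or "") if login is not None else ""
        # The client in the thread sends "<key>~<username>" in <nick>; the part after
        # the last "~" is taken as the username (an assumption about that convention).
        username = nick.rsplit("~", 1)[-1].strip()
        # Unknown names still cost a hash so timing does not reveal which names exist.
        salt, stored = USERS.get(username, (b"\0" * 16, b"\0" * 32))
        ok = bool(username) and hmac.compare_digest(_hash_password(pword, salt), stored)
        if not ok:
            self._record_failure(ip, now)
            return "denied"
        return "ok"
```

After `max_failures` failed attempts inside the window the source IP lands in `blacklist`; the SmartFoxServer IP blacklist or a firewall rule is the place to enforce that for real, not a Python set.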
Re: SFS Spamming
I suggest you block automated user registrations in the first place.
Add a CAPTCHA to your sign-up form and also make sure you request a valid email address to which to send a confirmation link for the user.
This will help ensure that only humans will be able to create new users in the system, with the added bonus of requiring further confirmation via a valid email address.
cheers
Re: SFS Spamming
Once again you are amazing. Thank you, Lapo <3 much love