
AmxBans for non-own server


Ex1T
New Member
Join Date: Oct 2017
Old 10-11-2017 , 09:25   AmxBans for non-own server
Reply With Quote #1

Hey guys,

I know there is a support forum for AmxBans, but they have a stupid registration system and I started raging after XYZ unsuccessful attempts to register.

So, I have a special problem. Someone (doesn't matter who) has game servers and they want to connect to my banlist with classic banlist functions. I don't know how to protect the MySQL database against a potential attack (because they will see the MySQL access data in the sql.cfg file), so they can connect to phpMyAdmin and see passwords, delete the whole database, edit the database etc.

Is there any option to do it? Maybe somehow encode the password to the database? So in sql.cfg he will see only an encoded password and he doesn't get physical access to the database. Or forbid some permissions on the database user?

Is there any option, please?

Thank you for every advice! Have a nice day.
Ex1T is offline
wickedd
Veteran Member
Join Date: Nov 2009
Old 10-11-2017 , 09:48   Re: AmxBans for non-own server
Reply With Quote #2

Why bother if you don't trust them??
__________________
Just buy the fucking game!!!!
I hate No-Steamers and lazy ass people.
wickedd is offline
Ex1T
New Member
Join Date: Oct 2017
Old 10-11-2017 , 10:12   Re: AmxBans for non-own server
Reply With Quote #3

Hi!
Thank you for your reply.

It's a question of security ... People are bad and not everyone has good intentions. I am scared, because if they want, they can easily make big problems for me with this database and database access.
Ex1T is offline
fysiks
Veteran Member
Join Date: Sep 2007
Location: Flatland, USA
Old 10-11-2017 , 10:24   Re: AmxBans for non-own server
Reply With Quote #4

The simplest answer is to not do it. The best that you could do is to create a user that has as little access as possible. The most strict access while still having access is usually "read only" access. I've never needed more than a single user to my databases so I'm not sure if that's even possible. You'd have to learn more about MySQL and your host's availability to do such things.
__________________
fysiks is offline
gabuch2
AlliedModders Donor
Join Date: Mar 2011
Location: Chile
Old 10-11-2017 , 10:46   Re: AmxBans for non-own server
Reply With Quote #5

The most you can do is to create a user for a single table only (amxbans). But with the nature of the plugin, they will still need write permissions in order for the plugin to work correctly (meaning they will have the power to add and drop data at will).
__________________

Last edited by gabuch2; 10-11-2017 at 10:48.
gabuch2 is offline
Ex1T
New Member
Join Date: Oct 2017
Old 10-11-2017 , 11:41   Re: AmxBans for non-own server
Reply With Quote #6

Hey hou,

fysiks - I am communicating with my webhosting, so I can create a DB user and edit its privileges. But I need to know how AmxBans works with MySQL and what privileges I can allow and what I must ban.

Gabe Iggy - Oh damn. There is always some problem here. What would you do in my place? What do you suggest? Thank you.
Ex1T is offline
JusTGo
Veteran Member
Join Date: Mar 2013
Old 10-11-2017 , 11:47   Re: AmxBans for non-own server
Reply With Quote #7

I suggest making a backup of your database every week/month, as you want.
__________________
JusTGo is offline
Ex1T
New Member
Join Date: Oct 2017
Old 10-11-2017 , 11:51   Re: AmxBans for non-own server
Reply With Quote #8

Hi JusTGo,

My webhosting is automatically creating backups every day, but ... what level of security is that? Is this really prevention from attack/hack? But thank you for your answer. I know you are trying to help. If anything comes to your mind, please let me know.

Last edited by Ex1T; 10-11-2017 at 11:53.
Ex1T is offline
aron9forever
Veteran Member
Join Date: Feb 2013
Location: Rromania
Old 10-11-2017 , 12:53   Re: AmxBans for non-own server
Reply With Quote #9

I'll weigh in on the issue based on personal experience.

You have two possible choices:

1) Create a public MySQL user for outside access. You can set it in such a way that they only have access to some commands, such as SELECT if they can't add bans, or SELECT, INSERT if they need to insert bans as well. This will stop anyone from instantly deleting your database. You need to be careful with INSERT as well, as someone could potentially flood your table with garbage or ban every single IP and/or STEAMID combination (that would take a while). You can also issue user access on a specific IP address only. This can help to avoid DoS attacks on your database, as well as other people accessing it; it will only let that server connect to the DB and not other servers or people with desktop SQL clients.

2) Create a web API using sockets
You could just create your own API for fetching and maybe adding bans. You can make use of the new JSON module added to 1.8.3, it really is a beauty for this kind of stuff. This requires considerable effort to implement, but allows you to set whatever constraints you want (for example, don't let any single server add more than 5 bans in a minute).

If you only need to let them read your banlist and not actually modify it, then great, just create another MySQL user with only SELECT privilege and give them that.
__________________
Meanwhile, in 2050:
Quote:
Originally Posted by aron9forever
useless small optimizations
Quote:
Originally Posted by Black Rose View Post
On a map that is 512x512x128 units you end up with 3,355,443,200,000 different "positions". To store each one of those positions individually in the variable "user_or" you need 12 terabytes of memory.
aron9forever is offline
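
The "no more than 5 bans in a minute" limit from option 2 above, enforced here inside MySQL with a trigger rather than in the web API the post describes. This is an added example, not part of the thread or of AmxBans; the database `amxbans_db`, the ban table `amx_bans` and the helper table `ban_insert_log` are assumed names.

```sql
-- Added example. Assumed names: amxbans_db, amx_bans, ban_insert_log.
-- Run as an administrative account from the mysql command-line client
-- (DELIMITER is a client command, not server SQL).
USE amxbans_db;

-- Bookkeeping table: one row per accepted ban insert, keyed by the
-- connecting account ('user@host' as reported by USER()).
CREATE TABLE IF NOT EXISTS ban_insert_log (
    account    VARCHAR(191) NOT NULL,
    created_at DATETIME     NOT NULL,
    KEY idx_account_time (account, created_at)
);

DELIMITER //
CREATE TRIGGER amx_bans_rate_limit
BEFORE INSERT ON amx_bans
FOR EACH ROW
BEGIN
    DECLARE recent INT;

    -- USER() is the account of the connected client, so every remote
    -- game server is counted separately as long as each has its own account.
    SELECT COUNT(*) INTO recent
      FROM ban_insert_log
     WHERE account = USER()
       AND created_at > NOW() - INTERVAL 1 MINUTE;

    -- Raising an error in a BEFORE trigger rejects the row being inserted.
    IF recent >= 5 THEN
        SIGNAL SQLSTATE '45000'
            SET MESSAGE_TEXT = 'ban rate limit exceeded for this account';
    END IF;

    INSERT INTO ban_insert_log (account, created_at)
    VALUES (USER(), NOW());
END//
DELIMITER ;
```

The trigger body runs with the privileges of the account that defined it, so the remote accounts need no grant on `ban_insert_log` and cannot clear their own counters. Old log rows should be purged periodically.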
gameplayonline
Member
Join Date: Jun 2017
Old 10-13-2017 , 14:13   Re: AmxBans for non-own server
Reply With Quote #10

Hello,
I'm his webhosting provider.
I will try to better evaluate what we need to do.
He is the owner of gaming portal webpages and has some servers.
He has an offer where people with game servers are able to join his portal and his AmxBans online banlist.
The problem is here:
He will not be the owner of all servers. This means other persons have full access to all directories on the game server and they see the login details for the MySQL database in sql.cfg.
We have an IP restriction function to allow DB connections from outside only from IP addresses which we have approved. But we are shared hosting, and somebody can create an account and add an IP to the whitelist, and he is able to connect to MySQL...
The next problem is this:
Another server owner can create a script and run it on the game server which will save or show the password of the AmxBans admin from the database, because it is not encoded in the database table. I think one solution is to recode AmxBans to use encoding like md5, but because we need to allow editing or deleting bans, the DB user must have the right to modify or delete tables, and I think he is able to encode his own password to md5 and replace the AmxBans master admin password in the DB and get access to the banlist with full access rights...
We need to allow showing, adding, editing and deleting bans, and for this reason we must know which functions the MySQL user needs.

Last edited by gameplayonline; 10-14-2017 at 20:14.
gameplayonline is offline
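
The restricted account discussed in posts #9 and #10, written out as MySQL statements: one account per remote game server, bound to that server's address, with privileges on the ban table only and none on the table holding admin passwords. This is an added example, not part of the thread or of AmxBans; the database `amxbans_db`, the table `amx_bans`, the account name and the address 203.0.113.10 (a documentation address) are assumptions, and any other table the plugin turns out to need gets its own equally narrow grant.

```sql
-- Added example. Assumed names: amxbans_db, amx_bans, partner_srv1.
-- 203.0.113.10 stands in for the remote game server's fixed address.

-- One account per remote server, so a leaked sql.cfg exposes only this
-- account and it can be removed without touching anyone else.
CREATE USER 'partner_srv1'@'203.0.113.10'
    IDENTIFIED BY 'REPLACE_WITH_LONG_RANDOM_SECRET';

-- Read-only partner: can look bans up, nothing else.
GRANT SELECT ON amxbans_db.amx_bans
    TO 'partner_srv1'@'203.0.113.10';

-- Partner that must also add, edit and delete bans (post #10):
-- row-level writes on the ban table only. UPDATE and DELETE change rows;
-- they do not allow DROP TABLE, ALTER TABLE or TRUNCATE.
GRANT SELECT, INSERT, UPDATE, DELETE ON amxbans_db.amx_bans
    TO 'partner_srv1'@'203.0.113.10';

-- Deliberately not granted: anything on the admin/password table,
-- database-wide (amxbans_db.*) or global (*.*) privileges,
-- DROP, ALTER, CREATE, FILE, GRANT OPTION.

-- Cap how much damage a hostile or broken client can do (MySQL 5.7+ syntax).
ALTER USER 'partner_srv1'@'203.0.113.10'
    WITH MAX_UPDATES_PER_HOUR 120
         MAX_USER_CONNECTIONS 2;

-- Review the result: anything beyond USAGE on *.* and the amx_bans
-- line is excess and should be revoked.
SHOW GRANTS FOR 'partner_srv1'@'203.0.113.10';

-- When the partner leaves or the credentials leak:
DROP USER 'partner_srv1'@'203.0.113.10';
```

With these grants the account in sql.cfg can still insert, alter or delete individual bans, so the daily backups mentioned earlier in the thread remain the recovery path for that case.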