X-Ray Dog at 18:16, 22 April 2012

2012-04-22T18:16:28Z

Apollo at 06:28, 24 June 2010

2010-06-24T06:28:54Z

Flowtron: import from previous wiki

2010-06-20T13:36:53Z

import from previous wiki

New page

{{ Language | pagename=Server security }}

==General==
It is easy to set up a minimal server, however if you plan to host a server over a long time you should consider some security aspects. General goals:

# Run the server with an underprivileged user account. This reduces the applications access to local system resources such as the filesystem
# Run the server in a way that does not require an interactive session. This ensures that the server keeps running independent of any user session.
# Run the server in a sandbox. Isolate the server process to minimize its ability to affect the local system

The following sections describe these measurements on different platforms. It is presumed that the reader knows how to perform basic administrative tasks such as creating new user accounts.

==Microsoft Windows==
This section covers the following Windows platforms:

* Windows Server 2000
* Windows Server 2003
* Windows XP Professional Edition
* Windows XP Professional x64 Edition
* Windows XP Media Center Edition 2005

Unfortunately, Windows XP Home Edition is missing some necessary features, so you will be unable to run a server as a service if you are running XP Home.

===Running the AC server as a service===
Creating an own service for the AC server is a good way to achieve the goals 1. and 2. : It runs the AC server using a configurable user credential and keeps it running independent of any user session.

Start > Run > ''lusrmgr.msc'' to access ''Local Users and Groups''.
[[Image:New-ac-user.gif|thumbnail|right|The newly created ''ACserver'' account listed in the ''Local Users and Groups'' window, on Windows XP Professional]]
# Create a new user account for the AC server, e.g. a local user account named ''ACserver''.
# Remove the account from the ''Users'' group.
# Create a new group for game servers, e.g. ''Gameservers'' and add the ''ACserver'' account to it.
# Set the correct filesystem permissions, as described below. To enable the ''Security'' tab on folder properties, go to My Computer > Tools > Folder Options... > View and '''uncheck''' ''Use simple file sharing (Recommended)''.
## Deny write permission on the system drive (C:\)
## Grant execute permission on the ''\bin_win32'' folder
## Grant execute permission on the ''\assaultcube_server.bat'' file
## Grant Read permission on the ''\config\maprot.cfg'' file

==Linux/Unix==
For maximum security - on a machine you have root access to - you should create a dedicated user with no group memberships (except it's own group, of course).
If you can and think it safer you might consider using some form of [http://en.wikipedia.org/wiki/Chroot chroot].
'''chown''' and '''chmod''' the files appropriately .. either accessible only for the user as owner and group ''chown -R acs:acs *'' (if your user is '''acs''') or maybe you ''do'' trust your staff/admins - but be careful with any logfiles and extra careful ('''chmod 600''') with config/serverpwd.cfg.
Run the server inside a [http://en.wikipedia.org/wiki/GNU_Screen screen-session].
There are also a number of ways to keep a server alive in case it crashes without having to manually interact with the machine.
One of the most straight-forward methods is to have some script like the following run periodically via something like [http://en.wikipedia.org/wiki/Cron cron].
#!/bin/sh

ACdir="/usr/local/games/AC"
ACpsi=`ps aux | grep "bin_unix.\+_server" | grep -v grep | awk '{print $2,$3,$4,$8,$11}'`
ACpid=`echo "$ACpsi"|awk '{print $1}'`
ACstat=`echo "$ACpsi"|awk '{print $4}'`
# you might even want to check $ACstat doesn't contain "Z" .. as in zombie

if [ -z "$ACpid" ]; then

echo "Couldn't find AC server running, restarting it."
cd "$ACdir"
# run the screen session:
/usr/local/bin/my_screen_session_for_an_AC_server
# or just try this:
#nohup ./server.sh &
echo ""

fi

Very advanced users may even poll the infoport to check for responsiveness and/or gamestate sanity - we leave that as an exercise to you ;-)

[[Category:English]]
[[Category:Server]]
[[Category:Configuration]]

← Older revision		Revision as of 06:28, 24 June 2010
Line 1:		Line 1:
−	~~{{ Language \| pagename=Server security }}~~
−
−
	==General==		==General==
	It is easy to set up a minimal server, however if you plan to host a server over a long time you should consider some security aspects. General goals:		It is easy to set up a minimal server, however if you plan to host a server over a long time you should consider some security aspects. General goals:

@@ Line 1: / Line 1: @@
 ==General==
-It is easy to set up a minimal server, however if you plan to host a server over a long time you should consider some security aspects. General goals:
+It is easy to [[Server_setup|set up a minimal server]], however if you plan to host a server over a long time you should consider some security aspects. General goals:
 # Run the server with an underprivileged user account. This reduces the applications access to local system resources such as the filesystem

Server security - Revision history

X-Ray Dog at 18:16, 22 April 2012

Apollo at 06:28, 24 June 2010

Flowtron: import from previous wiki