Post4VPS Forum | Free VPS Provider
database: networking and security - Printable Version

+- Post4VPS Forum | Free VPS Provider (https://post4vps.com)
+-- Forum: Web Technology & Internet (https://post4vps.com/Forum-Web-Technology-Internet)
+--- Forum: Web Development (https://post4vps.com/Forum-Web-Development)
+--- Thread: database: networking and security (/Thread-database-networking-and-security)

Pages: 1 2


database: networking and security - fitkoh - 11-19-2020

I am dipping my toe in sql lately. My goal is to extend the games I've been working on with multiplayer functionality. I've had some success, but it's a steep learning curve as I'm not well versed with php or sql, the systems being used to integrate the database with the client.

While I experiment with new and interesting ways of organizing user data to enhance the gaming experience, I've got my thoughts centered on security. To have a multiplayer game, I need a way to identify different users, and each must be unique. This necessitates a user database, and means that I'll have to maintain user data and keep it safe while being able to access it and transmit it over the interwebs as needed.

Here's what I've tried so far:

After a great deal of thought, I decided to create a wordpress site to start the database. While probably not the most secure option, it is "the industry standard" as the most popular cms in the world, and with many minds working on it, it's probably better than anything I could come up with on my own on the fly.

Wordpress does make the effort to hash passwords before storing them, and there are numerous plugins to extend security, and regular updates: which I feel good about.

Next, I create my php scripts. The php scripts take a POST response over https and use it to move data into the database. The output is passed as JSON back to the client.

I am by no means an expert in security, but I did make some effort: I made sure to use PHP VALIDATE filters and on all user inputs. But I've noticed after hours of research that there are a ton of topics on this subject, more than I could ever read; which makes me wonder: What's the best way to go about it? It's like buying shampoo... how do I know what's the best shampoo when there's a whole aisle full of options, more than I could ever try?

 I'm still a little apprehensive about transmitting user data over the internet, and would like to keep considering other options to increase security and safety for myself and others.

I have thought of creating a login token that would expire after a time; an hour or two? This could become tedious for the end user, but I'm less anxious about transmitting a randomly generated token than sending a user name/password, and expiring tokens would limit the opportunities for cheating. I could even bind each token to an ip although some users might not appreciate having their ip stored :/ I think there is no perfect solution. I need to focus on finding the best solution for my particular scenario.

After all that, here are the questions for any who might have an answer, and wish to extend the discussion:

1. At current, how "safe" would my operation be? I know that no system is completely secure, but can I proceed with relative confidence that I've made a solid effort to protect the integrity of the data?

2. If not, what other systems should I consider putting in place? What search terms can I put in google to return the topics I would be well to learn?


RE: database: networking and security - tbelldesignco - 11-19-2020

Good questions! I learned a long time ago that if someone really wanted to steal user data they are going too, putting steps in place like hashing data prior to it being inserted into the database, creating specific hashes for users that expire after a certain time like you said and even looking at using MFA options to add an extra wall of security. Here are a couple options that you could do:

1. User Hash - you mentioned this and it is a great idea, my software for work has this in place and all data transmitted through the SSL be it on the web-app or iOS app are done so with the hash, which if someone intercepts the data, they are going to have a real hard time trying to identify the information as they would need to know how you are compiling your string and what the information means. For example you could do something like sha1(md5('USERNAME . ' . ' . PASSWORD . ' . ' . DATE')) then using various PHP functions you could break it down using your periods as dividers to pull out information like the date and verifying that it is within the last 24 hours or the user will have to reauthenticate.

2. IP Logging - When a user logs in you can use IPs to make sure that an account is only logged in once, but you can also use this to monitor brute force attacks in conjunction with something Google Authenticator. So your SQL data base would look like id(int10),ipAddress(text),verified(enum('0','1')). When a user logs in, you can capture their IP regardless of if they are using a VPN or not and pass it over to this table. You can also update the user table with a field like lastIP or something and use further checks to see if they have passed the MFA from that IP before and they can bypass the 6-digit code. You could create a script in your back end too to see if there are multiple failed attempts from a single IP allowing you to add that to your blacklist easier.

Once you get comfortable with PHP you can take it's most basic functions and turn it into a powerful tool with a little know how.


RE: database: networking and security - fitkoh - 11-20-2020

I spent some time researching and was able to find some ready-made tools to serve my purpose.

I found a plugin called "Participation Database" which was perfect for what I what I was trying to do. It's made for Volunteer programs, but from what I've seen it's more like a more user friendly and less powerful version of phpmyadmin. It creates a table in the database and allows you to add columns and rows and allows you to set data properties for each field, and you can set groups for organizing and displaying your rows and columns. It's integrated with a separate userbase system with user signup and email confirmation. Each user is assigned a random token and logged with an ip, which is what I'll use as the keys for transmitting data. What I really like about this set up is there's never any private data transmitted over the internet: just a random token and the users ip, which is public anyways.

I used a membership plugin "Simple Wordpress Membership" to hide the sign up page and user profile page from visitors who are not logged in. So, in order to get a token, a person must
1. be logged into the website
2. be registered for the game
3. request and read email to receive code.

My last step will be to set up a cron script to change the random codes on a schedule, and finally revise my php scripts to use the new login protocols.

Other than that I'll need some extensive testing to determine appropriate rules  to add to fail2ban to help ward off cheaters.


RE: database: networking and security - tbelldesignco - 11-21-2020

I am not too familiar with that plug-in, but I am very curious about how it operates - one of my biggest annoyances with Wordpress that I want to change with my CMS is customizability. I feel with Wordpress you are kinda locked into what they provide database structure wise and they don’t offer very many clues on how to create custom solutions in their FAQs and Tutorials. Don’t get me wrong, I love Wordpress for what it offers, but for solutions like you need there is no real clear cut path.


RE: database: networking and security - fChk - 11-21-2020

@fitkoh

Do you have any PHP programming knowledge in your tool-sets ?..


RE: database: networking and security - fitkoh - 11-21-2020

(11-21-2020, 06:48 AM)fChk Wrote: @fitkoh

Do you have any PHP programming knowledge in your tool-sets ?..

Not really: my limited programming knowledge is entirely self taught and self guided. I haven't adhered to any particular curriculum or course of study... I just try to learn what I need to know to achieve a goal. I have bits and pieces of different languages, techniques, methods I've acquired over the years, mostly from examining other's code. Recently I've found https://www.w3schools.com to be very useful.

Perhaps a long long time ago, before stylesheets, I could have been considered fluent in javascript, but js have evolved significantly since then, and I haven't kept up with the changes. This recent project has been challenging, but I am satisfied with my progress thus far. I have some help on the client, but I've done all the integrations with the server side, and wrote the first prototype from scratch in 2 days. I then did some research and rewrote almost the entire set of scripts using newly discovered techniques. Five days later, more studying later, I rewrote about half of what I had. Now I'm working on a fourth iteration which will be heavily focused on security, in hopes of a round of beta testing maybe by early next year Smile

More on topic: I had an idea of running the system on 2 databases: two separate servers. I'm sure there are things I'm not considering. It could be an utterly terrible idea and I just don't know why, but here's what I've come up with.

On the up side:
*split bandwidth and demand on server
*if one database was compromised, the data would be largely useless without the matching credentials

On the down side
*increased complexity in implementation and maintainence
*increased cost in time and money

As far as I can tell it's basically "keep all your eggs in one basket" or "divide and conquer"


RE: database: networking and security - fChk - 11-21-2020

(11-21-2020, 08:40 AM)fitkoh Wrote: Not really: my limited programming knowledge is entirely self taught and self guided. I haven't adhered to any particular curriculum or course of study... I just try to learn what I need to know to achieve a goal. I have bits and pieces of different languages, techniques, methods I've acquired over the years, mostly from examining other's code. Recently I've found https://www.w3schools.com to be very useful.

Perhaps a long long time ago, before stylesheets, I could have been considered fluent in javascript, but js have evolved significantly since then, and I haven't kept up with the changes. This recent project has been challenging, but I am satisfied with my progress thus far. I have some help on the client, but I've done all the integrations with the server side, and wrote the first prototype from scratch in 2 days. I then did some research and rewrote almost the entire set of scripts using newly discovered techniques. Five days later, more studying later, I rewrote about half of what I had. Now I'm working on a fourth iteration which will be heavily focused on security, in hopes of a round of beta testing maybe by early next year Smile

Okay then it might be helpful to remind you that a full-blown registration system is only needed when one wants to identify the users/players in the long-term; hence the users table/list and the registration process plus the login/logout routines. If that's what you really want then yes, a database-backed app is warranted.

On the other hand, if you only want to keep track of the who's who, short-term (ie during the ongoing game server-side), then PHP sessions are what you're looking for instead. PHP session is the way PHP keeps track of the user-agent requests (ie the way it keeps state on a stateless protocol that's HTTP). They are generally ephemeral (destroyed when the browser exit) and you can destroy(/or regenerate them server-side) via your PHP script.

I'll leave it to you to see what fits best your use case. In case of an ephemeral state preservation (that shouldn't require a user, login, logout tables) you'll only need the session table implemented preferably with Redis [don't use a classic database server in Games, inadequate for latency] and a session script.

The way I would have implemented it is by using JavaScript in both the front-end (your actual JavaScript-based game) and in the back-end using Node.js and Redis to store my users session data.

If Node.js and Redis are new software for you, I'd highly recommend you to start studying them in-depth. They are the keys for a successful HTML5-based Game App.

Good luck!


RE: database: networking and security - fitkoh - 11-24-2020

(11-21-2020, 12:03 PM)fChk Wrote: Okay then it might be helpful to remind you that a full-blown registration system is only needed when one wants to identify the users/players in the long-term; hence the users table/list and the registration process plus the login/logout routines. If that's what you really want then yes, a database-backed app is warranted.

On the other hand, if you only want to keep track of the who's who, short-term (ie during the ongoing game server-side), then PHP sessions are what you're looking for instead. PHP session is the way PHP keeps track of the user-agent requests (ie the way it keeps state on a stateless protocol that's HTTP). They are generally ephemeral (destroyed when the browser exit) and you can destroy(/or regenerate them server-side) via your PHP script.

I'll leave it to you to see what fits best your use case. In case of an ephemeral state preservation (that shouldn't require a user, login, logout tables) you'll only need the session table implemented preferably with Redis [don't use a classic database server in Games, inadequate for latency] and a session script.

The way I would have implemented it is by using JavaScript in both the front-end (your actual JavaScript-based game) and in the back-end using Node.js and Redis to store my users session data.

If Node.js and Redis are new software for you, I'd highly recommend you to start studying them in-depth. They are the keys for a successful HTML5-based Game App.

Good luck!

I have planned to have members and their records maintained, so a registration system has been a requirement since the inception.

I have spent some time researching these technologies, and it's quite intriguing.

The Redis server reminds me a lot of puppy linux: the ultra fast linux distro that runs entirely in the ram. It runs at spooky fast speeds: like a spider, it moves so quickly you'd swear things happen before you click.

The capabilities of Redis to transmit data are incredible (if documentation is to be believed), but given what I've seen disc-less operating systems do, I can believe it.

I actually installed nodejs on my backup server meaning to tinker with it about a month ago, but haven't made any time yet, and I'm still on the fence if nodejs is the best solution in my circumstance for interacting with redis. More reading is required.

I do like the idea of running a dual setup, with the persistent database to hold records, stats, trophies, items, the like, and a redis server handle more fluid data about character state: vector and position. But I think I'm a long ways off from that one: sql is still new to me and I think I'd benefit in the long run by acquiring more familiarity with sql before learning redis.


RE: database: networking and security - fChk - 11-26-2020

(11-24-2020, 05:47 PM)fitkoh Wrote: I have planned to have members and their records maintained, so a registration system has been a requirement since the inception.
In this case then, indeed, a full-blown registration module is needed... and if you'll be sticking with PHP then I would still recommend redis or memcached as a NoSQL-database-solution to store sessions data. PHP has its own extensions to communicate with them... Again never use an RDBMS (MySQL, mariaDB etc..) for session storage unless you're out of options...

(11-24-2020, 05:47 PM)fitkoh Wrote: I actually installed nodejs on my backup server meaning to tinker with it about a month ago, but haven't made any time yet, and I'm still on the fence if nodejs is the best solution in my circumstance for interacting with redis. More reading is required.

I do like the idea of running a dual setup, with the persistent database to hold records, stats, trophies, items, the like, and a redis server handle more fluid data about character state: vector and position. But I think I'm a long ways off from that one: sql is still new to me and I think I'd benefit in the long run by acquiring more familiarity with sql before learning redis.
I've adopted Node.js since 2012 and I've coded (in JavaScript) a versatile Web server around it that I keep using anytime a REAL-TIME web application is needed.. I don't do Games, but a JavaScript-based Game is definetly a real-time app (in multi-player mode at least), never forget that... and that's my main message here and what I've read in your OP doesn't square well with this very fact (ie it will induce a huge latency penalty..)

Anyway, you can build a full PHP solution of your game, then you'll see for yourself its limitations. Then, after familiarizing yourself with Node.js and Redis in the back-end, try to port it with these Technologies and then you'll see the difference.

A Node.js-based Web server is an Async server and Redis stores data in memory in JSON form with a filesystem caching for persistence; that's where their high-performance comes from and that's why they are suited for real-time Apps development.

Good luck!


RE: database: networking and security - fitkoh - 11-26-2020

(11-26-2020, 10:48 AM)fChk Wrote: In this case then, indeed, a full-blown registration module is needed... and if you'll be sticking with PHP then I would still recommend redis or memcached as a NoSQL-database-solution to store sessions data. PHP has its own extensions to communicate with them... Again never use an RDBMS (MySQL, mariaDB etc..) for session storage unless you're out of options...

I've adopted Node.js since 2012 and I've coded (in JavaScript) a versatile Web server around it that I keep using anytime a REAL-TIME web application is needed.. I don't do Games, but a JavaScript-based Game is definetly a real-time app (in multi-player mode at least), never forget that... and that's my main message here and what I've read in your OP doesn't square well with this very fact (ie it will induce a huge latency penalty..)

Anyway, you can build a full PHP solution of your game, then you'll see for yourself its limitations. Then, after familiarizing yourself with Node.js and Redis in the back-end, try to port it with these Technologies and then you'll see the difference.

A Node.js-based Web server is an Async server and Redis stores data in memory in JSON form with a filesystem caching for persistence; that's where their high-performance comes from and that's why they are suited for real-time Apps development.

Good luck!

From what I've read recently memcached may be better for me at the present. The system requirements to run redis seem a bit steep for a small fry like myself. From the redis docs, 4GB ram is recommended for development; for a production environment start at 15GB and 3 nodes. From your experience, would you say these recommendations are appropriate? Such a set up is unfortunately beyond my means at present.

Memcached, from what I've read seems a lot more forgiving and flexible in terms of system requirements; I believe I could set up a development environment with the tools I have on hand, which is a big perk for me.

I did a bit of browsing at w3schools and the nodejs web server looks fairly straight forward. I think it would be a relatively simple matter to port my php scripts over to nodejs within a few days or maybe a week. I'm curious what techniques you used for your node web server; if there are any particular pitfalls or caveats to avoid; or anything you'd specifically recommend. Perhaps that would be a topic for another thread?

One thing I'm having some trouble with is finding what I would call a "good" tutorial for either memcached or redis. There's plenty of docs, which is fine, and I'll read them (grudgingly and slowly), but I'd like to find something a little friendlier to the uninformed.