
About Palace security and Fears


Opening your own Palace can expose you to multiple dangers that may impair your project. If you keep it private, your risks are minimal, but the day you go public it becomes a whole new ball game. I will explain some potential hazards and suggest simple solutions to better protect your Palace server. I can't make any warranties that this will cover every aspect of Palace security because there is no way to be perfectly shielded against malicious attacks.

Setting protection on your computer

You cannot aspire to gain traffic if no one knows where to find you. Unfortunately, by advertising yourself, you are exposing the location of your system to everyone. If you are using a hosting service, it is their responsibility to protect your account against attacks from the outside world. Be sure that such protection is included in your service contract and that they take appropriate measures to enforce it. Once you have been provided with the right tools, you are responsible for the administration and operation of your own Palace. If you are hosting yourself, then you should consider a firewall. The specifics of firewalls are beyond the scope of this article. However, if you want to know more, read "Firewall and Proxy Server HOWTO" at http://www.ibiblio.org/mdw/HOWTO/Firewall-HOWTO.html. Any protection comes with a certain cost and may affect the general performance of your computer, but it is better than waking up in the morning with a freshly reformatted hard drive.


Be careful with your inner organization
Manage those you select

Hackers do not always perform Palace damage. It is more often the result of a lack of Palace ownership "hygiene". Borg flooders, ban jumpers and social misfits are wrongly called hackers even if they never cause any real damage that proper Palace maintenance can't prevent. They can be very difficult to get rid of, and trying to deal with them can be nerve-racking. But they are more a social problem than a real security issue.


Getting organized

As soon as traffic starts to pick up, most Palace owners will build a team to help them in the administration and surveillance of their server. While some collect operators (wizards) like baby spoons, others are careful in their selections, and for good reasons. Appointing anyone as a wizard grants privileged access to commands that can prove very damaging for your precious pat file. The latest version of the Palace server running on Linux gives you the opportunity to confine your wizards to some selected commands. To see the ranking of the commands, just use `showranks, where 0 = guest, 1 = member, 2 = wizard and 3 = god. You can learn more about the setrank command by consulting the Palace online help by typing `help `setrank. Also, it would be a good practice to use the password lock in all the rooms where important scripts are installed.

Password mishandling has been involved in the destruction of many Palaces in the past. Only the owners should transmit any password, and it should never be done in public, where misleading identities can be so easily used. If you are running your server under Linux, it is a very good idea to install, or ask your hosting service to install, the gatekeeper or hostkeeper plugins. They will help you to manage your staff list by restricting password privilege to those who are listed, diminishing the consequences of a password falling into the wrong hands. Unfortunately, at the time of publishing, no such plugin was available for the Mac and the Windows versions of the server.

Carefully choosing scripts

Once we feel that we are secure enough, we tend to play some magic tricks to impress the crowd. Most Palaces offer the allscray-scripting feature to move guests around and send them to rooms or other Palaces. It can be fun to use for those who share that kind of humor, it can be useful sometimes in helping others, and it can turn a Palace owner into a puppet against his own server. In the last year, allscray's usefulness has diminished because of the wide distribution of anti-allscray borgs. Allscray was designed to work only for users wearing the exclusive wizard's star and should remain that way. If you have to keep allscray at your Palace, you should take some easy measures to prevent any improper use. Every owner or god should be protected with an anti-allscray script in their borg. They are available everywhere and some can be turned on and off at will. To provide overall protection at your Palace without adding anti-allscray in all your staff's borgs, you should have a look at Allscray Security Fix at http://eagles.chatserve.com/ipscript.html#ALFX and apply the simple but efficient solutions that are suggested.

Tampering with scripts, your own or borrowed, can be very tricky and can open some dangerous doors that put you into deep trouble. Any measures intended to manage and control guests on your Palace will have the same effect on you if you don't embed exceptions for gods and wizards. It makes you wonder how many Palace owners have been sent by their staff to "kids nation" (giggles).

Improving your overall protection.
Legends or proven facts?

It's always been the fear of all Palace owners that someday some uncontrollable beast would destroy their home. I used to laugh at all those ICQ messages telling the tales of their sightings and the damage they have caused. From a definition point of view, the so-called hacker is more likely to be writing computer programs for enjoyment than performing illegal acts. Crackers would be the right name for them, but the name got confused in Internet legend and hacker is now used for both. Legends or proven facts, they are to be taken seriously, and simple measures can help you to prevent some unpleasant experiences.

A world without the benefits of plugins

Owners running their servers under Windows or Mac OS have to be aware that they are pretty much on their own, since there is no more support available from Communities.com. Therefore, you will need to detect all the suspicious behaviors that are associated with troublemakers and act upon them as swiftly as you can. There is no written rule against logging in from non-designated dropzones, and the command to achieve it is simple and well explained in the Palace user guide. However, most Palace owners consider entering in such a manner a possible attack and apply an immediate ban on anyone doing so. Restricting borg use in public rooms may help to prevent intensive borg users from lagging your guests off. It is up to the owners to determine what is acceptable on their Palaces and to act accordingly. If no plugins are available, some scripts are easy enough to find and will offer some protection.

Plugins for the Linux Palace server

For owners running their Palace on Linux, some help is available to manage Palace security in the form of plugins. However, everyone seems to have his own recipe of combined plugins and settings, making the whole issue a lot more confusing than it should be. For clarity purposes, let's talk about the three main plugins available for the Linux Palace server.

The GateKeeper Server plugin and its sibling hostkeeper, as I mentioned earlier, are designed to block access to the owner and operator privileges for those who haven't been designated.

The PlugAll Server plugin is useful to limit the number of events a user can cause and to reduce the actions of flooders and borg abusers. The parameters that are controlled are the following: prop drop, spoofing, chat (whispered or to the whole room), repeated chat (whispered, to the whole room, and duplicate `page), room messages, face / color changing, movement, sliding, spotstate changing. All of the above can be limited or totally stopped by setting the right parameters in a configuration file. It may require some skills from the owners and you should make sure.
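The kind of per-user event limiting described above can be sketched as follows. This is an added example, not PlugAll's code or its configuration format: the event names, limits and window lengths are hypothetical, and the event stream is constructed.

```python
import time
from collections import defaultdict, deque

# Hypothetical limits per event type: (max events, window in seconds).
# A maximum of 0 means the event type is stopped entirely.
LIMITS = {
    "chat": (5, 10.0),
    "prop_drop": (3, 10.0),
    "movement": (20, 10.0),
    "spoofing": (0, 10.0),
}

class EventLimiter:
    """Sliding-window limiter keyed on (user, event type)."""

    def __init__(self, limits, clock=time.monotonic):
        self.limits = limits
        self.clock = clock
        self.history = defaultdict(deque)  # (user, event) -> accepted timestamps

    def allow(self, user, event):
        if event not in self.limits:
            return True  # event types without a limit pass through
        max_events, window = self.limits[event]
        if max_events == 0:
            return False  # "totally stopped"
        now = self.clock()
        accepted = self.history[(user, event)]
        while accepted and now - accepted[0] >= window:
            accepted.popleft()  # forget events older than the window
        if len(accepted) >= max_events:
            return False  # over the limit: drop, and do not record it
        accepted.append(now)
        return True

def replay(events, limits=LIMITS):
    """Feed (timestamp, user, event) tuples through a limiter; return the dropped ones."""
    current = [0.0]
    limiter = EventLimiter(limits, clock=lambda: current[0])
    dropped = []
    for ts, user, event in sorted(events):
        current[0] = ts
        if not limiter.allow(user, event):
            dropped.append((ts, user, event))
    return dropped

# Constructed sample: one user floods chat, another chats once and tries a stopped event.
SAMPLE = [(0.1 * i, "flooder", "chat") for i in range(8)] + [
    (0.5, "guest42", "chat"),
    (1.0, "guest42", "spoofing"),
    (10.5, "flooder", "chat"),
]
```

Because the limits are tracked per user, the flooder's excess chat is dropped while the other guest's single line still goes through, and the flooder can chat again once the window has passed.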

Sound Limit Plugin's main purpose is to put limits to the use of sound commands that might cause certain clients to crash.

Of course there are a lot more Palace security issues than those mentioned here. It is obvious that in the near future we will see more people causing a lot more damage for no valuable reason. Our hope lies in the hands of a few brave plugin developers left on Palace.

~=MOON=~

Many thanks to maart and Glide for their inputs and to ~=Anick=~, Karen, =Sa7ra= and Lynley from The Midnight Rambler for their help and support.
