anzu (DayZ)

Please Take Security Seriously


Hello dayzdevteam, as my first post here, I must start out by saying I absolutely love the DayZ mod and have been really impressed with the amount of detail and effort that has gone into this project. I've pretty much been playing nonstop 24/7 since DayZ came out, and having so much fun as well :)

As a group leader and server administrator, I am very interested in getting my own DayZ server setup. However, as a networking enthusiast with a strong interest in security, I am also quite cautious about the software and access restrictions that I put on my servers. Unfortunate to say, I have noticed some disturbing trends by the dayzdevteam when it comes to security.

Upon looking into setting up my own DayZ server, I read online here that dayzdevteam requires Remote Desktop access to independently run DayZ servers. As illogical as this seemed to me, I thought maybe there is some kind of method to their madness. After all, the mod is hugely popular and there are many servers running already.

Well, in light of this recent event:

http://www.dayzmod.com/forum/showthread.php?tid=9123

I now have some serious concerns about the security policies of the dayzdevteam.

Using email as a way of storing passwords doesn't sound like the best practice :-\

I really hope the dayzdevteam starts taking security more seriously from this point forward, because I can guarantee you will see more idiots like this guy trying to mess things up. Your mod has become so popular that you attract the good people along with the bad, so you need to be prepared for the worst.

Sorry if this sounded like just a rant. I don't mean it to be, I just don't want to see this awesome mod be overrun by script kiddies and griefers :-\

---

P.S.: You could avoid a lot of security issues if you switched servers to linux ;) (or at least supported linux servers)


> P.S.: You could avoid a lot of security issues if you switched servers to linux ;) (or at least supported linux servers)

So now your true motives come into light.

In all seriousness though, you raise a good point. I can't stand when people don't realise/brush off the seriousness of things like this.


Also, we don't require RDP access. In fact, it is discouraged. We currently only have RDP details stored for around 15% of servers.


> Also, we don't require RDP access. In fact, it is discouraged. We currently only have RDP details stored for around 15% of servers.

Discouraged? Anything I have read about getting a server up tells me to send the dev or admin team RDP details; one post said it's not needed but is encouraged.

I've tried getting a server up. I've emailed details but nothing is being done. I tried asking for instructions to set it up myself due to security reasons, but I got an email telling me RDP details were needed, so I sent them, but no server was set up for me. So now I have a Windows server with ArmA ready and it's been doing nothing for a couple of weeks.

You should really revamp how you handle servers. Why can't you put up instructions and a download link to get servers up, and when it's ready you submit a request for a hive instance id and you set it up on your end? Just an idea.

Sorry for the rant, but I'm a professional server admin and IT tech and I've been twitching about how the servers are handled since I started playing this wonderful game.


Server setup is transitioning to an entirely community run affair. This is because myself and the others assisting with core development issues do not have the time, nor want the risk of dealing with the potential for such an issue as the suggested "zombie mod server zombie botnet".

As I understand it, those assisting with server setup will often get the RDP details to help with the setup. However, these RDP details, even if given, are not recorded for the DayZ dev team to use. They're a one-time thing; it's not part of any process any longer to store these details. The vast majority of new server providers are simply given instructions, download links, and instance files.

I've been advocating putting the instructions for setting a server up along with all the files public, but there are some security issues present with this.

The server side of the mod has been under the most significant revamp of any area of the code between me and viper, so it hasn't been practical to consider this issue. An example of this is the movement of HIVE from a standalone console app (exe) to a dll loaded directly within the ArmA2 server exe.

We're currently running around 9000 peak, and 5000 offpeak for concurrent users. That's enough for capacity testing. We have around 400 servers, which is a nightmare for coordination. The main thrust of my server admin efforts have been to partner with large organizations which can host 10 or more servers and self-manage them. I am sure you can appreciate this makes the task much easier.

How this whole process will work is being looked into, but rushing into process changes in this area is not a good idea and will just make matters worse.


Yes, I understand that and I'm glad changes are being made. I'm just a bit upset that I got a somewhat, how to put it, "fuck off" from the server admin email. Not that harsh, but it was the result, and I can't see why.

I have years of experience in hosting and managing servers. I emailed RDP details to a server on my lab hardware because I wanted to see if it could pull 30-50 players, which I think it can. If not, I can just move the VM to my corporate datacenter, where we have plenty of room on our hardware since we shipped our most critical systems to "cloud"-based solutions, but nothing was done.

I love that you're taking time to answer the community here, by the way. My point in this sort of ranting is that there are a lot of people that want to help but can't due to lack of information. If I had what was needed to set up a server I could do it easily and I'd help others get started as well via this forum, but I can't because no one is telling me how; it's all a secret and that is annoying.

Since you're going with dlls in ArmA2, will Linux be supported? Because I will trash my Windows server and fire up a Linux one the second it's possible :)


> Also, we don't require RDP access. In fact, it is discouraged. We currently only have RDP details stored for around 15% of servers.

Oh okay, kool. That makes me feel better about setting up my own DayZ server.

> Server setup is transitioning to an entirely community run affair. This is because myself and the others assisting with core development issues do not have the time, nor want the risk of dealing with the potential for such an issue as the suggested "zombie mod server zombie botnet".

Awesome news.

> As I understand it, those assisting with server setup will often get the RDP details to help with the setup. However, these RDP details, even if given, are not recorded for the DayZ dev team to use. They're a one-time thing; it's not part of any process any longer to store these details. The vast majority of new server providers are simply given instructions, download links, and instance files.

Oh I see. I was under the assumption that the dayzdevteam had all these RDP details stored somewhere for use in getting servers setup and that all these credentials were compromised. This is why I was a bit shocked when I read the original post.

> I've been advocating putting the instructions for setting a server up along with all the files public, but there are some security issues present with this.
>
> The server side of the mod has been under the most significant revamp of any area of the code between me and viper, so it hasn't been practical to consider this issue. An example of this is the movement of HIVE from a standalone console app (exe) to a dll loaded directly within the ArmA2 server exe.
>
> We're currently running around 9000 peak, and 5000 offpeak for concurrent users. That's enough for capacity testing. We have around 400 servers, which is a nightmare for coordination. The main thrust of my server admin efforts have been to partner with large organizations which can host 10 or more servers and self-manage them. I am sure you can appreciate this makes the task much easier.
>
> How this whole process will work is being looked into, but rushing into process changes in this area is not a good idea and will just make matters worse.

You guys have really made huge improvements since the alpha was first released, and I appreciate all the hard work and dedication you guys put into this mod (and its community!) :) I understand it's an alpha and a work in progress, so there are things that are still being ironed out. I just wanted to bring some attention to the security implications of some of the things it seemed like you guys were doing (namely the RDP thing).

From what you've said, it sounds like you guys have great plans for DayZ's future. Looking forward to see it develop further :)
