  #1  
Old 03-25-2009, 04:20 PM
HurtinuDaily
Hill Giant
 
Join Date: Nov 2005
Posts: 145

You could always go get some sun on that pasty white skin while the LS is down. But I agree with you, we fucking pay good money for this shit, it should be working
  #2  
Old 03-25-2009, 04:25 PM
shalll
Fire Beetle
 
Join Date: Aug 2007
Posts: 20

Well, I just started having the password issue. It's weird though, I have the issue at work on my new CPU, but I do not have it while I am at home on another CPU.

Think it could be a security issue with IP addresses?
  #3  
Old 03-25-2009, 05:01 PM
trevius
Developer
 
Join Date: Aug 2006
Location: USA
Posts: 5,946

It is just a sporadic issue, most likely caused by someone intentionally crashing it. A plan to replace the current LS is already in process and it shouldn't be much longer before a good solution is in place. Also, alternate LS options are starting to pop up and I think we may still see 1 or 2 more LS options sometime soon. Just hang in there. This is a bad time for EQEmu but the smoke will clear soon enough and things will be better than they have been for a very long time.
__________________
Trevazar/Trevius Owner of: Storm Haven
Everquest Emulator FAQ (Frequently Asked Questions) - Read It!
  #4  
Old 03-25-2009, 09:56 PM
WillowyLady
Sarnak
 
Join Date: Aug 2003
Location: Recycle Bin
Posts: 90

Can the source of these attacks be traced and the culprits identified?
__________________
I'll be back!

  #5  
Old 03-25-2009, 10:16 PM
trevius
Developer
 
Join Date: Aug 2006
Location: USA
Posts: 5,946

It is my understanding that the attacks were coming from multiple IPs all over the world originally. I am not sure exactly what doodman had to do to make them stop, but I think he was able to mitigate most or all of the actual attacks by tightening up security considerably. Unfortunately, whatever he had to do to remove the possible attacks may be attributed to the new bad username/password issue we have been seeing for a couple of weeks now. I am not exactly sure what triggers it, but it seems like MySQL isn't communicating properly. I am unsure what is breaking MySQL at this point, but I wouldn't be entirely surprised if it was still attack related. The original attacks were DoS (Denial of Service) attacks, which basically means someone was flooding the server or trying to make a ton of requests that the server just wasn't able to handle. If attacks are still happening, then I don't think they are DoS attacks anymore, they are probably exploit attacks. If someone was aware of loopholes in the LS code, they could exploit those loopholes to crash the server. We know for a fact that this has happened recently and resulted in LS crashes. If someone is still using similar exploits to keep crashing it now, I am not sure.

Hopefully the loopholes in the code can be worked out to remove all possible crash exploits. This was probably one of the good reasons not to open source the Login Server. For someone to exploit it, they would need to have a copy of it, but unfortunately I believe the current LS is based on one that was shared publicly years ago and some of the same loopholes still exist.

Only Doodman can really answer that question for sure though. I am just speculating from what I have heard through different forums, PMs and IRC. Either way, the team is working on a permanent and stable solution for the Login Server. It shouldn't be too much longer, but I don't have any kind of ETA since I am not directly involved in the solution.
__________________
Trevazar/Trevius Owner of: Storm Haven
Everquest Emulator FAQ (Frequently Asked Questions) - Read It!
  #6  
Old 03-25-2009, 10:58 PM
Aergad
Banned
 
Join Date: Mar 2009
Location: In a house
Posts: 150

That is EXACTLY why I say a new hunk of hardware is NOT the answer you profess it to be, trevius. No offense, but you keep telling us how a new server being purchased will solve all our problems, yet now you admit that it's caused by software loopholes. Well, I can tell you this: a busted hunk of code is a busted hunk of code, and no amount of hardware upgrades will fix that.
  #7  
Old 03-25-2009, 11:08 PM
Aergad
Banned
 
Join Date: Mar 2009
Location: In a house
Posts: 150

Dumb 5 minute rule lol

Really? Then explain how people exploit Windows without ever having the source? You don't need source to find exploits. The software, as keeps being posted, is old, apparently very old, and very little work is being done to it. I also have to say the emu server source is released and people don't spend all their time trying to exploit that. All I'm saying is that new hardware isn't going to fix this issue at all; that's like a bandaid on a gunshot. The code needs to be updated and actively developed. Backup redundancy is needed because, as has been pointed out, this is a software vulnerability issue. While yeah, a new server platform will be helpful in the long run, currently it will do no good whatsoever other than keeping the server running a bit longer before it crashes.

I have a lot to say about it cause I've done an ungodly amount of reading since I joined (can't play most of the time so might as well read lol), to answer your question in another post, trevius.
  #8  
Old 03-25-2009, 11:11 PM
image
Demi-God
 
Join Date: Jan 2002
Posts: 1,290

What kind of redundancy are you talking about..?
__________________
www.eq2emu.com
EQ2Emu Co-Founder / EQ2Emu Developer
EQEMu Co-Founder / Former EQEMu Developer / GuildWars / Zek Seasons Servers
  #9  
Old 03-26-2009, 12:17 AM
Mindbom
Fire Beetle
 
Join Date: Sep 2007
Posts: 4

Quote:
Originally Posted by trevius
Hopefully the loopholes in the code can be worked out to remove all possible crash exploits. This was probably one of the good reasons not to open source the Login Server. For someone to exploit it, they would need to have a copy of it, but unfortunately I believe the current LS is based on one that was shared publicly years ago and some of the same loopholes still exist.

OpenBSD, OpenSSH and OpenSSL all disagree with you.
  #10  
Old 03-26-2009, 01:23 AM
trevius
Developer
 
Join Date: Aug 2006
Location: USA
Posts: 5,946

To quote a post I made today on the PEQ forums on this same topic:

Quote:
Keep in mind that what you are asking for, while reasonable, isn't exactly as easy as just flipping a switch. A new private LS would have to be written to allow it to be used as a backup connection option for when the Public one goes down. Preferably, servers would be able to be connected to both the Public LS and their own private backup LS as well. That would require writing new server code as well to make that feature possible. While other LS's are starting to pop up, none of them have been able to do exactly what we would require to do what you are wanting and they aren't open source. That means if we wanted to do it, we would have to basically write our own from scratch or from a very old release of the LS source. If you feel you can write one, then feel free to give it a shot, but it isn't really something that just anyone can do. Since there are few people in this project with the knowledge to even know where to start working on such a backup LS (maybe 5 or so), it is going to take some patience. We should focus on 1 issue at a time IMO, and the current issue is the Public Login Server. What happens after that problem is resolved, we will see. I too hope that there is eventually a backup solution, but for now, I would be extremely happy to just have a public LS that was up > 95% of the time, and that is what is being focused on right now. Believe me when I say that the EQEmu team stays very busy between RL and working on stuff for the emulator. Everyone has limited time and certain things should take priority. Right now, the main priority is getting a very stable Public Login Server. After that point, I think people will have to consider if spending a lot of time to make a backup LS option to handle the hopefully less than 1% downtime of the new Public LS, or if that time would be better used to add many new features and fixes to the emulator. Either way, I imagine we will have a good backup solution at some point in the near future.

That said, I also want to touch on the stats of the current Login Server. It is handling a 100K+ forums with up to dozens of people browsing it at a time. Also on the same host server is the Login Server, which probably actually uses only a small percentage of the system resources. All of this is running on a server that I believe only has 256MBs of RAM and a CPU that is comparable to that. No matter what our issues are, it wouldn't take much to push the server to the point that it is unusable. Even before any attacks or anything like that began, we had issues with the Login Server/Forums due to the extremely limited hardware. We cannot and will not have a reliable LS and Forums until the hardware is either upgraded by a large amount or it is moved to a completely new host with considerably better stats. So, if we want to have a stable Login Server, the first step is to get the hardware issue resolved and that is in progress right now.

The second step would be to clear up issues with the code that might allow exploits and also add security where needed to limit possible attacks. Right now with only 1 person (who has very little free-time) really having access to do that, we have little control over it to help improve it. Once ownership is moved, we should have considerably better support for ensuring that the code is up to par. KLS is one of the most knowledgeable people on the project at least as far as code goes, and if anyone can fix it, I am sure she can. And if she needs help, I am sure there are plenty ready and willing to help her. The best part is that she is an active member of the team, which is not the case with the current owner. If you read the changelog for the source for the past 2 years, you will see probably 100+ changes done by her alone. And many of those changes were HUGE for the emu to help it get to the state it is at today.

The project basically lost almost all of its core developers a couple of years ago (not at once, but over time). Everything was set up for just them and the right people didn't have access to get things changed to add more members to the dev team or even change the status of accounts in the forums. Slowly, but surely, we have been getting control over more and more things. If you are aware of our current Google SVN setup, then you should be able to easily see how quickly things are updated on it. For probably a year+, I think KLS was the only one who had access to the old SVN and so she was the only person able to make updates. That was a very slow process because we had no easy way for people to get new code updates in. Everyone had to submit their code changes in a post in the forums and KLS would have to try to go through each person's code, and try to get it working, which I am sure was frustrating to her. Since then, we set up the Google SVN which allows us (the team) to finally control everything that goes into the server. Updates have been flying ever since. It is not surprising to see at least 1 new good update every day now.

The reason I mentioned the new SVN is because I apply that idea to the Login Server. Once it is in our hands (even if only KLS has direct access to it), we will finally have the means to fix the issues that exist with it. If the move to the new SVN sets any type of example of what we can do once we get our hands on things, then I am confident that people can fully expect nothing but an exceptional Public Login Server once it is all done.

Depending on who is allowed access to the new host, we may even have the option to get new features added to the forums and finally get the website updated so that it is current. I know everyone would love to have an option to reset Login Server passwords if they are lost/forgotten, which there is currently no option for. I would personally also love to see a server status page that would show which servers were up and connected to the Login Server and how many players were on them. There are quite a few other additions that we could add that I think would be great additions. Nothing has been changed here in years and it will be nice to at least have the option available to get some new features in and update some of the stuff that is no longer current (donations link on the main page, playguide link on the main page, etc etc).

All I am asking is for people to have a little patience. Believe me, as much as you think this is frustrating to you, I can promise you it is just as frustrating if not more frustrating to all of us on the team. We all hate to see the emulator in the state it is today and we do actually care about the players. We want things to be perfect just as much as you do!
__________________
Trevazar/Trevius Owner of: Storm Haven
Everquest Emulator FAQ (Frequently Asked Questions) - Read It!