[Alastair]

It seems one of the most recurring posts made on admin, legal and ethical forums either here or on TMC is a cry for help: Help, a former staff member has stolen my MUD or wiped my files, what can I do?

It seems the obvious needs to be stated from time to time. To be safe rather than sorry, you should get a few very simple security habits, and fortunately, most of those require no coding at all.

Security is not reserved to major corporate networks. It's a safety net to avoid some problems. The few measures below won't stop a determined hacker, but will slow down the casual self-righteous avenger.

Five steps to prevent a lot of future trouble:

1. Use at least basic password encryption instead of plain text. If you want to be able to help out players who lost their password, implement a command allowing staff to set a new password, and e-mail it to the addy the player used when creating their char.
2. When ordinary staff member resign, back up their work, then delete their account. You can always restore it if they return at a later date.
3. When staff members with shell accounts leave, immediately change the shell password. If you can't do that yourself, ensure the hoster does it immediately.
4. Ask your hoster to log IPs to shell access.
5. Backup your MUD as often as possible. Ideally once a day, in the worst case before and after any change is introduced. Don't leave the backups on the shell, ftp them to your private computer and delete them.

Now that was simple, wasn't it? Of those five steps, only the first one might involve actual coding, if it isn't shipped out of your codebase's distribution.

If you ever experience a disgruntled staff member wreaking havoc on your MUD or simply stealing the code, while you didn't implement those five steps, post your horror stories if you want, but remember: you have been warned.

[Koryon]

6. Use a secure version of telnet and ftp (SecureCRT, OpenSSH, many others) when connecting to your shell account, otherwise your password is liable to be intercepted, it's not a fairy tale, it happened to an unfortunate customer of mine.

[Seth]

Alternatively, code an SSH socket in your codebase because telnet is known to be insecure. The most ideal thing being a codebase only accepting SSH connections for imps/imms. Telnet connections for anyone but players would/should be refused.

[Alastair]

Quote:

Originally Posted by (Seth @ May 02 2002,2:37 pm) Alternatively, code an SSH socket in your codebase because telnet is known to be insecure. The most ideal thing being a codebase only accepting SSH connections for imps/imms. Telnet connections for anyone but players would/should be refused.

Certainly good advice, though probably not quite as easy to implement for novices...

I'd rather venture that the people who know how to do that are not likely to post their pleas for help anyway.

[Seth]

Quote:

Originally Posted by (Alastair @ May 02 2002,3:02 pm) Certainly good advice, though probably not quite as easy to implement for novices... I'd rather venture that the people who know how to do that are not likely to post their pleas for help anyway.

Still tho, for people who can do some advanced coding, it would be worthwhile to make snippets for every codebase/engine to include an SSH connection socket. I think SSHd, the deamon used on *NIX machines to accept SSH connections, is Open Source and that with some searching you could find the source code for it.

Altho this does give a problem with non-opensource codebases/engines...