Security
Latest revision as of 21:41, 2 July 2023
There are many options for better securing your client and server against exploitation or tampering.
Securing the client
TODO
Securing RCCService
Keeping your RCC instance secure should be your top priority. Unsolicited SOAP requests can be used to crash games, steal games, run server-sided scripts, and perform many other malicious acts.
Firewalls
Exposing your RCC ports to the entire internet is extremely risky. With the ports open and no firewall in front of them, anybody can access your RCC and execute code, create RCCService Jobs, steal games, and much more.
On Windows, you can use the Windows Defender Firewall utility (found in Control Panel -> System and Security -> Windows Defender Firewall -> Advanced Settings).
On Linux (yes, you can run RCC under WINE), you can use the ufw command to create firewall rules on your server.
Dedicating a specific port range to be allowed inbound, and allowing nothing else, is very helpful in securing your RCC against attackers. For example, you can dedicate ports 10000-20000 for SOAP, and 53640-63640 to gameservers.
Securing games
RCCService requires pulling the game RBXL from somewhere, and if the endpoint you use is exposed to anyone, it risks having places leaked.
IP-whitelisted game fetching (preferred)
Returning a 403 whenever the requester is NOT a gameserver IP is the preferred way to protect your game-fetching endpoint. This prevents unsolicited downloads, and prevents games from leaking even if the endpoint used to fetch games for gameservers has itself leaked. Even if your RCC was breached and the attacker snatched the endpoint used for getting games, they will not be able to download your games.
This is a safe method of securing your games. It is recommended.
Key-whitelisted game fetching (bad)
Using a key as a GET parameter (such as /yourgameendpoint?key=ajsdijasiodja) to secure your endpoint would work, but it is still extremely unsafe. If any rogue admin gets the key, they can download any game. If the site source leaks (and the website has bad security), they can download any game.
This is an extremely bad method of securing your games. It is not recommended.
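As an added example (not code from this wiki or from any RCC project), this is what the IP-whitelisted game-fetching handler described above can look like in Python, with the check a practitioner usually forgets: X-Forwarded-For is only honoured when the TCP peer is a known reverse proxy, so a caller cannot spoof a gameserver address through the header. The network ranges, the proxy address and the place-loading stub are constructed assumptions; no key parameter is involved, which is the point of the preferred approach.

```python
import ipaddress
from typing import Optional

# Constructed allowlist: the networks your gameservers (RCC hosts) fetch from.
# Replace with your own ranges; these use private/documentation addresses.
GAMESERVER_NETWORKS = [
    ipaddress.ip_network("10.20.0.0/16"),    # assumed internal gameserver VLAN
    ipaddress.ip_network("203.0.113.7/32"),  # assumed single public RCC host
]

# Reverse proxies allowed to set X-Forwarded-For (assumed). From any other
# peer the header is caller-controlled and must be ignored.
TRUSTED_PROXIES = [ipaddress.ip_network("10.99.0.1/32")]


def _in_any(addr, nets) -> bool:
    return any(addr in n for n in nets)


def client_ip(peer_addr: str, x_forwarded_for: Optional[str]):
    """Resolve the real client address. Only trust X-Forwarded-For when the
    TCP peer is a trusted proxy, and use the rightmost hop (the one that
    proxy appended itself)."""
    peer = ipaddress.ip_address(peer_addr)
    if x_forwarded_for and _in_any(peer, TRUSTED_PROXIES):
        hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
        if hops:
            return ipaddress.ip_address(hops[-1])
    return peer


def load_place_rbxl(place_id: int) -> bytes:
    # Constructed stand-in for reading the RBXL from storage.
    return b"<constructed RBXL placeholder for place %d>" % place_id


def handle_place_fetch(peer_addr: str, place_id: int,
                       x_forwarded_for: Optional[str] = None):
    """Handle GET /yourgameendpoint?placeId=... and return (status, body).
    Requests that do not come from a gameserver IP get 403 and an empty
    body, so nothing about the place is disclosed."""
    try:
        ip = client_ip(peer_addr, x_forwarded_for)
    except ValueError:
        return 400, b""          # malformed address in peer or header
    if not _in_any(ip, GAMESERVER_NETWORKS):
        return 403, b""          # log this: it is a fetch attempt to watch
    return 200, load_place_rbxl(place_id)
```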