Mangos Account Security


Recommended Posts

Posted

Hello.

Yesterday my private server got attacked by account hackers again. Don't know when the hacking attempt really started, maybe a few days earlier; I could notice an increase of about 50 to 75 TCP/IP connections above the normal level in MRTG statistics on Tuesday and Wednesday. This is not the first time. It makes me think that it is pretty easy to bruteforce accounts just by guessing the username from e.g. char names (this time char and usernames were the same). Choosing stronger passwords isn't a good hint, most accounts have existed for long, and we never had that problem before; only GM accounts are heavily secured. Realmd or Mangos Server needs additional protection like only accepting a limited amount of connections per IP and per second and only accepting limited attempts per account per second (to prevent proxy server attacks also). Also the `failed_logins` mechanism in the account table does not work, I will create a bug/enhancement report for that.

Please no "not helping" hints here, this thread is not about my passwords, it's about securing an MMORPG server from account hackers in general.
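One shape the per-IP and per-account limiting asked for above could take, as an added example (not MaNGOS/realmd code): a sliding window that counts every attempt against the source IP and every failed proof against the account name, with class and method names assumed.

```cpp
#include <cstddef>
#include <cstdint>
#include <deque>
#include <map>
#include <string>

// Added example, not MaNGOS/realmd code. Sliding-window throttle for logon
// attempts: every attempt counts against the source IP, every failed proof
// counts against the account name. Names are assumed; `now` is seconds, non-decreasing.
class LoginThrottle
{
public:
    LoginThrottle(size_t ipLimit, size_t accountLimit, uint32_t windowSec)
        : m_ipLimit(ipLimit), m_accountLimit(accountLimit), m_window(windowSec) {}

    // Call before handling AUTH_LOGON_CHALLENGE; false means refuse the attempt
    // before any SRP work or database query is done for it.
    bool Allow(const std::string& ip, const std::string& account, uint32_t now)
    {
        std::deque<uint32_t>& ipHits = m_byIp[ip];
        std::deque<uint32_t>& accHits = m_byAccount[account];
        Prune(ipHits, now);
        Prune(accHits, now);
        if (ipHits.size() >= m_ipLimit || accHits.size() >= m_accountLimit)
            return false;
        ipHits.push_back(now);
        return true;
    }

    // Call from the "proof did not match" branch; failures count per account,
    // whichever IP (or proxy) they came from.
    void RecordFailure(const std::string& account, uint32_t now)
    {
        m_byAccount[account].push_back(now);
    }

private:
    // Drop timestamps older than the window, so the limit recovers by itself
    // and a few bad guesses never lock a player out permanently.
    void Prune(std::deque<uint32_t>& hits, uint32_t now) const
    {
        while (!hits.empty() && now - hits.front() >= m_window)
            hits.pop_front();
    }

    size_t m_ipLimit, m_accountLimit;
    uint32_t m_window;
    std::map<std::string, std::deque<uint32_t> > m_byIp, m_byAccount;
};
```

Because the per-account counter expires on its own, a wrong guess only delays logins for the window instead of setting a permanent lock that an attacker could trigger against any known character name.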

Posted

My system locks the account on a wrong password. Isn't a good tip, sorry.

Index: src/realmd/AuthSocket.cpp
===================================================================
--- src/realmd/AuthSocket.cpp        (revision 5670)
+++ src/realmd/AuthSocket.cpp        (working copy)
@@ -648,6 +648,8 @@
        }
        else
        {
+                sLog.outBasic("Wrong password User: '%s' IP: '%s'", _login.c_str(),GetRemoteAddress().c_str());
+                dbRealmServer.PExecute("UPDATE account SET failed_logins = '1', locked='1', last_ip='127.0.0.1' where username = '%s'",_login.c_str());
                char data[4]={AUTH_LOGON_PROOF,REALM_AUTH_NO_MATCH,3,0};
                SendBuf(data,sizeof(data));
        }
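Review bot: the UPDATE in this hunk runs on every single wrong password with no threshold, so one mistyped or guessed password sets `locked='1'` on the account; anyone who knows a character name can lock that player out at will, which turns the fix into a denial-of-service lever. Count rather than flag (`failed_logins = failed_logins + 1`) and lock, or better throttle for a time window, only once a limit is reached. Overwriting `last_ip` with `'127.0.0.1'` also discards the only stored record of where the attempt came from, leaving just the log line; keep `last_ip` as it is or store `GetRemoteAddress()` there instead. Finally, `_login` comes from the client and is interpolated into the query with `%s`; make sure it is the escaped form before it reaches `PExecute`, otherwise the username is an SQL injection vector.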

Sorry for my bad English, I'm French.
