Steps to help secure an EQEmu UNIX server:
The directory structure given here is just example, I put mine in /usr, you could use /home, or whatever. Put it wherever you want, and rearrange it however you want. The important part is what exists where, and with what permissions.
- Download and install daemontools. However makes you happy, just get it.
- Find a home for the server runtime.
Make a directory to run the server on. This should be owned by root.
mkdir /usr/eqemu
chown 0:0 /usr/eqemu
- Make an unprivileged user to run the emulator as. This user should have no password, no valid shell, and a home directory of the one created above.
FreeBSD: pw useradd eqemu –s /nonexistent –d /usr/eqemu
Linux: useradd eqemu –s /bin/nologin –d /usr/eqemu
- Install the emulator:
make a directory for the emu to live in, like:
mkdir /usr/eqemu/eqemu
Copy all the files needed to run the emu into that directory, including:
db.ini, quests, Maps, cfg, LoginServer.ini, spells*, zone, world, EMuShareMem, startup scripts, etc…
Personally, I would not put my source in /usr/eqemu at all.
- Make a logs directory for the server logs:
mkdir /usr/eqemu/eqemu/logs
- Get all the needed libraries into your little jail.
mkdir /usr/eqemu/lib
This is really the most difficult step, and I cannot give you exact info, as every OS is different. If you have a lot of spare HDD space to WASTE, just “cp –a” the contents of /lib, /usr/lib and /usr/local/lib into /usr/eqemu/lib. Otherwise, when you try to run world and zone, it will bitch about missing libraries, then find them, and copy them to /usr/eqemu/lib. If people provide me with lists, I will update this. Thanks to Doodman, a good way to get this list is to run ldd on zone and world. It will provide you with a list of each library file they depend on.
I will provide my FreeBSD list for reference:
/usr/local/lib/liblthread.so.3
/usr/local/lib/liblstdc++.so.4
/lib/libz.so.2
/lib/libcrypt.so.2
/lib/libm.so.2
/lib/libutil.so.4
/lib/libc.so.5
/usr/local/lib/mysql/libmysqlclient.so.12
/libexec/ld-elf.so.1 to /libexec
Example Linux list from Doodman:
/usr/lib/gcc-lib/i686-pc-linux-gnu/3.2.2/libstdc++.so.5
/lib/libdl.so.2
/usr/lib/libmysqlclient.so.12
/usr/lib/libz.so.1
/lib/libcrypt.so.1
/lib/libnsl.so.1
/lib/libm.so.6
/usr/lib/libssl.so.0.9.7
/usr/lib/libcrypto.so.0.9.7
/lib/libpthread.so.0
/lib/libc.so.6
/usr/lib/gcc-lib/i686-pc-linux-gnu/3.2.2/libgcc_s.so.1
/lib/ld-linux.so.2
- Copy perl. Sorry I am not able to give a better solution to this, perl is TOO messy for me to figure out what it really needs. You will need to figure out where your perl stuff lives. Mine is in /usr/local/lib/perl5. On linux it is prolly in /usr/lib/perl5. This will eat some disk space:
mkdir -p /usr/eqemu/usr/local/lib
cp -a /usr/local/lib/perl5 /usr/eqemu/usr/local/lib/
- Get a shell and some utils you prolly need (your set will vary with your startup scripts, sh and bash are prolly required, just edit the list after ‘for f in'):
mkdir -p /usr/eqemu/bin
for f in bash sh cut touch [ test echo mkdir pwd chroot setuidgid
do cp `which $f` /usr/eqemu/bin
done
- Copy device(s), alter your list as needed (use -a flag to cp on linux, -p on bsd):
mkdir -p /usr/eqemu/dev
cp -a /dev/null /usr/eqemu/dev/
- Make all these files owned by root, read only to others:
chown –R root /usr/eqemu/eqemu
chmod –R 755 /usr/eqemu/eqemu
chown eqemu /usr/eqemu/eqemu/logs
chmod 777 /usr/eqemu/dev/null
- Make a couple useful files:
mkdir -p /usr/eqemu/etc
cp /etc/resolv.conf /usr/eqemu/etc/
your milage may vary, dependant on OS, let me know what works for your OS, and I will update it. The goal is to get a minimal password database.
FreeBSD:
grep eqemu /etc/group >/usr/eqemu/etc/group
grep eqemu /etc/passwd >/usr/eqemu/etc/passwd
grep eqemu /etc/master.passwd >/usr/eqemu/etc/master.passwd
cp /usr/sbin/pwd_mkdb /usr/eqemu/bin/
chroot /usr/eqemu pwd_mkdb
rm /usr/eqemu/bin/pwd_mkdb
Linux (maybe):
grep eqemu /etc/group >/usr/eqemu/etc/group
grep eqemu /etc/passwd >/usr/eqemu/etc/passwd
grep eqemu /etc/shadow >/usr/eqemu/etc/shadow
- Make a script to run your server as eqemu, chrooted into your dir:
chroot /usr/eqemu setuidgid eqemu sh /eqemu/start
your /eqemu/start script should run: cd /eqemu after the #! line
- Partially securing MySQL:
NEVER, EVER connect to your mysql server as root, unless you are administering the DB server! Also, set a password on the root user!
Making the assumption that your DB is named ‘eq' and you want to access it with the user ‘eqemu' with the password ‘pass'. To be a little better, you can replace the % below with your eqemu server's OUTGOING IP address when talking to the mysql server, ‘localhost' if it is the same machine.
with that said, connect to your mysql server as root:
mysql -u root -p -h hostname #(or whatever you use)
run:
GRANT all ON eq.* TO eqemu@'%' IDENTIFIED BY ‘pass'
FLUSH PRIVILEGES;
Edit your db.ini to reflect the new changes.
- Run your server with much reduced fears of a remote exploit. Even if they do hack the server, they are running as an unprivileged user, and then need to figure out how to break the chroot and elevate privileges to have a chance of doing anything bad. Note: there is NO way to stop somebody who gains access as this unprivileged user from destroying your eq database. So make sure you make backups and keep them out of the /usr/eqemu directory.
- One way to increase security is to completely disable logging, pipe all output to /dev/null, and not give eqemu write access to the logs directory (no chown above). This also entails compiling zone and world without EQDEBUG I think. This means that an attacker has nowhere to write temporary files to the disk, and reduces their chance of a successful exploit.
- FreeBSd note: if you are running FreeBSD (prolly nobody!), you can use jail instead of chroot in your startup script… it is much more effective!