01 October 2008 ~ 52 Comments

Protecting your Home Gameserver

(Or what can go wrong)

(Real Case Study)

This paper is meant to be more of a practical guide than a theoretical one: it describes what can go wrong and what the differences between knowledge and experience are, and finally tries to help someone new understand that security is not only about computers. It involves people, situations and numerous factors that we can’t fully control.

To begin with, this is a picture of the place of the “Crime”; most of the computers used for the server are present.

The idea and early stages of development

It all began from an idea, a passion for a game that I had been playing for some time. Since the company that created the game announced that it would soon be p2p (Pay to play), I started searching for an alternative way to play without having to pay for a game. I discovered the world of private servers. This, in a few words, is the release of the official server files of the specific game (stolen, of course) so that people can set up the server at their house, and with some modifications to the client files they are able to make their home computers gateways for people to play that game.

At the beginning, I played on those servers and was glad I was able to enjoy my favourite game free of charge, but then I started thinking “why not make my own server?”, since many good private servers existed but I didn’t fully like the settings of any of them. And then the whole story starts.

A good server needs money, and I understood that the moment I downloaded the server files. New RAM was bought, and then some more, raising my RAM to 1.5 Gigabytes total. 2 SATA hard drives @ 1000 RPM were bought to make the game faster (fast hard drives were needed for log making and processing and for the general speed of the game server itself).

Then came the web server part. Somehow people had to be able to register in order to play the game, check their status and their ranking, and do more game-required tasks from the web. As a web server, IIS was chosen, as it was the best solution mentioned in the forums at that period.

Finally, MSSQL personal edition 2000 was chosen for the database. No other solution could be chosen since the server already had a pre-made schema and many procedures that could not be transferred to other databases easily.

So given all that (web server, database server, new machine and game server files) everything should be working correctly.

But it didn’t.

After spending 2 days trying to make one part work with everything else and after trying all the different configurations, I came to the point of saying “I give up”. It was more of a relief, as this whole server thing had become more of a headache than a pleasure.

Days passed and finally the server I was playing on closed. Well, that’s when I said it’s time to work, and started reading about all the keywords that the “installation manual” had. I can admit that was the most creative week I have ever had in my computer career. DHCP, dynamic IP, ODBC, System DSN, port forwarding, SQL Server operations and many more terms that until then seemed, well, not like “Greek to me”, finally were part of my knowledge. As you can understand, I finally did it: the server was online and waiting for players to come and start playing. For the web page I used a ready-made template that I found on the forums. It had everything, from template to ranking. So I thought my days of worrying were over and my server was all ready. Well, security is something I had never considered as an option, and as you can imagine I was a happy server owner without even a firewall. The happiness, as you will soon see, didn’t last too long.

The next step was promotion. That was an easy thing to accomplish since some servers closed in that period and I had many people I knew who had played with me for some time. So word of mouth was the best promotion for the time being. After 2 days I had more than 100 players ready to register and start playing.

That’s when the problems started.

Problems (what shouldn’t but did)

First of all, I could never have thought that there are so many 13-15 year olds who have so much free time to try to exploit everything on a server. And when I say everything, I mean it. Suddenly my system started malfunctioning. Accounts were deleted, some accounts went damn high (as if those people had been playing for a year or so), some had administrative privileges, and the system kept crashing.

So suddenly the need for security came up.

  • First step: Firewall

The only solution I could think of at that time was to install a firewall. But as we already know, things in reality are very different from theory. After installing it and changing settings like stealth mode browsing, automatic detection of intruders and IP ban, I thought I was “stealth”. But this only made the “hacker’s” life more challenging. Not only did the successful hacking attempts not stop, they became more frequent and more catastrophic.

Since the firewall seemed to be securing my server but I was still having intrusions, my next thought was MSSQL. Since the database was the one that suffered the most from “hackers”, that would be the answer to my problems. Reading help files and Microsoft forum posts, I closed all possible connections that could be made from the internet to the SQL database, since it didn’t need any connection open to the public because everything that needed it was local (both web server and game server). One step closer to a more secure environment, but still far from it. Successful attacks continued. The bad thing was not the attacks, because I could recover damn fast, but the reputation of the server, which was going down, and the 5000 subscribed players who started to leave the server.

After some more investigation it finally became obvious that either web server or database server were responsible for the attacks so dataserver was my problem. The actual problem was that people were able to inject packets into the dataserver saying that they had these stats and this in-game money, for example, and the dataserver took it for granted as if it were coming from the game server itself. Using the firewall again, I closed every connection from the internet to the dataserver too, as I did with the database. Results were amazing: hacking attempts were stopped. And with pleasure I wiped the server once more (deleted all accounts and started registration from the beginning) and assured players that this was the last one.

Wondering what happened?

All seemed to be working correctly; more than 2000 people re-registered for the server. Until, again, one sunny day, all accounts were gone, people at the forums were cursing the heavens and chaos was dominant. Server closed for “maintenance”. I didn’t have much time and had many things to do. The bad thing was that I didn’t know exactly what needed to be done. Everything I could imagine I had already implemented. After numerous hours of searching Google (Google and internet are two identical terms, as it seems) I came up with two words: SQL Injection. It seemed that after closing all ports that didn’t need to be open and closing all SQL and dataserver ports, “hackers” started to exploit the site itself.

SQL Injection is an exploit where someone can insert whole queries into a field of the web page (nested ones, together with the normal ones that pass the fields themselves to the database) so that the database executes both. That way, if someone knew the structure of the database (which was known to all), he could without much effort modify, delete and update everything in my database. Well, this had to stop.

So, it was time for me to learn PHP, since I heard it was better than ASP and more secure. I downloaded documentation and help files and started learning. The template was made fast and then the time for code came. Within a week, registration was ready. It might seem slow, but if registration was ready and carefully written, all other pages could be done easily by changing the SQL statement. (Well, not that easy, but much easier than writing them from scratch.) Many people helped with the creation of the new page, mostly with ideas that were developed. After a month all the pages together with SQL Injection protection (filters that could understand if the user input was a normal one or wanted to modify the contents of the database)
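The registration problem described above, as an added example that is not the author's code: the same INSERT built by string concatenation and then with a bound parameter. It uses Python and an in-memory SQLite database as stand-ins for the PHP/MSSQL site, and bound parameters plus an allow-list rather than the keyword filters the author mentions; the `accounts` schema, the name policy and all function names are assumptions.

```python
import re
import sqlite3

def make_db():
    """In-memory stand-in for the game's account table (constructed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (name TEXT PRIMARY KEY, level INTEGER, is_admin INTEGER)")
    db.execute("INSERT INTO accounts VALUES ('gm_root', 99, 1)")
    return db

def register_vulnerable(db, name):
    """'Before': the field value is pasted into the SQL text, so it can rewrite the statement."""
    db.execute("INSERT INTO accounts VALUES ('" + name + "', 1, 0)")

NAME_RE = re.compile(r"[A-Za-z0-9_]{3,16}")  # assumed account-name policy

def register_safe(db, name):
    """'After': allow-list the field, then bind it; level and is_admin are fixed server-side."""
    if not NAME_RE.fullmatch(name):
        raise ValueError("account name must be 3-16 letters, digits or underscores")
    db.execute("INSERT INTO accounts (name, level, is_admin) VALUES (?, 1, 0)", (name,))

def account(db, name):
    """Return (level, is_admin) for an account, or None."""
    return db.execute(
        "SELECT level, is_admin FROM accounts WHERE name = ?", (name,)
    ).fetchone()

def demo():
    crafted = "eve', 99, 1) --"  # constructed form input that closes the quote early
    result = {}

    # Concatenation: the input supplies its own level and admin flag.
    db = make_db()
    register_vulnerable(db, crafted)
    result["vulnerable"] = account(db, "eve")

    # Allow-list + binding: the crafted input is rejected, a normal name gets defaults.
    db = make_db()
    try:
        register_safe(db, crafted)
        result["rejected"] = False
    except ValueError:
        result["rejected"] = True
    register_safe(db, "eve")
    result["safe"] = account(db, "eve")

    # Binding alone, without the filter: the whole string is stored as a harmless name.
    db = make_db()
    db.execute("INSERT INTO accounts (name, level, is_admin) VALUES (?, 1, 0)", (crafted,))
    result["bound_only"] = account(db, crafted)
    return result

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The last case shows that the bound parameter is what removes the injection; the input filter is a second layer, not the fix itself.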

I wiped the server again, promised people that that would be the last one (don’t know why but they always believed me even though I have made up to 12 wipes until now) and started the server again.
The outcome was perfect! 99% of the known hacks for the server were not working: people could not change their level, could not get levels for free, could not wipe the whole character table. Even administrators from other private servers came in-game to ask me what I did to create that security.

Well, even with that security established, maintaining and controlling a server is not about computer security only. And many more issues needed to be solved.

Special Issue: Mother

Since computer security was at a very good level, it was time to start thinking about uptime. Since many servers could not compete on the security issues, they started advertising that they were 24/7. At least that’s what they advertised. Apart from the security needed to accomplish that, many other factors worked to keep me from that goal. First and most important was my mother (external factors). To understand that, you have to see my room. The most untidy thing someone can have. Full of things thrown here and there. So, my mother prefers to clean it herself rather than telling me to do it every single time she sees me. That created one big problem. Since my mother and technology have never met, while cleaning the room she pressed keys that she shouldn’t, she put her hands where she shouldn’t (open computer cases), she removed cables while cleaning the floor, and much more.

For that, there were 2 options: either prevent access to it (which is out of the question since I hate cockroaches) or train the personnel, together with some arrangements that had to be made.

To start with, all computer cases were closed, towers with a lock in front were bought so I could at least be sure that she would not be able to reboot the machine, cables were grouped together and lifted up from the floor, and I trained her not to touch the keyboard, the mouse and anything that was green and had pins. So training those who are involved with the server, even physically, is a must if we want the results to be good.

Special Issue: Availability

As you can already understand, the server was taking all my time when I was at home. But what could be done to ensure uptime when I was not at home? First of all, a script had to be made so that when Windows starts, all 8 servers needed for the game server to operate start too. Then, changes were made to the start page so that when someone tries to access the main page, it checks what type of browser he/she is using and redirects him to the right page. With that, I made a very simple page that had the name of the server as title and the people connected at that time. After that, by enabling GPRS, I was able to check, when I was not at home, if the server was up and running. If not, a call was made and my father (who had a key to open the front panel of the tower) rebooted it and it automatically started operating again. Someone has to be at the server’s location, or at least near enough, so he can do even simple things in order for the server to work again after a crash or failure.

With that solution, I could go on summer vacations (thank god).

Special Issue: Acts of God

By that I mean all the things that we can’t control and that can happen any time, any place. As an example, power failures that started occurring frequently in autumn this year, when the electricity company faced many problems. Since I couldn’t change that, and power failures lasted no more than five minutes, a UPS was bought to ensure better uptime and much better protection of the server’s hardware.

Special Issue: Script Kiddies

After all that was done, what was better to do than eliminating script kiddies? Some people, because they wanted to gain many levels in no time, used an application that ran in the background, and when they hit something, that application sent the same message x times, so it was as if the player hit the monsters many times at once instead of one time. That created a serious problem for the server, since one “Hit Hacker” used the same bandwidth as almost ten players did at the same time. As a result, two to three hit hackers were enough to create lag for the whole server. And, of course, destroy the server economy and balance.

To solve that, I downloaded that application and a packet sniffer-logger. Since the application multiplied hits, after numerous tests from other computers I understood which packets were sent by a “normal” player and which by a hit hacker, so I made some “rules” for the packet sniffer in order to be able to find their IP, delete their character and IP-ban them.
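One way such a sniffer rule can be expressed, as an added example that is not the author's rule set: flag any source that sends the same payload more than a few times inside a short window. The log format, the payload strings, the 50 ms window and the repeat threshold are all assumptions, and the sample log is constructed.

```python
from collections import defaultdict, deque

# Constructed capture log, one packet per line: <time in ms> <source IP> <payload>.
SAMPLE_LOG = "\n".join(
    [
        "10000 192.0.2.10 HIT mob=41",
        "10010 198.51.100.4 MOVE x=3 y=9",
        "10020 198.51.100.4 HIT mob=7",
        "10800 192.0.2.10 HIT mob=41",
        "11600 192.0.2.10 HIT mob=41",
    ]
    # One source repeating the same hit every 2 ms, as a hit multiplier would.
    + [f"{10500 + 2 * i} 203.0.113.7 HIT mob=41" for i in range(10)]
)

def parse(log):
    """Yield (timestamp_ms, source_ip, payload) tuples from the text log."""
    for line in log.splitlines():
        ts, ip, payload = line.split(" ", 2)
        yield int(ts), ip, payload

def find_hit_multipliers(records, window_ms=50, max_repeats=3):
    """Return {ip: peak count} for sources that repeat one payload more than
    max_repeats times within window_ms milliseconds."""
    recent = defaultdict(deque)  # (ip, payload) -> timestamps still inside the window
    flagged = {}
    for ts, ip, payload in sorted(records):
        q = recent[(ip, payload)]
        q.append(ts)
        # Drop timestamps that have fallen out of the sliding window.
        while ts - q[0] > window_ms:
            q.popleft()
        if len(q) > max_repeats:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged

if __name__ == "__main__":
    for ip, peak in find_hit_multipliers(parse(SAMPLE_LOG)).items():
        print(f"{ip}: {peak} identical packets within 50 ms")
```

A normal player repeating the same hit every 800 ms stays under the threshold, so only the burst source is reported.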

fame, comes trouble

After all this reading and time spent, I can say that the server was the safest it could be. Don’t forget that nothing is “unbreakable”. For example, after all the changes, many people tried to “hack” it but did not succeed, so they made a post at a hack forum with the title “XXX Server is unbreakable”. Results were: about ten posts saying yes, nothing could be done, any suggestions? And the 11th post was the passwords of my Admin and the 3 game masters. I was informed very fast about that (public relations help a lot in security) and changed them, e-mailing the poster to ask what backdoor he used to enter. He helped.

After some time the server became famous for its uptime, security and the events that my game masters did with players, so many people came to play on my server. It was ranked 3rd private server worldwide for that game for some time. The trouble was that my DSL could only hold 60 people at the same time, so the server was always full and people started complaining.

Solution: Outsourcing

One of the players on my server worked at an internet cafe in Romania and was responsible for its server and internet security, so after knowing him for some time, I offered him the opportunity to transfer some of the server’s workload to the internet cafe, which had a much better internet connection. Since all the people at that internet cafe were playing on my server he accepted, and not only that, but his boss paid me to do the installation. So I still had control of everything and could hold 250-300 players at the same time. But that created another problem. What would happen if the guy from there started to “distort” the server files that he had there for his in-game benefit? The answer was a page on the web server that copied the last backup before an incident and transferred that backup to my FTP, so I could IP-ban him from using my database and continue to serve the users from my home. Hopefully that didn’t happen and I can still say he’s my favourite ****** (Censored) :P.

The server became full even with the better speed but, as the title says, more trouble came. Many server owners (who were losing subscribers) and many people who wanted better stats in-game started to attack me with Distributed DoS attacks. At the beginning I was unable to do anything, since they were using proxy servers and many computers, but by tracing the source of the DoS attacks every time, I made a list of the most common IPs that attacked and IP-banned them at the firewall. That helped a lot, since the DoS attacks became much “softer” and the server could withstand them.


Having a server that people other than you use is a great responsibility. It has to be updated frequently; many new options and enhancements have to be added to keep the players-customers (depending on the situation) happy, and secure. The last part is also the most important and the most difficult. Because no matter what product or service someone offers, no matter the price or the benefits from using it, having the web server, let’s say, hacked very frequently will unfortunately lead to extinction. People have patience, but the more they pay for something, the more professional and more secure they expect it to be.

The benefits of having a server are many, depending on what the server owner aims for. At least for me, the server has helped me gain knowledge that I would otherwise never have heard of. PHP, database queries, database administration and web server administration, together with security, are some of them. Apart from all that, a server can bring in money too. Sources of income can be many, from sales of a specific product or service through it, or, even if it’s free, targeted advertising can pay a lot of money. At least that’s what I preferred in my situation. I don’t like the idea of pay to play.

What I will never forget about all this experience, even when the server closes some day, is the interactivity with the players and the different people I’ve met, and the debugging of many things that I have implemented. To explain myself: it was an awesome experience when I made the first draft of the new PHP page and, when I announced the beta, a great proportion of the 30.000 registered users went immediately and started testing the web page for bugs so that they could inform me about them at the forum. 1000 are better than one, after all. I am sure that this cut the time the page needed for debugging of every single problem a page can have to one fifth. Even if someone seeks profits through the creation of a server, the knowledge and experience gained will pay much more in the long term and make him more confident about what he/she can accomplish.

Warning: No Hamsters Were Harmed for the Creation of This Article!

52 Responses to “Protecting your Home Gameserver”


  4. Tim van Dalen 24 April 2010 at 2:45 pm Permalink

    Nice article!

    I have one question though: Wouldn't it be easier to have just used *UNIX for a server?
