Author Topic: Is bot.conf a save place? (Read 8786 times)

rmb · « **on:** January 22, 2009, 11:10:56 pm »

Hi, Im total newbie in terms of online services and security thus my questions my sounds fun for experts but I just want to make sure.

I manage to configure BeBot on localhost and it works fine (would be perfect with guest channel but I understand it is on FC side).
Now I come to the point that I would like to set up the bot on an external host. I manage to find shell account provider with correct PHP version and MySQL support.
And at that point I start thinking is it safe to put AoC account username and password in bot.conf?

How much secure this is?
Is there any think I can / should do to increase the security?
Maybe it is possible to rebuild the program that it would ask me for login name and password at start and not store them in a file?

Temar · « **Reply #1 on:** January 23, 2009, 12:32:15 am »

Quote

Maybe it is possible to rebuild the program that it would ask me for login name and password at start and not store them in a file?

that is a good idea , especially with AoC, with AO bots are usually on froob account with nothing but bots and nothing to lose

but!
the issue would i have been unable to get a input feature working for Main.php when running from StartBot.php
now running from Main.php is doable
but if u restart etc ur bot will simply die and not reload
doing it in StartBot.php doesnt seem doable cuz i only know of 1 way to pass it on and thats with the command to start Main.php and altho this will make it work and alow restarts you can see the password on the running process screen
1 other alternative is to use a file to temporarily store the password that u input into StartBot.php and then Main.php gets and removed
unless any1 thinks of anything better i will do the last thing i said which is to ask in StartBot.php and use a file for passing it on, ofc it will only be in that file for a micro sec or somit

Temar · « **Reply #2 on:** January 23, 2009, 09:24:13 am »

that is now done in the latest SVN version of iver 0.7(/trunk) or 0.6(/branches/0.6)
it will now ask for a password when u start StartBot.php if it hasnt been set in the config
restarts/crashes etc should work fine with out needing to enter pw again

rmb · « **Reply #3 on:** January 23, 2009, 12:41:57 pm »

Thank you.
Just downloaded modified files and tested the change. It does almost exactly what I imagin it will.

Almost because I have noticed that password is visible on a screen.
Im not sure if that is still a security problem or jus a cosmetic, but I know that other software shows blank " " or asterix "*" instead of the password content.
Is is possible to chage it or is it save now and no need for additional work?

Temar · « **Reply #4 on:** January 23, 2009, 07:11:35 pm »

best i came up with was to disable the echo during entering of password
but this only works for linux

rmb · « **Reply #5 on:** January 23, 2009, 10:22:37 pm »

Should not be a problem since for online host I'm getting a shell acount on some unix server.

Alreadythere · « **Reply #6 on:** January 24, 2009, 09:13:28 pm »

If you can't trust your server you got even more troubles.

Entering the pw on console on restart doesn't really solve the security problem. If someone is reading the config files they could theoretical most likely read input sent over network too.