hAuthD — authentication server for Lineage II

hAuthD — an alternative authentication server for Lineage II with extended functionality. It can serve 'PTS' and some L2J servers simultaneously. Authentication data is stored in an MSSQL database.

Features:

Latest version (2.7.0.146): hauthd.org/hAuthD.zip
Source code: github.com/Hint-ru/hAuthD

Configuration (hAuthD.ini)

The server loads settings from hAuthD.ini only at launch. If settings are changed, the program must be restarted.

L2J section

IP — list of L2J server IPs.
Masks are allowed, several comma-separated IPs can be entered, and the * symbol matches any IP.
This parameter lets the program determine the type of a connecting game server and send it the correct 'hello' packet.

Protocol — version of the internal protocol (used between the authentication server and the game servers).

FixedPorts (0 or 1) — defines whether users are sent the port stored in the database (lin2db.server) (1) or the port reported by the game server (0).

Log section

Controls logging.
Auth (0 or 1) — save authentication results to files.
Guard (0 or 1) — save protection-module messages to files.
All (0 or 1) — save all messages shown in the program window to files.
DB (0 or 1) — record game logins in the database.

If the DB parameter is 1, the following table is required:
USE [lin2db]
GO
SET ANSI_NULLS ON
GO
SET QUOTED_IDENTIFIER ON
GO
SET ANSI_PADDING ON
GO
CREATE TABLE [dbo].[hauthd_log](
    [time] [datetime] NOT NULL,
    [account] [varchar](14) NOT NULL,
    [ip] [varchar](15) NOT NULL,
    [hkey] [varchar](16)
) ON [PRIMARY]
GO
SET ANSI_PADDING OFF

Online section

Multiplier — online-count multiplier (e.g. 1.5).
It is applied to the player counts shown in the server list sent to users.

UserCount — whether to fill the user_count table, as the standard authentication server does, or not (0).
A non-zero value is the update interval in minutes.

Interval — interval (in seconds) between online-count requests to the game servers.

Admin section

Password — universal password that allows entering the game under any account, ignoring all constraints (ban, IP association, protection, etc.).

IP — comma-separated list of IP addresses (or masks) that are allowed to use the universal password.

Adv section

EULA (0 or 1) — show (1) or do not show (0) the user agreement (disabling it can cause a conflict on some servers).

Test (0 or 1) — any accounts (0) or only the accounts listed in Test_IDs (1) can enter the game.
In addition to the Test_IDs list, the login_flag field of the user_account table is considered (login is enabled if login_flag equals 16).

TestServers — ???

C4 (0 or 1) — compatibility mode for the C4 client.
Do not forget to change the BlowfishKey parameter in the Main section.
A client that supports the pure C4 authentication protocol is required!

MaxConnectionsPerIP — limit on simultaneous connections to the authentication server from one IP.
The limit applies to AUTHENTICATION only, not to the GAME. A connection lasts from the moment the login button is clicked until a server is selected from the list.

AntiDOS (0 or 1) — if the parameter is 1, AntiDOS mode is enabled on a sudden increase in server load (when the server cannot process all requests). The mode stays on for 5 minutes and then turns off (if the attack continues, it turns on again). In this mode timeouts are minimized, and strict limits are applied to the processing time of every request and to the number of simultaneous requests from each IP subnet.

AntiBrute and AntiBruteIP (0 or 1) — enable the AntiBrute and AntiBruteIP sections (protection against password brute-forcing).

MD5Simple (0 or 1) — use an MD5 hash instead of the L2 hash.
No DB changes are required. As usual, the password is compared with the hash from the 'password' field; the only difference is that the hash is computed with MD5. To migrate to MD5, users have to re-save their passwords manually in MD5 format through a special script on the website. The MD5Password function from the Ext section (described below) is preferable; the MD5Simple option exists for compatibility with other authentication servers.

SHA1 (0 or 1) — use SHA1 instead of the L2 hash.
As usual, the password is compared with the hash from the 'password' field; the only difference is that the hash is computed with SHA1 (20 bytes).

Proxy — list of addresses of trusted proxy servers (gateways).
The program allows requests to be forwarded through an external server (e.g. a DDoS-protecting gateway). The external server must send the real user IP in a special packet. This packet must be sent first and contains 6 bytes: 2 bytes of size (always 0x06, 0x00) and the 4 bytes of the real IP address. The limit on simultaneous connections is not applied to gateways.
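The following is an added example, not code from hAuthD, showing how the 6-byte "real IP" packet described above can be built and parsed, and why the Proxy list matters: the forwarded address is honoured only when the TCP peer is one of the configured gateways. The names build_real_ip_packet, parse_real_ip_packet and resolve_client_ip, the exact-address comparison against the Proxy list, and the sample addresses are all assumptions made for the example.

```python
import struct
import ipaddress
from typing import Iterable, Optional

# Packet layout as described for hAuthD gateways: a 2-byte size field that is
# always 0x06 0x00 (the value 6, little-endian) followed by the 4 bytes of the real IPv4.
REAL_IP_PACKET_LEN = 6


def build_real_ip_packet(real_ip: str) -> bytes:
    """Build the 6-byte 'real IP' packet a trusted gateway sends first."""
    return struct.pack("<H", REAL_IP_PACKET_LEN) + ipaddress.IPv4Address(real_ip).packed


def parse_real_ip_packet(data: bytes) -> Optional[str]:
    """Return the real client IP carried in the packet, or None if the prefix is
    malformed (short read, or a size field other than 6)."""
    if len(data) < REAL_IP_PACKET_LEN:
        return None
    (size,) = struct.unpack_from("<H", data, 0)
    if size != REAL_IP_PACKET_LEN:
        return None
    return str(ipaddress.IPv4Address(data[2:REAL_IP_PACKET_LEN]))


def resolve_client_ip(peer_ip: str, trusted_proxies: Iterable[str], first_packet: bytes) -> str:
    """Decide which IP the authentication server should treat as the client's.

    The forwarded address is honoured only when the TCP peer is in the Proxy list
    (assumed here to hold exact addresses). For any other peer the packet is
    ignored and the socket address is used, so a client connecting directly cannot
    substitute its own IP and thereby sidestep IP masks, per-IP connection limits
    or AntiBruteIP by sending this packet itself.
    """
    if peer_ip not in set(trusted_proxies):
        return peer_ip
    forwarded = parse_real_ip_packet(first_packet)
    return forwarded if forwarded is not None else peer_ip


# Constructed sample (not captured traffic): a gateway at 203.0.113.5 forwards a
# client whose real address is 192.168.1.10.
SAMPLE_GATEWAY = "203.0.113.5"
SAMPLE_PACKET = build_real_ip_packet("192.168.1.10")

if __name__ == "__main__":
    print(SAMPLE_PACKET.hex())
    print(resolve_client_ip(SAMPLE_GATEWAY, [SAMPLE_GATEWAY], SAMPLE_PACKET))
    print(resolve_client_ip("198.51.100.7", [SAMPLE_GATEWAY], SAMPLE_PACKET))
```

A malformed prefix (wrong size field or a short read) yields None and the peer address is kept, so a misbehaving gateway degrades to ordinary per-connection handling rather than to a forged client address.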

AutoReloadFiles (0 or 1) — ???

AutoReloadServers (0 or 1) — ???

Ext section

Mask — enables binding accounts to IPs (the mask field in the user_account table).
If this field is empty or contains *, login is permitted from any IP. Otherwise login is permitted only from addresses matching the mask. Several comma-separated masks may be entered.
Example: 192.168.1.*,192.168.2.*,10.24.*

MD5Password — use an MD5 hash to store user passwords.
A text field md5password (of any size) is required in the user_auth table. If this field is blank, the usual password check is performed; if the password is correct, its MD5 hash is calculated and written to the md5password field (the password field is set to 0). If the md5password field is already filled in, only the MD5 check is performed.
The value of the parameter is the key used to derive the hash (specified once for all accounts). The option is disabled if the parameter is not specified or equals zero.
PHP function to derive the hash (replace 'key' with the value of the MD5Password parameter):
<?php
function hCrypt($password) {
    $md5password = 'key';   // the value of the MD5Password parameter
    // Concatenate the MD5 of the password and the MD5 of the key (64 hex characters)
    $s = md5($password) . md5($md5password);
    // XOR every byte of that string with the key bytes, cycling through the key
    $j = 0;
    for ($i = 0; $i < strlen($s); $i++) {
        if ($j >= strlen($md5password)) $j = 0;
        $s[$i] = $s[$i] ^ $md5password[$j];
        $j++;
    }
    // The stored value is the MD5 of the XOR-ed string
    return md5($s);
}
?>
Attention! Use this function only if you completely understand its meaning and consequences!

ExecLogin (0 or 1) — call an MSSQL stored procedure after every successful authentication.
If the value is 1, hAuthD calls the hauthd_login stored procedure after all other checks. The procedure receives the account id (@uid parameter), the IP (@ip) and the hKey (@hkey). Login to the game is blocked if the procedure returns an ok column with the value 0.
Example of the hauthd_login procedure:
USE [lin2db]
GO
SET ANSI_NULLS ON
GO
SET QUOTED_IDENTIFIER ON
GO
CREATE PROCEDURE [dbo].[hauthd_login]
    @uid int,
    @ip varchar(15),
    @hkey varchar(16)
AS
    SELECT pay_stat AS ok FROM user_account WITH (nolock) WHERE uid = @uid

Guard — activates the protection module (a special client-side DLL is required).

Sections AntiBrute and AntiBruteIP

The AntiBrute section protects against password guessing using an identifier that combines the IP and the account name.
The similar AntiBruteIP section applies the protection by IP only.

MaxAttempts — maximum number of login attempts within the specified time interval.

Interval — interval (in seconds) over which login attempts are counted.

Penalty — interval (in seconds) during which login to the game is forbidden (regardless of whether the password is correct). It is activated when a user makes MaxAttempts attempts within Interval seconds.
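An added example (not hAuthD's own code) of the sliding-window logic these three keys describe: attempts are counted per identifier over Interval seconds, and reaching MaxAttempts starts a Penalty during which every attempt is refused regardless of the password. The class and method names, the LoginGuard wrapper that applies AntiBrute keyed by (IP, account) together with AntiBruteIP keyed by IP, and the sample addresses are assumptions; so is the interpretation that the attempt which reaches MaxAttempts is still processed and the penalty applies to the attempts after it.

```python
import time
from collections import deque
from typing import Deque, Dict, Hashable, Optional


class AttemptLimiter:
    """Sliding-window login-attempt limiter mirroring one AntiBrute/AntiBruteIP section.

    max_attempts, interval and penalty correspond to the ini keys MaxAttempts,
    Interval (seconds) and Penalty (seconds). The key is whatever identifier the
    section protects: (ip, account) for AntiBrute, ip alone for AntiBruteIP.
    Assumed interpretation: the attempt that brings the count in the window up to
    MaxAttempts is still processed; the penalty then applies to every later attempt
    until Penalty seconds have passed.
    """

    def __init__(self, max_attempts: int, interval: float, penalty: float) -> None:
        self.max_attempts = max_attempts
        self.interval = interval
        self.penalty = penalty
        self._window: Dict[Hashable, Deque[float]] = {}
        self._blocked_until: Dict[Hashable, float] = {}

    def is_blocked(self, key: Hashable, now: Optional[float] = None) -> bool:
        """True while the key is serving its penalty; expired penalties are dropped."""
        now = time.time() if now is None else now
        until = self._blocked_until.get(key)
        if until is None:
            return False
        if now >= until:
            del self._blocked_until[key]
            return False
        return True

    def register_attempt(self, key: Hashable, now: Optional[float] = None) -> bool:
        """Record one login attempt (counted whether or not the password is right).
        Returns True if the attempt may be processed, False if the key is under penalty."""
        now = time.time() if now is None else now
        if self.is_blocked(key, now):
            return False
        window = self._window.setdefault(key, deque())
        window.append(now)
        # Drop attempts older than Interval seconds so only the recent burst counts.
        while window and now - window[0] > self.interval:
            window.popleft()
        if len(window) >= self.max_attempts:
            self._blocked_until[key] = now + self.penalty
            window.clear()
        return True


class LoginGuard:
    """Applies both sections as the documentation describes them: AntiBrute keyed by
    (ip, account) and AntiBruteIP keyed by ip. A login is refused if either refuses."""

    def __init__(self, anti_brute: AttemptLimiter, anti_brute_ip: AttemptLimiter) -> None:
        self.anti_brute = anti_brute
        self.anti_brute_ip = anti_brute_ip

    def allow(self, ip: str, account: str, now: Optional[float] = None) -> bool:
        by_account = self.anti_brute.register_attempt((ip, account), now)
        by_ip = self.anti_brute_ip.register_attempt(ip, now)
        return by_account and by_ip


if __name__ == "__main__":
    # Constructed sample: one address (203.0.113.9) trying eleven different accounts in a burst.
    guard = LoginGuard(AttemptLimiter(5, 60, 300), AttemptLimiter(10, 60, 300))
    for i in range(11):
        print(i, guard.allow("203.0.113.9", f"acct{i}", now=100 + i))
```

The two keys catch different patterns: AntiBrute stops many guesses against one account from one address, while AntiBruteIP stops one address spraying a few guesses across many accounts, which the per-account counter alone would never trip.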

Miscellaneous

Various additional features.

Field master_id in lin2db.dbo.server

For a single game server you can add multiple rows to the table with different IPs and names; this can be used to add proxy servers to the list. The master server's id is specified in master_id. The additional rows are shown with offline status whenever the master server is offline.

Extended IP field format in lin2db.dbo.server

Example:
192.168.1.*:192.168.1.10; 10.*:10.1.1.1,10.1.1.2; 87.213.67.1,87.213.67.2,87.213.67.3

Players with IP 192.168.1.* will be assigned IP 192.168.1.10. Players with IP 10.* will be assigned 10.1.1.1 or 10.1.1.2 (chosen randomly). All others get 87.213.67.1, 87.213.67.2 or 87.213.67.3.

User accounts can have different access levels (from 0 to 9). The access level is stored in the special_gates (int) column of the account. Each IP group can require a minimum access level (prefixes s to s9). If the group's required level is higher than the user's access level, those IPs are not assigned to them.

Example:
1.1.1.1; s:2.2.2.2; s2:3.3.3.3,3.3.3.4

Players with access level 2 and above will be assigned 3.3.3.3 or 3.3.3.4. Players with access level 1 will get 2.2.2.2. All others will get 1.1.1.1.
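The following added example (not code from hAuthD) implements the two wildcard formats this page describes: the comma-separated account masks of Ext.Mask (e.g. 192.168.1.*,192.168.2.*,10.24.*) and the extended IP field of lin2db.dbo.server with its client masks and s/s2..s9 access prefixes. The function names are assumptions, as are two points the page leaves open: that a group may carry both a client mask and an access prefix, and the precedence rule (a group with an explicit client mask beats the catch-all, and a higher access requirement beats a lower one), which is the rule consistent with both examples above.

```python
import random
import re
from dataclasses import dataclass
from typing import Callable, List, Optional


def ip_matches_mask(ip: str, mask: str) -> bool:
    """Match a dotted IPv4 address against a mask such as '192.168.1.*' or '10.*'.
    '*' alone (or an empty mask) matches everything; a trailing '*' covers all
    remaining octets, and a '*' in the middle matches just that octet."""
    mask = mask.strip()
    if mask in ("", "*"):
        return True
    ip_parts = ip.split(".")
    mask_parts = mask.split(".")
    if mask_parts[-1] == "*":
        mask_parts = mask_parts + ["*"] * (4 - len(mask_parts))
    if len(ip_parts) != 4 or len(mask_parts) != 4:
        return False
    return all(m == "*" or m == o for m, o in zip(mask_parts, ip_parts))


def account_mask_allows(ip: str, mask_field: Optional[str]) -> bool:
    """Ext.Mask check on user_account.mask: empty or '*' permits any IP,
    otherwise at least one of the comma-separated masks must match."""
    if mask_field is None or not mask_field.strip():
        return True
    return any(ip_matches_mask(ip, m) for m in mask_field.split(","))


@dataclass
class IpGroup:
    client_masks: List[str]   # player IPs this group applies to ('*' = all)
    min_level: int            # minimum special_gates access level (0 = none)
    targets: List[str]        # server IPs handed out for this group


_ACCESS_PREFIX = re.compile(r"^s(\d)?$")   # 's' means level 1, 's2'..'s9' that level


def parse_server_ip_field(value: str) -> List[IpGroup]:
    """Parse the extended lin2db.dbo.server IP field: groups separated by ';',
    each optionally prefixed by a client mask and/or an access prefix followed by
    ':', then the comma-separated target IPs. Assumption: both qualifiers may
    appear in one group (the page's examples use at most one)."""
    groups: List[IpGroup] = []
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        *qualifiers, targets = raw.split(":")
        client_masks, min_level = ["*"], 0
        for q in qualifiers:
            q = q.strip()
            m = _ACCESS_PREFIX.match(q)
            if m:
                min_level = int(m.group(1)) if m.group(1) else 1
            else:
                client_masks = [p.strip() for p in q.split(",")]
        groups.append(IpGroup(client_masks, min_level,
                              [t.strip() for t in targets.split(",") if t.strip()]))
    return groups


def assign_server_ip(value: str, client_ip: str, access_level: int,
                     chooser: Callable[[List[str]], str] = random.choice) -> Optional[str]:
    """Pick the server IP a player is sent, given the field, the player's IP and
    its special_gates level. Precedence (assumed, consistent with both documented
    examples): an explicit client mask beats the catch-all, then the higher access
    requirement wins. Returns None if no group fits. 'chooser' replaces the random
    pick among a group's targets so the result can be made deterministic."""
    candidates = [
        g for g in parse_server_ip_field(value)
        if access_level >= g.min_level
        and any(ip_matches_mask(client_ip, m) for m in g.client_masks)
    ]
    if not candidates:
        return None
    best = max(candidates, key=lambda g: (g.client_masks != ["*"], g.min_level))
    return chooser(best.targets)


if __name__ == "__main__":
    # The two field values from the documentation, with constructed player addresses.
    f1 = "192.168.1.*:192.168.1.10; 10.*:10.1.1.1,10.1.1.2; 87.213.67.1,87.213.67.2,87.213.67.3"
    f2 = "1.1.1.1; s:2.2.2.2; s2:3.3.3.3,3.3.3.4"
    print(assign_server_ip(f1, "192.168.1.55", 0), assign_server_ip(f1, "10.9.8.7", 0))
    print(assign_server_ip(f2, "5.5.5.5", 0), assign_server_ip(f2, "5.5.5.5", 1), assign_server_ip(f2, "5.5.5.5", 2))
    print(account_mask_allows("192.168.2.7", "192.168.1.*,192.168.2.*,10.24.*"))
```

Because a group with no access prefix has min_level 0, every player qualifies for the catch-all, and the max() over (has_mask, min_level) is what makes the more specific or higher-privilege group win; a field with no matching group at all returns None rather than leaking a target meant for another access level.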