hAuthD — authentication server for Lineage II (en, ru)

hAuthD — alternative authentication server for Lineage II with extended functionality. It can work simultaneously with 'PTS' and some L2J-servers. Authentication data is stored in MSSQL database.

Features:

Latest version (2.7.0.146): http://hauthd.org/hAuthD.zip

Optional anti-cheat system (hGuard)

hGuard is the DLL which is stored in game folder and interacts with hAuthD. DLL safely encrypts authentication packets and sends additional information to server: list of forbidden software (cheats) found, control sums (CRC32) for some client files, amount of launched copies of the game, unique computer identifier (hardware key).
Basic abilities:
Protection doesn't involve game server and doesn't encrypt game traffic. DLL doesn't protect game server from any bugs. It just finds specific programs on user side and sends this info to hAuthD server (server makes the solutions according to settings). Protection sends the info only on authentication and works autonomously during the game (controls launched processes, prevents emulation of keypresses, finishes client work if necessary). Gamer is awarded with penalty points for any cheat (penalty depends on type of the program and is set by administrator).
In standard mode server assigns penalty and lets user to enter the game (gamer doesn't know if a cheat was detected). Account is blocked when penalty sum reaches some defined limit. Blocking starts not immediately but with a delay (delay is set by administrator, it can't be less than one hour).
In alternative mode server blocks login into the game if the cheat was found and adds gamer's computer into temporary black list (black list is reset on server restart). It is also possible to add cheaters' computers into constant black list.

DLL is assigned by external IP of authentication server (amount of game servers is unlimited).
License price per domain: 500 €

E-mail: hint.ru@gmail.com

Protection is updated on December, 3 2018.

Configuration (hAuthD.ini)

Server loads settings from hAuthD.ini file only on launch. If settings are changed, then it is necessary to restart the program.

L2J section

IP — list of L2J-servers IPs.
It is possible to use masks, to enter several comma-separated IPs, to use * symbol (any IP).
Parameter makes it possible for the program to define a type of connected server and send the correct 'hello' packet.

Protocol — version of internal protocol (for interaction between authentication and game servers).

FixedPorts (0 or 1) — defines whether to send to users a port from database (lin2db.server) or a port, received from game server (0).

Log section

Performs logging.
Auth (0 or 1) — save authentication results to files.
Guard (0 or 1) — save protection messages to files.
All (0 or 1) — save all messages from program window in files.
DB (0 or 1) — save information about entering the game in database.

If DB parameter equals to 1, then following table is required:
USE [lin2db] GO SET ANSI_NULLS ON GO SET QUOTED_IDENTIFIER ON GO SET ANSI_PADDING ON GO CREATE TABLE [dbo].[hauthd_log]( [time] [datetime] NOT NULL, [account] [varchar](14) NOT NULL, [ip] [varchar](15) NOT NULL, [hkey] [varchar](16) ) ON [PRIMARY] GO SET ANSI_PADDING OFF

Online section

Multiplier — online multiplier (e.g. 1.5).
Specified in the server list which is sent to users.

UserCount — whether to fill or not to fill (0) user_count table, as it is performed by standard authentication server.
Non-zero value means interval in minutes.

Interval — interval between online requests to game servers, in seconds.

Admin section

Password — universal password, which makes it possible to enter the game under any account ignoring any constraints (ban, association with IP, protection etc.).

IP — list of IP-addresses (or masks) which can use universal password (comma-separated).

Adv section

EULA (0 or 1) — show (1) or not to show (0) user agreement (disabling can cause a conflict on some servers).

Test (0 or 1) — any (0) or only specified (1) accounts from Test_IDs list can enter the game.
Along with Test_IDs list value of login_flag field from user_account table is considered (login is enabled if login_flag equals to 16).

TestServers — ???

C4 (0 or 1) — mode of compatibility with ะก4 client.
Please don't forget to change BlowfishKey parameter in Main section.
It is necessary to use the client which supports pure C4 authentication protocol!

MaxConnectionsPerIP — limitation of simultaneous connections with authentication server from one IP.
Limitation is applied not to the GAME, but to AUTHENTICATION only. Connection lasts from the moment of clicking the login button until selection of a server from a list.

AntiDOS (0 or 1) — if parameter equals to 1, then AntiDOS mode is enabled on sudden increase of server load (when server isn't able to process all requests). This mode works for 5 minutes and turns off (if attack continues, then it turns on again). Timeouts are minimized in this mode, strict limitations on time of processing of every request and on number of simultaneous requests from IP-subnets are applied.

AntiBrute and AntiBruteIP (0 or 1) — enables AntiBrute and AntiBruteIP sections (protection against password bruteforce).

MD5Simple (0 or 1) — use MD5-hash instead of L2-hash.
No DB changes required. As usually, password is compared with hash from 'password' field. The only difference is that hash is defined using MD5. In order to transfer to MD5 users have to resave their passwords manually to MD5 format through the special script on the website. It is more preferable to use MD5Password function from Ext section (information below). MD5Simple option is necessary for compatibility with other authentication servers.

SHA1 (0 or 1) — use SHA1 instead of L2-hash.
As usually, password is compared with hash from 'password' field. The only difference is that hash is defined using SHA1 (20 bytes).

Proxy — list of addresses of trusted proxy-servers (gateways).
Program enables to forward requests to external server (e.g., through DDOS-protecting gateway). External server should send the real user IP in special packet. This packet should be sent first and should contain 6 bytes: 2 bytes for the size (always 0x06, 0x00) and 4 bytes of real IP-address. Limitation on simultaneous connections is not applied to gateways.

AutoReloadFiles (0 or 1) — ???

AutoReloadServers (0 or 1) — ???

Ext section

Mask — enables association of accounts with IP (field mask in user_account table).
If this field is empty or contains *, then login is permitted from any IP. Otherwise login is permitted from the addresses according to the mask. It is possible to enter several comma-separated masks.
Example: 192.168.1.*,192.168.2.*,10.24.*

MD5Password — use MD5-hash to keep user passwords.
Text field md5password is required in user_auth table (with any size). If this field is blank then usual password check is performed. If password is correct, then its MD5-hash is calculated and entered into md5Password field (password field is filled with 0 value). If md5password field is already filled in then MD5-check is performed only.
Value of the parameter — key to derive hash (is specified once for all). Option is disabled if parameter is not specified or equals to zero.
PHP-function to derive hash (replace 'key' with the value of MD5Password parameter):
<?php function hCrypt($password) { $md5password = 'key'; $s = md5($password) . md5($md5password); $j = 0; for ($i = 0; $i < strlen($s); $i++) { if ($j >= strlen($md5password)) $j = 0; $s[$i] = $s[$i] ^ $md5password[$j]; $j++; } return md5($s); } ?>
Attention! Use this function only if you completely understand its meaning and consequences!

ExecLogin (0 or 1) — allows to call MSSQL procedure after every successful authentication.
If the value is 1, then hAuthD calls hauthd_login (Stored Procedure) after all checks. Procedure receives account id (@uid parameter), IP (@ip) and hKey (@hkey). Login to the game is blocked if procedure returns ok with 0 value.
Example of hauthd_login procedure:
USE [lin2db] GO SET ANSI_NULLS ON GO SET QUOTED_IDENTIFIER ON GO CREATE PROCEDURE [dbo].[hauthd_login] @uid int, @ip varchar(15), @hkey varchar(16) AS SELECT pay_stat AS ok FROM user_account WITH (nolock) WHERE uid = @uid

Guard — activates protection module (special DLL for a client is required).

Sections AntiBrute and AntiBruteIP

Protection against password search works with identifier, which includes IP and account name.
Similar AntiBruteIP section manages protection only by IP.

MaxAttempts — maximum amount of login attempts during specified time interval.

Interval — interval (in seconds) to calculate amount of login attempts.

Penalty — interval (in seconds), when it is forbidden to login into the game (regardless the correctness of password). It is activated when user makes 'MaxAttempts' attempts in 'Interval' seconds.