Xtreme Flash Policy Server v1.2

Adobe Flash cross-domain-policy Socket Delivering Server

Focused on (but not limited to) IRC environments, with per-connection isolation, protection against connection floods and an IRC bot for IRCops.

Xtreme Flash Policy Server is designed to be used together with LightIRC (http://www.lightirc.com/), but it is suitable for any other environment that needs to serve cross-domain-policy files over a network socket, as long as the deployment follows the Adobe specification (more information about the Adobe cross-domain-policy: http://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html).

Xtreme Flash Policy Server also includes some optional features:

  • Three client connection pool methods: QUEUE, FORK and THREAD.
  • Flood-connect protection based on max-connections and time thresholds (detect and blacklist).
  • An IRC bot to monitor service activity.
  • !Fantasy commands that let IRCops interact with the IRC bot.
  • Server-side activity logging to a file.
  • Lightweight and portable.

Install Xtreme Flash Policy Server

Xtreme Flash Policy Server is released under the terms and conditions of the GNU General Public License v2.

License citation:

By downloading, installing and running Xtreme Flash Policy Server you agree to these terms and conditions.

Xtreme Flash Policy Server Requirements

Xtreme Flash Policy Server is written in Perl (http://www.perl.org/) and requires no additional modules. The goal is that it runs out of the box: all you need is a Perl interpreter with its core modules (perl-core-modules), which are normally supplied by the perl meta-package of your distribution.

However, you must use Perl 5.6.0 or higher: the Perl threads implementation changed substantially in that version, and Xtreme Flash Policy Server may not work correctly under earlier releases.

Check the Perl version installed on your system with:

# perl -version

No additional software needs to be installed. You may run Xtreme Flash Policy Server as an unprivileged user or as root, but running it as root is not recommended for security reasons.

Download Xtreme Flash Policy Server

Untar, configure and verify

Untar the Xtreme Flash Policy Server package in your home directory:

# tar -xvvzf lookflashpolicy-1.2.tgz

A new directory named lookflashpolicy-1.2 is created. Change into it:

# cd lookflashpolicy-1.2

Open the file named config.pm-dist with your preferred command-line editor (emacs, vim, nano, etc.) and customize it to your needs. The configuration constants are located between these blocks:

# ------------------------------------
# Config Start for Xtreme Flash Policy
# ------------------------------------

..

# ----------------------------------
# Config end for Xtreme Flash Policy
# ----------------------------------

Read the description given for every parameter carefully before modifying it, and take care not to modify or delete the lines marked as "system stuff".

When the customization is complete, save your changes and rename config.pm-dist to config.pm:

# mv config.pm-dist config.pm

Now verify that Xtreme Flash Policy Server is ready to run:

# ./lookflashpolicy.pl
Xtreme Flash Policy Server

You can run this software under the root account if you want, but it isn't recommended; the sane (and secure) choice is an unprivileged user account. Keep in mind that to listen on a port below 1024, such as 843, the port on which Flash Player asks for socket policy files, you must either be root or do extra configuration on your platform (OS) so that an unprivileged process may bind it.

To run it in the background, execute:

# ./lookflashpolicy.pl start

To stop it:

# ./lookflashpolicy.pl stop

Xtreme Flash Policy Server Features

This section explains the main Xtreme Flash Policy Server features so that you can take full advantage of the software. It is worth spending a few minutes to understand them, especially if you plan to deploy it in production.

Client connection pool methods: QUEUE, FORK and THREAD.

The client connection pool method determines how the daemon attends each cross-domain-policy request that arrives over the network socket. Being able to handle these requests with different mechanisms makes Xtreme Flash Policy Server more scalable and versatile, and suitable for many different production deployment scenarios.

QUEUE

This is the most basic mechanism, but it may be the best option for deployments with low traffic. Every client connection is handled, enqueued and dispatched by the same process in FIFO (First-In First-Out) order. This method uses little memory and few resources, but there is no isolation between connections: a client that connects and never sends its request holds the process until the request timeout expires, and every other client waits behind it (whether this matters depends on how paranoid you are).

Xtreme Flash Policy Server - QUEUE diagram

FORK

This method handles every connection by encapsulating it in a detached child process created with fork(). Our lab tests gave very promising scaling results, even though fork() is relatively expensive: the system clones the parent process and the child inherits all of its memory and descriptors. This method may be suitable for medium-load servers; it is more fault tolerant and provides isolation, but the platform (OS) may limit the number of child processes that can exist simultaneously.

Xtreme Flash Policy Server - FORK diagram

THREAD

Each client connection is handled by a thread. A thread (for users without a software-development background) is like a "light" sub-process running inside the same parent process. Threads have a lower memory footprint and spawn faster than fork(). This is the recommended method for high-load servers, and it also provides per-connection isolation.

Xtreme Flash Policy Server - THREAD diagram

If you use THREAD you may experience a memory leak, depending on the version of your Perl interpreter. The issue is reported to be fixed since Perl 5.13.5 (https://rt.perl.org/rt3/Public/Bug/Display.html?id=69598); it is a Perl bug, not an Xtreme Flash Policy Server bug.
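The following is an added example and not the project's Perl code: a minimal socket-policy responder in Python that shows the handshake from the Adobe specification referenced in the introduction (Flash Player sends <policy-file-request/> followed by a NUL byte; the server answers with the policy XML followed by a NUL byte) and the three dispatch models described in this section. The policy document, the port numbers, the timeouts and the function names are assumptions for illustration; the verdict strings mirror the IRC bot messages shown later on this page. stalled_then_fetch makes the isolation difference concrete: a client that connects and never sends its request holds a QUEUE server for the whole idle timeout, so the next client waits, while THREAD and FORK serve the next client right away.

```python
import os
import socket
import threading
import time

# What Flash Player sends after connecting: the request element followed by one NUL byte.
POLICY_REQUEST = b"<policy-file-request/>\x00"

# Constructed policy that opens only the IRC port. Combined with domain="*", a to-ports="*"
# here would let any SWF on the web open a socket to any port on this host. Reply ends in NUL.
POLICY_RESPONSE = (
    b'<?xml version="1.0"?>\n<cross-domain-policy>\n'
    b'  <allow-access-from domain="*" to-ports="6667" />\n'
    b"</cross-domain-policy>\n\x00"
)

def serve_client(conn, idle_timeout=1.5):
    """Handle one connection; return a verdict like the ones the IRC bot reports."""
    conn.settimeout(idle_timeout)
    try:
        data = b""
        # Never read more than a valid request is long: anything longer cannot be one.
        while len(data) < len(POLICY_REQUEST) and not data.endswith(b"\x00"):
            chunk = conn.recv(len(POLICY_REQUEST) - len(data))
            if not chunk:
                break
            data += chunk
        if data == POLICY_REQUEST:
            conn.sendall(POLICY_RESPONSE)
            return "Valid request, policy sent"
        return "Invalid request. Ignoring"
    except socket.timeout:
        return "Waiting request timeout"
    finally:
        conn.close()

def serve(listener, mode, stop, idle_timeout=1.5):
    """Accept loop; mode is 'queue', 'thread' or 'fork' (fork is POSIX only)."""
    listener.settimeout(0.2)  # wake up periodically to notice `stop`
    while not stop.is_set():
        try:
            conn, _ = listener.accept()
        except socket.timeout:
            continue
        if mode == "queue":  # same process, FIFO: a stalled client holds everyone behind it
            serve_client(conn, idle_timeout)
        elif mode == "thread":  # one thread per connection inside this process
            threading.Thread(target=serve_client, args=(conn, idle_timeout), daemon=True).start()
        elif mode == "fork":  # one child process per connection
            if os.fork() == 0:
                serve_client(conn, idle_timeout)
                os._exit(0)  # the child exits without running the parent's cleanup
            conn.close()  # the parent keeps only the listener and reaps finished children
            try:
                while os.waitpid(-1, os.WNOHANG)[0] != 0:
                    pass
            except ChildProcessError:
                pass

def probe(raw, close_after=True, idle_timeout=0.5):
    """Feed `raw` to serve_client over a socketpair; return (verdict, bytes the client got)."""
    server_side, client_side = socket.socketpair()
    if raw:
        client_side.sendall(raw)
    if close_after:
        client_side.shutdown(socket.SHUT_WR)  # the client has nothing more to say
    verdict = serve_client(server_side, idle_timeout)
    reply = b""
    while chunk := client_side.recv(4096):  # serve_client closed its end, so this reaches b""
        reply += chunk
    client_side.close()
    return verdict, reply

def fetch_policy(port, timeout=5.0):
    """Act like Flash Player: connect, send the request, read until NUL. Returns (reply, seconds)."""
    t0 = time.monotonic()
    with socket.create_connection(("127.0.0.1", port), timeout=timeout) as s:
        s.sendall(POLICY_REQUEST)
        reply = b""
        while not reply.endswith(b"\x00") and (chunk := s.recv(4096)):
            reply += chunk
    return reply, time.monotonic() - t0

def stalled_then_fetch(mode, idle_timeout=1.5):
    """Isolation check: a client connects and stays silent, then a second one asks for the policy.
    QUEUE makes the second wait out the first one's idle timeout; THREAD and FORK do not."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))  # ephemeral port; a real deployment listens on 843
    listener.listen(16)
    stop = threading.Event()
    threading.Thread(target=serve, args=(listener, mode, stop, idle_timeout), daemon=True).start()
    silent = socket.create_connection(listener.getsockname())
    try:
        return fetch_policy(listener.getsockname()[1])
    finally:
        silent.close()
        stop.set()
```

Calling stalled_then_fetch("queue") returns the policy only after roughly the 1.5 s idle timeout, because the single process is busy waiting on the silent client; stalled_then_fetch("thread") returns it almost immediately. The bounded read in serve_client is deliberate: a policy request has a fixed length, so the server never buffers arbitrary attacker-supplied data while deciding whether the request is valid.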

Flash Policy Flood connect protection

Xtreme Flash Policy Server has built-in protection against connection floods that is fully functional in all supported connection pool methods (QUEUE, FORK and THREAD). It works with two pre-configured thresholds, a maximum number of connections per client within a given lapse of time, and the check is done per IP address.

When an IP address is detected exceeding these limits it is added to an internal blacklist, and its connections are ignored for a pre-configured amount of time, which may be limited or unlimited. The blacklist is volatile: it lives in RAM, so it is cleared every time Xtreme Flash Policy Server is restarted. The goal is to stop connection floods from a remote host that try to destabilize or take down the service.

Experienced users may also configure an external program or script to be executed every time an IP address is blacklisted; for example, you can add an iptables rule that drops packets from the attacker's IP at network layer 3. Note that whatever you hook in there is fed a value derived from attacker traffic, so the script should accept nothing but a well-formed IP address and should not pass it through a shell unquoted.
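As an added example, not the project's own code or configuration, the following Python models the mechanism just described: a per-IP sliding-window counter, a RAM-only blacklist with a limited or unlimited expiry, the notice in the format the IRC bot prints (see the transcript below), and a hook that builds an iptables command from the blacklisted address. The class and function names, the thresholds (20 connections per 60 seconds, 10-minute ban) and the sample traffic are constructed for illustration; the server's real configuration keys are not given on this page.

```python
import collections
import ipaddress
import time


class FloodGuard:
    """Per-IP connection-rate check with a volatile (RAM-only) blacklist.

    More than `max_conn` connections from one address within `window` seconds blacklist
    it for `ban_for` seconds (0 = until the process restarts). `on_blacklist`, if given,
    is called once per ban, like the server's external-program hook.
    """

    def __init__(self, max_conn=20, window=60, ban_for=600, on_blacklist=None,
                 clock=time.monotonic):
        self.max_conn, self.window, self.ban_for = max_conn, window, ban_for
        self.on_blacklist, self.clock = on_blacklist, clock
        self._hits = collections.defaultdict(collections.deque)  # ip -> recent connect times
        self._banned = {}  # ip -> expiry time, or None for an unlimited ban

    def check(self, ip):
        """Return True if a connection from `ip` may be served, False if it must be ignored."""
        now = self.clock()
        if ip in self._banned:
            expiry = self._banned[ip]
            if expiry is None or now < expiry:
                return False
            del self._banned[ip]  # "Blacklist: <ip> Removed! (Expired)"
            self._hits.pop(ip, None)
        hits = self._hits[ip]
        hits.append(now)
        while now - hits[0] > self.window:  # forget connects that fell out of the window
            hits.popleft()
        if len(hits) > self.max_conn:
            self._banned[ip] = None if self.ban_for == 0 else now + self.ban_for
            if self.on_blacklist is not None:
                self.on_blacklist(ip, len(hits), self.window, self.ban_for)
            hits.clear()
            return False
        return True

    def banned(self):
        """Addresses currently blacklisted (expired entries are dropped lazily by check())."""
        now = self.clock()
        return sorted(ip for ip, exp in self._banned.items() if exp is None or now < exp)


def blacklist_notice(ip, attempts, window, ban_for):
    """Format the event the way the IRC bot announces it (minute granularity, as in the transcript)."""
    expiry = "Does not expire" if ban_for == 0 else f"Expires in {ban_for // 60} minute/s"
    return f"Blacklist: {ip} Added! ({attempts} attempt/s in less than {window // 60} minute/s) {expiry}"


def iptables_drop_argv(ip, port=843):
    """Build the argv of a layer-3 drop rule for the external hook.

    The hook's input derives from attacker traffic, so it is validated as an IP address
    first and returned as an argv list for subprocess.run() without a shell, never
    interpolated into a shell string.
    """
    addr = ipaddress.ip_address(ip)  # ValueError for anything that is not an IP address
    tool = "ip6tables" if addr.version == 6 else "iptables"
    return [tool, "-I", "INPUT", "-p", "tcp", "--dport", str(port), "-s", str(addr), "-j", "DROP"]


def replay(events, **guard_kwargs):
    """Run constructed (ip, seconds) connection events through a FloodGuard.

    Returns (served, ignored, notices) so the effect of the thresholds can be inspected.
    """
    notices, clock = [], [0.0]
    guard = FloodGuard(on_blacklist=lambda *a: notices.append(blacklist_notice(*a)),
                       clock=lambda: clock[0], **guard_kwargs)
    served = ignored = 0
    for ip, t in events:
        clock[0] = t
        if guard.check(ip):
            served += 1
        else:
            ignored += 1
    return served, ignored, notices


# Constructed traffic: a flooder opens 25 connections in 25 seconds while a normal client
# connects once every 70 seconds, which never fills the 60-second window.
SAMPLE_EVENTS = sorted(
    [("203.0.113.7", 0.5 + i) for i in range(25)] + [("198.51.100.2", 70.0 * i) for i in range(5)],
    key=lambda e: e[1],
)
```

replay(SAMPLE_EVENTS) serves the flooder's first 20 connections, blacklists it on the 21st (producing the "21 attempt/s in less than 1 minute/s" notice), ignores the remaining four, and never touches the well-behaved address. The hook keeps the command as an argv list and rejects anything that is not an IP address, which is the property to insist on for any script you attach to the server's blacklist event.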

Flash Policy IRC Bot for IRCops

Because of the nature of this software, oriented (but not limited) to IRC environments, it can connect an IRC bot to your IRCops channel to report Xtreme Flash Policy Server activity.

The IRC bot reports every event in the assigned channel:

*** Joins: PolicyServ (Xtreme@policy.nandox.com) has joined #Services
<PolicyServ> Xtreme Flash Policy [looksharp+endurance] v1.2 is UP!
<PolicyServ> Trigger is: !policy
..
<PolicyServ> Connection from [xx.xx.xxx.xxx:3103] - Valid request, policy sent - tid(6)
<PolicyServ> Connection from [xx.xx.xxx.xxx:3208] - Invalid request. Ignoring - tid(7)
<PolicyServ> Connection from [xxx.xxx.xx.xx:6060] - Waiting request timeout - tid(8)
..
<PolicyServ> Blacklist: xxx.xxx.xxx.xxx Added! (21 attempt/s in less than 1 minute/s) Expires in 10 minute/s
..
<PolicyServ> Blacklist: xxx.xxx.xxx.xxx Removed! (Expired)
  <Amaz|ng^> !policy
<PolicyServ> Options for !policy are: <alive|stats>

It also implements some !fantasy commands; use !policy to list the available ones.

The IRC bot feature is optional and you may disable it if you don't want it.

We are always trying to improve our free services.

If you enjoy our services you can always support us through donations.