#23600 10/05/03 11:46 PM
Prizm (OP), Vogon poet
Joined: May 2003
Posts: 177
I'm creating a basic remote access server type script for mIRC that will allow a user to access mIRC's command line from a remote computer. The script will use mIRC's socket support and a standard telnet client to connect to the remote server. I would like the veteran mIRC scripters to suggest how I should handle the logon sequence. It's a password-only type of login, no user name.

Hoopy frood
Joined: Feb 2003
Posts: 2,812
That's a bit of a touchy script, so I wouldn't expect much help when you get into the actual 'remote access' part of scripting it. As for the login sequence, this seems fairly harmless and generic.

You say the login sequence will require a password only. With this, I can make the following recommendations as to how to handle it.

1. Don't provide a "Password?:" prompt. If you do, it could become a target for port scanners looking for something to do. If this will be for personal use, you should know that you have to enter your password upon connecting.

2. Ignore connection attempts from an IP mask that fails to enter the correct password after N attempts, for N minutes. This will dissuade flood attempts / dictionary attacks.

3. In lieu of #2, only allow connection attempts from a specific IP mask or masks. This will allow you to log in from specific computers, like at work, but may deny access if you're at the library or a random friend's house.

4. Log all activity. This may seem simple enough, but it is often forgotten about until the need arises and it's too late.

How 'secure' you want to make this is up to you. You could hardcode a password in the script, or read from a .ini file... to the extreme of SSL encryption with a Blowfish password.

Hope this helps. Good luck.

- Raccoon


Well. At least I won lunch.
Good philosophy, see good in bad, I like!
Hoopy frood
Joined: Dec 2002
Posts: 2,809
Three words, ACL, ACL, ACL!

Don't just use a password, especially not for something as dangerous as this can be (remember, if you remotely access mIRC, someone can wipe your entire hard drive!).

If you're not familiar with ACL, it is an Access Control List; basically, it is a list of hostnames/IP addresses. If the person trying to connect doesn't have a host/IP that appears on the ACL, the connection is dropped immediately; you only ask for a password (and only accept a password) if the person is on the ACL. This can significantly help limit the number of potential security breaches, because simply guessing a password is not enough. Also, when storing the password locally, make sure it is encrypted; using $md5 is probably the best bet. MD5 isn't super strong, but it is the best mIRC has to offer. Also, as far as the password goes, do some checking on it: ensure it is > 8 characters and contains at least 3 numbers, but it must also contain letters. Forcing it to contain both numbers and letters helps limit the risk of someone using a dictionary based attack.
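
The login sequence the replies above describe (ACL check before any password is accepted, no prompt, lockout after N failures, everything logged), as an added example that is not code from any poster in this thread. It is written in Python rather than mIRC script, the class and method names are hypothetical, and it stores a salted PBKDF2 hash in place of the $md5 value suggested above.

```python
import fnmatch
import hashlib
import hmac
import os
import time


class LoginGate:
    """Password-only login gate: ACL first, then lockout, then password check."""

    def __init__(self, acl, password, max_failures=3, lockout_secs=600,
                 clock=time.monotonic):
        self.acl = list(acl)                # wildcard IP masks, e.g. "192.0.2.*"
        self.max_failures = max_failures
        self.lockout_secs = lockout_secs
        self.clock = clock                  # injectable so time can be simulated
        self.salt = os.urandom(16)
        self.stored = self._hash(password)  # only the salted hash is kept
        self.failures = {}                  # ip -> (count, time of last failure)
        self.log = []                       # (timestamp, ip, event) audit trail

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def _record(self, ip, event):
        self.log.append((self.clock(), ip, event))
        return event

    def on_connect(self, ip):
        """True if the peer may send a password; otherwise drop with no prompt."""
        if not any(fnmatch.fnmatchcase(ip, mask) for mask in self.acl):
            self._record(ip, "drop-not-in-acl")
            return False
        return True

    def on_password(self, ip, attempt):
        if not self.on_connect(ip):
            return "drop-not-in-acl"
        count, last = self.failures.get(ip, (0, 0.0))
        if count >= self.max_failures:
            if self.clock() - last < self.lockout_secs:
                return self._record(ip, "drop-locked-out")
            count = 0                       # lockout expired, start counting again
        # Constant-time comparison of the derived hashes.
        if hmac.compare_digest(self._hash(attempt), self.stored):
            self.failures.pop(ip, None)
            return self._record(ip, "login-ok")
        self.failures[ip] = (count + 1, self.clock())
        return self._record(ip, "login-failed")
```

While an address is locked out, even the correct password is refused, so a guess that happens to be right during the lockout window gives no signal to the peer.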

