
Rcon locker / exploit fix


Author
devicenull
Veteran Member
Join Date: Mar 2004
Location: CT
Plugin ID:
917
Plugin Version:
0.6.7
Plugin Category:
General Purpose
Plugin Game:
Any
Plugin Dependencies:
    Servers with this Plugin:
    73 
    Plugin Description:
    Lock rcon password / prevent some exploits
    Unapprover:
    Reason for Unapproving:
    Causes issues with SM command permissions - also entirely(?) unnecessary nowadays
    Old 06-04-2009 , 14:53   Rcon locker / exploit fix
    Reply With Quote #1

    This plugin will prevent your rcon password from being changed. It uses whatever password you have set in server.cfg, and resetting the password will require the server to be updated in server.cfg, and then restarted.

    This fixes the following exploits:
    • Executing harmful commands via ent_fire/ent_create if cheats are on
    • Around 10 or so commands that can be used to lag the server (adds the cheats flag to them)
    • Loading plugins clientside, allowing you to use cheat commands
    • Clients would be able to teleport, regardless of cheats/plugins on server.
    • If Mani is detected, spammable commands will be blocked (this will break nextmap functionality, but it's either that or risk server crashes)
    • Es_tools changelevel exploit
    • Cvar bounds are removed on sv_rcon_minfailures and sv_rcon_maxfailures. These are also set to 10,000 if they are not changed in your config file.
    • "unnamed" users will be kicked once they join.
    • Users with bell or % characters will be kicked when they join
    • Commands executed before a client has connected will be blocked.
    • Prevent logging from being disabled, if it is ever enabled while the plugin is active.
    • All commands on the server will be logged by default.

    No configuration is needed for this plugin.

    Note: This will leave your server vulnerable to brute force attacks, though that's easily fixed.. just use a secure rcon password. This was necessary to prevent a server crash that happens when a user is banned from accessing rcon.

    To generate a secure rcon password go here. These passwords are randomly generated and change each time you refresh the page. If you use these, there are 62^24 possible passwords, so they won't be brute forced any time soon.


    If you wish to disable the command logging functionality, create a file in addons/sourcemod/configs named rcon_lock.cfg. It doesn't matter what this file contains, as long as it exists it will be disabled.

    I didn't want to add the ability to disable command logging as a cvar, as many rcon "hack" scripts already attempt to disable normal logs. Unless you are running old eventscripts plugins, you can safely leave command logging enabled.

    If you are running 1.3 or higher, you want the "rcon_lock" plugin.

    If you are running under 1.3, you want the "rcon_lock_legacy" plugin, or to upgrade sourcemod. Note that the legacy plugin is no longer being updated.
    Attached Files
    File Type: sp Get Plugin or Get Source (rcon_lock.sp - 22103 views - 13.2 KB)
    File Type: sp Get Plugin or Get Source (rcon_lock_legacy.sp - 7817 views - 10.4 KB)
    __________________
    Various bits of semi-useful code in a bunch of languages: http://code.devicenull.org/

    Last edited by devicenull; 06-01-2010 at 20:52.
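
The post's advice to rely on a strong rcon password, sketched as an added example (not part of devicenull's post or the plugin's code): it generates a 24-character password from the 62-symbol alphabet behind the 62^24 figure and audits the `rcon_password` line of a server.cfg. The function names, the 80-bit threshold and the sample config are assumptions made for illustration.

```python
import math
import re
import secrets
import string

ALPHABET = string.ascii_letters + string.digits   # 62 symbols, as in the post
LENGTH = 24                                       # gives 62^24 passwords
TARGET_BITS = LENGTH * math.log2(len(ALPHABET))   # about 142.9 bits
# Matches: rcon_password "value"  or  rcon_password value  (not // comments)
CFG_LINE = re.compile(r'^\s*rcon_password\s+(?:"([^"]*)"|(\S+))', re.I)

def generate_rcon_password(length=LENGTH):
    """Pick every character independently from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def rcon_password_from_cfg(text):
    """Return the last rcon_password value set in a server.cfg body."""
    found = None
    for line in text.splitlines():
        m = CFG_LINE.match(line)
        if m:
            found = m.group(1) if m.group(1) is not None else m.group(2)
    return found

def search_space_bits(password):
    """Upper bound on brute-force cost: length * log2(character pool).
    Dictionary words and reused passwords are far weaker than this bound."""
    pool = 0
    for pattern, size in ((r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10),
                          (r"[^a-zA-Z0-9]", 33)):  # 33 = ASCII punctuation + space
        if re.search(pattern, password):
            pool += size
    return len(password) * math.log2(pool) if pool else 0.0

def audit(cfg_text, min_bits=80.0):
    """min_bits is an assumed policy threshold, not a value from the post."""
    password = rcon_password_from_cfg(cfg_text)
    if not password:
        return "missing"
    return "ok" if search_space_bits(password) >= min_bits else "weak"

# Constructed sample config, not taken from any real server.
SAMPLE_CFG = 'hostname "example"\n// rcon_password "old"\nrcon_password "changeme"\n'

if __name__ == "__main__":
    print(audit(SAMPLE_CFG))
    print(audit(f'rcon_password "{generate_rcon_password()}"'))
    print(round(TARGET_BITS, 1))
```

Because the plugin reads the password from server.cfg, a newly generated value only takes effect after the file is updated and the server restarted, as the post describes.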
    Inflikted
    SourceMod Donor
    Join Date: Jan 2009
    Old 06-05-2009 , 00:00   Re: Rcon locker / exploit fix
    Reply With Quote #2

    Which exploit is this prevalent in? CSS.. TF2 or all Source games. Not that I want to hack people, just want to know if I need the protection for my servers
    bl4nk
    SourceMod Developer
    Join Date: Jul 2007
    Old 06-05-2009 , 00:08   Re: Rcon locker / exploit fix
    Reply With Quote #3

    This will work for all Source games.
    DontWannaName
    Veteran Member
    Join Date: Jun 2007
    Location: VALVe Land, WA
    Old 06-05-2009 , 00:27   Re: Rcon locker / exploit fix
    Reply With Quote #4

    So this is only needed if we run an addon that messes with rcon? Be specific with who needs to use this, I'm pretty sure I don't since I run just SM and plugins added by me.
    Chris-_-
    SourceMod Donor
    Join Date: Oct 2008
    Old 06-05-2009 , 06:48   Re: Rcon locker / exploit fix
    Reply With Quote #5

    Quote:
    Originally Posted by DontWannaName View Post
    So this is only needed if we run an addon that messes with rcon? Be specific with who needs to use this, I'm pretty sure I don't since I run just SM and plugins added by me.
    Quote:
    Also, this plugin will prevent people from adding admins or shutting down the server using the ent_fire exploits.
    If you at some point activate sv_cheats 1 on a server of yours, and someone runs an exploit based on that command then you might want to have this on :p
    santaclaus
    Senior Member
    Join Date: Dec 2008
    Old 06-05-2009 , 12:30   Re: Rcon locker / exploit fix
    Reply With Quote #6

    Quote:
    Originally Posted by Chris-_- View Post
    If you at some point activate sv_cheats 1 on a server of yours, and someone runs an exploit based on that command then you might want to have this on :p
    Is that info true?
    Do you mean that only those who put sv_cheats as 1 need this?
    devicenull
    Veteran Member
    Join Date: Mar 2004
    Location: CT
    Old 06-05-2009 , 13:23   Re: Rcon locker / exploit fix
    Reply With Quote #7

    If sv_cheats 1 is activated, players can execute rcon commands. This attempts to prevent them from doing permanent damage with it, but.. you still shouldn't turn cheats on.

    As far as the rcon exploit, it seems to be confined to servers running a malicious plugin.
    __________________
    Various bits of semi-useful code in a bunch of languages: http://code.devicenull.org/
    Chris-_-
    SourceMod Donor
    Join Date: Oct 2008
    Old 06-05-2009 , 17:06   Re: Rcon locker / exploit fix
    Reply With Quote #8

    santaclaus:

    Quote:
    Originally Posted by devicenull View Post
    If sv_cheats 1 is activated, players can execute rcon commands. This attempts to prevent them from doing permanent damage with it, but.. you still shouldn't turn cheats on.
    devicenull
    Veteran Member
    Join Date: Mar 2004
    Location: CT
    Old 06-10-2009 , 14:06   Re: Rcon locker / exploit fix
    Reply With Quote #9

    Updated to v0.2, fixes a bunch more exploits.
    __________________
    Various bits of semi-useful code in a bunch of languages: http://code.devicenull.org/
    BAILOPAN
    Join Date: Jan 2004
    Old 06-10-2009 , 14:10   Re: Rcon locker / exploit fix
    Reply With Quote #10

    Nice work, devicenull.
    __________________
    egg