[NightLinks]

Here are a few things that you can do and add to your game server to protect it from exploiters & hackers.

1) Do not give to anyone the RCON PASSWORD to your game server.

2) Never give out to anyone your game server FTP LOGIN NAME / FTP PASSWORD.

3) Never enable SV_CHEATS 1 in your game server change it to 0.

4) Add to your server.cfg file rcon authentication fail ban penalty. Copy & paste into your server.cfg file then make the necessary changes to your linkings.

Quote:

sv_rcon_banpenalty 5 --- Number of minutes that a player can be banned 1 - 60 max sv_rcon_maxfailures 10 --- Number of times a player can retry to enter a password 1 - 20 max before being banned. sv_rcon_minfailures 5 --- Number of times a player can retry to enter a password 1 - 20 max before being banned. sv_rcon_minfailuretime 30 --- Number of seconds that a player has to wait until entering a password again 1 second - 60 minutes max.

5) If you're using sourcemod you can add a plugin called "Forlix FloodCheck" to protect your game server from chat spam & command flood.

http://forums.alliedmods.net/showthread.php?t=87553

You can also add to your game server "Rcon Locker / exploit fix" it will prevent your rcon password from being changed.

http://forums.alliedmods.net/showthread.php?t=93934

( Thanks devicenull for letting me know about this plugin. )

There's another plugin for sourcemod admin mod that you can add called "Command Blocker" you can block players from using commands you specify in the server.cfg file.

http://forums.alliedmods.net/showthread.php?t=73828

6) If you're using mattie eventscripts there's quite a few addons that use can use to proctect your game server.

Miauw Mzx's Anti-Exploits -- It blocks players from doing command exploits.
http://addons.eventscripts.com/addon.../mizx_exploits

HackThis -- This plugin blocks unnconnected player names, protect rcon and channel overflow exploit.
http://addons.eventscripts.com/addons/view/HackThis

Exploit Coverup -- This plugin block players from known commands to crash your server.
http://addons.eventscripts.com/addons/view/exploit

IronWall -- Protects your game server from exploiters & hackers.
http://addons.eventscripts.com/addons/view/ironwall

Rcon LOCK -- Locks players from unloading the plugin and stops players changing your rcon password.
http://addons.eventscripts.com/addons/view/rcon_lock

Block crash -- Addon to stop players from using the reliable channel overflow exploit.
http://addons.eventscripts.com/addons/view/block_crash

Anti-cheat -- Addon to ban/kick players that use the unconnected exploit or sv_cheat 1
http://addons.eventscripts.com/addon.../es_anti-cheat

7) Do not add too many plugins or mods to your game server. If one of the plugins or mods has an exploit how will you know which one is? you may have to disable / enable all plugins & mods to know which one is the one with the exploit.

Do not give to anyone the Login Name / Password to your game server providers control panel.

9) Scan your computer regularly for viruses, key loggers, spyware... not only to proctect your rcon login / password but also to proctect your steam account from being stolen / hijacked.

10) Let me know what #10 is? If you know of a way to protect your game server and is not listed here share it with us.

The original can be found here: 10 things to protect your game server

[Dragonshadow]

This should go in sourcemod general, not extensions etc.

[Xp3r7]

Kigen's Anti-Cheat:
http://forums.alliedmods.net/showthread.php?t=72354

SourceOP DOS Attacker:
http://www.sourceop.com/modules.php?...download&cid=9

SRCDS DOS Protect (same as SourceOP but its a MetaMod plugin):
http://forums.alliedmods.net/showthread.php?t=95312

3 more that should be added.

Im sure there are others but its all I can think of right now.

[BrutalGoerge]

if you have linux, and shell access, nothing beats these iptables rules for rcon exploit protection
that way u block all tcp requests to the server, and have a white list of IP's that you allow to access rcon.

cmer is the one who originally posted it here.

eth0 assuming thats where ur internet lives

Code:

iptables -A INPUT -i eth0 -p tcp --dport 27015 -j DROP
iptables -A INPUT -i eth0 -p tcp --dport 27015 -s My_ip -j ACCEPT

iptables-save > /etc/sysconfig/iptables

[Hi, I'm John Smith]

I got confused from reading the description of the Rcon locker, as it says besides protecting the rcon password, it will also fix some exploits.

So can (or should) I use both Rcon locker and Kigen's Anti-Cheat? Or just either one of them?

Thanks!

[Xp3r7]

Yes, you can use them both at the same time.

I have for a long time with no problems.

[Sir Jake]

Quote:

Originally Posted by BrutalGoerge cmer is the one who originally posted it here. eth0 assuming thats where ur internet lives Code: iptables -A INPUT -i eth0 -p tcp --dport 27015 -j DROP iptables -A INPUT -i eth0 -p tcp --dport 27015 -s My_ip -j ACCEPT iptables-save > /etc/sysconfig/iptables

Shouldn't Accept be before drop?

[Timiditas]

Quote:

Originally Posted by BrutalGoerge if you have linux, and shell access, nothing beats these iptables rules for rcon exploit protection that way u block all tcp requests to the server, and have a white list of IP's that you allow to access rcon. cmer is the one who originally posted it here. eth0 assuming thats where ur internet lives Code: iptables -A INPUT -i eth0 -p tcp --dport 27015 -j DROP iptables -A INPUT -i eth0 -p tcp --dport 27015 -s My_ip -j ACCEPT iptables-save > /etc/sysconfig/iptables

This should have been built straight into the source engine!


/me wonders if this could be hacked in by an extension... most gameserver hosts do not allow shell access

[cmer]

If you have the opportunity to manage your firewalls there is also the rule

Code:

# Creation chaine rejet du flood udp 28
iptables -N REJECT_FLOOD28
iptables -A REJECT_FLOOD28 -j LOG --log-prefix 'IPTABLES-FLOOD LENGTH 28: ' --log-level info
iptables -A REJECT_FLOOD28 -j DROP

# Drop des flood longueur paquet sur UDP
iptables -A INPUT -i eth0 -p udp --dport 27015 -m length --length 28 -j REJECT_FLOOD28
iptables -A INPUT -i eth0 -p udp --dport 27025 -m length --length 28 -j REJECT_FLOOD28
iptables -A INPUT -i eth0 -p udp --dport 27050 -m length --length 28 -j REJECT_FLOOD28
iptables -A INPUT -i eth0 -p udp --dport 28000 -m length --length 28 -j REJECT_FLOOD28
iptables -A INPUT -i eth0 -p udp --dport 29000 -m length --length 28 -j REJECT_FLOOD28


# Creation chaine rejet du flood udp 46
iptables -N REJECT_FLOOD46
iptables -A REJECT_FLOOD46 -j LOG --log-prefix 'IPTABLES-FLOOD LENGTH 46: ' --log-level info
iptables -A REJECT_FLOOD46 -j DROP

# Drop des flood longueur paquet sur UDP
iptables -A INPUT -i eth0 -p udp --dport 27015 -m length --length 46 -j REJECT_FLOOD46
iptables -A INPUT -i eth0 -p udp --dport 27025 -m length --length 46 -j REJECT_FLOOD46
iptables -A INPUT -i eth0 -p udp --dport 27050 -m length --length 46 -j REJECT_FLOOD46
iptables -A INPUT -i eth0 -p udp --dport 28000 -m length --length 46 -j REJECT_FLOOD46
iptables -A INPUT -i eth0 -p udp --dport 29000 -m length --length 46 -j REJECT_FLOOD46

you have the ip of the people you DDOS in /var/log/message and someone will drop the firewalls