Source Servers Security Guide
Hi, I've decided to write a security guide for gameservers in the hope of helping new people around the community with some advice on preventing DDoS, exploits, etc.
If you know anything that could be added to this guide, please let me know and leave a reply here.

Summary:
1) Fastdownload setup
2) Rcon hacking attempt / DoS
3) [CSGO] Server Lagger Exploit Security Patch [3/7/2020]
4) [CSGO] Server Lagger Exploit Security Patch [5/28/2021]
5) [Root access needed] Rcon (27015/tcp) DoS
6) [Root access needed] IP rate limiting error / A2S (aka VSE) DoS attack
7) NetMessages crasher exploit

1. Fastdownload setup
If you are using a fastdownload (aka downloadurl), most people will usually put "sv_allowdownload 1" and "sv_allowupload 1". Those settings don't affect fastdl; it is recommended to keep them on 0 (disabled) because of the game exploits people can use through them. Should be put inside the file "server.cfg".
Message in console you get when this exploit is used:
Code:
CreateFragmentsFromFile: '.txt' doesn't exist.
Code:
// FastDownload
sv_allowdownload 0
sv_allowupload 0

2. Rcon hacking attempt / DoS
If you are using rcon (and most probably you do), I recommend limiting the number of wrong rcon passwords allowed in a period of time. Should be put inside the file "server.cfg". Here are my settings:
Code:
// Rcon hacking attempt / DoS

3. [CSGO] Server Lagger Exploit Security Patch [3/7/2020]
This is an exploit that usually makes your server laggy and your console spam this error: IPADDRESS:PORT:reliable state invalid (0).
Solution is here: https://forums.alliedmods.net/showthread.php?p=2686176

4. [CSGO] Server Lagger Exploit Security Patch [5/28/2021]
This plugin patches a DoS exploit that increases pings on the server.
https://forums.alliedmods.net/showthread.php?t=332721

Attention! The next guides can be done only if you have root access to the dedicated server. If you have a simple gamehost package you can't do this.

5. [Root access needed] Rcon (27015/tcp) DoS
As backwards recommends too (https://forums.alliedmods.net/showthread.php?p=2730982), it's good practice to cut down port 27015/tcp (it will affect only rcon) and give access only to some whitelisted IPs (for example your webhost, for sourcebans, etc). You can do this via a firewall or simply using iptables. Example of iptables rules:
Code:
/usr/sbin/iptables -A INPUT -p tcp --dport 27015 -j DROP # DROP PORT 27015/TCP

6. [Root access needed] IP rate limiting error / A2S (aka VSE) DoS attack
Maybe you've seen this error in your console:
Code:
IP rate limiting client xxxxxx:29823 at 305 hits (14 buckets, 136 global count).
The fix is caching the A2S query response instead of asking the gameserver every time someone requests it.
Why not rate limiting, i.e. limiting the response to 1 request/second for each IP address? Well, you can't, since most of the A2S DDoS scripts use spoofed IP addresses (https://en.wikipedia.org/wiki/IP_address_spoofing).
hyperxpro built a good cacher in Java: https://github.com/hyperxpro/SourceEngineQueryCacher [isn't finished at the moment]
Note: You will need to run a cacher for each gameserver you have. I will show you how to do it.
1. Please install the latest version of Java 11 on your system. A search on Google will help you with this, since there are thousands of tutorials about it.
2. You will have to redirect all A2S traffic from port 27015 to the cacher's port to handle the queries. The easiest way is to do it via iptables:
Code:
# server 1
3. At the moment, the latest version is not finished and doesn't work in CSGO. I recommend using this one instead; log4j is fixed too. https://github.com/xSL0W/SourceEngineQueryCacher
Download both the source and the java file. From the source code archive you only need Cacher.conf.
4. Once you have both Cacher.conf and SourceEngineQueryCacher-1.6.6.jar we can start configuring. Open Cacher.conf:
Code:
Threads=2
5. Once you have saved the file you can run the cacher. If you want to run it in the background you can use screen. https://linuxize.com/post/how-to-use-linux-screen/
Code:
screen -S cacher1
You could also try using my config; security might be improved:
Code:
Threads=8 # Your number of CPU Threads
6. You can also do a cronjob to automatically start everything on server reboot.
Code:
crontab -e
Code:
# server 1

7. NetMessages crasher exploit
There is a server crasher exploit that sends a lot of netmessage packets in a tick, and the server spends too much time processing them. The solution is to limit packets per client using the convar "net_chan_limit_msec". As far as I know, limiting to 100 packets/tick seems a reasonable value. More testing is needed, so I recommend you monitor your server.
- In server.cfg:
Code:
net_chan_limit_msec "100"
Reference:
https://blog.counter-strike.net/inde...2019/07/24922/
https://www.unknowncheats.me/forum/c...asher-fix.html
Last update: 25/11/2021 |
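Section 5 only shows the DROP rule; the whitelist it describes has to be loaded before that DROP or your own webhost loses rcon too. The script below is an added example, not part of the original post: it builds the full rule set for a list of allowed addresses (the addresses are placeholders), validates each entry, inserts the ACCEPT rules at the top of INPUT and appends the DROP last. It prints the commands by default and only executes them when run with APPLY=1.

```shell
#!/bin/sh
# Added example (not from the original post): iptables rule set for
# rcon (27015/tcp) with a whitelist, as described in section 5 of the guide.
# The addresses in ALLOW are placeholders; replace them with your webhost,
# SourceBans host, etc. Rules are printed by default; APPLY=1 executes them.

IPTABLES=/usr/sbin/iptables
RCON_PORT=27015

# rcon_rules "<space separated allow list>"
# Prints one iptables command per line. ACCEPT rules are inserted (-I) at
# the top of INPUT so they match before the DROP, which is appended (-A).
rcon_rules() {
    allow_list=$1
    for ip in $allow_list; do
        # Refuse anything that is not digits, dots or a /prefix so a typo
        # cannot turn into a rule that matches nothing (or everything).
        case "$ip" in
            *[!0-9./]*|"") echo "invalid address: $ip" >&2; return 1 ;;
        esac
        echo "$IPTABLES -I INPUT -p tcp --dport $RCON_PORT -s $ip -j ACCEPT"
    done
    echo "$IPTABLES -A INPUT -p tcp --dport $RCON_PORT -j DROP # DROP PORT $RCON_PORT/TCP"
}

# Placeholder allow list (documentation ranges): webhost and admin network.
ALLOW="203.0.113.10 198.51.100.0/24"

if [ "${APPLY:-0}" = "1" ]; then
    rcon_rules "$ALLOW" | sh
else
    rcon_rules "$ALLOW"
fi
```

After applying, check the order with `iptables -L INPUT -n --line-numbers`: every ACCEPT for port 27015 must have a lower line number than the DROP, otherwise the whitelist is dead code.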
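Steps 2, 5 and 6 of section 6 (the iptables redirect, the screen session and the @reboot cronjob) have to be repeated for every gameserver, because each one needs its own cacher. The script below is an added example and is not code from the post or from the SourceEngineQueryCacher project. It assumes one cacher per server listening on game port + 1000, the jar and Cacher.conf in /opt/cacher/<name>/, and it uses iptables' string match so that only A2S_INFO queries (payload FF FF FF FF, 'T', "Source Engine Query", NUL) are diverted to the cacher while normal game traffic on the same UDP port is left alone; whether the project's own instructions use exactly this match is an assumption, so compare with its README.

```shell
#!/bin/sh
# Added example (not from the original post or the cacher project): generate
# the per-server setup from section 6 for several gameservers at once.
# Assumptions: cacher port = game port + 1000, files in /opt/cacher/<name>/,
# and a payload match so only A2S_INFO queries are redirected.

IPTABLES=/usr/sbin/iptables
CACHER_ROOT=/opt/cacher
JAR=SourceEngineQueryCacher-1.6.6.jar

# A2S_INFO request: FF FF FF FF 54 "Source Engine Query" 00, in iptables
# --hex-string notation.
A2S_INFO_HEX='|ffffffff54536f7572636520456e67696e6520517565727900|'

# Constructed server list: "<screen name> <game udp port>" per line.
SERVERS='cacher1 27015
cacher2 27016'

cacher_port() { echo $(( $1 + 1000 )); }

# redirect_rule <name> <gameport>: NAT rule diverting A2S_INFO queries that
# arrive on the game port to that server's cacher on the same host. REDIRECT
# keeps connection tracking, so replies appear to come from the game port.
redirect_rule() {
    echo "$IPTABLES -t nat -A PREROUTING -p udp --dport $2 -m string --algo bm --hex-string '$A2S_INFO_HEX' -j REDIRECT --to-ports $(cacher_port "$2") # $1"
}

# start_cmd <name>: detached screen session running that server's cacher
# from its own directory so it reads its own Cacher.conf.
start_cmd() {
    echo "screen -dmS $1 sh -c 'cd $CACHER_ROOT/$1 && exec java -jar $JAR'"
}

# cron_line <name>: crontab entry that restarts the cacher after a reboot.
cron_line() { echo "@reboot $(start_cmd "$1")"; }

# setup_plan: one redirect rule and one cron line per server. Review the
# output, then feed the iptables lines to sh and the @reboot lines to crontab.
setup_plan() {
    echo "$SERVERS" | while read -r name port; do
        [ -n "$name" ] || continue
        redirect_rule "$name" "$port"
        cron_line "$name"
    done
}

setup_plan
```

If a server disappears from the Steam server browser after this, the first thing to check is whether the cacher for that port is actually running and whether Cacher.conf points it at the right game port; a redirect rule with no listener behind it silently swallows every A2S_INFO query.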
Re: Source Servers Security Guide
Added #7 guide -> NetMessages crasher exploit
|
Re: Source Servers Security Guide
Good guide, will probably help a lot of people, thanks xSLOW
|
Re: Source Servers Security Guide
Updated #6 - Source Query Cacher (for a2s attacks)
Please install the new files to avoid log4j attacks and make it compatible with a2s challenges. |
Re: Source Servers Security Guide
Actually loving this, hope you can continue this thread when needed. :up:
|
Re: Source Servers Security Guide
6. Ip rate limitting error / A2S (aka VSE) DoS attack
works fine on one of my dedicated servers; on my second dedicated server the CSGO server on port 27015 becomes invisible in Steam and connecting is not possible when the cacher is running (I do the same as on dedicated 1). |
Re: Source Servers Security Guide
[Root access needed] Ip rate limitting error / A2S (aka VSE) DoS attack
After doing this I can no longer see my servers in the community servers list. How do I fix this? |
Re: Source Servers Security Guide
Please install my version and read the github thread.
Attention! This version doesn't support A2S Challenges yet, you need to use the LEGACY A2S Protocol:
Code:
nano /etc/environment
# paste and save:
STEAM_GAMESERVER_A2S_INFO_STRICT_LEGACY_PROTOCOL=1
# AND RESTART CSGO SERVER
https://github.com/xSL0W/SourceEngineQueryCacher |