SRCDS Windows Firewall Security / Hardening
Since I noticed nobody has yet shared anything to do with IPsec or DoS on Windows, I thought I would be the first to share the security concepts and methods I use with the world, and hopefully open the door to others.
I have uploaded all the pictures I can, since the forum has capped me at 10 pictures, but it should be enough to help you out. Also, this is a server-level fix: if you are in fact under any form of distributed denial of service you are best to block it at a network level before it hits the server, preferably at the router or network adapters. (Contact your hosting provider if you do not have access to any of that; I am sure they will sort it out with the data center.)

F.A.Q (Frequently Asked Questions) :

What is the difference between a DoS attack and a DDoS attack ?

DoS (Denial of Service) : A DoS attack is a Denial of Service attack. This means that one computer and one internet connection is used to flood a server with packets (TCP / UDP). The point of such a denial of service attack is to overload the targeted server's bandwidth and other resources. This will make the server inaccessible to others, thereby blocking the website or whatever else is hosted there.

DDoS (Distributed Denial of Service) : A DDoS attack is a Distributed Denial of Service attack. In most respects it is similar to a DoS attack, but the results are much, much different. Instead of one computer and one internet connection, a DDoS attack utilizes many computers and many connections. The computers behind such an attack are often distributed around the whole world and will be part of what is known as a bot-net. The main difference between a DDoS attack and a DoS attack, therefore, is that the target server will be overloaded by hundreds or even thousands of requests in the case of the former, as opposed to just one attacker in the case of the latter. Therefore it is much, much harder for a server to withstand a DDoS attack as opposed to the simpler DoS incursion.
If you are under any form of DDoS I urge you to inform your hosting provider or datacenter to deal with the matter accordingly, since it cannot be stopped at a server or software level; DDoS attacks need to be blocked before they even hit the server, at a network level via the routers.

I will split this post up into stages because there are a lot of security methods here, a lot of references to plugins / addons for your servers and of course there are different versions of Windows Server. I will be giving instructions mainly for Windows Server 2008 and 2003. (But everything should also work with local LAN machines such as Windows 7, XP, Vista etc.)

Stage 1 : This is basically the setup for the rest of the configurations and settings that shall follow.

In your server.cfg the following commands are recommended for best security and stability of your server. Disable rcon (rcon does nothing special, and if you're running SourceMod you can use it to change cvars and values the same as rcon does via the use of sm_rcon ""). To disable rcon add this to your server.cfg file.
Code:
rcon_password ""
Code:
sv_pausable 0
Code:
sv_cheats 0

No doubt most people have already set srcds to reboot automatically upon a crash, but for other reasons and for your own help we will specify here a couple of ports so you know what ports your game server is running on. We will also add a few command line properties to increase the performance of our server. In your startup.bat/cmd file.
Code:
@echo off

Stage 2 : Now I know a lot of people like to turn their Windows Firewall off, but in my opinion it is the best bit of free kit at blocking ports, IP addresses and different types of incoming packets when you know how to use it.

Step 1 : Before enabling Windows Firewall or anything else we need to make sure we have a constant connection to our remote machine / server. For those who are doing this for LAN use, you should not have to follow this step if you do not use Windows Remote Desktop Protocol. NOTE : You may have to change the port if the remote desktop connection for your server uses a different port than the default. Go to Start >> Run >> CMD (Right click and run the command prompt as Administrator). Then enter the following commands.

Windows Server 2008
Code:
netsh advfirewall firewall add rule name="Remote Desktop Protocol" program=System profile=public,private,domain dir=in localport=3389 protocol=tcp action=allow Code:
Windows Server 2003
Code:
netsh firewall set portopening protocol=TCP port=3389 name="Remote Desktop Protocol" mode=ENABLE

Step 2 : The first thing to do is enable Windows Firewall. Go to Start >> Run >> CMD (Right click and run the command prompt as Administrator). Then enter the following commands.

Windows Server 2008
Code:
netsh advfirewall set allprofiles state on
(allprofiles turns the firewall on for the domain, private and public profiles at once. A server that is not joined to a domain runs in the public or private profile, so turning on the domain profile alone would leave the firewall off on the profile that is actually in use.)
Windows Server 2003
Code:
netsh firewall set opmode mode=enable profile=ALL

Step 3 : The first DoS attack to block is all incoming ICMP packets. (If you like to ping your server then don't follow this step.) Side note : You can change the protocol type to other formats that are unused by srcds, such as IGMP. Go to Start >> Run >> CMD (Right click and run the command prompt as Administrator). Then enter the following commands.

Windows Server 2008
Block all ICMPv4 requests :
Code:
netsh advfirewall firewall add rule name="All ICMP V4" protocol=icmpv4:any,any dir=in action=block

Block all ICMPv6 requests :
Code:
netsh advfirewall firewall add rule name="All ICMP V6" protocol=icmpv6:any,any dir=in action=block

Windows Server 2003
Block all ICMP requests :
Code:
netsh firewall set icmpsetting type=ALL mode=disable

Optional : (The following firewall rules are optional. All game server traffic is UDP and only rcon runs on TCP, so TCP and UDP are the only two packet types you should never block on your server.) Side note : Web hosting servers use TCP for transferring web traffic, including file downloads; if you are using your game server for web hosting as well, do not block TCP or port(s) "80,8080". The protocols below should be unused by everything and should be blocked on your server. (This prevents people sending packets to your server and using up resources to respond to them when the only data you are using is TCP and UDP.) I have excluded IPv6 since it won't be that long until IPv6 is used by most servers. (No point in blocking the future of the internet.)
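To make the firewall steps above repeatable, here is an added PowerShell example (written for this page, not code from the original post or from any tool it links) that applies Steps 1 to 3 and the optional protocol blocks in the safe order (RDP allowed before the firewall is switched on), and goes a little beyond them by also including the srcds rules from Steps 4 and 5 further down, so the whole rule set can be re-applied in one go and checked afterwards. It assumes Windows Server 2008 with English netsh output, an elevated PowerShell prompt, srcds.exe at C:\srcds\srcds.exe (change $SrcdsPath), game and SourceTV ports 27015 and 27020, and RDP on the default port 3389; the rule names are the ones used in the post.

```powershell
# Added example, not from the original post: apply the inbound rules from Steps 1 to 5
# in one idempotent pass and verify the result.
# Assumptions: Windows Server 2008, English netsh output, elevated PowerShell prompt.

$SrcdsPath = 'C:\srcds\srcds.exe'   # assumption: change to your install path
$GamePorts = '27015,27020'          # game port and SourceTV port (Step 5)
$RdpPort   = 3389                   # assumption: default RDP port (Step 1)

function Set-InboundRule {
    param([string]$Name, [string[]]$RuleArgs)
    # Delete any rule with the same name first so re-running never creates duplicates.
    netsh advfirewall firewall delete rule name="$Name" | Out-Null
    netsh advfirewall firewall add rule name="$Name" dir=in $RuleArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh failed to add rule '$Name'" }
}

function Test-InboundRule {
    param([string]$Name)
    $out = netsh advfirewall firewall show rule name="$Name" dir=in
    return ($LASTEXITCODE -eq 0) -and [bool]($out -match '^Enabled:\s+Yes')
}

# Step 1: keep remote management reachable before anything gets blocked.
Set-InboundRule 'Remote Desktop Protocol' @('program=System', 'profile=public,private,domain',
    "localport=$RdpPort", 'protocol=tcp', 'action=allow')

# Step 2: firewall on for every profile, inbound blocked by default.
netsh advfirewall set allprofiles state on | Out-Null
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound | Out-Null

# Step 3: drop ICMP (leave these two out if you want to ping the server).
Set-InboundRule 'All ICMP V4' @('protocol=icmpv4:any,any', 'action=block')
Set-InboundRule 'All ICMP V6' @('protocol=icmpv6:any,any', 'action=block')

# Optional: IP protocol numbers srcds never uses, as listed in the post.
$unused = @{ 'All IGMP' = 2; 'All GRE' = 47; 'All VRRP' = 112; 'All PGM' = 113; 'All L2TP' = 115 }
foreach ($entry in $unused.GetEnumerator()) {
    Set-InboundRule $entry.Key @("protocol=$($entry.Value)", 'action=block')
}

# Steps 4 and 5: no inbound TCP (rcon) to srcds at all, only the UDP game ports.
Set-InboundRule 'srcds block TCP' @('protocol=TCP', 'action=block', "program=$SrcdsPath")
Set-InboundRule 'srcds allow UDP' @('protocol=UDP', 'action=allow', "program=$SrcdsPath", "localport=$GamePorts")

# Verify: every rule exists and is enabled, and all profiles report State ON.
$expected = @('Remote Desktop Protocol', 'All ICMP V4', 'All ICMP V6',
              'srcds block TCP', 'srcds allow UDP') + @($unused.Keys)
foreach ($name in $expected) {
    $status = if (Test-InboundRule $name) { 'ok' } else { 'MISSING' }
    Write-Host ("{0,-8} {1}" -f $status, $name)
}
netsh advfirewall show allprofiles state
```

The delete-before-add in Set-InboundRule is what makes the script safe to run again after changing a port or path: netsh happily creates a second rule with the same name otherwise, and the stale one keeps matching. Run it over RDP only after confirming the first rule reports "ok", since everything after it blocks inbound traffic by default.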
Windows Server 2008
Block all IGMP requests : http://en.wikipedia.org/wiki/Interne...ement_Protocol
Code:
netsh advfirewall firewall add rule name="All IGMP" protocol=2 dir=in action=block
Block all GRE requests :
Code:
netsh advfirewall firewall add rule name="All GRE" protocol=47 dir=in action=block
Block all VRRP requests :
Code:
netsh advfirewall firewall add rule name="All VRRP" protocol=112 dir=in action=block
Block all PGM requests :
Code:
netsh advfirewall firewall add rule name="All PGM" protocol=113 dir=in action=block
Block all L2TP requests :
Code:
netsh advfirewall firewall add rule name="All L2TP" protocol=115 dir=in action=block

Step 4 : Securing srcds incoming ports and traffic. Now srcds uses a lot of different ports, but really you only need one port enabled in Windows Firewall and you can gain access to connect to your server and display it on the Steam master server list. (The rest of the traffic is outgoing, not incoming.) This will block all rcon hacks, attacks and exploits just by blocking the TCP (rcon) protocol for your srcds server. (The reason I do this is because I have rcon disabled and I use SourceMod for rcon related commands such as changing the sv_cheats value.) The following setting is recommended ONLY for those who have rcon disabled in their "server.cfg". NOTE : (Change the srcds location to your own.) Go to Start >> Run >> CMD (Right click and run the command prompt as Administrator).
Code:
netsh advfirewall firewall add rule name="srcds block TCP" protocol=TCP dir=in action=block program="C:\srcds\srcds.exe"

Step 5 : This is the same as the step above except we are allowing all incoming traffic on the specific UDP port of our game server. (Add extra ports if you need them for SourceTV, rcon etc.) NOTE : (Change the srcds location to your own.) Go to Start >> Run >> CMD (Right click and run the command prompt as Administrator).
Code:
netsh advfirewall firewall add rule name="srcds allow UDP" protocol=UDP dir=in action=allow program="C:\srcds\srcds.exe" localport=27015,27020

If you are having problems and error codes when blocking or specifying ports, then set "Block edge traversal" by right clicking the inbound rule in your Windows Firewall and going to Properties >> Advanced.

Stage 3 : Disabling server hanging / hung errors :

Usually when your game server crashes you get flagged the following error: "srcds.exe has stopped working. Windows can check online for a solution to the problem", and even after disabling error reporting you will get the following message: "srcds.exe has stopped working. A problem caused the program to stop working correctly. Please close the program". To fix this issue we do not have to disable error reporting, but I will include it as an optional setting for those who have no use for Windows error reports or logs. Another common srcds server error this will fix upon crash is the famous "threadtools.cpp" error; by rebooting the server automatically upon crashing it keeps server uptime at a maximum.

To disable Windows Error Reporting : (Optional setting) Go to Start >> Run >> CMD (Right click and run the command prompt as Administrator). Then enter the following command.
Code:
serverWerOptin /disable

Go to Start >> Run >> regedit (Right click and run the registry editor as Administrator).
Code:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Windows\ErrorMode
The default value data is 0 and we should change it to 2 to set all messages to be hidden.
Code:
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\DontShowUI
Set DontShowUI to 1 (DWORD) to hide the error dialog.

This next step is very long and extensive and will take some time applying all the settings recommended. If you are lazy and want the layman's way out I have provided a (.zip) archive that contains registry keys and a cmd/bat file that will allow you to execute and apply all these changes at once.

Download : http://forums.alliedmods.net/attachm...1&d=1341550118
http://www.dslreports.com/drtcp

Included in the download is a registry editing tool by SpeedGuide; this will allow you to optimize your server's registry all at once, tuning it for the best security and speed of your server. Since my server has a 100 Mb up and down speed that's what I have set it to, as displayed in the picture below, and the rest of the settings are optimal.

Windows Server 2008 TCP/IP Stack Registry Configuration Tweaks :

The following registry settings are to help harden your TCP/IP stack from denial of service SYN, ACK, TCP, UDP and ICMP attacks and throttling issues, as well as to reduce CPU load on the machine itself and leave the handling of incoming connections to the network cards / adapters. To change / edit the registry values go to Start >> Run >> regedit (Right click and run as Administrator).

Check the TCP/IP state

To check the current status of the Vista TCP/IP tweakable parameters, in an elevated command prompt type the following command:
Code:
netsh int tcp show global

The settings, as well as their default and recommended state, are explained below. The two most important tweakable parameters are "Auto-Tuning Level" and "Congestion Control Provider".
When checking the TCP state with the "netsh int tcp show global" command, it is also possible to see the following message below all those parameters:

** The above autotuninglevel setting is the result of Windows Scaling heuristics overriding any local/policy configuration on at least one profile.

It is displayed when the "Receive Window Auto-Tuning Level" is not explicitly set, or if the system deemed it necessary to make a change because of a user-prompted "repairing" of your network connection, for example.

Disable Windows Scaling heuristics

Windows Vista/7 has the ability to automatically change its own TCP window auto-tuning behavior to a more conservative state regardless of any user settings. It is possible for Windows to override the autotuninglevel even after a user sets their custom TCP auto-tuning level. When that behavior occurs, the "netsh int tcp show global" command displays the following message:

** The above autotuninglevel setting is the result of Windows Scaling heuristics

To prevent that behavior and enforce any user-set TCP window auto-tuning level, you should execute the following command:
Code:
netsh int tcp set heuristics disabled

Note this should be executed in an elevated command prompt (with admin privileges) before setting the autotuninglevel in the next section. If the command is accepted by the OS you will see an "Ok." on a new line. The corresponding registry value (not necessary to edit if setting via netsh) is located in:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
EnableWsd=0 (default: 1, recommended: 0)

TCP Auto-Tuning

To turn off the default RWIN auto-tuning behavior, (in an elevated command prompt) type:
Code:
netsh int tcp set global autotuninglevel=disabled

The default auto-tuning level is "normal", and the possible settings for the above command are disabled, highlyrestricted, restricted, normal and experimental:
disabled: uses a fixed value for the TCP receive window. Limits it to 64KB (limited at 65535).
Our recommendation: normal (unless you're experiencing problems).
If you're experiencing problems with your NAT router or SPI firewall, try the "restricted", "highlyrestricted", or even "disabled" state.

Notes:
- Reportedly, some older residential NAT routers with an SPI firewall may have problems with TCP auto-tuning enabled in its "normal" state, resulting in slow speeds, packet loss and reduced network performance in general.
- Auto-tuning also causes problems with really old routers that do not support TCP window scaling. See MSKB 935400.
- netsh set commands take effect immediately after executing; there is no need to reboot.
- Sometimes when using "normal" mode and long-lasting connections (p2p software / torrents), TCP windows can get very large and consume too many resources; if you're experiencing problems try a more conservative (restricted) setting.

If you're experiencing problems with auto-tuning, see also:
MSKB 835400 - email issues
MSKB 934430 - network connectivity behind firewall problems
MSKB 940646 - 3G WWAN throughput issues
MSKB 929868 - web browsing issues
MSKB 932170 - slow network file transfer

Compound TCP - Improve throughput

Add-On Congestion Control Provider

The traditional slow-start and congestion avoidance algorithms in TCP help avoid network congestion by gradually increasing the TCP window at the beginning of transfers until the TCP receive window boundary is reached, or packet loss occurs. For broadband internet connections that combine a high TCP window with higher latency (high BDP), these algorithms do not increase the TCP window fast enough to fully utilize the bandwidth of the connection. Compound TCP (CTCP) is a newer method, available in Vista and Server 2008 (there is also a hotfix available for XP x64 and 2003 Server - MSKB 949316). CTCP increases the TCP send window more aggressively for broadband connections (with large RWIN and BDP). CTCP attempts to maximize throughput by monitoring delay variations and packet loss.
It also ensures that its behavior does not impact other TCP connections negatively. By default, Vista and Windows 7 have CTCP turned off; it is only on by default under Server 2008. Turning this option on can significantly increase throughput and packet loss recovery.

To enable CTCP, in an elevated command prompt type:
Code:
netsh int tcp set global congestionprovider=ctcp

To disable CTCP:
Code:
netsh int tcp set global congestionprovider=none

Possible options are: ctcp, none, default (restores the system default value). Recommended setting: ctcp. It is better to use this newer generation CTCP congestion control algorithm for most broadband connections; we highly recommend it being turned on.

ECN Capability

ECN (Explicit Congestion Notification, RFC 3168) is a mechanism that provides routers with an alternate method of communicating network congestion. It is aimed at decreasing retransmissions. In essence, ECN assumes that the cause of any packet loss is router congestion. It allows routers experiencing congestion to mark packets and allow clients to automatically lower their transfer rate to prevent further packet loss. Traditionally, TCP/IP networks signal congestion by dropping packets. When ECN is successfully negotiated, an ECN-aware router may set a bit in the IP header (in the DiffServ field) instead of dropping a packet in order to signal congestion. The receiver echoes the congestion indication to the sender, which must react as though a packet drop were detected. ECN is disabled by default in Vista and other modern TCP/IP implementations, as it is possible that it may cause problems with some outdated routers that drop packets with the ECN bit set, rather than ignoring the bit. To check whether your router supports ECN, you can use the Microsoft Internet Connectivity Evaluation Tool. The results will be displayed under "Traffic Congestion Test".
To change ECN, in an elevated command prompt type:
Code:
netsh int tcp set global ecncapability=default

Notes: ECN is only effective in combination with an AQM (Active Queue Management) router policy. It has a more noticeable effect on performance with interactive connections and HTTP requests, in the presence of router congestion/packet loss. Its effect on bulk throughput with a large TCP window is less clear. Currently, we do not recommend enabling this setting, as reportedly it has a negative impact on throughput with some residential US ISPs. EA multiplayer games that require a profile logon do not support ECN either (you will not be able to log on).

RSS - Receive-side Scaling

The receive-side scaling setting enables parallelized processing of received packets on multiple processors, while avoiding packet reordering. It avoids packet reordering by separating packets into "flows", and using a single processor for processing all the packets for a given flow. Packets are separated into flows by computing a hash value based on specific fields in each packet, and the resulting hash values are used to select a processor for processing the flow. This approach ensures that all packets belonging to a given TCP connection will be queued to the same processor, in the same order that they were received by the network adapter.

To set RSS:
Code:
netsh int tcp set global rss=enabled

Possible rss settings are: disabled, enabled, default (restores the RSS state to the system default). Default state is: enabled. Recommended: enabled (if you have 2 or more processor cores and a NIC that can handle RSS).

TCP Chimney Offload

TCP Chimney Offload enables Windows to offload all TCP processing for a connection to a network adapter. Offloads are initiated on a per-connection basis. Compared to task offload, TCP Chimney Offload further reduces networking-related CPU overhead, enabling better overall system performance by freeing up CPU time for other tasks.
To set TCP Chimney Offload:
Code:
netsh int tcp set global chimney=enabled

The possible states are disabled, enabled, default (Vista), automatic (only Windows 7 and 2008 Server) as follows:
automatic - This default setting is only available under Windows 7 and 2008 Server; it is not available under Vista. It offloads if the connection is 10 GbE, has an RTT < 20ms, and the connection has exchanged at least 130KB of data. The device driver must also have TCP Chimney enabled.

Notes: Under Windows 7 and Server 2008 the "default" and the additional "automatic" parameter set the system to the same "automatic" state. For Chimney Offload to work, it needs to be enabled in both the OS and the NIC. To enable the "TCP Offloading" setting in your NIC, navigate to the Device Manager, under Network Adapters, in the Advanced tab, and check "Enabled" in the box next to the TCP offload entry.

Direct Cache Access (DCA)

Windows 7 and 2008 Server (but not Vista) add NETDMA 2.0 Direct Cache Access support. Direct Cache Access (DCA) allows a capable I/O device, such as a network controller, to deliver data directly into a CPU cache. The objective of DCA is to reduce memory latency and the memory bandwidth requirement in high bandwidth (Gigabit) environments. DCA requires support from the I/O device, system chipset, and CPUs.

To enable DCA:
Code:
netsh int tcp set global dca=enabled

It is also possible to enable this setting by editing the Windows registry instead of using netsh, as follows:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
EnableDCA=1 (DWORD, entry does not exist by default. Set to 1 to enable, 0 to disable)

Setting MTU

It is sometimes useful to view and set the MTU value for a specific network interface manually.
To view a list of active network interfaces and their MTU values in Vista using netsh, open a command prompt as administrator and execute the following command:
Code:
netsh interface ipv4 show subinterface

To change the MTU value of a specific network card, type the following in the command prompt:
Code:
netsh interface ipv4 set subinterface "network interface name" mtu=#### store=persistent

Where "network interface name" is your specific network adapter name as obtained above (or viewable under Network adapters), and mtu=#### is the desired MTU value. For example, if the name of your network card is "Wireless Network Connection" and you'd like to set its MTU to 1500, you'd have to type:
Code:
netsh interface ipv4 set subinterface "Wireless Network Connection" mtu=1500 store=persistent

Note: The maximum MTU value is usually 1500, and up to 1492 for PPPoE connections.

TCP 1323 Options

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Tcp1323Opts=1 (DWORD, entry created automatically by Windows when you run the "netsh int tcp set global autotuninglevel=..." command, set to 0 by default). Setting this seems to have no effect, since auto-tuning uses the TCP 1323 scale factor and changes it on the fly, disregarding this setting. Additional testing may be required to determine its effect if auto-tuning is turned off. Setting it to 1 is best for broadband connections.

NetDMA (TCPA)

NetDMA enables support for advanced direct memory access. In essence, it provides the ability to more efficiently move network data by minimizing CPU usage. NetDMA frees the CPU from handling memory data transfers between network card data buffers and application buffers by using a DMA engine.
Under Windows 7, NetDMA can be set directly using the netsh interface (not available under Vista):
Code:
netsh int tcp set global netdma=enabled

Under Vista/2008/7, you can set NetDMA/TCPA using the following registry parameter:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
EnableTCPA=1 (DWORD, not in registry by default. Set to 1 to enable, 0 to disable NetDMA)
Recommended setting is 1 (if not using Chimney Offload), zero otherwise. A new DWORD value may need to be created if not already present in the registry. For NetDMA to work, it must be enabled in BIOS, your CPU must support Intel I/O Acceleration Technology (I/OAT), and it does not work together with Chimney Offload.

Checksum Offloading (DisableTaskOffload)

This NDIS 5 setting allows for reducing CPU load by offloading some tasks required to maintain the TCP/IP stack to the network card. Theoretically, Windows should automatically detect capable network hardware. The tasks offloaded are as follows:

To change the checksum offloading setting in the Windows registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
DisableTaskOffload=0 (DWORD value, default: not set, recommended: 0=enable offload, 1=disable offload)

DefaultTTL

TTL can be safely left alone in many cases. It is a limit to the time and number of hops/routers a packet will travel before being discarded. A number that's too small risks packets being discarded before reaching their destination. A number that's too large (over 128) will cause a delay in when lost IP packets are discarded.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
DefaultTTL=64 (DWORD, set to a decimal value between 32 and 128. Recommended: 64)

TcpMaxDataRetransmissions

Determines how many times unacknowledged data (non-connect segment) is retransmitted before TCP aborts the connection. The retransmission timeout is doubled with each successive retransmission on a connection. It is reset when responses resume.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
TcpMaxDataRetransmissions=7 (DWORD, recommended: between 3 and 10, not present in registry by default)
Note: When not present in the registry, the default behavior is 255 retransmissions (5 in documentation).

SynAttackProtect

This undocumented setting provides protection against SYN denial of service (DoS) attacks. When enabled, connections time out sooner if a SYN attack is detected. When set to 1, TcpMaxDataRetransmissions can be lowered further.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
SynAttackProtect=1 (DWORD, recommended: 1, not present in registry by default)

Network Throttling Index

By default, Windows Vista/7 implements a network throttling mechanism to restrict the processing of non-multimedia network traffic to 10 packets per millisecond (a bit over 100 Mbits/second). The idea behind such throttling is that processing of network packets can be a resource-intensive task, and it may need to be throttled to give prioritized CPU access to multimedia programs. In some cases, such as Gigabit networks and some online games, for example, it may be beneficial to turn off such throttling altogether.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile
NetworkThrottlingIndex=ffffffff (DWORD, default: 10 hex, recommended: 10 hex for media sharing, ffffffff for gaming and max throughput, valid range: 1 through 70 decimal or ffffffff to completely disable throttling)
It is only recommended to change this setting in saturated Gigabit LAN environments, where you do not want to give priority to multimedia playback. Reportedly, disabling throttling by using ffffffff can also help reduce ping spikes in some online games.
Notes: Setting is available in Windows 7, Vista (SP1), 2008 Server. Default value is 10 under Windows 7, with similar behavior if the setting is not present in the registry.
Games that may be affected by this throttling: Source Engine games (TF2, Left 4 Dead, CS:S), HoN, CoD, Overlord series.

Set DNS and Hosts Priority

As with previous versions of Windows, one can improve DNS and hostname resolution by increasing the priority of the related services, while keeping their order. Lower numbers mean higher process priority. The corresponding registry settings in Vista are as follows:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider
LocalPriority=4 (DWORD, recommended: 4, default: 499) - local names cache
HostsPriority=5 (DWORD, recommended: 5, default: 500) - the HOSTS file
DnsPriority=6 (DWORD, recommended: 6, default: 2000) - DNS
NetbtPriority=7 (DWORD, recommended: 7, default: 2001) - NetBT name resolution, including WINS

TcpTimedWaitDelay (port allocation)

Short-lived (ephemeral) TCP/IP ports above 1024 are allocated as needed by the OS. The default Vista values have improved from previous Windows versions, and are usually sufficient under normal load. However, in some instances under heavy load it may be necessary to adjust the settings below to tweak the availability of user ports requested by an application. If the default limits are exceeded under heavy loads, the following error may be observed: "address in use: connect exception". By default under Vista (when the values are not present in the registry), the OS can allocate up to 16384 ephemeral ports above port 1024, and the OS waits for 120 seconds before reclaiming ports after an application closes the TCP connection. This is a considerable improvement over older Windows versions. However, if necessary, the following registry values can be added/edited:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
MaxUserPort=65534 (DWORD, not in the registry by default. Recommended: leave at default, or use a number above 16384 up to 65534 decimal as necessary) - maximum number of ports to use.
1024 is automatically subtracted from the entered value to allow for reserved ports under 1024.
TcpTimedWaitDelay=30 (DWORD, not present or 0xffffffff in registry by default. Recommended: 30 decimal, denoting 30 seconds) - time to wait before reclaiming ports, in seconds. Default time before reclaiming ports, if the value is at 0xffffffff or not present in the registry, is 120 seconds. Just reducing the delay is often sufficient without changing MaxUserPort, as it allows for reusing ports more efficiently.

Ephemeral ports can be checked and changed using netsh as well. To query the current values, in a command prompt, type:
Code:
netsh int ipv4 show dynamicportrange tcp
(for UDP, use the same command, replacing only "tcp" with "udp" at the end)

To set both the starting and max user port using netsh, in an elevated command prompt run:
Code:
netsh int ipv4 set dynamicportrange protocol=tcp start=1025 num=64511
(start=NNN denoting the starting port, and num=NNN denoting the number of ports)

Notes: By default, dynamic ports are allocated between ports 49152 and 65535 (for a total of 16384 ephemeral ports). Using netsh allows setting both the starting port and the port range. Editing the registry allows for setting the port range, and the starting port is fixed at 1025. Deleting the MaxUserPort registry entry (or setting it to a value outside the allowed range) causes the OS to revert to using the default values. Some system processes can install port filters to block certain port ranges. If ephemeral ports run into these filtered port ranges, TCP/IP applications will be unable to bind to any ports.

QoS Reserved Bandwidth

As with Windows XP, network adapters have a "QoS Packet Scheduler" enabled by default, which reserves 20% of bandwidth by default for QoS applications that request priority traffic. Note this only has effect in the presence of running QoS applications that request priority traffic. The registry value is undocumented for the Vista version of Windows.
To customize this setting, in the Windows registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Psched
NonBestEffortLimit=0 (DWORD, not present in the registry by default. Recommended: 0, possible values between 0 and 100) - indicates the percentage value of reserved bandwidth for QoS applications. Set to 0 to disable.
Notes: This tweak applies only to Windows versions that have the QoS Packet Scheduler enabled. It will ONLY have effect in the presence of running QoS applications.

Network Memory Allocation (Event ID 2017 error)

When using Windows Vista/7 to serve many/large files over the local network, it is possible to sometimes run into memory allocation errors related to the Windows share. This can happen with Linux, Mac, or Windows XP clients. When this happens, you can usually see the following error in the Event Viewer System log:
Source: srv
It is also possible to get an error indicating that: "Not enough server storage is available to process this command". To avoid those errors, you need to change the way Windows allocates memory for network services and file sharing. The settings below optimize the machine as a file server so it would allocate resources accordingly. There are two related registry settings:
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
LargeSystemCache=1 (DWORD, default value: 0, recommended value: 1)
A value of zero above establishes a cache of ~8 MB; a value of 1 allows the cache to expand to physical memory minus 4 MB, if needed.
HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Size=3 (DWORD, default value: 1, recommended value: 3)
Size=1 minimizes used memory
Size=2 balances used memory
Size=3 optimal setting for file sharing and network applications
Note: Even though this tweak is from older Windows server OSes, it works on workstation versions, as well as Windows Vista and 7 (32 and 64 bit).
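As an added example (written for this page, not part of the original post and not the SpeedGuide tool it links), the following PowerShell script applies the DoS-related registry values from the TCP/IP section above (SynAttackProtect, TcpMaxDataRetransmissions, EnableWsd, DefaultTTL, TcpTimedWaitDelay and NetworkThrottlingIndex) after saving the current values to a text file so they can be put back, runs the netsh global settings the section recommends (heuristics disabled, auto-tuning normal, CTCP on, ECN off), and then reads every registry value back to confirm it landed. It assumes Windows Server 2008, an elevated prompt and a writable $BackupFile; the values themselves are the ones given in the section.

```powershell
# Added example, not from the original post: back up, apply and verify the DoS-related
# TCP/IP stack values from the section above. Assumptions: Windows Server 2008,
# elevated PowerShell prompt, $BackupFile writable.

$BackupFile = "$env:TEMP\tcpip-tweaks-backup.txt"   # assumption: where the old values are saved
$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$mmsp  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile'

# Target values as recommended in the section above. PowerShell reads DWORDs back as
# Int32, so 0xffffffff is written and compared as -1.
$desired = @(
    @{ Path = $tcpip; Name = 'SynAttackProtect';          Value = 1  },
    @{ Path = $tcpip; Name = 'TcpMaxDataRetransmissions'; Value = 7  },
    @{ Path = $tcpip; Name = 'EnableWsd';                 Value = 0  },
    @{ Path = $tcpip; Name = 'DefaultTTL';                Value = 64 },
    @{ Path = $tcpip; Name = 'TcpTimedWaitDelay';         Value = 30 },
    @{ Path = $mmsp;  Name = 'NetworkThrottlingIndex';    Value = -1 }   # 0xffffffff
)

# Read one DWORD, or $null when the value does not exist yet.
function Get-RegDword {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Name
}

# Save the current value (or <absent>) of every target so the change can be undone.
function Save-TcpipValues {
    $lines = $desired | ForEach-Object {
        $cur = Get-RegDword $_.Path $_.Name
        if ($cur -eq $null) { $cur = '<absent>' }
        '{0}\{1}={2}' -f $_.Path, $_.Name, $cur
    }
    Set-Content -Path $BackupFile -Value $lines
}

# Write every target value, creating the key first if it is missing.
function Set-TcpipValues {
    foreach ($d in $desired) {
        if (-not (Test-Path $d.Path)) { New-Item -Path $d.Path -Force | Out-Null }
        Set-ItemProperty -Path $d.Path -Name $d.Name -Value $d.Value -Type DWord
    }
}

# Return the names of any target that does not hold the desired value after writing.
function Test-TcpipValues {
    $bad = @()
    foreach ($d in $desired) {
        if ((Get-RegDword $d.Path $d.Name) -ne $d.Value) { $bad += $d.Name }
    }
    return $bad
}

Save-TcpipValues
Set-TcpipValues

# netsh global settings from the section above; these take effect immediately.
netsh int tcp set heuristics disabled            | Out-Null
netsh int tcp set global autotuninglevel=normal  | Out-Null
netsh int tcp set global congestionprovider=ctcp | Out-Null
netsh int tcp set global ecncapability=disabled  | Out-Null

$bad = @(Test-TcpipValues)
if ($bad.Count -eq 0) { "all registry values applied; previous values saved to $BackupFile (reboot to activate)" }
else { "not applied: " + ($bad -join ', ') }
netsh int tcp show global
```

The registry part only takes effect after a reboot, which is why the script writes the backup first: if the server misbehaves afterwards, the old values are in $BackupFile to restore by hand with regedit or Set-ItemProperty. The netsh lines need no reboot, so the final "show global" already reflects them.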
Gaming Tweak - Disable Nagle's algorithm Disabling "nagling" allows for very small packets to be transferred immediately without delay. Note that disabling Nagle's algorithm is only recommended for some games, and it may have negative impact on file transfers/throughput. The dafault state (Nagling enabled) improves performance by allowing several small packets to be combined together into a single, larger packet for more efficient transmission. While this improves overall performance and reduces TCP/IP overhead, it may briefly delay transmission of smaller packets. Keep in mind that disabling Nagle's algorithm may have some negative effect on file transfers, and can only help reduce delay in some games. To implement this tweak, in the registry editor (Start>Run>regedit) find: This setting configures the maximum number of outstanding ACKs in Windows XP/2003/Vista/2008: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\S ervices\Tcpip\Parameters\Interfaces\{NIC-id} There will be multiple NIC interfaces listed there, for example: {1660430C-B14A-4AC2-8F83-B653E83E8297}. Find the correct one with your IP address listed. Under this {NIC-id} key, create a new DWORD value: TcpAckFrequency=1 (DWORD value, 1=disable, 2=default, 2-n=send ACKs if outstanding ACKs before timed interval. Setting not present by default). For gaming performance, recommended is 1 (disable). For pure throughput and data streaming, you can experiment with values over 2. If you try larger values, just make sure TcpAckFrequency*MTU is less than RWIN, since the sender may stop sending data if RWIN fills witout acknowledgement. 
Also, find the following key (if present): HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSMQ\Pa rameters Add a new DWORD value: TCPNoDelay=1 (DWORD value, 0 to enable Nagle's algorithm, 1 to disable, not present by default) To configure the ACK interval timeout (only has effect if nagling is enabled), find the following key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\S ervices\Tcpip\Parameters\Interfaces\{NIC-id} TcpDelAckTicks=0 (DWORD value, default=2, 0=disable nagling, 1-6=100-600 ms). Note you can also set this to 1 to reduce the nagle effect from the default of 200ms without disabling it. Set the desired new limit for TCP half-open connections The maximum simultaneous half-open (incomplete) outbound TCP connection attempts per second that the system can make, In the Windows Registry. Open the registry editor by clicking the Windows button > Run > type: regedit . You'd need to add a new DWORD value under the following key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\S ervices\Tcpip\Parameters TcpNumConnections=500 (DWORD value, not present by default. Recommended value is between 100 and 500). Stage 4 : Recommended plugins / Addons to fight hackers, laggers and malicious people who connect to your server : Drunken_F00l's | DAF (Dos Attack Fixer) Blocks exploits with specific "A2S" Packets in SRCDS. http://www.sourceop.com/modules.php?...p=getit&lid=37 asherkin | ServerSecure (Files only) - Server protection against the Upload / Download exploit. http://forums.alliedmods.net/showthread.php?t=142249 GoD-Tony | SourceMod Anti-Cheat - Prevents Hackers scripters spammers and cheaters. http://forums.alliedmods.net/showthread.php?p=1637640 Liam | HPK High Ping Kicker Lite Edition - Enforce a maximum ping upon players to prevent server lag. 
http://forums.alliedmods.net/showthread.php?p=701420 devicenull | Rcon Locker / Exploit Fixer (only works with "rcon_password" enabled) http://forums.alliedmods.net/showthread.php?p=841590 Forlix | Flood Checker - Prevents flooding / spamming of console chat and the server itself. http://forums.alliedmods.net/showthread.php?p=779851 How to get -autoupdate to work on Windows (Keeping your srcds server up to date) Dr.Mkay : http://forums.alliedmods.net/showthread.php?t=173487 C0nw0nk : https://forums.alliedmods.net/showthread.php?t=262294 KyleS | Create Edict Fixer http://forums.alliedmods.net/showthread.php?t=186830 Query Caching protecting the server from A2S_INFO DoS attacks Metamod version (ivailosp) | http://forums.alliedmods.net/showthread.php?t=135543 Sourcemod version (Zephyrus) | http://forums.alliedmods.net/showpos...&postcount=110 Downloadable Tools to help improve server performance, stability and security : Br5dy | https://forums.alliedmods.net/showthread.php?t=213461 Srcds and SteamCMD server manager and creator CCleaner - Brilliant tool for cleaning up system files and fixing registry issues compatible with windows server | http://www.piriform.com/ccleaner TCP Optimizer - Optimizing windows registry for security and perfomance against DDOS | http://forums.alliedmods.net/attachm...1&d=1341550118 DrTCP - Setting TCP Connection settings | http://www.dslreports.com/drtcp Resources and links : http://www.speedguide.net/articles/w...08-tweaks-2574 http://www.speedguide.net/articles/w...patch-for-2744 Microsoft windows server settings : http://support.microsoft.com/kb/947709 http://technet.microsoft.com/en-us/l...=ws.10%29.aspx http://msdn.microsoft.com/en-us/library/ff648853.aspx Valve srcds information : https://developer.valvesoftware.com/...dicated_Server https://developer.valvesoftware.com/wiki/Server_queries https://developer.valvesoftware.com/...d_Line_Options http://www.srcds.com/ Anti-DDoS Tools : QaasWall : (Windows Server Anti DDoS Firewall Free) 
http://sourceforge.net/projects/qaas...?source=navbar wipfw : (IPv4 packet filter and traffic shaper for Windows) http://sourceforge.net/projects/wipfw/?source=directory |
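An added example, not code from the post above or from any tool it links: one elevated PowerShell script that applies the registry and netsh values recommended in the post (TcpTimedWaitDelay, TcpNumConnections, NonBestEffortLimit, LargeSystemCache, Size, TCPNoDelay, the per-NIC TcpAckFrequency/TcpDelAckTicks and the dynamic port range), saving the previous values first so the change can be reverted instead of hand-editing each key in regedit. The server address 192.0.2.10 is an assumption; replace it with the IP the game server binds to so the right {NIC-id} key is picked.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell on Vista/2008 or later;
# the registry values take effect after a reboot.
$ServerIp = '192.0.2.10'   # assumed: the address SRCDS listens on (documentation range)
$Tcpip    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$Tweaks = @(
    @{ Key = $Tcpip; Name = 'TcpTimedWaitDelay'; Value = 30 },   # reclaim TIME_WAIT ports after 30 s
    @{ Key = $Tcpip; Name = 'TcpNumConnections'; Value = 500 },  # half-open connection limit
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Psched'; Name = 'NonBestEffortLimit'; Value = 0 },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'; Name = 'LargeSystemCache'; Value = 1 },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Name = 'Size'; Value = 3 },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\MSMQ\Parameters'; Name = 'TCPNoDelay'; Value = 1 }
)

# The Nagle settings live under Interfaces\{GUID}. Pick the GUID(s) that carry $ServerIp
# (static IPAddress or DhcpIPAddress) rather than searching for them by hand.
foreach ($iface in Get-ChildItem "$Tcpip\Interfaces") {
    $p = Get-ItemProperty $iface.PSPath
    if (($p.IPAddress -contains $ServerIp) -or ($p.DhcpIPAddress -eq $ServerIp)) {
        $Tweaks += @{ Key = $iface.PSPath; Name = 'TcpAckFrequency'; Value = 1 }
        $Tweaks += @{ Key = $iface.PSPath; Name = 'TcpDelAckTicks';  Value = 0 }
    }
}

# Save the current values (null = not present) so the change can be rolled back.
$Backup = Join-Path $env:TEMP ('tcpip-tweaks-{0:yyyyMMdd-HHmmss}.json' -f (Get-Date))
$Tweaks | ForEach-Object {
    $cur = (Get-ItemProperty -Path $_.Key -Name $_.Name -ErrorAction SilentlyContinue).($_.Name)
    [pscustomobject]@{ Key = $_.Key; Name = $_.Name; Before = $cur }
} | ConvertTo-Json | Set-Content -Path $Backup
Write-Host "Previous values saved to $Backup"

foreach ($t in $Tweaks) {
    if (-not (Test-Path $t.Key)) { New-Item -Path $t.Key -Force | Out-Null }   # Psched/MSMQ keys may be absent
    New-ItemProperty -Path $t.Key -Name $t.Name -Value $t.Value -PropertyType DWord -Force | Out-Null
}

# Ephemeral port range as recommended above (start 1025, 64511 ports), for both protocols.
foreach ($proto in 'tcp', 'udp') {
    netsh int ipv4 set dynamicportrange protocol=$proto start=1025 num=64511 | Out-Null
}
# Read the range back and list the reserved (filtered) ranges the wider window may now overlap,
# which is the bind failure the notes above warn about.
netsh int ipv4 show dynamicportrange tcp
netsh int ipv4 show excludedportrange protocol=tcp
```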
Re: SRCDS Windows Firewall Security / Hardening
Thank you for posting this C0nw0nk
|
Re: SRCDS Windows Firewall Security / Hardening
Very nice, but you might also want to show people how to keep remote admin working with the firewall on so they do not lock themselves out ^.^
|
Re: SRCDS Windows Firewall Security / Hardening
You're welcome guys, updated the post, finished adding pictures and set the first step of firewall tweaks to add Remote Desktop Protocol before turning on the firewall.
Added some command line parameters to increase security and performance as well as server configuration settings. Added specific packet types / protocols to be captured and blocked by Windows Firewall (included wiki links). |
Re: SRCDS Windows Firewall Security / Hardening
For anyone who wanted maximum security in windows firewall with one command this is the one for you.
Code:
netsh advfirewall firewall add rule name="All Protocol Block" protocol=any dir=in action=block
I use it on my gaming PC and laptops just to block all incoming traffic since they do not host anything; there is no need for them to accept any type of incoming connections.
//EDIT : Updates : Original post updated, added DrTCP link. http://www.dslreports.com/drtcp |
Re: SRCDS Windows Firewall Security / Hardening
2 Attachment(s)
Updated :
Added information on Disabling server hanging / hung errors (Servers should reboot automatically upon error or crash.) http://forums.alliedmods.net/attachm...1&d=1342876996 http://forums.alliedmods.net/attachm...1&d=1342877002 |
Re: SRCDS Windows Firewall Security / Hardening
You can just add this to the command line, -nocrashdialog, and set ErrorMode 2. I don't remember if I set ErrorMode 2, but I just use this; -nocrashdialog works just fine.
|
Re: SRCDS Windows Firewall Security / Hardening
Quote:
You can but if i remember correctly when i did this myself as well it just changed the error dialog to this. http://forums.alliedmods.net/attachm...1&d=1342877002 I may be wrong but i do remember using it before from the Valve command line wiki. https://developer.valvesoftware.com/...ine_parameters Anyway i added it to the start-up command line of the post just for those who don't follow registry settings. |
Re: SRCDS Windows Firewall Security / Hardening
very nice write up and tutorial for others to follow. The only thing I do differently is limit the RDP scope to my IPs for the PCs I use.
|
Re: SRCDS Windows Firewall Security / Hardening
Quote:
My recommendation for best RDP access security is to change the port or, depending on how many IP addresses your server has, set one and only one of them to be used by RDP. I have also updated the post to include some new addons for protection against SRCDS A2S_INFO DoS. |
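An added example, not code from any poster in this thread, of the block-by-default firewall setup the replies above discuss: keep remote admin reachable before anything is blocked, scope RDP to the admin address, and open only the game server ports. It uses the NetSecurity cmdlets (Windows 8 / Server 2012 or later) rather than netsh, and sets the profile default to block instead of adding an explicit block-all rule, because in Windows Firewall an explicit block rule takes precedence over any allow rule. The admin address, the game port and the RDP port are assumptions.

```powershell
# Added example (not from the thread). Elevated PowerShell, Windows 8 / Server 2012 or later.
$AdminIp  = '203.0.113.10'   # assumed admin workstation address (documentation range)
$RdpPort  = 3389             # assumed; change if RDP was moved to another port
$GamePort = 27015            # assumed SRCDS port; players use UDP, rcon uses TCP on the same port

# 1. Remote access first, and only from the admin address, so the lockout in the replies above cannot happen.
New-NetFirewallRule -DisplayName 'RDP from admin IP' -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort $RdpPort -RemoteAddress $AdminIp -Profile Any | Out-Null
# The built-in "Remote Desktop" group allows RDP from anywhere; disable it so only the scoped rule counts.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue | Disable-NetFirewallRule

# 2. Game traffic: UDP for players, TCP (rcon) limited to the admin address.
New-NetFirewallRule -DisplayName 'SRCDS game (UDP)' -Direction Inbound -Action Allow `
    -Protocol UDP -LocalPort $GamePort -Profile Any | Out-Null
New-NetFirewallRule -DisplayName 'SRCDS rcon (TCP)' -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort $GamePort -RemoteAddress $AdminIp -Profile Any | Out-Null

# 3. Everything else is dropped by the profile default. An explicit block-all rule (as in the
#    netsh one-liner earlier in the thread) would override the allow rules just created,
#    so the default inbound action is the right place for "block".
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

# 4. Verify what remains reachable and from where (built-in allow rules show up here too).
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    '{0,-30} {1,-5} {2,-8} from {3}' -f $_.DisplayName, $port.Protocol,
        ($port.LocalPort -join ','), ($addr.RemoteAddress -join ',')
}
```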