AlliedModders


devicenull 06-04-2009 14:53

Rcon locker / exploit fix
 
This plugin will prevent your rcon password from being changed. It uses whatever password you have set in server.cfg, and resetting the password will require the server to be updated in server.cfg, and then restarted.

This fixes the following exploits:
  • Executing harmful commands via ent_fire/ent_create if cheats are on
  • Around 10 or so commands that can be used to lag the server (adds the cheats flag to them)
  • Loading plugins clientside, allowing you to use cheat commands
  • Clients would be able to teleport, regardless of cheats/plugins on server.
  • If Mani is detected, spammable commands will be blocked (this will break nextmap functionality, but it's either that or risk server crashes)
  • Es_tools changelevel exploit
  • Cvar bounds are removed on sv_rcon_minfailures and sv_rcon_maxfailures. These are also set to 10,000 if they are not changed in your config file.
  • "unnamed" users will be kicked once they join.
  • Users with bell or % characters will be kicked when they join
  • Commands executed before a client has connected will be blocked.
  • Prevent logging from being disabled, if it is ever enabled while the plugin is active.
  • All commands on the server will be logged by default.

No configuration is needed for this plugin.

Note: This will leave your server vulnerable to brute force attacks, though that's easily fixed.. just use a secure rcon password. This was necessary to prevent a server crash that happens when a user is banned from accessing rcon.

To generate a secure rcon password go here. These passwords are randomly generated and change each time you refresh the page. If you use these, there are 62^24 possible passwords, so they won't be brute forced any time soon.


If you wish to disable the command logging functionality, create a file in addons/sourcemod/configs named rcon_lock.cfg. It doesn't matter what this file contains, as long as it exists it will be disabled.

I didn't want to add the ability to disable command logging as a cvar, as many rcon "hack" scripts already attempt to disable normal logs. Unless you are running old eventscripts plugins, you can safely leave command logging enabled.

If you are running 1.3 or higher, you want the "rcon_lock" plugin.

If you are running under 1.3, you want the "rcon_lock_legacy" plugin, or to upgrade sourcemod. Note that the legacy plugin is no longer being updated.
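Added example, not part of the original post or the plugin: a Python sketch that generates a 24-character password from the 62-symbol alphanumeric alphabet the post refers to and checks the `rcon_password` line of a server.cfg. The function names, the 80-bit threshold and the sample config are assumptions made for illustration.

```python
import math
import re
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # 62 symbols, as in the post
LENGTH = 24                                      # 62^24 possible passwords

def generate_rcon_password(length=LENGTH):
    """Draw every character from the OS CSPRNG (secrets), not random."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def entropy_bits(length=LENGTH, pool=len(ALPHABET)):
    """Entropy of a uniformly random password: length * log2(pool)."""
    return length * math.log2(pool)

# rcon_password "value" or rcon_password value; lines starting with // are skipped
_RCON_RE = re.compile(r'^\s*rcon_password\s+(?:"([^"]*)"|([^\s"/]+))', re.I)

def find_rcon_password(cfg_text):
    """Return the last rcon_password set in the cfg text, or None."""
    found = None
    for line in cfg_text.splitlines():
        m = _RCON_RE.match(line)
        if m:
            found = m.group(1) if m.group(1) is not None else m.group(2)
    return found

def audit(cfg_text, min_bits=80):
    """Flag a missing or guessable password. min_bits is an assumed threshold."""
    pw = find_rcon_password(cfg_text)
    if not pw:
        return ["rcon_password is not set or empty"]
    # Upper bound only: assumes characters were chosen at random from the
    # classes present, so a dictionary word scores higher than it deserves.
    pool = sum(size for size, cls in ((26, string.ascii_lowercase),
               (26, string.ascii_uppercase), (10, string.digits))
               if any(c in cls for c in pw))
    pool += 32 if any(c in string.punctuation for c in pw) else 0
    bits = entropy_bits(len(pw), pool) if pool else 0.0
    if bits < min_bits:
        return [f"rcon_password has at most {bits:.0f} bits; want >= {min_bits}"]
    return []

# Constructed sample server.cfg, not taken from the thread.
SAMPLE_CFG = 'hostname "Test server"\n// rcon_password "old"\nrcon_password "changeme"\n'

if __name__ == "__main__":
    print(audit(SAMPLE_CFG))
    print(f'rcon_password "{generate_rcon_password()}"  # {entropy_bits():.1f} bits')
```
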

Inflikted 06-05-2009 00:00

Re: Rcon locker / exploit fix
 
Which exploit is this prevalent in? CSS.. TF2 or all Source games. Not that I want to hack people :) just want to know if I need the protection for my servers

bl4nk 06-05-2009 00:08

Re: Rcon locker / exploit fix
 
This will work for all Source games.

DontWannaName 06-05-2009 00:27

Re: Rcon locker / exploit fix
 
So this is only needed if we run an addon that messes with rcon? Be specific with who needs to use this, I'm pretty sure I don't since I run just SM and plugins added by me.

Chris-_- 06-05-2009 06:48

Re: Rcon locker / exploit fix
 
Quote:

Originally Posted by DontWannaName (Post 841942)
So this is only needed if we run an addon that messes with rcon? Be specific with who needs to use this, I'm pretty sure I don't since I run just SM and plugins added by me.

Quote:

Also, this plugin will prevent people from adding admins or shutting down the server using the ent_fire exploits.
If you at some point activate sv_cheats 1 on a server of yours, and someone runs an exploit based on that command then you might want to have this on :p

santaclaus 06-05-2009 12:30

Re: Rcon locker / exploit fix
 
Quote:

Originally Posted by Chris-_- (Post 842072)
If you at some point activate sv_cheats 1 on a server of yours, and someone runs an exploit based on that command then you might want to have this on :p

Is that info true?
Do you mean that only those who put sv_cheats as 1 need this?

devicenull 06-05-2009 13:23

Re: Rcon locker / exploit fix
 
If sv_cheats 1 is activated, players can execute rcon commands. This attempts to prevent them from doing permanent damage with it, but.. you still shouldn't turn cheats on.

As far as the rcon exploit, it seems to be confined to servers running a malicious plugin.

Chris-_- 06-05-2009 17:06

Re: Rcon locker / exploit fix
 
santaclaus:

Quote:

Originally Posted by devicenull (Post 842360)
If sv_cheats 1 is activated, players can execute rcon commands. This attempts to prevent them from doing permanent damage with it, but.. you still shouldn't turn cheats on.


devicenull 06-10-2009 14:06

Re: Rcon locker / exploit fix
 
Updated to v0.2, fixes a bunch more exploits.

BAILOPAN 06-10-2009 14:10

Re: Rcon locker / exploit fix
 
Nice work, devicenull.


All times are GMT -4.