devicenull
Veteran Member
Join Date: Mar 2004
Location: CT
06-04-2009, 14:53   Rcon locker / exploit fix

This plugin will prevent your rcon password from being changed. It uses whatever password you have set in server.cfg, and resetting the password will require the server to be updated in server.cfg, and then restarted.

This fixes the following exploits:
  • Executing harmful commands via ent_fire/ent_create if cheats are on
  • Around 10 or so commands that can be used to lag the server (adds the cheats flag to them)
  • Loading plugins clientside, allowing you to use cheat commands
  • Clients would be able to teleport, regardless of cheats/plugins on server.
  • If Mani is detected, spammable commands will be blocked (this will break nextmap functionality, but it's either that or risk server crashes)
  • Es_tools changelevel exploit
  • Cvar bounds are removed on sv_rcon_minfailures and sv_rcon_maxfailures. These are also set to 10,000 if they are not changed in your config file.
  • "unnamed" users will be kicked once they join.
  • Users with bell or % characters will be kicked when they join
  • Commands executed before a client has connected will be blocked.
  • Prevent logging from being disabled, if it is ever enabled while the plugin is active.
  • All commands on the server will be logged by default.

No configuration is needed for this plugin.

Note: This will leave your server vulnerable to brute force attacks, though that's easily fixed: just use a secure rcon password. This was necessary to prevent a server crash that happens when a user is banned from accessing rcon.

To generate a secure rcon password go here. These passwords are randomly generated and change each time you refresh the page. If you use these, there are 62^24 possible passwords, so they won't be brute forced any time soon.


If you wish to disable the command logging functionality, create a file in addons/sourcemod/configs named rcon_lock.cfg. It doesn't matter what this file contains, as long as it exists it will be disabled.

I didn't want to add the ability to disable command logging as a cvar, as many rcon "hack" scripts already attempt to disable normal logs. Unless you are running old eventscripts plugins, you can safely leave command logging enabled.

If you are running 1.3 or higher, you want the "rcon_lock" plugin.

If you are running under 1.3, you want the "rcon_lock_legacy" plugin, or to upgrade sourcemod. Note that the legacy plugin is no longer being updated.
Attached Files
rcon_lock.sp (22127 views, 13.2 KB)
rcon_lock_legacy.sp (7837 views, 10.4 KB)
__________________
Various bits of semi-useful code in a bunch of languages: http://code.devicenull.org/

Last edited by devicenull; 06-01-2010 at 20:52.
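An added sketch of the mechanism the post describes (pinning rcon_password to the server.cfg value, lifting the sv_rcon_*failures bounds, and the rcon_lock.cfg logging switch); this is not the plugin's own source, which is in the attached rcon_lock.sp. It is SourcePawn in the SourceMod 1.x syntax and assumes only standard SourceMod natives; the LiftUpperBound helper and the log texts are my own names.

```sourcepawn
#include <sourcemod>

new Handle:g_hRcon = INVALID_HANDLE;
new String:g_sLockedRcon[128];
new bool:g_bLocked = false;

public OnPluginStart()
{
    g_hRcon = FindConVar("rcon_password");
    // Drop the upper bounds so the owner can set these as high as wanted.
    LiftUpperBound("sv_rcon_minfailures");
    LiftUpperBound("sv_rcon_maxfailures");
    // Command logging stays on unless configs/rcon_lock.cfg exists;
    // its contents are irrelevant, only its presence matters.
    decl String:path[PLATFORM_MAX_PATH];
    BuildPath(Path_SM, path, sizeof(path), "configs/rcon_lock.cfg");
    if (!FileExists(path))
        AddCommandListener(OnAnyCommand); // no command name = every command
}

// server.cfg runs on map load, after OnPluginStart, so the password is
// captured here, once, and then pinned for the rest of the session.
public OnConfigsExecuted()
{
    if (g_bLocked || g_hRcon == INVALID_HANDLE) return;
    GetConVarString(g_hRcon, g_sLockedRcon, sizeof(g_sLockedRcon));
    HookConVarChange(g_hRcon, OnRconChanged);
    g_bLocked = true;
}

public OnRconChanged(Handle:convar, const String:oldValue[], const String:newValue[])
{
    if (StrEqual(newValue, g_sLockedRcon)) return; // our own revert below
    SetConVarString(convar, g_sLockedRcon);        // re-enters once, then stops
    LogMessage("Blocked an attempt to change rcon_password");
}

public Action:OnAnyCommand(client, const String:command[], argc)
{
    decl String:args[256];
    GetCmdArgString(args, sizeof(args));
    // Never write a password attempt into the log file itself.
    if (StrEqual(command, "rcon_password", false)) args[0] = '\0';
    LogMessage("[cmd] %L: %s %s", client, command, args);
    return Plugin_Continue;
}

LiftUpperBound(const String:cvarName[])
{
    new Handle:hCvar = FindConVar(cvarName);
    if (hCvar != INVALID_HANDLE) SetConVarBounds(hCvar, ConVarBound_Upper, false);
}
```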