Source Servers Security Guide
Author: xSLOW (Senior Member; Join Date: Apr 2019; Location: Romania)
Posted 11-13-2021, 19:21

Hi, I've decided to write a security guide for game servers in the hope of helping new people around the community with some advice to prevent DDoS, exploits, etc.
If you know anything that could be added to this guide, please let me know and leave a reply here.

Summary:
1) Fastdownload setup
2) Rcon hacking attempt / DoS
3) [CSGO] Server Lagger Exploit Security Patch [3/7/2020]
4) [CSGO] Server Lagger Exploit Security Patch [5/28/2021]
5) [Root access needed] Rcon (27015/tcp) DoS
6) [Root access needed] IP rate limiting error / A2S (aka VSE) DoS attack
7) NetMessages crasher exploit

1. Fastdownload setup

If you are using a fastdownload (aka downloadurl), most people will usually put "sv_allowdownload 1" and "sv_allowupload 1". Those settings don't affect FastDL; it's recommended to keep them on 0 (disabled) because of the game exploits people can use.
This should be put inside the file "server.cfg".

Message in console you get when this exploit is used:
Code:
CreateFragmentsFromFile: '.txt' doesn't exist.
Good settings:
Code:
// FastDownload
sv_allowupload 0
sv_allowdownload 0
sv_downloadurl "mysite.com/fastdl"
If the problem still persists, this might be a fix too: https://forums.alliedmods.net/showthread.php?t=317120

2. Rcon hacking attempt / DoS

If you are using rcon (and most probably you do), I recommend limiting the number of wrong rcon passwords allowed in a period of time.
This should be put inside the file "server.cfg".
Here are my settings:
Code:
// Rcon hacking attempt / DoS
sm_cvar sv_rcon_banpenalty 5
sm_cvar sv_rcon_maxfailures 10
sm_cvar sv_rcon_minfailures 5
sm_cvar sv_rcon_minfailuretime 30
I recommend you check the list of cvars explained; don't just copy-paste everything from this, try your own settings too: https://developer.valvesoftware.com/...of_CS:GO_Cvars

3. [CSGO] Server Lagger Exploit Security Patch [3/7/2020]

This is an exploit that usually makes your server laggy and makes your console spam this error:
IPADDRESS : PORT:reliable state invalid (0)..
The solution is here: https://forums.alliedmods.net/showthread.php?p=2686176

4. [CSGO] Server Lagger Exploit Security Patch [5/28/2021]

This plugin patches a DoS exploit that increases pings on the server.
https://forums.alliedmods.net/showthread.php?t=332721

Attention! The next guides can only be done if you have root access to the dedicated server. If you have a simple game host package you can't do this.

5. [Root access needed] Rcon (27015/tcp) DoS

As backwards recommends too ( https://forums.alliedmods.net/showthread.php?p=2730982 ), it's good practice to cut down port 27015/tcp (it will affect only rcon) and give access only to some whitelisted IPs (for example your webhost, for SourceBans, etc.).

You can do this via a firewall or simply using iptables.
Example of iptables rules:
Code:
/usr/sbin/iptables -A INPUT -p tcp --dport 27015 -j DROP  # DROP PORT 27015/TCP
/usr/sbin/iptables -I INPUT -p tcp -s YOUR_IP --dport 27015 -j ACCEPT  # allow specific ip on this port
You can do the same for MySQL if you want. Nobody other than you should try to connect to your database.

6. [Root access needed] IP rate limiting error / A2S (aka VSE) DoS attack

Maybe you've seen this error in your console:

Code:
IP rate limiting client xxxxxx:29823 at 305 hits (14 buckets, 136 global count).
IP rate limiting client xxxxxx:6479 at 310 hits (14 buckets, 136 global count).
IP rate limiting client xxxxxx:24293 at 301 hits (17 buckets, 116 global count).
IP rate limiting client xxxxxx:35475 at 304 hits (17 buckets, 106 global count).
IP rate limiting client xxxxxx:30688 at 308 hits (16 buckets, 90 global count).
This could be a DoS attack if your server becomes unresponsive. Here's one of the solutions:
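As an added illustration (not part of the original post): a small Python parser for the console lines above, with a heuristic that flags a burst when several distinct sources each hit the limiter. The sample lines copy the masked output shown above and the thresholds are constructed for the demo.

```python
import re
from collections import Counter

# Constructed sample: the masked console lines from the post, one per source port.
SAMPLE_LOG = """\
IP rate limiting client xxxxxx:29823 at 305 hits (14 buckets, 136 global count).
IP rate limiting client xxxxxx:6479 at 310 hits (14 buckets, 136 global count).
IP rate limiting client xxxxxx:24293 at 301 hits (17 buckets, 116 global count).
IP rate limiting client xxxxxx:35475 at 304 hits (17 buckets, 106 global count).
IP rate limiting client xxxxxx:30688 at 308 hits (16 buckets, 90 global count).
"""

# Field layout of the engine's "IP rate limiting" message as it appears above.
LINE_RE = re.compile(
    r"IP rate limiting client (?P<ip>\S+):(?P<port>\d+) at (?P<hits>\d+) hits "
    r"\((?P<buckets>\d+) buckets, (?P<global>\d+) global count\)\."
)


def parse_rate_limit_lines(text):
    """Return one dict per matching console line; lines that don't match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            records.append({k: (v if k == "ip" else int(v)) for k, v in m.groupdict().items()})
    return records


def flood_summary(records, min_hits=300, min_sources=3):
    """Heuristic (assumed thresholds): many distinct ip:port sources each at or above
    min_hits in one log window looks like a query flood rather than one noisy client."""
    by_source = Counter((r["ip"], r["port"]) for r in records if r["hits"] >= min_hits)
    distinct = len(by_source)
    return {
        "distinct_sources": distinct,
        "max_hits": max((r["hits"] for r in records), default=0),
        "suspected_flood": distinct >= min_sources,
    }
```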

- Caching the A2S query response instead of asking the game server every time someone requests it.
Why not rate limiting? Limit the response to 1 request/second for each IP address. Well, you can't, since most of the A2S DDoS scripts use spoofed IP addresses ( https://en.wikipedia.org/wiki/IP_address_spoofing ).
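Added example, not the post's code and not the cacher project's code: the classifier below mirrors what the three iptables hex-string rules later in this section select (FF FF FF FF followed by 0x54, 0x55 or 0x41), and the cache answers repeated queries from memory, so a flood of requests from spoofed sources costs the game server at most one upstream query per update interval. The fetch callback, the injectable clock and the 1000 ms interval are assumptions for the demo.

```python
import time

# Request type bytes matched by the redirect rules, right after the FF FF FF FF header.
A2S_TYPES = {0x54: "A2S_INFO", 0x55: "A2S_PLAYER", 0x41: "challenge"}


def classify_a2s(payload: bytes):
    """Return the query name if payload is one the redirect rules would select, else None."""
    if len(payload) < 5 or payload[:4] != b"\xff\xff\xff\xff":
        return None
    return A2S_TYPES.get(payload[4])


class QueryCache:
    """Serve a cached response per query type; refresh from the game server at most
    once per update_interval_ms no matter how many clients (spoofed or not) ask."""

    def __init__(self, fetch, update_interval_ms=1000, clock=time.monotonic):
        self.fetch = fetch              # callable(query_name) -> bytes from the real server
        self.ttl = update_interval_ms / 1000.0
        self.clock = clock              # injectable for deterministic testing
        self.cache = {}                 # query_name -> (fetched_at, response)
        self.upstream_queries = 0       # how often the game server was actually asked

    def handle(self, payload: bytes):
        name = classify_a2s(payload)
        if name is None:
            return None                 # not an A2S request: leave it to the game server
        now = self.clock()
        hit = self.cache.get(name)
        if hit is None or now - hit[0] >= self.ttl:
            self.upstream_queries += 1
            hit = (now, self.fetch(name))
            self.cache[name] = hit
        return hit[1]


def simulate_flood(requests=1000):
    """Constructed demo: a burst of A2S_INFO requests inside one interval produces a
    single upstream query, which is the property that makes caching work against spoofing."""
    qc = QueryCache(lambda name: b"cached " + name.encode(), update_interval_ms=1000,
                    clock=lambda: 0.0)
    info = b"\xff\xff\xff\xff\x54Source Engine Query\x00"
    for _ in range(requests):
        qc.handle(info)
    return qc.upstream_queries
```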

hyperxpro built a good cacher in Java: https://github.com/hyperxpro/SourceEngineQueryCacher
[isn't finished at the moment]
Note: You will need to run a cacher for each game server you have. I will show you how to do it.

1. Please install the latest version of Java 11 on your system. A Google search will help you with this, since there are thousands of tutorials about it.
2. You will have to redirect all A2S traffic from port 27015 to the cacher's port to handle the queries.
The easiest way is to do it via iptables:

Code:
# server 1
iptables -t nat -A PREROUTING -d SERVER_1_IP -p udp --dport 27015 --match string --algo kmp --hex-string '|FFFFFFFF54|' -j REDIRECT --to-ports 9110
iptables -t nat -A PREROUTING -d SERVER_1_IP -p udp --dport 27015 --match string --algo kmp --hex-string '|FFFFFFFF55|' -j REDIRECT --to-ports 9110
iptables -t nat -A PREROUTING -d SERVER_1_IP -p udp --dport 27015 --match string --algo kmp --hex-string '|FFFFFFFF41|' -j REDIRECT --to-ports 9110


# server 2
iptables -t nat -A PREROUTING -d SERVER_2_IP -p udp --dport 27015 --match string --algo kmp --hex-string '|FFFFFFFF54|' -j REDIRECT --to-ports 9111
iptables -t nat -A PREROUTING -d SERVER_2_IP -p udp --dport 27015 --match string --algo kmp --hex-string '|FFFFFFFF55|' -j REDIRECT --to-ports 9111
iptables -t nat -A PREROUTING -d SERVER_2_IP -p udp --dport 27015 --match string --algo kmp --hex-string '|FFFFFFFF41|' -j REDIRECT --to-ports 9111
I've redirected server 1's A2S traffic to port 9110 and server 2's A2S traffic to port 9111. Remember this, we will need it later in the cacher's configuration.

3. At the moment, the latest version is not finished and doesn't work in CSGO. I recommend using this one instead; log4j is fixed too.
https://github.com/xSL0W/SourceEngineQueryCacher

Download both the source and the Java file. From the source code archive you only need Cacher.conf.

4. Once you have both Cacher.conf and SourceEngineQueryCacher-1.6.6.jar we can start configuring.
Open Cacher.conf:
Code:
Threads=2
StatsPPS=true
StatsbPS=true
GameUpdateInterval=1000
GameUpdateSocketTimeout=1000
MaxChallengeCode=100000
ChallengeCacheCleanerInterval=1000
ChallengeCodeTTL=5000
ChallengeCodeCacheConcurrency=8
LocalServerIPAddress=0.0.0.0 # this should remain 0.0.0.0
LocalServerPort=9110 # here's the port we chose at step 2
GameServerIPAddress=8.8.8.8 # server's public ip address
GameServerPort=27015 # server's port
ReceiveBufferSize=65535
SendBufferSize=65535
FixedReceiveAllocatorBufferSize=65535
Please complete LocalServerIPAddress, LocalServerPort, GameServerPort according to your setup.

5. Once you have saved the file you can run the cacher. If you want to run it in the background you can use screen.
https://linuxize.com/post/how-to-use-linux-screen/

Code:
screen -S cacher1
/usr/bin/java -jar /path/to/file/SourceEngineQueryCacher-1.6.6.jar -c /path/to/file/Cacher.conf
# [CTRL A+D to detach from screen]
screen -R cacher1  # to attach again
6. Repeat this for all your servers, in case you have multiple. You only need a new Cacher.conf; you can use the same jar file for every server.

You could also try using my config; security might be improved:

Code:
Threads=8 # Your number of CPU Threads
StatsPPS=true
StatsbPS=true
GameUpdateInterval=60000 # Update interval increased to 60s
GameUpdateSocketTimeout=100000
ChallengeCodeTTL=500000
LocalServerIPAddress=0.0.0.0
LocalServerPort=9110 # cacher's port
GameServerIPAddress=GAME_SERVER_IP
GameServerPort=GAME_SERVER_PORT
ReceiveBufferSize=3276750 # increased buffer
SendBufferSize=3276750 # increased buffer
FixedReceiveAllocatorBufferSize=3276750 # increased buffer

7. You can also add a cronjob to automatically start everything on server reboot.

Code:
crontab -e
# [Select your text editor]
Then paste your commands here with the full path and @reboot before them. This will execute the commands every time you reboot the server.
Code:
# server 1
@reboot /usr/sbin/iptables -t nat -A PREROUTING -d SERVER_1_IP -p udp --dport 27015 --match string --algo kmp --hex-string '|FFFFFFFF54|' -j REDIRECT --to-ports 9110
@reboot /usr/sbin/iptables -t nat -A PREROUTING -d SERVER_1_IP -p udp --dport 27015 --match string --algo kmp --hex-string '|FFFFFFFF55|' -j REDIRECT --to-ports 9110
@reboot /usr/sbin/iptables -t nat -A PREROUTING -d SERVER_1_IP -p udp --dport 27015 --match string --algo kmp --hex-string '|FFFFFFFF41|' -j REDIRECT --to-ports 9110

# server 2
@reboot /usr/sbin/iptables -t nat -A PREROUTING -d SERVER_2_IP -p udp --dport 27015 --match string --algo kmp --hex-string '|FFFFFFFF54|' -j REDIRECT --to-ports 9111
@reboot /usr/sbin/iptables -t nat -A PREROUTING -d SERVER_2_IP -p udp --dport 27015 --match string --algo kmp --hex-string '|FFFFFFFF55|' -j REDIRECT --to-ports 9111
@reboot /usr/sbin/iptables -t nat -A PREROUTING -d SERVER_2_IP -p udp --dport 27015 --match string --algo kmp --hex-string '|FFFFFFFF41|' -j REDIRECT --to-ports 9111

@reboot /usr/bin/java -jar /path/to/file/SourceEngineQueryCacher-1.6.6.jar -c /path/to/file/Cacher.conf
@reboot /usr/bin/java -jar /path/to/file/SourceEngineQueryCacher-1.6.6.jar -c /path/to/file/Cacher2.conf

7. NetMessages crasher exploit

There is a server crasher exploit that sends a lot of netmessage packets in a tick, and the server spends too much time processing them. The solution is to limit packets per client using the convar "net_chan_limit_msec".
As far as I know, limiting to 100 packets/tick seems a reasonable value. More testing is needed, so I recommend you monitor your server.

- In server.cfg:
Code:
net_chan_limit_msec "100"

Reference:
https://blog.counter-strike.net/inde...2019/07/24922/
https://www.unknowncheats.me/forum/c...asher-fix.html


Last update: 25/11/2021

Last edited by xSLOW; 12-23-2021 at 14:02. Reason: Updated #6 - Source Query Cacher (for a2s attacks)