
Server Protection : How to Protect Your Server From Hackers and DDOSERS


born for gaming
Junior Member
Join Date: Aug 2019
Old 01-19-2021 , 02:04   Server Protection : How to Protect Your Server From Hackers and DDOSERS
Reply With Quote #1

Server Protection : How to Protect Your Server From Hackers and DOSERS


Description :

Hi, today I will tell you how to protect your server from hackers and DoSers. I will tell you all the methods and also give you the best anti-cheat to protect your server.

I hope you will like it.


We use the following methods to protect our server:


1. SMAC R1.F: This anti-cheat will protect the server from hackers using aimbot, wallhack, etc.

2. SV_PURE: This will protect the server from hackers who use material wallhacks.

3. DAF and DOSP anti-DoSers: These two anti-DoSers show the DoSer's IP while he/she is DoSing.

4. IP-Tables: This is the main protection against DoS and it's very important.


1. SMAC R1.F


Description :

The latest Anti-Cheat for CSS v34. This Anti-Cheat will Protect server from Hackers like Aimbot, Wallhack, etc.


Installation :

1. First Download SMAC v34 R1.F

2. Extract it to your server/cstrike folder.

3. Restart your server or change map.


Admin Commands :


Code:
!smac_status                     -                   Show information about current players with SteamID, IP

!smac_addcmd                     -                   Adds a command to the block list.

!smac_removecmd                  -                   Removes a command from block list.

!smac_addignorecmd               -                   Adds a command to ignore on command spam.

!smac_removeignorecmd            -                   Removes a command from ignore list.

!smac_addcvar                    -                   Adds a client cvar to be checked on cvar list.

!smac_removecvar                 -                   Removes a cvar from cvar list.

Credits for SMAC.R1.F :
Danyas


2. SV_PURE


Description :

If sv_pure is enabled on a server, the server forces clients to use only files that match the server's. This means any custom files used to modify the textures or sounds of the map are simply ignored, which prevents clients from using certain cheats such as a materials wallhack.


By default sv_pure is set to 0, which means disabled. The sv_pure cvar supports 3 values:


0 - sv_pure is disabled. Custom files from the client are supported on the server.
1 - sv_pure is enabled on the server. Custom files that modify the original game files are not allowed. This setting supports a whitelist file, pure_server_whitelist.txt, in which server owners can allow certain custom files to be used by the clients, such as skins, sprays, server plugin files etc.
2 - sv_pure is enabled on the server. For this setting, no whitelist file is loaded or read by the server. This setting doesn't allow any modified custom file, including custom files of server plugins. Everything is ignored except the default files of the server and client.

Before the ClientMod API, the sv_pure was broken on CS: Source v34 servers. ClientMod API fixes this bug, so now server owners can use the sv_pure setting on their server.


Installation :

Install ClientMod Server API on server.
In cstrike/cfg/sourcemod/ClientMod.cfg, set the value of the CVAR se_allowpure to 1.
In cstrike/cfg/autoexec.cfg, put the cvar sv_pure. Use value 1 or 2, depending on what type of sv_pure setting you want. It is necessary to have the sv_pure cvar in autoexec.cfg, because on server start or map change this file is loaded first, and only after that server.cfg or any other map config file. If sv_pure is set in server.cfg instead of autoexec.cfg, then on server start the first map doesn't load with the sv_pure setting and some clients' games may crash. It will only take effect after the map change. Make sure no other cfg file contains the sv_pure cvar, otherwise it may not work for you.
Download pure_server_whitelist.txt
Paste pure_server_whitelist.txt in yourserver/cstrike folder.

CVARs :



Code:
// If set to 1, the server will kick clients with mismatching files. Otherwise, it will issue a warning to the client.

"sv_pure_kick_clients" = "0"


Credits For sv_pure :
SLAYER
Vertigo


3. DAF and DOSP : Anti DOS


Description :

These two anti-DoS plugins will show the IP of the DoSer while he/she is DoSing the server.


Installation of DAF:


1. Download DAF Windows or DAF Linux

2. Extract in yourserver/cstrike folder

3. Go to server/cstrike/cfg, open autoexec.cfg and paste this command:
Code:
exec daf.cfg
4. Restart your server.

5. Type plugin_print in server console to check if the plugin is loaded or not.



Server Console Commands :

Code:
daf_status             -              Shows currently blocked Attacker's IP addresses from the attacks

daf_reset              -              Resets all the blocked IP addresses

Credits of DAF :
Drunken F00l



Installation of DOSP :


1. Download DOSP Windows or DOSP Linux

2. Extract in yourserver/cstrike folder

4. Restart your server.

5. Type meta list in server console to check if the plugin is loaded or not.


Server Console Commands :

Code:
dosp_enable           -           Enable/Disable DoS Protect Plugin (0 - Disabled, 1 - Enabled)

dosp_status           -           Shows status of attacks with attacker's IP

dosp_version          -           Show version information of DoS Protect


Credits of DOSP :

ZombieX2.net



4. IP-Tables : The Most Important Part to Protect Your Server From DOS


Description :


Iptables is the interface used by administrators to interact with Netfilter modules. In other words, it is the program you use to configure the built-in firewall. A lot of people have been asking about how to protect a Linux server against denial of service (DoS) attacks. The vast majority of these attacks involve one individual using a scripted program to execute an attack on a single server target. The goal of using iptables here is to handle network traffic before it reaches the server, where it could cause undesired latency for players. Also, keep in mind that these iptables rules will do nothing in the face of a large-scale sustained DoS attack. With that in mind, iptables rules will effectively mitigate script kiddies' DoS, small-scale DoS, and even larger pulsed DoS attacks.


Installation :

NOTE: In this IP-Tables process we are using a Linux VPS and server port 27015. If your server port is different from 27015, then wherever you see port 27015 in the section below, change it to your server port.


First go out from your server folder or type
Code:
cd /home
To start out we are going to clear all our old rules and recreate the default chains.

Put These lines one by one.


Code:
iptables -F

iptables -P INPUT   ACCEPT

iptables -P OUTPUT  ACCEPT

iptables -P FORWARD ACCEPT

-F = Flush the selected chain (all the chains in the table if none is given). This is equivalent to deleting all the rules one by one.

-P = Set the policy for the chain to the given target. See the section TARGETS for the legal targets. Only built-in (non-user-defined) chains can have policies, and neither built-in nor user-defined chains can be policy targets.


Now we are going to allow all the traffic we need.


Code:
# Accept anything from localhost
sudo iptables -A INPUT -s 127.0.0.1/32 --jump ACCEPT

# FTP
sudo iptables -A INPUT -p tcp --dport 21 --jump ACCEPT

# SSH
sudo iptables -A INPUT -p tcp --dport ssh --jump ACCEPT

# MySQL
sudo iptables -A INPUT -p tcp --dport 3306 --jump ACCEPT

# Steam Friends Service
sudo iptables -A INPUT -p udp --dport 1200 --jump ACCEPT

# Steam Main UDP
sudo iptables -A INPUT -p udp --dport 27000 --jump ACCEPT

# Steam Main TCP
sudo iptables -A INPUT -p tcp --dport 27020 --jump ACCEPT
sudo iptables -A INPUT -p tcp --dport 27039 --jump ACCEPT

# Steam Dedicated Server HLTV
sudo iptables -A INPUT -p udp --dport 27020 --jump ACCEPT

# Your server info goes here
# (this rule has no --jump target, so it only counts matching packets)
sudo iptables -A INPUT -p udp -d 192.168.10.5 --dport 27015

# Allow rcon to those servers
sudo iptables -A INPUT -p tcp -d 192.168.10.5 --dport 27015 --jump ACCEPT

# Now drop all other traffic :) (these two rules cover destination ports 1-1023)
sudo iptables -A INPUT -p tcp --dport 1:1023 --jump DROP
sudo iptables -A INPUT -p udp --dport 1:1023 --jump DROP


In the code above there are two lines that contain the IP 192.168.10.5 and the port 27015.

You need to change them according to your server IP and port. Imagine my server IP is 123.456.78.90 and the port is 27016; then I will write these two lines like this:

Code:
sudo iptables -A INPUT -p udp -d 123.456.78.90 --dport 27016


sudo iptables -A INPUT -p tcp -d 123.456.78.90 --dport 27016 --jump ACCEPT


Now here I tell you the options we used above and their use:


-A = Append one or more rules to the end of the selected chain. Adds the rule to the chain

-p = Protocol tcp, udp, icmp, or all

--dport = destination port

--jump = Tells the firewall what to do if the packet matches the rule


Now that is all great for a basic firewall, but that does not help much with the DoS attack that still affects srcds...

To stop that we can use iptables in combination with another program called fail2ban. Fail2ban (pronounced "Fail 2 Ban") reads logs and takes actions based on what it finds.

First we have to install Fail2Ban :

Code:
apt-get install fail2ban

Now just a little configuring

Creating a file called srcdsdos.conf

Code:
nano /etc/fail2ban/filter.d/srcdsdos.conf

Now download this file with FileZilla from /etc/fail2ban/filter.d/, then open the file with Notepad++ and copy the lines given below into it:

Code:
[Definition]


# Matches the log prefixes written by the REJECT_FLOOD28 / REJECT_FLOOD46 LOG rules
failregex= IPTABLES-FLOOD LENGTH (28|46): IN=eth0 OUT= MAC=[a-fA-F0-9:]+ SRC=<HOST> DST=([0-9]{1,3}\.?){4} LEN=(28|46)


After copying and pasting, SAVE the file and put it back into the folder you downloaded it from: /etc/fail2ban/filter.d/


Now open the jail.conf file located in /etc/fail2ban/ using the steps I described above, and copy and paste the lines given below:

Code:
[srcdsdos]

enabled = true

port      = 27015,27025,27035

protocol = udp

filter = srcdsdos

logpath = /var/log/messages.log

maxretry = 3

bantime = 6000


In the code above you can see the line port = 27015,27025,27035. In this line you need to change the port 27015 to your server port if you don't use port 27015 for your server.

Now save the file and put it back into the folder you downloaded it from: /etc/fail2ban/


Now we are going to restart fail2ban:

Code:
/etc/init.d/fail2ban restart

Other commands for fail2ban:

Code:
/etc/init.d/fail2ban stop

/etc/init.d/fail2ban start


Now add these rules :

Code:
# Create the chain that rejects UDP floods of length 28
sudo iptables -N REJECT_FLOOD28
sudo iptables -A REJECT_FLOOD28 -j LOG --log-prefix 'IPTABLES-FLOOD LENGTH 28: ' --log-level info
sudo iptables -A REJECT_FLOOD28 -j DROP

# Create the chain that rejects UDP floods of length 46
sudo iptables -N REJECT_FLOOD46
sudo iptables -A REJECT_FLOOD46 -j LOG --log-prefix 'IPTABLES-FLOOD LENGTH 46: ' --log-level info
sudo iptables -A REJECT_FLOOD46 -j DROP

# Send packets of exactly these lengths on the game port to the chains above
sudo iptables -A INPUT -i eth0 -p udp --dport your_port -m length --length 28 -j REJECT_FLOOD28
sudo iptables -A INPUT -i eth0 -p udp --dport your_port -m length --length 46 -j REJECT_FLOOD46


Now again, where I typed your_port, delete it and enter your server port.


Now if any DoSer attacks your server, it will be stopped and logged in fail2ban.log like this:

Code:
2009-10-14 19:11:43,702 fail2ban.actions: WARNING [srcdsdos] Ban 78.22.165.162


Now we make our server harder to access from the outside world:

The first measure of protection is to develop a white-list of IP addresses that have your permission to access rcon ; otherwise, it's best to completely hide rcon from the outside world.

Code:
sudo iptables -A INPUT -p tcp --destination-port 27015 -j LOG --log-prefix "SRCDS-RCON " -m limit --limit 1/m --limit-burst 1

sudo iptables -A INPUT -p tcp --destination-port 27015 -j DROP


Many of the programs available in the nether-regions of the Internet spam queries to the server. These programs have a few commonalities such as the length of their packets. One popular iptables rule blocks anything with length 28. To suppress these attacks, we'll block any packets with a length between 0 and 32. You won't see any valid game packets below 32 bytes.

Code:
sudo iptables -A INPUT -p udp --destination-port 27015 -m length --length 0:32 -j LOG --log-prefix "SRCDS-XSQUERY " --log-ip-options -m limit --limit 1/m --limit-burst 1

sudo iptables -A INPUT -p udp --destination-port 27015 -m length --length 0:32 -j DROP


Similarly, how the game responds to fragmented packets is defined by a few net_ cvars. Check the values of your cvars and configure your firewall rules accordingly. This is the calculation I used to determine the maximum acceptable packet size:

Maximum Size = (`net_maxroutable`) + (`net_splitrate`) * (`net_maxfragments`)

which gives 2520 bytes under the default configuration with a maximum of 32 players allowed on the server.

This means the code below is for a server on which a maximum of 32 players can join at a time.

Code:
Cvar :

maxplayers 32

Code:
sudo iptables -A INPUT -p udp --destination-port 27015 -m length --length 2521:65535 -j LOG --log-prefix "SRCDS-XLFRAG " --log-ip-options -m limit --limit 1/m --limit-burst 1

sudo iptables -A INPUT -p udp --destination-port 27015 -m length --length 2521:65535 -j DROP

sudo iptables -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT


Handling 'new' or unsolicited UDP connections, such as requests to join the game server or miscellaneous queries, will be rate-limited. A hash-limit is used to throttle connection attempts that become excessive. This is so sensitive that hitting 'Refresh' in the server browser window too often will trigger these rules. There are several different options for how to configure the hash-limits, so I'll briefly discuss two different scenarios.

1) You run multiple game servers on different ports but same IP

For this you'd want to make the hash-limit come from the source IP and go to the destination port (srcip,dstport).


Code:
sudo iptables -A INPUT -p udp -m state --state NEW -m hashlimit --hashlimit-mode srcip,dstport --hashlimit-name StopDoS --hashlimit 1/s --hashlimit-burst 3 -j ACCEPT


2) You run a single game server on a single IP

For this it's easier just to specify the source IP for the hash (srcip).

Code:
sudo iptables -A INPUT -p udp -m state --state NEW -m hashlimit --hashlimit-mode srcip --hashlimit-name StopDoS --hashlimit 1/s --hashlimit-burst 3 -j ACCEPT


Finally, for all packets that weren't matched to an acceptance rule above, we'll drop them here.

Code:
sudo iptables -A INPUT -p udp -j LOG --log-prefix "UDP-SPAM " --log-ip-options -m limit --limit 1/m --limit-burst 1

sudo iptables -A INPUT -p udp -j DROP


Now add these lines :

Code:
sudo iptables -A INPUT -p udp --dport 27015 -m hashlimit --hashlimit 50/s --hashlimit-burst 50 --hashlimit-mode srcip --hashlimit-name CSS -j ACCEPT


sudo iptables -A INPUT -p udp --dport 27015 -j DROP


You can write other rules for more accurate filtering!

Code:
sudo iptables -A INPUT -p udp -m udp --dport 27015 -m state --state RELATED,ESTABLISHED -j ACCEPT


sudo iptables -A INPUT -p udp --dport 27015 -m state --state NEW -m hashlimit --hashlimit 100/s --hashlimit-burst 100 --hashlimit-mode srcip --hashlimit-name TF -j ACCEPT


sudo iptables -A INPUT -p udp --dport 27015 -j DROP


By the way, so that after restarting the computer [VPS], the rules are restored, you need to execute:

Code:
# Run the redirect inside the root shell so that writing to /etc succeeds
sudo sh -c 'iptables-save > /etc/iptables.rules'


make this file executable:

Code:
chmod +x /etc/iptables.rules


and add the line given below to the file located at /etc/rc.local:

Code:
sudo iptables-restore < /etc/iptables.rules

Protecting the server by banning the IP of the DoSer through IP-Tables:
Install the DAF/DOSP plugin which we discussed in point 3 above! Then, if there was a DoS attack, look in the log to see which IP address the attack came from, and BAN that IP address through iptables! A ban in iptables is a very reliable thing, I checked it myself =)!

Offtopic: Although it is written that this DAF/DOSP plugin protects the server from DoS, in my opinion and experience it doesn't protect from DoS even a little bit. These plugins ONLY SHOW the IP of the DoSer.

You should ban through iptables like this:
Code:

sudo iptables -A INPUT -s xxx.xxx.xxx.xxx -j DROP

Where xxx.xxx.xxx.xxx is the DOSER's IP address!

If the DoSer has a dynamic IP, changes the IP and keeps DoSing, then we will ban a subnet or several subnets!

Code:

sudo iptables -A INPUT -s xxx.xxx.xxx.0/24 -j DROP


Example:
Code:

# This will ban the range of IP addresses from 187.34.232.0 to 187.34.232.255 in iptables
sudo iptables -A INPUT -s 187.34.232.0/24 -j DROP

Unban IP like this :
Code:

sudo iptables -D INPUT -s xxx.xxx.xxx.xxx -j DROP


Note 1:
By the way, a ban in iptables does not seem to be a ban on the CS:S server; that is, a user banned in iptables will be able to play on your server, but will not be able to DoS!

If you want to BAN the DoSer from both IP-Tables and the server, then you can do it like this:
Code:

sudo iptables -A INPUT -s xxx.xxx.xxx.xxx -p udp -m udp --dport 27015:27018 -j DROP

Where xxx.xxx.xxx.xxx is the DOSER's IP address!
Then the banned person will not be able to play on these ports

Note 2:
And yet, all these rules and bans protect only against external DoS attacks, i.e. when you can DoS through all kinds of flood programs without going onto the server! For scripts that flood commands into the console on the server itself, you can try using KAC Anti-Cheat!

Note 3 :

The information I gave you above will protect your server 50% to 70%, because CSS is nearly dead and no one cares about it. The whole community is going to play CSGO. And the methods I told you are good methods to protect a server.

Tips :
1. Always make your server on a Linux VPS.
2. If you want to stop real DoS, you need to buy a VPS from a site that gives you DoS protection, like Google Cloud; it is also my experience that a server running on Google Cloud has a 20% to 30% chance of DoS.

Things to Remember:
1. Never trust anti-DoS plugins; they ONLY show the IP of little DoSers. The best DoSer can crash your server in a minute.
2. Adding all the IP-Tables rules I gave you above will protect your server 50% to 60%. Yeah, it's the truth: you can't save your server from the best DoSer, but you can stop small-scale DoS.

Credits :
Vertigo: Thanks, Vertigo, for helping me bring this information to you

Donation :
If you like the information about Server Protection, please subscribe to my YouTube channel: League of Gamers
OR
Share the link of this thread with people; more downloads = money.

Original Thread :
RIS Website : SLAYER

Need More Plugins or Information about CSS v34 Servers. Please Try This Site :
RIS Website

Last edited by born for gaming; 01-19-2021 at 02:59.
born for gaming is offline
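The srcdsdos filter and the REJECT_FLOOD28/REJECT_FLOOD46 LOG rules in the first post only work together if the failregex agrees with the log prefix and the LEN= field that the kernel writes. The following is an added example, not part of the original post: it runs two failregex variants over constructed kernel log lines and applies the jail's maxretry = 3. The `<HOST>` stand-in, the 600-second findtime window, the hostname and all addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# fail2ban expands <HOST> itself; a plain IPv4 group stands in for it here (assumption).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Alternation names 48, but the LOG rules write 'LENGTH 46', and LEN= is pinned to 28.
LEN28_ONLY = (r"IPTABLES-FLOOD LENGTH (28|48): IN=eth0 OUT= MAC=[a-fA-F0-9:]+ "
              r"SRC=<HOST> DST=([0-9]{1,3}\.?){4} LEN=28")
# Agrees with both log prefixes and with the LEN= value of each flood size.
BOTH_LENGTHS = (r"IPTABLES-FLOOD LENGTH (28|46): IN=eth0 OUT= MAC=[a-fA-F0-9:]+ "
                r"SRC=<HOST> DST=([0-9]{1,3}\.?){4} LEN=(28|46)")


def log_line(stamp, length, src):
    """Constructed line in the shape the kernel LOG target writes for these rules."""
    return (f"{stamp} gamehost kernel: IPTABLES-FLOOD LENGTH {length}: IN=eth0 OUT= "
            f"MAC=00:16:3e:aa:bb:cc:00:1b:21:dd:ee:ff:08:00 SRC={src} DST=192.0.2.10 "
            f"LEN={length} TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP "
            f"SPT=40000 DPT=27015 LEN={length - 20}")


# Constructed sample log, sorted by its ISO timestamps.
SAMPLE = sorted(
    [log_line(f"2021-01-19T02:04:0{i}", 28, "203.0.113.7") for i in range(3)]
    + [log_line(f"2021-01-19T02:05:0{i}", 46, "198.51.100.9") for i in range(3)]
    + [log_line(f"2021-01-19T02:06:0{i}", 28, "192.0.2.44") for i in range(2)]
    + [log_line(f"2021-01-19T02:{m}:00", 28, "198.51.100.20") for m in ("10", "16", "22")]
    + ["2021-01-19T02:07:00 gamehost kernel: SRCDS-XSQUERY IN=eth0 OUT= SRC=192.0.2.99 LEN=30"]
)


def banned_hosts(lines, failregex, maxretry=3, findtime=600):
    """Return hosts, in ban order, that reach maxretry matches within findtime seconds."""
    rx = re.compile(failregex.replace("<HOST>", HOST))
    window = timedelta(seconds=findtime)  # assumed window; the jail shown sets no findtime
    hits = defaultdict(list)
    banned = []
    for line in lines:
        stamp, _, rest = line.partition(" ")
        match = rx.search(rest)
        if not match:
            continue
        host = match.group("host")
        when = datetime.fromisoformat(stamp)
        # Keep only the failures that are still inside the sliding window.
        hits[host] = [t for t in hits[host] if when - t <= window] + [when]
        if len(hits[host]) >= maxretry and host not in banned:
            banned.append(host)
    return banned


if __name__ == "__main__":
    print("LEN=28 only :", banned_hosts(SAMPLE, LEN28_ONLY))
    print("both lengths:", banned_hosts(SAMPLE, BOTH_LENGTHS))
```

On a host with fail2ban installed, its own `fail2ban-regex` tool performs the same check against the real log file and filter.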
Rugal
Member
Join Date: Jun 2020
Location: Brazil
Old 01-19-2021 , 23:44   Re: Server Protection : How to Protect Your Server From Hackers and DDOSERS
Reply With Quote #2

A question about SMAC Anti-Cheat.
This modified version that you mentioned in your post, is it updated?
Or is it maintained by someone?
Because, from what I know, the most recent version of this plugin was 1 year ago, and it seems that it has already been discontinued.
I ask this because the old versions of this Anti-Cheat were unfairly banning people. And this is something I don't want on my server.
__________________
Need to set up a server? access
www.rugalservidores.com.br
Rugal is offline
born for gaming
Junior Member
Join Date: Aug 2019
Old 01-21-2021 , 01:24   Re: Server Protection : How to Protect Your Server From Hackers and DDOSERS
Reply With Quote #3

Quote:
Originally Posted by Rugal View Post
A question about SMAC Anti-Cheat.
This modified version that you mentioned in your post, is it updated?
Or is it maintained by someone?
Because, from what I know, the most recent version of this plugin was 1 year ago, and it seems that it has already been discontinued.
I ask this because the old versions of this Anti-Cheat were unfairly banning people. And this is something I don't want on my server.
Bro, I gave you the last version of SMAC. I also used this on my server and I didn't face any problem.
born for gaming is offline
Rugal
Member
Join Date: Jun 2020
Location: Brazil
Old 01-21-2021 , 15:59   Re: Server Protection : How to Protect Your Server From Hackers and DDOSERS
Reply With Quote #4

Quote:
Originally Posted by born for gaming View Post
Bro, I gave you the last version of SMAC. I also used this on my server and I didn't face any problem.
Is it the last version that you attached to the post?
__________________
Need to set up a server? access
www.rugalservidores.com.br
Rugal is offline
born for gaming
Junior Member
Join Date: Aug 2019
Old 01-25-2021 , 02:26   Re: Server Protection : How to Protect Your Server From Hackers and DDOSERS
Reply With Quote #5

Quote:
Originally Posted by Rugal View Post
Is it the last version that you attached to the post?
Yes, I attached the last version of SMAC to the post.
born for gaming is offline
StrikeR14
AlliedModders Donor
Join Date: Apr 2016
Location: Behind my PC
Old 01-30-2021 , 08:38   Re: Server Protection : How to Protect Your Server From Hackers and DDOSERS
Reply With Quote #6

SMAC doesn't function properly AFAIK (server owners often report that they have been banned by the plugin), might recommend other anti-cheats in your posts.
Having that said, it's a great guide, thanks!
__________________
Currently taking TF2/CSGO paid private requests!

My Plugins | My Discord Account
StrikeR14 is offline