
Source Servers Security Guide


xSLOW
Senior Member
Join Date: Apr 2019
Location: Romania
Old 11-13-2021 , 19:21   Source Servers Security Guide

Hi, I've decided to write a security guide for game servers in the hope of helping new people around the community with some advice to prevent DDoS, exploits, etc.
If you know anything that could be added to this guide, please let me know and leave a reply here.

Summary:
1) Fastdownload setup
2) Rcon hacking attempt / DoS
3) [CSGO] Server Lagger Exploit Security Patch [3/7/2020]
4) [CSGO] Server Lagger Exploit Security Patch [5/28/2021]
5) [Root access needed] Rcon (27015/tcp) DoS
7) [Root access needed] IP rate limiting error / A2S (aka VSE) DoS attack
7) NetMessages crasher exploit






1. Fastdownload setup

If you are using a fastdownload (aka downloadurl), most people will usually put "sv_allowdownload 1" and "sv_allowupload 1". Those settings don't affect fastdl; it's recommended to keep them on 0 (disabled) because of the game exploits people can use.
These should be put inside the file "server.cfg".

Message in console you get when this exploit is used:
Code:
CreateFragmentsFromFile: '.txt' doesn't exist.
Good settings:
Code:
// FastDownload
sv_allowupload 0
sv_allowdownload 0
sv_downloadurl "mysite.com/fastdl"
If the problem still persists this might be a fix too: https://forums.alliedmods.net/showthread.php?t=317120

2. Rcon hacking attempt / DoS

If you are using rcon (and you most probably do), I recommend limiting the number of wrong rcon passwords allowed in a period of time.
These should be put inside the file "server.cfg".
Here are my settings:
Code:
// Rcon hacking attempt / DoS
sm_cvar sv_rcon_banpenalty 5
sm_cvar sv_rcon_maxfailures 10
sm_cvar sv_rcon_minfailures 5
sm_cvar sv_rcon_minfailuretime 30
I recommend you check the list of cvars explained; don't just copy-paste everything from here, try your own settings too: https://developer.valvesoftware.com/...of_CS:GO_Cvars

3. [CSGO] Server Lagger Exploit Security Patch [3/7/2020]

This is an exploit that usually makes your server laggy and your console spam this error:
Code:
IPADDRESS : PORT:reliable state invalid (0)..
Solution is here: https://forums.alliedmods.net/showthread.php?p=2686176

4. [CSGO] Server Lagger Exploit Security Patch [5/28/2021]

This plugin patches a DoS exploit that increases pings on the server.
https://forums.alliedmods.net/showthread.php?t=332721

Attention! The next guides can only be done if you have root access to the dedicated server. If you have a simple game host package you can't do this.

5. [Root access needed] Rcon (27015/tcp) DoS

As backwards recommends too ( https://forums.alliedmods.net/showthread.php?p=2730982 ), it's good practice to cut off port 27015/tcp (it will affect only rcon) and give access only to some whitelisted IPs (for example your webhost, for sourcebans, etc.).

You can do this via a firewall or simply using iptables.
Example of iptables rules:
Code:
/usr/sbin/iptables -A INPUT -p tcp --dport 27015 -j DROP  # DROP PORT 27015/TCP (appended at the end of INPUT)
/usr/sbin/iptables -I INPUT -p tcp -s YOUR_IP --dport 27015 -j ACCEPT  # allow specific ip on this port (-I inserts it at the top, so it is evaluated before the DROP)
You can do the same for MySQL if you want. Nobody other than you should be able to connect to your database.


6. [Root access needed] IP rate limiting error / A2S (aka VSE) DoS attack

Maybe you've seen this error in your console:

Code:
IP rate limiting client xxxxxx:29823 at 305 hits (14 buckets, 136 global count).
IP rate limiting client xxxxxx:6479 at 310 hits (14 buckets, 136 global count).
IP rate limiting client xxxxxx:24293 at 301 hits (17 buckets, 116 global count).
IP rate limiting client xxxxxx:35475 at 304 hits (17 buckets, 106 global count).
IP rate limiting client xxxxxx:30688 at 308 hits (16 buckets, 90 global count).
This could be a DoS attack if your server becomes unresponsive. Here's one of the solutions:

- Caching the A2S query response instead of asking the game server every time someone requests it.
Why not rate limiting? Limit the response to 1 request/second for each IP address. Well, you can't, since most of the A2S DDoS scripts use spoofed IP addresses ( https://en.wikipedia.org/wiki/IP_address_spoofing )

hyperxpro built a good cacher in Java: https://github.com/hyperxpro/SourceEngineQueryCacher
[isn't finished at the moment]
Note: You will need to run a cacher for each game server you have. I will show you how to do it.

1. Please install the latest version of Java 11 on your system. A Google search will help you with this, since there are thousands of tutorials about it.
2. You will have to redirect all A2S traffic from port 27015 to the cacher's port to handle the queries.
The easiest way is to do it via iptables:

Code:
# server 1
iptables -t nat -A PREROUTING -d SERVER_1_IP -p udp --dport 27015 --match string --algo kmp --hex-string '|FFFFFFFF54|' -j REDIRECT --to-ports 9110
iptables -t nat -A PREROUTING -d SERVER_1_IP -p udp --dport 27015 --match string --algo kmp --hex-string '|FFFFFFFF55|' -j REDIRECT --to-ports 9110
iptables -t nat -A PREROUTING -d SERVER_1_IP -p udp --dport 27015 --match string --algo kmp --hex-string '|FFFFFFFF41|' -j REDIRECT --to-ports 9110


# server 2
iptables -t nat -A PREROUTING -d SERVER_2_IP -p udp --dport 27015 --match string --algo kmp --hex-string '|FFFFFFFF54|' -j REDIRECT --to-ports 9111
iptables -t nat -A PREROUTING -d SERVER_2_IP -p udp --dport 27015 --match string --algo kmp --hex-string '|FFFFFFFF55|' -j REDIRECT --to-ports 9111
iptables -t nat -A PREROUTING -d SERVER_2_IP -p udp --dport 27015 --match string --algo kmp --hex-string '|FFFFFFFF41|' -j REDIRECT --to-ports 9111
I've redirected server 1's A2S traffic to port 9110 and server 2's A2S traffic to port 9111. Remember this; we will need it later in the cacher's configuration.

3. At the moment, the latest version is not finished and doesn't work in CS:GO. I recommend using this one instead; log4j is fixed too.
https://github.com/xSL0W/SourceEngineQueryCacher

Download both the source and the Java file. From the source code archive you only need Cacher.conf.

4. Once you have both Cacher.conf and SourceEngineQueryCacher-1.6.6.jar, we can start configuring.
Open Cacher.conf
Code:
Threads=2
StatsPPS=true
StatsbPS=true
GameUpdateInterval=1000
GameUpdateSocketTimeout=1000
MaxChallengeCode=100000
ChallengeCacheCleanerInterval=1000
ChallengeCodeTTL=5000
ChallengeCodeCacheConcurrency=8
LocalServerIPAddress=0.0.0.0 # this should remain 0.0.0.0
LocalServerPort=9110 # here's the port we chose at step 2
GameServerIPAddress=8.8.8.8 # server's public ip address
GameServerPort=27015 # server's port
ReceiveBufferSize=65535
SendBufferSize=65535
FixedReceiveAllocatorBufferSize=65535
Please complete LocalServerIPAddress, LocalServerPort, GameServerPort according to your setup.

5. Once you have saved the file, you can run the cacher. If you want to run it in the background you can use screen.
https://linuxize.com/post/how-to-use-linux-screen/

Code:
screen -S cacher1
/usr/bin/java -jar /path/to/file/SourceEngineQueryCacher-1.6.6.jar -c /path/to/file/Cacher.conf
# [CTRL A+D to detach from screen]
# screen -R cacher1   (to attach again)
6. Repeat this for all your servers, in case you have multiple. You only need a new Cacher.conf; you can use the same jar file for every server.


You could also try using my config; security might be improved:

Code:
Threads=8 # Your number of CPU Threads
StatsPPS=true
StatsbPS=true
GameUpdateInterval=60000 # Update interval increased to 60s
GameUpdateSocketTimeout=100000
ChallengeCodeTTL=500000
LocalServerIPAddress=0.0.0.0
LocalServerPort=9110 # cacher's port
GameServerIPAddress=GAME_SERVER_IP
GameServerPort=GAME_SERVER_PORT
ReceiveBufferSize=3276750 # increased buffer
SendBufferSize=3276750 # increased buffer
FixedReceiveAllocatorBufferSize=3276750 # increased buffer

7. You can also create a cronjob to automatically start everything on server reboot.

Code:
crontab -e
# [Select your text editor]
Then paste your commands here with the full path and @reboot in front. This will execute the commands every time you reboot the server.
Code:
# server 1
@reboot /usr/sbin/iptables -t nat -A PREROUTING -d SERVER_1_IP -p udp --dport 27015 --match string --algo kmp --hex-string '|FFFFFFFF54|' -j REDIRECT --to-ports 9110
@reboot /usr/sbin/iptables -t nat -A PREROUTING -d SERVER_1_IP -p udp --dport 27015 --match string --algo kmp --hex-string '|FFFFFFFF55|' -j REDIRECT --to-ports 9110
@reboot /usr/sbin/iptables -t nat -A PREROUTING -d SERVER_1_IP -p udp --dport 27015 --match string --algo kmp --hex-string '|FFFFFFFF41|' -j REDIRECT --to-ports 9110

# server 2
@reboot /usr/sbin/iptables -t nat -A PREROUTING -d SERVER_2_IP -p udp --dport 27015 --match string --algo kmp --hex-string '|FFFFFFFF54|' -j REDIRECT --to-ports 9111
@reboot /usr/sbin/iptables -t nat -A PREROUTING -d SERVER_2_IP -p udp --dport 27015 --match string --algo kmp --hex-string '|FFFFFFFF55|' -j REDIRECT --to-ports 9111
@reboot /usr/sbin/iptables -t nat -A PREROUTING -d SERVER_2_IP -p udp --dport 27015 --match string --algo kmp --hex-string '|FFFFFFFF41|' -j REDIRECT --to-ports 9111

@reboot /usr/bin/java -jar /path/to/file/SourceEngineQueryCacher-1.6.6.jar -c /path/to/file/Cacher.conf
@reboot /usr/bin/java -jar /path/to/file/SourceEngineQueryCacher-1.6.6.jar -c /path/to/file/Cacher2.conf

7. NetMessages crasher exploit

There is a server crasher exploit that sends a lot of netmessage packets in a tick, and the server spends too much time processing them. The solution is to limit packets per client using the convar "net_chan_limit_msec".
As far as I know, limiting to 100 packets/tick seems a reasonable value. More testing is needed, so I recommend monitoring your server.

- In server.cfg:
Code:
net_chan_limit_msec "100"

Reference:
https://blog.counter-strike.net/inde...2019/07/24922/
https://www.unknowncheats.me/forum/c...asher-fix.html


Last update: 25/11/2021
__________________
My community:
https://elitegamers.ro
https://www.gametracker.com/search/c...elitegamers.ro

Contact me, fastest way, through my discord server:
https://discord.gg/SBHzDGbbgG
xSLOW#0508

Last edited by xSLOW; 12-23-2021 at 14:02. Reason: Updated #6 - Source Query Cacher (for a2s attacks)
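The "IP rate limiting client" console lines in section 6 of the post above are easy to triage automatically. The following is an added example, not code from the guide or from the SourceEngineQueryCacher project: it parses those lines, groups them by source address, and flags the pattern a spoofed A2S flood leaves behind (many distinct source IPs all tripping the limiter in the same window) as opposed to a single over-eager monitoring host. The sample lines (addresses from the 203.0.113.0/24 documentation range) and the `flood_sources` threshold are constructed assumptions for the example, not data from the thread.

```python
import json
import re
import sys
from collections import defaultdict
from typing import Dict, List, Optional

# Shape of the console line shown in section 6 of the guide:
#   IP rate limiting client <ip>:<port> at <hits> hits (<buckets> buckets, <global> global count).
RATE_LIMIT_RE = re.compile(
    r"IP rate limiting client (?P<ip>\S+):(?P<port>\d+) at (?P<hits>\d+) hits "
    r"\((?P<buckets>\d+) buckets, (?P<global>\d+) global count\)\."
)

# Constructed sample console output (documentation-range addresses),
# not a capture from a real server. The last line is ordinary log noise
# that the parser must ignore.
SAMPLE_LOG = """\
IP rate limiting client 203.0.113.10:29823 at 305 hits (14 buckets, 136 global count).
IP rate limiting client 203.0.113.10:6479 at 310 hits (14 buckets, 136 global count).
IP rate limiting client 203.0.113.11:24293 at 301 hits (17 buckets, 116 global count).
IP rate limiting client 203.0.113.12:35475 at 304 hits (17 buckets, 106 global count).
IP rate limiting client 203.0.113.13:30688 at 308 hits (16 buckets, 90 global count).
L 01/20/2022 - 10:00:01: "Player<3><STEAM_1:0:1><CT>" connected, address "203.0.113.50:27005"
"""


def parse_rate_limit_line(line: str) -> Optional[dict]:
    """Return the fields of one rate-limiting line, or None for any other console output."""
    m = RATE_LIMIT_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {"ip": d["ip"], "port": int(d["port"]), "hits": int(d["hits"]),
            "buckets": int(d["buckets"]), "global": int(d["global"])}


def summarize(lines: List[str], flood_sources: int = 3) -> dict:
    """Group limited clients by source IP and flag a likely spoofed A2S flood.

    One monitoring service polling too fast shows up as a single IP with one
    or two source ports. A flood built from spoofed sources (the reason the
    guide says per-IP rate limiting does not help) shows up as many distinct
    IPs all tripping the limiter. `flood_sources` is an assumed threshold for
    this example; tune it to what your own console normally shows.
    """
    per_ip: Dict[str, dict] = defaultdict(lambda: {"ports": set(), "max_hits": 0})
    for line in lines:
        rec = parse_rate_limit_line(line)
        if rec is None:
            continue
        entry = per_ip[rec["ip"]]
        entry["ports"].add(rec["port"])
        entry["max_hits"] = max(entry["max_hits"], rec["hits"])
    distinct_ips = len(per_ip)
    return {
        "distinct_ips": distinct_ips,
        "per_ip": {ip: {"ports": len(v["ports"]), "max_hits": v["max_hits"]}
                   for ip, v in per_ip.items()},
        "likely_spoofed_flood": distinct_ips >= flood_sources,
    }


if __name__ == "__main__":
    # `python triage.py -` reads the server console from stdin; with no
    # argument the constructed sample above is summarized instead.
    if len(sys.argv) > 1 and sys.argv[1] == "-":
        lines = sys.stdin.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    print(json.dumps(summarize(lines), indent=2))
```

On the sample above the summary reports four distinct source addresses and sets `likely_spoofed_flood`; feed it the console lines of a server that is only being polled by one server-list site and it stays quiet, which is the difference between "tune the cacher" and "ignore the message".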
xSLOW
Senior Member
Join Date: Apr 2019
Location: Romania
Old 11-25-2021 , 11:49   Re: Source Servers Security Guide

Added #7 guide -> NetMessages crasher exploit
yuv41
Member
Join Date: Jan 2020
Old 11-28-2021 , 06:52   Re: Source Servers Security Guide

Good guide, will probably help a lot of people, thanks xSLOW
xSLOW
Senior Member
Join Date: Apr 2019
Location: Romania
Old 12-23-2021 , 13:59   Re: Source Servers Security Guide

Quote:
Originally Posted by yuv41
Good guide, will probably help a lot of people, thanks xSLOW
Thanks, that's what I want too
xSLOW
Senior Member
Join Date: Apr 2019
Location: Romania
Old 12-23-2021 , 14:03   Re: Source Servers Security Guide

Updated #6 - Source Query Cacher (for a2s attacks)
Please install the new files to avoid log4j attacks and make it compatible with A2S challenges.
Ryan2
Senior Member
Join Date: Jul 2020
Old 01-19-2022 , 01:49   Re: Source Servers Security Guide

Actually loving this, hope you can continue this thread when needed.
asdfxD
Veteran Member
Join Date: Apr 2011
Old 01-20-2022 , 23:39   Re: Source Servers Security Guide

6. Ip rate limitting error / A2S (aka VSE) DoS attack

Works fine on one of my dedicated servers; on my second dedicated server the CS:GO server on port 27015 becomes invisible in Steam and connecting is not possible when the cacher is running (I do the same as on dedicated 1).
NoDeath
Junior Member
Join Date: Feb 2013
Location: Sweden
Old 01-22-2022 , 08:38   Re: Source Servers Security Guide

[Root access needed] Ip rate limitting error / A2S (aka VSE) DoS attack

After doing this I can no longer see my servers in the community servers list. How do I fix this?
xSLOW
Senior Member
Join Date: Apr 2019
Location: Romania
Old 03-13-2022 , 12:23   Re: Source Servers Security Guide

Quote:
Originally Posted by NoDeath
[Root access needed] IP rate limiting error / A2S (aka VSE) DoS attack

After doing this I can no longer see my servers in the community servers list. How do I fix this?
Quote:
Originally Posted by asdfxD
6. IP rate limiting error / A2S (aka VSE) DoS attack

Works fine on one of my dedicated servers; on my second dedicated server the CS:GO server on port 27015 becomes invisible in Steam and connecting is not possible when the cacher is running (I do the same as on dedicated 1).


Please install my version and read the GitHub thread.


Attention!
This version doesn't support A2S challenges yet; you need to use the LEGACY A2S protocol.
Code:
nano /etc/environment
# paste and save:
STEAM_GAMESERVER_A2S_INFO_STRICT_LEGACY_PROTOCOL=1

# AND RESTART CSGO SERVER


https://github.com/xSL0W/SourceEngineQueryCacher
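Both the cacher setup in section 6 of the first post and the legacy-protocol note in the reply above come down to one question a server owner wants answered after the iptables redirect: does the public port still answer A2S_INFO, and does it do so with or without a challenge round trip? The probe below is an added example, not code from xSLOW's guide or from the SourceEngineQueryCacher project. It implements the documented Source query exchange: the client sends `FF FF FF FF 54 "Source Engine Query\0"`; the server either answers with an info packet (header byte 0x49) or, on builds running the challenge protocol, with a challenge (header byte 0x41 plus 4 bytes) that must be appended to a repeated request. Only the leading info fields are decoded. The host and port arguments and the two sample packets are constructed for the example, not captured traffic.

```python
import socket
import struct
import sys
from typing import Optional, Tuple

# Wire constants of the Source server query protocol.
A2S_INFO_REQUEST = b"\xff\xff\xff\xff\x54" + b"Source Engine Query\x00"
S2C_CHALLENGE = 0x41   # server wants the request repeated with this challenge
S2A_INFO = 0x49        # the actual A2S_INFO reply


def build_a2s_info(challenge: Optional[bytes] = None) -> bytes:
    """A2S_INFO request; servers on the challenge protocol demand 4 extra bytes."""
    if challenge is None:
        return A2S_INFO_REQUEST
    if len(challenge) != 4:
        raise ValueError("challenge must be exactly 4 bytes")
    return A2S_INFO_REQUEST + challenge


def _cstring(buf: bytes, pos: int) -> Tuple[str, int]:
    """Read a NUL-terminated string starting at pos; return (text, next_pos)."""
    end = buf.index(b"\x00", pos)
    return buf[pos:end].decode("utf-8", errors="replace"), end + 1


def parse_a2s_response(data: bytes) -> dict:
    """Classify one reply as a challenge or an info packet.

    Only name, map, folder, game, appid and the player counts are decoded;
    the trailing fields (server type, VAC, version, EDF) are left alone since
    this check only needs to prove that the server, or the cacher in front of
    it, answers on the public port.
    """
    if len(data) < 5 or data[:4] != b"\xff\xff\xff\xff":
        raise ValueError("not a single-packet A2S response")
    kind = data[4]
    if kind == S2C_CHALLENGE:
        if len(data) < 9:
            raise ValueError("truncated challenge packet")
        return {"type": "challenge", "challenge": data[5:9]}
    if kind != S2A_INFO:
        raise ValueError(f"unexpected response header 0x{kind:02x}")
    pos = 6  # skip the header byte (0x49) and the protocol version byte
    name, pos = _cstring(data, pos)
    map_name, pos = _cstring(data, pos)
    folder, pos = _cstring(data, pos)
    game, pos = _cstring(data, pos)
    appid, players, max_players, bots = struct.unpack_from("<HBBB", data, pos)
    return {"type": "info", "protocol": data[5], "name": name, "map": map_name,
            "folder": folder, "game": game, "appid": appid,
            "players": players, "max_players": max_players, "bots": bots}


def query_info(host: str, port: int, timeout: float = 2.0, max_rounds: int = 3) -> dict:
    """Send A2S_INFO and follow the challenge round trip if the server demands one.

    The returned dict carries `challenge_required`, which is what tells a
    server (or cacher) on the challenge protocol apart from one forced to the
    legacy protocol via STEAM_GAMESERVER_A2S_INFO_STRICT_LEGACY_PROTOCOL=1.
    """
    challenge = None
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for _ in range(max_rounds):
            sock.sendto(build_a2s_info(challenge), (host, port))
            data, _ = sock.recvfrom(4096)
            reply = parse_a2s_response(data)
            if reply["type"] == "info":
                reply["challenge_required"] = challenge is not None
                return reply
            challenge = reply["challenge"]
    raise RuntimeError("server kept answering with challenges; cacher/server protocol mismatch?")


# Constructed packets for an offline check of the parser; not captured traffic.
SAMPLE_CHALLENGE = b"\xff\xff\xff\xff\x41" + b"\x12\x34\x56\x78"
SAMPLE_INFO = (b"\xff\xff\xff\xff\x49\x11"
               + b"example server\x00de_dust2\x00csgo\x00Counter-Strike: Global Offensive\x00"
               + struct.pack("<HBBB", 730, 5, 32, 2))

if __name__ == "__main__":
    # usage: python a2s_probe.py <host> <port>   (defaults are assumed values)
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 27015
    info = query_info(host, port)
    print(f"{info['name']} | {info['map']} | {info['players']}/{info['max_players']} "
          f"| challenge required: {info['challenge_required']}")
```

Run it against the public address and port of each game server from a host outside the box (the iptables PREROUTING rules in section 6 do not see locally generated packets). A timeout means the redirect swallowed the query, which is the symptom the two replies above describe; a challenge followed by a timeout means the cacher got the first request but the repeated one with the challenge was not understood, the mismatch the legacy-protocol environment variable works around.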