[DarthNinja]

[Any] Rcon Password Protect
Version 1.1.0

Description:

Very basic plugin - if an admin tries to view or change the rcon password using sm_cvar or sm_rcon they will be denied and their info logged.
Users will only be able to access the rcon password via rcon rcon_password, in which case the obviously already have it.

Commands:

~None

Cvars:

sm_rpp_version - Version

Install Instructions:

1. Drag and drop.

Notes:

The log file is saved to /logs/RCON_PASSWORD_EXPLOITS.log and lists the client's name, steamid, time, etc.

ToDo:

• Nothing

Version History:

• V1.0.0
  
  • Initial Release
• V1.1.0
  • Code cleanup
  • Now uses Plugin_Stop

Total downloads prior to last edit: 818

[sinblaster]

cheers I'll have a look. Will you be adding any punishment system or something to make one alert of an attempt. If someone tries to steal rcon pass, the first you know about it is if you check logs, is this correct?

[DarthNinja]

Quote:

Originally Posted by sinblaster cheers I'll have a look. Will you be adding any punishment system or something to make one alert of an attempt. If someone tries to steal rcon pass, the first you know about it is if you check logs, is this correct?

I can add kick/ban support if you/anyone want that.
At the moment, they are denied and logged, so yes you would have to check your logs.

The log file is only created if someone is caught, so if you see it on your server, you should have a look inside it.

[delirium_trigger]

There is a lot of exploitation in L4D2 with downloading cfg files from servers and sending false packets of data to get authentication.

Somehow there are players who are able to get root admin to my server with this plugin installed. I am still not 100% the direct method they are using. I already have consistency enforced and sv_allowupload 0. However, players are still able to get to it.

Do you have any suggestions or any other ways of protecting my server?

[DarthNinja]

delirium_trigger:
Please read the description.

-Edit:
Do you have ServerSecure installed?

[sinblaster]

Quote:

Somehow there are players who are able to get root admin to my server with this plugin installed.

Bugger that
For your download issue, this?
[VSP] Anti-flood plugin "Serversecure"

[blue zebra]

One question.
Can you add that function to your script: (?)
Only for the admins from the admins_simple.ini can send the rcon_password cvar to the server? Anyone else must be kicked or banned from the server when he send this cvar to the server? On my servers, my logs full with the: Bad rcon password ......... rows. Too many loser try to cracking these servers.
(sorry for my bad english)

[DarthNinja]

PHP Code:


// Number of minutes to ban users who fail rcon authentication
sv_rcon_banpenalty 1440

// Max number of times a user can fail rcon authentication before being banned
sv_rcon_maxfailures 5 


??

[sinblaster]

Quote:

Originally Posted by DarthNinja PHP Code: // Number of minutes to ban users who fail rcon authentication sv_rcon_banpenalty 1440 // Max number of times a user can fail rcon authentication before being banned sv_rcon_maxfailures 5  ??

Whats the ?? lol are you asking if this is a good idea? My answer is yes. It looks great

[DarthNinja]

Quote:

Originally Posted by sinblaster Whats the ?? lol are you asking if this is a good idea? My answer is yes. It looks great

I was responding to the post above mine.
Said poster's problem would appear to be fixed by the usage of said cvars.