Server Protection : How to Protect Your Server From Hackers and DOSERS
Description :
Hi. Today I will tell you how to protect your server from hackers and DoSers. I will cover all the methods and also give you the best anti-cheat to protect your server.
I hope you will like it.
We use the following methods to protect our server:
1. SMAC R1.F: this anti-cheat protects the server from hacks such as aimbot, wallhack, etc.
2. SV_PURE: this protects the server from players who use material wallhacks.
3. DAF and DOSP anti-DoS plugins: these two show the DoSer's IP while he/she is attacking.
4. IP-Tables: this is the main protection against DoS and it is very important.
1. SMAC R1.F
Description :
The latest Anti-Cheat for CSS v34. This Anti-Cheat will Protect server from Hackers like Aimbot, Wallhack, etc.
Installation :
1. First download SMAC v34 R1.F.
2. Extract it to your server/cstrike folder.
3. Restart your server or change map.
Admin Commands :
Code:
!smac_status - Show information about current players with SteamID, IP
!smac_addcmd - Adds a command to the block list.
!smac_removecmd - Removes a command from block list.
!smac_addignorecmd - Adds a command to ignore on command spam.
!smac_removeignorecmd - Removes a command from ignore list.
!smac_addcvar - Adds a client cvar to be checked on cvar list.
!smac_removecvar - Removes a cvar from cvar list.
Credits for SMAC.R1.F :
Danyas
2. SV_PURE
Description :
If sv_pure is enabled on a server, the server forces clients to use only files that match the server's. This means any custom files used to modify the textures or sounds of the map are simply ignored, which prevents clients from using certain cheats such as the materials wallhack.
By default sv_pure is set to 0, which means disabled. The sv_pure cvar supports 3 values:
0 - sv_pure is disabled. Custom files from clients are supported on the server.
1 - sv_pure is enabled on the server. Custom files that modify the original game files are not allowed. This setting supports a whitelist file, pure_server_whitelist.txt, in which server owners can allow certain custom files to be used by clients, such as skins, sprays, server plugin files, etc.
2 - sv_pure is enabled on the server. With this setting, no whitelist file is loaded or read by the server. No modified custom files are allowed, including custom files of server plugins. Everything is ignored except the default files of the server and client.
Before the ClientMod API, sv_pure was broken on CS: Source v34 servers. The ClientMod API fixes this bug, so server owners can now use the sv_pure setting on their servers.
Installation :
Install ClientMod Server API on the server.
In cstrike/cfg/sourcemod/ClientMod.cfg, set the value of the CVAR se_allowpure to 1.
In cstrike/cfg/autoexec.cfg, put the cvar sv_pure. Use value 1 or 2, depending on which type of sv_pure setting you want. The sv_pure cvar must be in autoexec.cfg, because on server start or map change this file is loaded first, and only after that server.cfg or any other map config file. If sv_pure is set in server.cfg instead of autoexec.cfg, the first map after server start does not load with the sv_pure setting and some clients' games may crash; the setting only takes effect after the map change. Make sure no other cfg file contains the sv_pure cvar, otherwise it may not work for you.
Download pure_server_whitelist.txt.
Paste pure_server_whitelist.txt in the yourserver/cstrike folder.
CVARs :
Code:
// If set to 1, the server will kick clients with mismatching files. Otherwise, it will issue a warning to the client.
"sv_pure_kick_clients" = "0"
Credits For sv_pure :
SLAYER
Vertigo
3. DAF and DOSP : Anti DOS
Description :
These two anti-DoS plugins show the IP of the DoSer while he/she is attacking the server.
Installation of DAF:
1. Download DAF Windows or DAF Linux.
2. Extract it in the yourserver/cstrike folder.
3. Go to server/cstrike/cfg, open autoexec.cfg and paste this command
4. Restart your server.
5. Type plugin_print in the server console to check whether the plugin is loaded.
Server Console Commands :
Code:
daf_status - Shows currently blocked Attacker's IP addresses from the attacks
daf_reset - Resets all the blocked IP addresses
Credits of DAF :
Drunken F00l
Installation of DOSP :
1. Download DOSP Windows or DOSP Linux.
2. Extract it in the yourserver/cstrike folder.
4. Restart your server.
5. Type meta list in the server console to check whether the plugin is loaded.
Server Console Commands :
Code:
dosp_enable - Enable/Disable DoS Protect Plugin (0 - Disabled, 1 - Enabled)
dosp_status - Shows status of attacks with attacker's IP
dosp_version - Show version information of DoS Protect
Credits of DOSP :
ZombieX2.net
4. IP-Tables : The Most Important Part to Protect Your Server From DOS
Description :
Iptables is the interface used by administrators to interact with Netfilter modules. In other words, it is the program you use to configure the built-in firewall. A lot of people have been asking how to protect a Linux server against denial of service (DoS) attacks. The vast majority of these attacks involve one individual using a scripted program to execute an attack on a single server target. The goal of using iptables here is to handle network traffic before it reaches the server, where it could cause undesired latency for players. Keep in mind that these iptables rules will do nothing in the face of large-scale sustained DoS attacks. With that in mind, effective iptables rules will mitigate script kiddies' DoS, small-scale DoS, and even larger pulsed DoS attacks.
Installation :
NOTE: In this IP-Tables process we use a Linux VPS and server port 27015. If your server port is different from 27015, then wherever you see port 27015 in the section below, change it to your server port.
First go out from your server folder or type
To start out we are going to clear all our old rules and recreate the default chains.
Put These lines one by one.
Code:
iptables -F
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
-F = Flush the selected chain (all the chains in the table if none is given). This is equivalent to deleting all the rules one by one.
-P = Set the policy for the chain to the given target. See the section TARGETS for the legal targets. Only built-in (non-user-defined) chains can have policies, and neither built-in nor user-defined chains can be policy targets.
Now we are going to allow all the traffic we need.
Code:
# Accept anything from localhost
sudo iptables -A INPUT -s 127.0.0.1/32 --jump ACCEPT
# FTP
sudo iptables -A INPUT -p tcp --dport 21 --jump ACCEPT
# SSH
sudo iptables -A INPUT -p tcp --dport ssh --jump ACCEPT
# MySQL
sudo iptables -A INPUT -p tcp --dport 3306 --jump ACCEPT
# Steam Friends Service
sudo iptables -A INPUT -p udp --dport 1200 --jump ACCEPT
# Steam Main UDP
sudo iptables -A INPUT -p udp --dport 27000 --jump ACCEPT
# Steam Main TCP
sudo iptables -A INPUT -p tcp --dport 27020 --jump ACCEPT
sudo iptables -A INPUT -p tcp --dport 27039 --jump ACCEPT
# Steam Dedicated Server HLTV
sudo iptables -A INPUT -p udp --dport 27020 --jump ACCEPT
# Your server info goes here
# (no --jump target on the next rule: it only counts matching packets)
sudo iptables -A INPUT -p udp -d 192.168.10.5 --dport 27015
# Allow rcon to those servers
sudo iptables -A INPUT -p tcp -d 192.168.10.5 --dport 27015 --jump ACCEPT
# Now drop all other traffic to ports 1-1023 :)
sudo iptables -A INPUT -p tcp --dport 1:1023 --jump DROP
sudo iptables -A INPUT -p udp --dport 1:1023 --jump DROP
In the code above there are two lines containing the IP 192.168.10.5 and port 27015.
You need to change them according to your server IP and port. Suppose my server IP is 123.456.78.90 and the port is 27016; then I would write these two lines like this:
Code:
sudo iptables -A INPUT -p udp -d 123.456.78.90 --dport 27016
sudo iptables -A INPUT -p tcp -d 123.456.78.90 --dport 27016 --jump ACCEPT
Here are the options used above and what they do:
-A = Append one or more rules to the end of the selected chain.
-p = Protocol: tcp, udp, icmp, or all
--dport = Destination port
--jump = Tells the firewall what to do if the packet matches the rule
That is all fine for a basic firewall, but it does not help much with a DoS attack that still affects srcds...
To stop that, we can use iptables in combination with another program called fail2ban. Fail2ban (pronounced "Fail 2 Ban") reads logs and takes actions based on what it finds.
First we have to install Fail2Ban:
Code:
apt-get install fail2ban
Now a little configuring.
Create a file called srcdsdos.conf:
Code:
nano /etc/fail2ban/filter.d/srcdsdos.conf
Now download this file with FileZilla from /etc/fail2ban/filter.d/, open it with Notepad++, and copy into it the lines given below:
Code:
[Definition]
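# Matches the 'IPTABLES-FLOOD LENGTH 28: ' and 'IPTABLES-FLOOD LENGTH 46: ' log prefixes written by the REJECT_FLOOD chains
failregex= IPTABLES-FLOOD LENGTH (28|46): IN=eth0 OUT= MAC=[a-fA-F0-9:]+ SRC=<HOST> DST=([0-9]{1,3}\.?){4} LEN=(28|46)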
After copying and pasting, save the file and put it back in the folder you downloaded it from:
/etc/fail2ban/filter.d/
Now open the jail.conf file located in /etc/fail2ban/ using the same steps as above, and paste in the lines given below:
Code:
[srcdsdos]
enabled = true
port = 27015,27025,27035
protocol = udp
filter = srcdsdos
logpath = /var/log/messages.log
maxretry = 3
bantime = 6000
In the code above you can see the line port = 27015,27025,27035. In this line, change port 27015 to your server port if you are not using port 27015 for the server.
Now save the file and put it back in the folder you downloaded it from, /etc/fail2ban/
Now we are going to restart fail2ban:
Code:
/etc/init.d/fail2ban restart
Other commands for fail2ban:
Code:
/etc/init.d/fail2ban stop
/etc/init.d/fail2ban start
Now add these rules :
Code:
# Create the chain that rejects the UDP length-28 flood
sudo iptables -N REJECT_FLOOD28
sudo iptables -A REJECT_FLOOD28 -j LOG --log-prefix 'IPTABLES-FLOOD LENGTH 28: ' --log-level info
sudo iptables -A REJECT_FLOOD28 -j DROP
# Create the chain that rejects the UDP length-46 flood
sudo iptables -N REJECT_FLOOD46
sudo iptables -A REJECT_FLOOD46 -j LOG --log-prefix 'IPTABLES-FLOOD LENGTH 46: ' --log-level info
sudo iptables -A REJECT_FLOOD46 -j DROP
sudo iptables -A INPUT -i eth0 -p udp --dport your_port -m length --length 28 -j REJECT_FLOOD28
sudo iptables -A INPUT -i eth0 -p udp --dport your_port -m length --length 46 -j REJECT_FLOOD46
Again, wherever I typed your_port, delete it and enter your server port.
Now if any DoSer attacks your server, the attack will be stopped and logged in fail2ban.log like this:
Code:
2009-10-14 19:11:43,702 fail2ban.actions: WARNING [srcdsdos] Ban 78.22.165.162
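To see what the srcdsdos filter and the maxretry = 3 setting do with the kernel log, the following added example (not part of the original guide) counts filter matches per source address in a constructed log sample. The function names sample_log and flood_offenders are hypothetical, and fail2ban's findtime window is ignored.

```bash
#!/usr/bin/env bash
# Added example (not from the guide): count filter matches per source address in
# kernel log lines, the way the srcdsdos jail counts them toward maxretry.

# Same shape as the failregex; <HOST> is replaced by a plain IPv4 pattern and both
# prefixes logged by the REJECT_FLOOD28 / REJECT_FLOOD46 chains are accepted.
HOST_RE='([0-9]{1,3}\.){3}[0-9]{1,3}'
FILTER_RE="IPTABLES-FLOOD LENGTH (28|46): IN=eth0 OUT= MAC=[a-fA-F0-9:]+ SRC=${HOST_RE} DST=([0-9]{1,3}\.?){4} LEN=(28|46)"

# Constructed log lines (documentation addresses, shortened MAC field), not real traffic.
sample_log() {
cat <<'EOF'
Oct 14 19:11:40 vps kernel: IPTABLES-FLOOD LENGTH 28: IN=eth0 OUT= MAC=00:16:3e:aa:bb:cc SRC=198.51.100.7 DST=192.168.10.5 LEN=28 TTL=52 PROTO=UDP SPT=40000 DPT=27015 LEN=8
Oct 14 19:11:41 vps kernel: IPTABLES-FLOOD LENGTH 28: IN=eth0 OUT= MAC=00:16:3e:aa:bb:cc SRC=198.51.100.7 DST=192.168.10.5 LEN=28 TTL=52 PROTO=UDP SPT=40000 DPT=27015 LEN=8
Oct 14 19:11:41 vps kernel: IPTABLES-FLOOD LENGTH 46: IN=eth0 OUT= MAC=00:16:3e:aa:bb:cc SRC=203.0.113.9 DST=192.168.10.5 LEN=46 TTL=49 PROTO=UDP SPT=51234 DPT=27015 LEN=26
Oct 14 19:11:42 vps kernel: IPTABLES-FLOOD LENGTH 28: IN=eth0 OUT= MAC=00:16:3e:aa:bb:cc SRC=198.51.100.7 DST=192.168.10.5 LEN=28 TTL=52 PROTO=UDP SPT=40000 DPT=27015 LEN=8
Oct 14 19:11:42 vps kernel: IPTABLES-FLOOD LENGTH 46: IN=eth0 OUT= MAC=00:16:3e:aa:bb:cc SRC=203.0.113.9 DST=192.168.10.5 LEN=46 TTL=49 PROTO=UDP SPT=51234 DPT=27015 LEN=26
Oct 14 19:11:43 vps kernel: IPTABLES-FLOOD LENGTH 28: IN=eth0 OUT= MAC=00:16:3e:aa:bb:cc SRC=192.0.2.44 DST=192.168.10.5 LEN=28 TTL=60 PROTO=UDP SPT=33333 DPT=27015 LEN=8
Oct 14 19:11:43 vps kernel: IPTABLES-FLOOD LENGTH 46: IN=eth0 OUT= MAC=00:16:3e:aa:bb:cc SRC=203.0.113.9 DST=192.168.10.5 LEN=46 TTL=49 PROTO=UDP SPT=51234 DPT=27015 LEN=26
Oct 14 19:11:44 vps kernel: SRCDS-XSQUERY IN=eth0 OUT= MAC=00:16:3e:aa:bb:cc SRC=192.0.2.44 DST=192.168.10.5 LEN=30 TTL=60 PROTO=UDP SPT=33333 DPT=27015 LEN=10
EOF
}

# usage: flood_offenders MAXRETRY < logfile   -> prints "IP COUNT" per offender
flood_offenders() {
  grep -Eo "$FILTER_RE" |
    sed -E 's/.* SRC=([0-9.]+) DST=.*/\1/' |
    sort | uniq -c |
    awk -v n="$1" '$1 >= n { print $2, $1 }'
}

# With maxretry = 3 from the jail, two of the three sources reach the ban threshold.
sample_log | flood_offenders 3
```

On a live system, `fail2ban-regex /var/log/messages.log /etc/fail2ban/filter.d/srcdsdos.conf` runs the installed filter against the real log file.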
Now we make our server harder to reach from the outside world:
The first measure of protection is to develop a white-list of IP addresses that have your permission to access rcon; otherwise, it's best to completely hide rcon from the outside world.
Code:
sudo iptables -A INPUT -p tcp --destination-port 27015 -j LOG --log-prefix "SRCDS-RCON " -m limit --limit 1/m --limit-burst 1
sudo iptables -A INPUT -p tcp --destination-port 27015 -j DROP
Many of the programs available in the nether-regions of the Internet spam queries to the server. These programs have a few commonalities such as the length of their packets. One popular iptables rule blocks anything with length 28. To suppress these attacks, we'll block any packets with a length between 0 and 32. You won't see any valid game packets below 32 bytes.
Code:
sudo iptables -A INPUT -p udp --destination-port 27015 -m length --length 0:32 -j LOG --log-prefix "SRCDS-XSQUERY " --log-ip-options -m limit --limit 1/m --limit-burst 1
sudo iptables -A INPUT -p udp --destination-port 27015 -m length --length 0:32 -j DROP
Similarly, how the game responds to fragmented packets is defined by a few net_ cvars. Check the values of your cvars and configure your firewall rules accordingly. This is the calculation I used to determine the maximum acceptable packet size:
Maximum Size = (`net_maxroutable`) + (`net_splitrate`) * (`net_maxfragments`)
which gives 2520 bytes under the default configuration with a maximum of 32 players allowed on the server.
This means the code below is for a server that at most 32 players can join at a time.
Code:
Cvar :
maxplayers 32
Code:
sudo iptables -A INPUT -p udp --destination-port 27015 -m length --length 2521:65535 -j LOG --log-prefix "SRCDS-XLFRAG " --log-ip-options -m limit --limit 1/m --limit-burst 1
sudo iptables -A INPUT -p udp --destination-port 27015 -m length --length 2521:65535 -j DROP
sudo iptables -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
'New' or unsolicited UDP connections, such as requests to join the game server or miscellaneous queries, will be rate-limited. A hash-limit is used to throttle connection attempts that become excessive. This is so sensitive that hitting 'Refresh' in the server browser window too often will trigger these rules. There are several different options for how to configure the hash-limits, so I'll briefly discuss two different scenarios.
1) You run multiple game servers on different ports but same IP
For this you'd want to make the hash-limit come from the source IP and go to the destination port (srcip,dstport).
Code:
sudo iptables -A INPUT -p udp -m state --state NEW -m hashlimit --hashlimit-mode srcip,dstport --hashlimit-name StopDoS --hashlimit 1/s --hashlimit-burst 3 -j ACCEPT
2) You run a single game server on a single IP
For this it's easier just to specify the source IP for the hash (srcip).
Code:
sudo iptables -A INPUT -p udp -m state --state NEW -m hashlimit --hashlimit-mode srcip --hashlimit-name StopDoS --hashlimit 1/s --hashlimit-burst 3 -j ACCEPT
Finally, for all packets that weren't matched to an acceptance rule above, we'll drop them here.
Code:
sudo iptables -A INPUT -p udp -j LOG --log-prefix "UDP-SPAM " --log-ip-options -m limit --limit 1/m --limit-burst 1
sudo iptables -A INPUT -p udp -j DROP
Now add these lines :
Code:
sudo iptables -A INPUT -p udp --dport 27015 -m hashlimit --hashlimit 50/s --hashlimit-burst 50 --hashlimit-mode srcip --hashlimit-name CSS -j ACCEPT
sudo iptables -A INPUT -p udp --dport 27015 -j DROP
You can write other rules for more accurate filtering!
Code:
sudo iptables -A INPUT -p udp -m udp --dport 27015 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p udp --dport 27015 -m state --state NEW -m hashlimit --hashlimit 100/s --hashlimit-burst 100 --hashlimit-mode srcip --hashlimit-name TF -j ACCEPT
sudo iptables -A INPUT -p udp --dport 27015 -j DROP
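iptables checks the INPUT chain from top to bottom and -A appends to the end, so the order in which these commands are typed is the order in which packets meet the rules. The following added example (not part of the original guide) lists rules that sit behind a protocol-wide ACCEPT or DROP and therefore never match; the listing is constructed from the guide's UDP rules, and the names sample_rules and shadowed_rules are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not from the guide): list INPUT rules that can never match
# because an earlier protocol-wide ACCEPT/DROP/REJECT already ended evaluation.

# Constructed listing: the guide's UDP rules in the order its commands append them.
sample_rules() {
cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -p udp --dport 27015 -m length --length 0:32 -j DROP
-A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p udp -m state --state NEW -m hashlimit --hashlimit-mode srcip --hashlimit-name StopDoS --hashlimit 1/s --hashlimit-burst 3 -j ACCEPT
-A INPUT -p udp -j DROP
-A INPUT -p udp --dport 27015 -m hashlimit --hashlimit 50/s --hashlimit-burst 50 --hashlimit-mode srcip --hashlimit-name CSS -j ACCEPT
-A INPUT -p udp --dport 27015 -j DROP
-A INPUT -s 198.51.100.7/32 -j DROP
EOF
}

# Reads rules in "-A INPUT ..." form on stdin (the form `iptables -S INPUT` prints).
# Assumption: no "!" negations and no quoted arguments containing "-p" or "-j".
shadowed_rules() {
  awk '
    $1 == "-A" && $2 == "INPUT" {
      n++; proto = "any"; target = ""; extra = 0
      for (i = 3; i <= NF; i++) {
        if ($i == "-p") proto = $(++i)
        else if ($i == "-j" || $i == "--jump") target = $(++i)
        else extra++                      # any other match narrows the rule
      }
      if (proto in stop)       print n ": unreachable after rule " stop[proto] ": " $0
      else if ("any" in stop)  print n ": unreachable after rule " stop["any"] ": " $0
      else if (extra == 0 && target ~ /^(ACCEPT|DROP|REJECT)$/)
        stop[proto] = n                   # catch-all: nothing later sees this protocol
    }'
}

# Rules 5 and 6 are reported: they were appended after the catch-all UDP DROP (rule 4).
sample_rules | shadowed_rules
```

On a live server the same check can be fed with `sudo iptables -S INPUT | shadowed_rules`.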
So that the rules are restored after the computer (VPS) restarts, you need to execute:
Code:
sudo sh -c 'iptables-save > /etc/iptables.rules'
Make this file executable:
Code:
sudo chmod +x /etc/iptables.rules
and add the line given below to the file located at /etc/rc.local:
Code:
sudo iptables-restore < /etc/iptables.rules
Protecting the server by banning the DoSer's IP through IP-Tables:
Install the DAF/DOSP plugin which we discussed above in Point 3! Further, if there was a DoS attack, look in the log to see which IP address the attack came from, and BAN that IP address through iptables! Ban on iptables is a very reliable thing, I checked it myself =)!
Offtopic: Although it is written that this DAF/DOSP plugin protects the server from DoS, in my opinion and experience it doesn't protect a little bit from DoS. These plugins ONLY SHOW the IP of the DoSer.
You should ban through iptables like this:
Code:
sudo iptables -A INPUT -s xxx.xxx.xxx.xxx -j DROP
Where xxx.xxx.xxx.xxx is the DoSer's IP address!
If the DoSer has a dynamic IP, changes the IP and continues the DoS, then we ban a subnet or several subnets!
Code:
sudo iptables -A INPUT -s xxx.xxx.xxx.0/24 -j DROP
Example:
Code:
# This bans the range of IP addresses from 187.34.232.0 to 187.34.232.255 through iptables
sudo iptables -A INPUT -s 187.34.232.0/24 -j DROP
Unban an IP like this:
Code:
sudo iptables -D INPUT -s xxx.xxx.xxx.xxx -j DROP
Note 1:
By the way, a ban on iptables does not seem to be a ban on the CS: S server; that is, a user banned on iptables will be able to play on your server, but will not be able to DoS!
If you want to ban the DoSer from both IP-Tables and the server, you can do it like this:
Code:
sudo iptables -A INPUT -s xxx.xxx.xxx.xxx -p udp -m udp --dport 27015:27018 -j DROP
Where xxx.xxx.xxx.xxx is the DoSer's IP address!
Then the banned person will not be able to play on these ports.
Note 2:
And yet, all these rules and bans protect only against external DoS attacks, i.e. DoS done through all kinds of flood programs without joining the server! For scripts that flood commands into the console on the server itself, you can try using KAC Anti-Cheat!
Note 3:
The information I gave you above will protect your server 50% to 70%, because CSS is nearly dead and no one cares about it. The whole community is moving to CSGO. The methods I described are good methods to protect a server.
Tips:
1. Always run your server on a Linux VPS.
2. If you want to stop real DoS, you need to buy a VPS from a provider that gives you DoS protection. Google Cloud, for example, gives you DoS protection, and it is also my experience that a server running on Google Cloud has a 20% to 30% chance of being DoSed.
Things to remember:
1. Never trust anti-DoS plugins; they ONLY show the IPs of small-time DoSers. The best DoSer can crash your server in a minute.
2. Adding all the IP-Tables rules I gave you above will protect your server 50% to 60%. Yes, it's the truth: you can't save your server from the best DoSer, but you can stop small-scale DoS.
Credits :
Vertigo: Thanks to Vertigo for helping me bring this information to you
Original Thread :
RIS Website : SLAYER