https://wiki.alliedmods.net/api.php?action=feedcontributions&feedformat=atom&user=DevicenullAlliedModders Wiki - User contributions [en]2026-05-08T18:10:49ZUser contributionsMediaWiki 1.31.6https://wiki.alliedmods.net/index.php?title=SRCDS_Hardening&diff=7682SRCDS Hardening2010-04-20T16:56:15Z<p>Devicenull: /* Special name characters */</p>
<hr />
<div>= Securing your server = <br />
== General Tips == <br />
* Do not enable sv_cheats, do not run any plugins that do so.<br />
* [http://www.goodpassword.com/ Use secure passwords.] This should be obvious, but your clan name is not a good rcon password, nor is "password".<br />
* Don't blindly give admin out. Depending on what flags you give people, you could allow them to take over the server.<br />
* Don't piss people off. Many servers get attacked because players get pissed off that admins are abusing them.<br />
<br />
== File Permissions ==<br />
If you are running your own server (not renting one from a GSP), there are some things you can do to prevent many of the more malicious exploits. The basic theory here is to give srcds as little access to the machine as possible. It only needs write access to the following directories:<br />
* downloads/<br />
* cache/<br />
* addons/sourcemod/gamedata/<br />
* addons/sourcemod/data/<br />
* addons/sourcemod/logs/<br />
* logs/<br />
Note that some plugins rely on being able to write to directories other then these, and permissions may break them. At the very least, it's a good idea to make sure srcds is running as a user that does not have permission to change anything outside of it's own directory. That will prevent your machine from being comprised and made into a botnet client.<br />
<br />
== Plugins ==<br />
There are a few plugins that can be installed to prevent exploits. Some of the recommended ones include [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix], [https://forums.alliedmods.net/showthread.php?p=779851 Forlix FloodCheck], [https://forums.alliedmods.net/showthread.php?t=109453 D-FENS], and [http://www.sourceop.com/modules.php?name=Downloads&d_op=viewdownload&cid=9 DAF].<br />
<br />
Many of the Eventscripts plugins that claim to fix exploits are mostly useless at best, or actively harmful to your server at worst. If you are running the plugins listed in the previous paragraph, you do not need anything else to protect your server. Installing extra plugins other then those will likely cause issues with your server, and is not recommended.<br />
<br />
= Current Exploits =<br />
<br />
== Crashes ==<br />
<br />
=== Invalid RCON Crash ===<br />
SRCDS will crash on some machines if you attempt to use an incorrect rcon password too many times. It seems that some machines are affected by this, while others are not. Valve has been notified a few times, and has been unwilling/unable to fix this.<br />
<br />
*Fix: Firewall off rcon (TCP port 27015) from everyone except for certain whitelisted IP's.<br />
<br />
=== HalfConnected Crash ===<br />
If a command is received as the client is connecting, the server will crash or enter a state where it does not accept new connections, but has not crashed. This exploit can also happen if you remove the players entity, which shouldn't happen under normal circumstances. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix]<br />
<br />
=== Disconnect Crash ===<br />
Using modified clients, it is possible to send disconnect messages with large numbers of special characters. These have a variety of effects, including crashing the server or crashing all connected clients.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix]<br />
<br />
=== "K" packet Crash ===<br />
Using modified clients, it is possible to send a Steam auth packet that contains an invalid header length. Upon receiving this packet, the server will crash.<br />
<br />
*Fix: 4/19/10: Apply the latest steam beta patch. Run hldsupdatetool with "-beta cs0419" to get this.<br />
<br />
== Takeover == <br />
=== ent_fire server takeover ===<br />
If cheats are enabled on a server, the point_servercommand entity can be created, which can be used by clients to execute rcon commands on the server. Premade scripts exist for this that will change the rcon password, and add the client as an admin. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] will prevent the rcon password from being changed, as well as disallowing the point_servercommand entity. The alternative is to not run with sv_cheats 1, and take other measures to ensure it is never enabled.<br />
=== ES_Tools changelevel exploit ===<br />
The "changelevel" command can be abused when ES_tools is running to execute commands on the server<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] will prevent this. Alternatively, remove es_tools if at all possible.<br />
=== File upload/download ===<br />
It's possible to convince the server to let you upload or download random files from it. Valve has been attempting to fix this, but there still seem to be some workarounds to their fixes.<br />
<br />
If you are running your own servers (not rented from a GSP), you can set file permissions on them to fix the upload issue.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?t=109453 dfens] will prevent this.<br />
<br />
== Lag/DOS ==<br />
=== A2C_PRINT Spam ===<br />
SRCDS does not do any sort of authentication on A2C_PRINT messages. This means that anyone can print messages to the servers console, simply by sending UDP packets. It seems this is a legacy feature, and is not actually used by anything. Valve has been notified, and doesn't see this as a problem.<br />
<br />
*Fix: Block any packets beginning with \xFF\xFF\xFF\xFF\x6C or run [http://www.sourceop.com/modules.php?name=Downloads&d_op=viewdownload&cid=9 DAF]<br />
=== A2S_INFO Spam ===<br />
If large numbers of A2S_INFO packets are sent at the server, the FPS will severely drop, making the server essentially unplayable. Since these packets can be spoofed, rate limiting one IP is fairly useless<br />
<br />
*Fix: You can use sv_max_queries_sec_global to limit this, though that would mean your server would be invisible on the master server list while the attacks are in progress. [https://forums.alliedmods.net/showthread.php?t=114787 Query Cache] (a SM extension) will also work.<br />
*'''Fixed in:''' TF2 (partial fix) (August 13, 2009)<br />
<br />
=== Command spam ===<br />
Various commands built into the game can be spammed to lag or crash the server. Some of these commands can cause the ingame physiscs to freeze up. The fix for most of these is quite simple, just disable them by adding the cheats flag. Valve has been notified, and fixes commands in the occasional patch.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=779851 Forlix FloodCheck] can be used to kick players who have been caught spamming, [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] adds the cheats flag to most of the known commands. [https://forums.alliedmods.net/showthread.php?p=880328 Scortched Earth] will disable all commands except for those on a whitelist, which is the "better" way to fix this, but can break other addons.<br />
<br />
=== Bell characters in name ===<br />
If your name contains bell characters, this can be used to lag the server on windows.<br />
<br />
Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] will kick players with these characters in their name.<br />
=== Force fullupdate ===<br />
If you send an empty packet to the server, you can force it to send you the full state of the game, which will lag the server if done enough. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [http://www.sourceop.com/modules.php?name=Downloads&d_op=viewdownload&cid=9 DAF] has a partial workaround<br />
<br />
== Annoyances ==<br />
=== Teleport exploit ===<br />
If you use very large values for your mouse sensitivity, you can overwrite your X and Y coordinates, letting you teleport around. This has the potential to crash the server as well. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] has a partial fix for this.<br />
*'''Fixed in:''' TF2 (July 14 2009)<br />
=== Clientside plugins ===<br />
The VSP interface built into the game can be used to load plugins on the game client, allowing them to change cheat-flagged cvars. This can allow them to have wallhacks, or alter weapon recharge rates. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] has a partial fix for this.<br />
=== Empty name / unconnected ===<br />
Players can set their name to an empty string using the setinfo console command. Some admin plugins will be unable to kick or perform other actions on them. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] will automatically kick anyone found to have an empty name<br />
=== Special name characters ===<br />
If certain special characters are added to your name, you can create messages that appear to be sent by the server administrator.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix]<br />
<br />
= Fixed Exploits = <br />
== Memory corruption crash ==<br />
See [http://aluigi.altervista.org/adv/sourcefraghof-adv.txt this link]<br />
<br />
Fix: none<br />
*'''Fixed in:''' Orangebox, L4D (August 21 2009) CSS (August 25 2009)<br />
<br />
== Arbitrary file upload ==<br />
See [http://aluigi.altervista.org/adv/sourceupfile-adv.txt this link]<br />
<br />
Fix: [https://forums.alliedmods.net/showthread.php?p=905647 File upload exploit fix]<br />
*'''Fixed in:''' Orangebox, L4D (August 21 2009) CSS (August 25 2009)<br />
<br />
== "ProcessClientInfo: SourceTV can not connect to game directly" crash ==<br />
See [http://aluigi.altervista.org/adv/sourcenotvnull-adv.txt this link]<br />
<br />
Fix: Add "tv_enable 1" to cfg/autoexec.cfg, and (optionally) "tv_enable 0" to server.cfg (You only need tv_enable 0 if you don't want sourcetv)<br />
*'''Fixed in:''' Orangebox, L4D (August 21 2009) CSS (August 25 2009)<br />
<br />
== Player disconnect crash ==<br />
See [http://aluigi.altervista.org/adv/sourcefs-adv.txt this link]<br />
<br />
Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] has what may be a partial fix. <br />
*'''Fixed in:''' Orangebox, L4D (August 21 2009) CSS (August 25 2009)</div>Devicenullhttps://wiki.alliedmods.net/index.php?title=SRCDS_Hardening&diff=7681SRCDS Hardening2010-04-20T16:53:48Z<p>Devicenull: /* Command spam */</p>
<hr />
<div>= Securing your server = <br />
== General Tips == <br />
* Do not enable sv_cheats, do not run any plugins that do so.<br />
* [http://www.goodpassword.com/ Use secure passwords.] This should be obvious, but your clan name is not a good rcon password, nor is "password".<br />
* Don't blindly give admin out. Depending on what flags you give people, you could allow them to take over the server.<br />
* Don't piss people off. Many servers get attacked because players get pissed off that admins are abusing them.<br />
<br />
== File Permissions ==<br />
If you are running your own server (not renting one from a GSP), there are some things you can do to prevent many of the more malicious exploits. The basic theory here is to give srcds as little access to the machine as possible. It only needs write access to the following directories:<br />
* downloads/<br />
* cache/<br />
* addons/sourcemod/gamedata/<br />
* addons/sourcemod/data/<br />
* addons/sourcemod/logs/<br />
* logs/<br />
Note that some plugins rely on being able to write to directories other then these, and permissions may break them. At the very least, it's a good idea to make sure srcds is running as a user that does not have permission to change anything outside of it's own directory. That will prevent your machine from being comprised and made into a botnet client.<br />
<br />
== Plugins ==<br />
There are a few plugins that can be installed to prevent exploits. Some of the recommended ones include [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix], [https://forums.alliedmods.net/showthread.php?p=779851 Forlix FloodCheck], [https://forums.alliedmods.net/showthread.php?t=109453 D-FENS], and [http://www.sourceop.com/modules.php?name=Downloads&d_op=viewdownload&cid=9 DAF].<br />
<br />
Many of the Eventscripts plugins that claim to fix exploits are mostly useless at best, or actively harmful to your server at worst. If you are running the plugins listed in the previous paragraph, you do not need anything else to protect your server. Installing extra plugins other then those will likely cause issues with your server, and is not recommended.<br />
<br />
= Current Exploits =<br />
<br />
== Crashes ==<br />
<br />
=== Invalid RCON Crash ===<br />
SRCDS will crash on some machines if you attempt to use an incorrect rcon password too many times. It seems that some machines are affected by this, while others are not. Valve has been notified a few times, and has been unwilling/unable to fix this.<br />
<br />
*Fix: Firewall off rcon (TCP port 27015) from everyone except for certain whitelisted IP's.<br />
<br />
=== HalfConnected Crash ===<br />
If a command is received as the client is connecting, the server will crash or enter a state where it does not accept new connections, but has not crashed. This exploit can also happen if you remove the players entity, which shouldn't happen under normal circumstances. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix]<br />
<br />
=== Disconnect Crash ===<br />
Using modified clients, it is possible to send disconnect messages with large numbers of special characters. These have a variety of effects, including crashing the server or crashing all connected clients.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix]<br />
<br />
=== "K" packet Crash ===<br />
Using modified clients, it is possible to send a Steam auth packet that contains an invalid header length. Upon receiving this packet, the server will crash.<br />
<br />
*Fix: 4/19/10: Apply the latest steam beta patch. Run hldsupdatetool with "-beta cs0419" to get this.<br />
<br />
== Takeover == <br />
=== ent_fire server takeover ===<br />
If cheats are enabled on a server, the point_servercommand entity can be created, which can be used by clients to execute rcon commands on the server. Premade scripts exist for this that will change the rcon password, and add the client as an admin. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] will prevent the rcon password from being changed, as well as disallowing the point_servercommand entity. The alternative is to not run with sv_cheats 1, and take other measures to ensure it is never enabled.<br />
=== ES_Tools changelevel exploit ===<br />
The "changelevel" command can be abused when ES_tools is running to execute commands on the server<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] will prevent this. Alternatively, remove es_tools if at all possible.<br />
=== File upload/download ===<br />
It's possible to convince the server to let you upload or download random files from it. Valve has been attempting to fix this, but there still seem to be some workarounds to their fixes.<br />
<br />
If you are running your own servers (not rented from a GSP), you can set file permissions on them to fix the upload issue.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?t=109453 dfens] will prevent this.<br />
<br />
== Lag/DOS ==<br />
=== A2C_PRINT Spam ===<br />
SRCDS does not do any sort of authentication on A2C_PRINT messages. This means that anyone can print messages to the servers console, simply by sending UDP packets. It seems this is a legacy feature, and is not actually used by anything. Valve has been notified, and doesn't see this as a problem.<br />
<br />
*Fix: Block any packets beginning with \xFF\xFF\xFF\xFF\x6C or run [http://www.sourceop.com/modules.php?name=Downloads&d_op=viewdownload&cid=9 DAF]<br />
=== A2S_INFO Spam ===<br />
If large numbers of A2S_INFO packets are sent at the server, the FPS will severely drop, making the server essentially unplayable. Since these packets can be spoofed, rate limiting one IP is fairly useless<br />
<br />
*Fix: You can use sv_max_queries_sec_global to limit this, though that would mean your server would be invisible on the master server list while the attacks are in progress. [https://forums.alliedmods.net/showthread.php?t=114787 Query Cache] (a SM extension) will also work.<br />
*'''Fixed in:''' TF2 (partial fix) (August 13, 2009)<br />
<br />
=== Command spam ===<br />
Various commands built into the game can be spammed to lag or crash the server. Some of these commands can cause the ingame physiscs to freeze up. The fix for most of these is quite simple, just disable them by adding the cheats flag. Valve has been notified, and fixes commands in the occasional patch.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=779851 Forlix FloodCheck] can be used to kick players who have been caught spamming, [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] adds the cheats flag to most of the known commands. [https://forums.alliedmods.net/showthread.php?p=880328 Scortched Earth] will disable all commands except for those on a whitelist, which is the "better" way to fix this, but can break other addons.<br />
<br />
=== Bell characters in name ===<br />
If your name contains bell characters, this can be used to lag the server on windows.<br />
<br />
Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] will kick players with these characters in their name.<br />
=== Force fullupdate ===<br />
If you send an empty packet to the server, you can force it to send you the full state of the game, which will lag the server if done enough. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [http://www.sourceop.com/modules.php?name=Downloads&d_op=viewdownload&cid=9 DAF] has a partial workaround<br />
<br />
== Annoyances ==<br />
=== Teleport exploit ===<br />
If you use very large values for your mouse sensitivity, you can overwrite your X and Y coordinates, letting you teleport around. This has the potential to crash the server as well. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] has a partial fix for this.<br />
*'''Fixed in:''' TF2 (July 14 2009)<br />
=== Clientside plugins ===<br />
The VSP interface built into the game can be used to load plugins on the game client, allowing them to change cheat-flagged cvars. This can allow them to have wallhacks, or alter weapon recharge rates. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] has a partial fix for this.<br />
=== Empty name / unconnected ===<br />
Players can set their name to an empty string using the setinfo console command. Some admin plugins will be unable to kick or perform other actions on them. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] will automatically kick anyone found to have an empty name<br />
=== Special name characters ===<br />
If certain special characters are added to your name, you can create messages that appear to be sent by the server administrator.<br />
<br />
*Fix: None currently known.<br />
<br />
= Fixed Exploits = <br />
== Memory corruption crash ==<br />
See [http://aluigi.altervista.org/adv/sourcefraghof-adv.txt this link]<br />
<br />
Fix: none<br />
*'''Fixed in:''' Orangebox, L4D (August 21 2009) CSS (August 25 2009)<br />
<br />
== Arbitrary file upload ==<br />
See [http://aluigi.altervista.org/adv/sourceupfile-adv.txt this link]<br />
<br />
Fix: [https://forums.alliedmods.net/showthread.php?p=905647 File upload exploit fix]<br />
*'''Fixed in:''' Orangebox, L4D (August 21 2009) CSS (August 25 2009)<br />
<br />
== "ProcessClientInfo: SourceTV can not connect to game directly" crash ==<br />
See [http://aluigi.altervista.org/adv/sourcenotvnull-adv.txt this link]<br />
<br />
Fix: Add "tv_enable 1" to cfg/autoexec.cfg, and (optionally) "tv_enable 0" to server.cfg (You only need tv_enable 0 if you don't want sourcetv)<br />
*'''Fixed in:''' Orangebox, L4D (August 21 2009) CSS (August 25 2009)<br />
<br />
== Player disconnect crash ==<br />
See [http://aluigi.altervista.org/adv/sourcefs-adv.txt this link]<br />
<br />
Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] has what may be a partial fix. <br />
*'''Fixed in:''' Orangebox, L4D (August 21 2009) CSS (August 25 2009)</div>Devicenullhttps://wiki.alliedmods.net/index.php?title=SRCDS_Hardening&diff=7680SRCDS Hardening2010-04-20T16:53:04Z<p>Devicenull: /* File Permissions */</p>
<hr />
<div>= Securing your server = <br />
== General Tips == <br />
* Do not enable sv_cheats, do not run any plugins that do so.<br />
* [http://www.goodpassword.com/ Use secure passwords.] This should be obvious, but your clan name is not a good rcon password, nor is "password".<br />
* Don't blindly give admin out. Depending on what flags you give people, you could allow them to take over the server.<br />
* Don't piss people off. Many servers get attacked because players get pissed off that admins are abusing them.<br />
<br />
== File Permissions ==<br />
If you are running your own server (not renting one from a GSP), there are some things you can do to prevent many of the more malicious exploits. The basic theory here is to give srcds as little access to the machine as possible. It only needs write access to the following directories:<br />
* downloads/<br />
* cache/<br />
* addons/sourcemod/gamedata/<br />
* addons/sourcemod/data/<br />
* addons/sourcemod/logs/<br />
* logs/<br />
Note that some plugins rely on being able to write to directories other then these, and permissions may break them. At the very least, it's a good idea to make sure srcds is running as a user that does not have permission to change anything outside of it's own directory. That will prevent your machine from being comprised and made into a botnet client.<br />
<br />
== Plugins ==<br />
There are a few plugins that can be installed to prevent exploits. Some of the recommended ones include [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix], [https://forums.alliedmods.net/showthread.php?p=779851 Forlix FloodCheck], [https://forums.alliedmods.net/showthread.php?t=109453 D-FENS], and [http://www.sourceop.com/modules.php?name=Downloads&d_op=viewdownload&cid=9 DAF].<br />
<br />
Many of the Eventscripts plugins that claim to fix exploits are mostly useless at best, or actively harmful to your server at worst. If you are running the plugins listed in the previous paragraph, you do not need anything else to protect your server. Installing extra plugins other then those will likely cause issues with your server, and is not recommended.<br />
<br />
= Current Exploits =<br />
<br />
== Crashes ==<br />
<br />
=== Invalid RCON Crash ===<br />
SRCDS will crash on some machines if you attempt to use an incorrect rcon password too many times. It seems that some machines are affected by this, while others are not. Valve has been notified a few times, and has been unwilling/unable to fix this.<br />
<br />
*Fix: Firewall off rcon (TCP port 27015) from everyone except for certain whitelisted IP's.<br />
<br />
=== HalfConnected Crash ===<br />
If a command is received as the client is connecting, the server will crash or enter a state where it does not accept new connections, but has not crashed. This exploit can also happen if you remove the players entity, which shouldn't happen under normal circumstances. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix]<br />
<br />
=== Disconnect Crash ===<br />
Using modified clients, it is possible to send disconnect messages with large numbers of special characters. These have a variety of effects, including crashing the server or crashing all connected clients.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix]<br />
<br />
=== "K" packet Crash ===<br />
Using modified clients, it is possible to send a Steam auth packet that contains an invalid header length. Upon receiving this packet, the server will crash.<br />
<br />
*Fix: 4/19/10: Apply the latest steam beta patch. Run hldsupdatetool with "-beta cs0419" to get this.<br />
<br />
== Takeover == <br />
=== ent_fire server takeover ===<br />
If cheats are enabled on a server, the point_servercommand entity can be created, which can be used by clients to execute rcon commands on the server. Premade scripts exist for this that will change the rcon password, and add the client as an admin. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] will prevent the rcon password from being changed, as well as disallowing the point_servercommand entity. The alternative is to not run with sv_cheats 1, and take other measures to ensure it is never enabled.<br />
=== ES_Tools changelevel exploit ===<br />
The "changelevel" command can be abused when ES_tools is running to execute commands on the server<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] will prevent this. Alternatively, remove es_tools if at all possible.<br />
=== File upload/download ===<br />
It's possible to convince the server to let you upload or download random files from it. Valve has been attempting to fix this, but there still seem to be some workarounds to their fixes.<br />
<br />
If you are running your own servers (not rented from a GSP), you can set file permissions on them to fix the upload issue.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?t=109453 dfens] will prevent this.<br />
<br />
== Lag/DOS ==<br />
=== A2C_PRINT Spam ===<br />
SRCDS does not do any sort of authentication on A2C_PRINT messages. This means that anyone can print messages to the servers console, simply by sending UDP packets. It seems this is a legacy feature, and is not actually used by anything. Valve has been notified, and doesn't see this as a problem.<br />
<br />
*Fix: Block any packets beginning with \xFF\xFF\xFF\xFF\x6C or run [http://www.sourceop.com/modules.php?name=Downloads&d_op=viewdownload&cid=9 DAF]<br />
=== A2S_INFO Spam ===<br />
If large numbers of A2S_INFO packets are sent at the server, the FPS will severely drop, making the server essentially unplayable. Since these packets can be spoofed, rate limiting one IP is fairly useless<br />
<br />
*Fix: You can use sv_max_queries_sec_global to limit this, though that would mean your server would be invisible on the master server list while the attacks are in progress. [https://forums.alliedmods.net/showthread.php?t=114787 Query Cache] (a SM extension) will also work.<br />
*'''Fixed in:''' TF2 (partial fix) (August 13, 2009)<br />
<br />
=== Command spam ===<br />
Various commands built into the game can be spammed to lag or crash the server. The fix for most of these is quite simple, just disable them by adding the cheats flag. Valve has been notified, and fixes commands in the occasional patch.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=779851 Forlix FloodCheck] can be used to kick players who have been caught spamming, [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] adds the cheats flag to most of the known commands. [https://forums.alliedmods.net/showthread.php?p=880328 Scortched Earth] will disable all commands except for those on a whitelist, which is the "better" way to fix this, but can break other addons.<br />
=== Bell characters in name ===<br />
If your name contains bell characters, this can be used to lag the server on windows.<br />
<br />
Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] will kick players with these characters in their name.<br />
=== Force fullupdate ===<br />
If you send an empty packet to the server, you can force it to send you the full state of the game, which will lag the server if done enough. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [http://www.sourceop.com/modules.php?name=Downloads&d_op=viewdownload&cid=9 DAF] has a partial workaround<br />
<br />
== Annoyances ==<br />
=== Teleport exploit ===<br />
If you use very large values for your mouse sensitivity, you can overwrite your X and Y coordinates, letting you teleport around. This has the potential to crash the server as well. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] has a partial fix for this.<br />
*'''Fixed in:''' TF2 (July 14 2009)<br />
=== Clientside plugins ===<br />
The VSP interface built into the game can be used to load plugins on the game client, allowing them to change cheat-flagged cvars. This can allow them to have wallhacks, or alter weapon recharge rates. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] has a partial fix for this.<br />
=== Empty name / unconnected ===<br />
Players can set their name to an empty string using the setinfo console command. Some admin plugins will be unable to kick or perform other actions on them. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] will automatically kick anyone found to have an empty name<br />
=== Special name characters ===<br />
If certain special characters are added to your name, you can create messages that appear to be sent by the server administrator.<br />
<br />
*Fix: None currently known.<br />
<br />
= Fixed Exploits = <br />
== Memory corruption crash ==<br />
See [http://aluigi.altervista.org/adv/sourcefraghof-adv.txt this link]<br />
<br />
Fix: none<br />
*'''Fixed in:''' Orangebox, L4D (August 21 2009) CSS (August 25 2009)<br />
<br />
== Arbitrary file upload ==<br />
See [http://aluigi.altervista.org/adv/sourceupfile-adv.txt this link]<br />
<br />
Fix: [https://forums.alliedmods.net/showthread.php?p=905647 File upload exploit fix]<br />
*'''Fixed in:''' Orangebox, L4D (August 21 2009) CSS (August 25 2009)<br />
<br />
== "ProcessClientInfo: SourceTV can not connect to game directly" crash ==<br />
See [http://aluigi.altervista.org/adv/sourcenotvnull-adv.txt this link]<br />
<br />
Fix: Add "tv_enable 1" to cfg/autoexec.cfg, and (optionally) "tv_enable 0" to server.cfg (You only need tv_enable 0 if you don't want sourcetv)<br />
*'''Fixed in:''' Orangebox, L4D (August 21 2009) CSS (August 25 2009)<br />
<br />
== Player disconnect crash ==<br />
See [http://aluigi.altervista.org/adv/sourcefs-adv.txt this link]<br />
<br />
Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] has what may be a partial fix. <br />
*'''Fixed in:''' Orangebox, L4D (August 21 2009) CSS (August 25 2009)</div>Devicenullhttps://wiki.alliedmods.net/index.php?title=SRCDS_Hardening&diff=7679SRCDS Hardening2010-04-20T16:52:28Z<p>Devicenull: </p>
<hr />
<div>= Securing your server = <br />
== General Tips == <br />
* Do not enable sv_cheats, do not run any plugins that do so.<br />
* [http://www.goodpassword.com/ Use secure passwords.] This should be obvious, but your clan name is not a good rcon password, nor is "password".<br />
* Don't blindly give admin out. Depending on what flags you give people, you could allow them to take over the server.<br />
* Don't piss people off. Many servers get attacked because players get pissed off that admins are abusing them.<br />
<br />
== File Permissions ==<br />
If you are running your own server (not renting one from a GSP), there are some things you can do to prevent many of the more malicious exploits. The basic theory here is to give srcds as little access to the machine as possible. It only needs write access to the following directories:<br />
* downloads/<br />
* cache/<br />
* addons/sourcemod/gamedata/<br />
* addons/sourcemod/data<br />
Note that some plugins rely on being able to write to directories other then these, and permissions may break them. At the very least, it's a good idea to make sure srcds is running as a user that does not have permission to change anything outside of it's own directory. That will prevent your machine from being comprised and made into a botnet client.<br />
<br />
== Plugins ==<br />
There are a few plugins that can be installed to prevent exploits. Some of the recommended ones include [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix], [https://forums.alliedmods.net/showthread.php?p=779851 Forlix FloodCheck], [https://forums.alliedmods.net/showthread.php?t=109453 D-FENS], and [http://www.sourceop.com/modules.php?name=Downloads&d_op=viewdownload&cid=9 DAF].<br />
<br />
Many of the Eventscripts plugins that claim to fix exploits are mostly useless at best, or actively harmful to your server at worst. If you are running the plugins listed in the previous paragraph, you do not need anything else to protect your server. Installing extra plugins other then those will likely cause issues with your server, and is not recommended.<br />
<br />
= Current Exploits =<br />
<br />
== Crashes ==<br />
<br />
=== Invalid RCON Crash ===<br />
SRCDS will crash on some machines if you attempt to use an incorrect rcon password too many times. It seems that some machines are affected by this, while others are not. Valve has been notified a few times, and has been unwilling/unable to fix this.<br />
<br />
*Fix: Firewall off rcon (TCP port 27015) from everyone except for certain whitelisted IP's.<br />
<br />
=== HalfConnected Crash ===<br />
If a command is received as the client is connecting, the server will crash or enter a state where it does not accept new connections, but has not crashed. This exploit can also happen if you remove the players entity, which shouldn't happen under normal circumstances. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix]<br />
<br />
=== Disconnect Crash ===<br />
Using modified clients, it is possible to send disconnect messages with large numbers of special characters. These have a variety of effects, including crashing the server or crashing all connected clients.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix]<br />
<br />
=== "K" packet Crash ===<br />
Using modified clients, it is possible to send a Steam auth packet that contains an invalid header length. Upon receiving this packet, the server will crash.<br />
<br />
*Fix: 4/19/10: Apply the latest steam beta patch. Run hldsupdatetool with "-beta cs0419" to get this.<br />
<br />
== Takeover == <br />
=== ent_fire server takeover ===<br />
If cheats are enabled on a server, the point_servercommand entity can be created, which can be used by clients to execute rcon commands on the server. Premade scripts exist for this that will change the rcon password, and add the client as an admin. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] will prevent the rcon password from being changed, as well as disallowing the point_servercommand entity. The alternative is to not run with sv_cheats 1, and take other measures to ensure it is never enabled.<br />
=== ES_Tools changelevel exploit ===<br />
The "changelevel" command can be abused when ES_tools is running to execute commands on the server<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] will prevent this. Alternatively, remove es_tools if at all possible.<br />
=== File upload/download ===<br />
It's possible to convince the server to let you upload or download random files from it. Valve has been attempting to fix this, but there still seem to be some workarounds to their fixes.<br />
<br />
If you are running your own servers (not rented from a GSP), you can set file permissions on them to fix the upload issue.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?t=109453 dfens] will prevent this.<br />
<br />
== Lag/DOS ==<br />
=== A2C_PRINT Spam ===<br />
SRCDS does not do any sort of authentication on A2C_PRINT messages. This means that anyone can print messages to the servers console, simply by sending UDP packets. It seems this is a legacy feature, and is not actually used by anything. Valve has been notified, and doesn't see this as a problem.<br />
<br />
*Fix: Block any packets beginning with \xFF\xFF\xFF\xFF\x6C or run [http://www.sourceop.com/modules.php?name=Downloads&d_op=viewdownload&cid=9 DAF]<br />
=== A2S_INFO Spam ===<br />
If large numbers of A2S_INFO packets are sent at the server, the FPS will severely drop, making the server essentially unplayable. Since these packets can be spoofed, rate limiting one IP is fairly useless<br />
<br />
*Fix: You can use sv_max_queries_sec_global to limit this, though that would mean your server would be invisible on the master server list while the attacks are in progress. [https://forums.alliedmods.net/showthread.php?t=114787 Query Cache] (a SM extension) will also work.<br />
*'''Fixed in:''' TF2 (partial fix) (August 13, 2009)<br />
<br />
=== Command spam ===<br />
Various commands built into the game can be spammed to lag or crash the server. The fix for most of these is quite simple, just disable them by adding the cheats flag. Valve has been notified, and fixes commands in the occasional patch.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=779851 Forlix FloodCheck] can be used to kick players who have been caught spamming, [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] adds the cheats flag to most of the known commands. [https://forums.alliedmods.net/showthread.php?p=880328 Scortched Earth] will disable all commands except for those on a whitelist, which is the "better" way to fix this, but can break other addons.<br />
=== Bell characters in name ===<br />
If your name contains bell characters, this can be used to lag the server on windows.<br />
<br />
Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] will kick players with these characters in their name.<br />
=== Force fullupdate ===<br />
If you send an empty packet to the server, you can force it to send you the full state of the game, which will lag the server if done enough. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [http://www.sourceop.com/modules.php?name=Downloads&d_op=viewdownload&cid=9 DAF] has a partial workaround<br />
<br />
== Annoyances ==<br />
=== Teleport exploit ===<br />
If you use very large values for your mouse sensitivity, you can overwrite your X and Y coordinates, letting you teleport around. This has the potential to crash the server as well. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] has a partial fix for this.<br />
*'''Fixed in:''' TF2 (July 14 2009)<br />
=== Clientside plugins ===<br />
The VSP interface built into the game can be used to load plugins on the game client, allowing them to change cheat-flagged cvars. This can allow them to have wallhacks, or alter weapon recharge rates. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] has a partial fix for this.<br />
=== Empty name / unconnected ===<br />
Players can set their name to an empty string using the setinfo console command. Some admin plugins will be unable to kick or perform other actions on them. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] will automatically kick anyone found to have an empty name<br />
=== Special name characters ===<br />
If certain special characters are added to your name, you can create messages that appear to be sent by the server administrator.<br />
<br />
*Fix: None currently known.<br />
<br />
= Fixed Exploits = <br />
== Memory corruption crash ==<br />
See [http://aluigi.altervista.org/adv/sourcefraghof-adv.txt this link]<br />
<br />
Fix: none<br />
*'''Fixed in:''' Orangebox, L4D (August 21 2009) CSS (August 25 2009)<br />
<br />
== Arbitrary file upload ==<br />
See [http://aluigi.altervista.org/adv/sourceupfile-adv.txt this link]<br />
<br />
Fix: [https://forums.alliedmods.net/showthread.php?p=905647 File upload exploit fix]<br />
*'''Fixed in:''' Orangebox, L4D (August 21 2009) CSS (August 25 2009)<br />
<br />
== "ProcessClientInfo: SourceTV can not connect to game directly" crash ==<br />
See [http://aluigi.altervista.org/adv/sourcenotvnull-adv.txt this link]<br />
<br />
Fix: Add "tv_enable 1" to cfg/autoexec.cfg, and (optionally) "tv_enable 0" to server.cfg (You only need tv_enable 0 if you don't want sourcetv)<br />
*'''Fixed in:''' Orangebox, L4D (August 21 2009) CSS (August 25 2009)<br />
<br />
== Player disconnect crash ==<br />
See [http://aluigi.altervista.org/adv/sourcefs-adv.txt this link]<br />
<br />
Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] has what may be a partial fix. <br />
*'''Fixed in:''' Orangebox, L4D (August 21 2009) CSS (August 25 2009)</div>Devicenullhttps://wiki.alliedmods.net/index.php?title=SRCDS_Hardening&diff=7678SRCDS Hardening2010-04-20T16:52:07Z<p>Devicenull: /* Disconnect Crash */</p>
<hr />
<div>= Securing your server = <br />
== General Tips == <br />
* Do not enable sv_cheats, do not run any plugins that do so.<br />
* [http://www.goodpassword.com/ Use secure passwords.] This should be obvious, but your clan name is not a good rcon password, nor is "password".<br />
* Don't blindly give admin out. Depending on what flags you give people, you could allow them to take over the server.<br />
* Don't piss people off. Many servers get attacked because players get pissed off that admins are abusing them.<br />
<br />
== File Permissions ==<br />
If you are running your own server (not renting one from a GSP), there are some things you can do to prevent many of the more malicious exploits. The basic theory here is to give srcds as little access to the machine as possible. It only needs write access to the following directories:<br />
* downloads/<br />
* cache/<br />
* addons/sourcemod/gamedata/<br />
* addons/sourcemod/data<br />
Note that some plugins rely on being able to write to directories other then these, and permissions may break them. At the very least, it's a good idea to make sure srcds is running as a user that does not have permission to change anything outside of it's own directory. That will prevent your machine from being comprised and made into a botnet client.<br />
<br />
== Plugins ==<br />
There are a few plugins that can be installed to prevent exploits. Some of the recommended ones include [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix], [https://forums.alliedmods.net/showthread.php?p=779851 Forlix FloodCheck], [https://forums.alliedmods.net/showthread.php?t=109453 D-FENS], and [http://www.sourceop.com/modules.php?name=Downloads&d_op=viewdownload&cid=9 DAF].<br />
<br />
Many of the Eventscripts plugins that claim to fix exploits are mostly useless at best, or actively harmful to your server at worst. If you are running the plugins listed in the previous paragraph, you do not need anything else to protect your server. Installing extra plugins other then those will likely cause issues with your server, and is not recommended.<br />
<br />
= Current Exploits =<br />
<br />
== Crashes ==<br />
<br />
=== Invalid RCON Crash ===<br />
SRCDS will crash on some machines if you attempt to use an incorrect rcon password too many times. It seems that some machines are affected by this, while others are not. Valve has been notified a few times, and has been unwilling/unable to fix this.<br />
<br />
*Fix: Firewall off rcon (TCP port 27015) from everyone except for certain whitelisted IP's.<br />
<br />
=== HalfConnected Crash ===<br />
If a command is received as the client is connecting, the server will crash or enter a state where it does not accept new connections, but has not crashed. This exploit can also happen if you remove the players entity, which shouldn't happen under normal circumstances. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix]<br />
<br />
=== Invalid ticket length crash ===<br />
By manipulating the steam login packets, it's possible to create one with an invalid length field. The server will crash with a generic memory read error (windows) or segfault (linux).<br />
<br />
*Fix: No fix available.<br />
<br />
=== Disconnect Crash ===<br />
Using modified clients, it is possible to send disconnect messages with large numbers of special characters. These have a variety of effects, including crashing the server or crashing all connected clients.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix]<br />
<br />
=== "K" packet Crash ===<br />
Using modified clients, it is possible to send a Steam auth packet that contains an invalid header length. Upon receiving this packet, the server will crash.<br />
<br />
*Fix: 4/19/10: Apply the latest steam beta patch. Run hldsupdatetool with "-beta cs0419" to get this.<br />
<br />
== Takeover == <br />
=== ent_fire server takeover ===<br />
If cheats are enabled on a server, the point_servercommand entity can be created, which can be used by clients to execute rcon commands on the server. Premade scripts exist for this that will change the rcon password, and add the client as an admin. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] will prevent the rcon password from being changed, as well as disallowing the point_servercommand entity. The alternative is to not run with sv_cheats 1, and take other measures to ensure it is never enabled.<br />
=== ES_Tools changelevel exploit ===<br />
The "changelevel" command can be abused when ES_tools is running to execute commands on the server<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] will prevent this. Alternatively, remove es_tools if at all possible.<br />
=== File upload/download ===<br />
It's possible to convince the server to let you upload or download random files from it. Valve has been attempting to fix this, but there still seem to be some workarounds to their fixes.<br />
<br />
If you are running your own servers (not rented from a GSP), you can set file permissions on them to fix the upload issue.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?t=109453 dfens] will prevent this.<br />
<br />
== Lag/DOS ==<br />
=== A2C_PRINT Spam ===<br />
SRCDS does not do any sort of authentication on A2C_PRINT messages. This means that anyone can print messages to the servers console, simply by sending UDP packets. It seems this is a legacy feature, and is not actually used by anything. Valve has been notified, and doesn't see this as a problem.<br />
<br />
*Fix: Block any packets beginning with \xFF\xFF\xFF\xFF\x6C or run [http://www.sourceop.com/modules.php?name=Downloads&d_op=viewdownload&cid=9 DAF]<br />
=== A2S_INFO Spam ===<br />
If large numbers of A2S_INFO packets are sent at the server, the FPS will severely drop, making the server essentially unplayable. Since these packets can be spoofed, rate limiting one IP is fairly useless<br />
<br />
*Fix: You can use sv_max_queries_sec_global to limit this, though that would mean your server would be invisible on the master server list while the attacks are in progress. [https://forums.alliedmods.net/showthread.php?t=114787 Query Cache] (a SM extension) will also work.<br />
*'''Fixed in:''' TF2 (partial fix) (August 13, 2009)<br />
<br />
=== Command spam ===<br />
Various commands built into the game can be spammed to lag or crash the server. The fix for most of these is quite simple, just disable them by adding the cheats flag. Valve has been notified, and fixes commands in the occasional patch.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=779851 Forlix FloodCheck] can be used to kick players who have been caught spamming, [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] adds the cheats flag to most of the known commands. [https://forums.alliedmods.net/showthread.php?p=880328 Scortched Earth] will disable all commands except for those on a whitelist, which is the "better" way to fix this, but can break other addons.<br />
=== Bell characters in name ===<br />
If your name contains bell characters, this can be used to lag the server on windows.<br />
<br />
Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] will kick players with these characters in their name.<br />
=== Force fullupdate ===<br />
If you send an empty packet to the server, you can force it to send you the full state of the game, which will lag the server if done enough. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [http://www.sourceop.com/modules.php?name=Downloads&d_op=viewdownload&cid=9 DAF] has a partial workaround<br />
<br />
== Annoyances ==<br />
=== Teleport exploit ===<br />
If you use very large values for your mouse sensitivity, you can overwrite your X and Y coordinates, letting you teleport around. This has the potential to crash the server as well. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] has a partial fix for this.<br />
*'''Fixed in:''' TF2 (July 14 2009)<br />
=== Clientside plugins ===<br />
The VSP interface built into the game can be used to load plugins on the game client, allowing them to change cheat-flagged cvars. This can allow them to have wallhacks, or alter weapon recharge rates. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] has a partial fix for this.<br />
=== Empty name / unconnected ===<br />
Players can set their name to an empty string using the setinfo console command. Some admin plugins will be unable to kick or perform other actions on them. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] will automatically kick anyone found to have an empty name<br />
=== Special name characters ===<br />
If certain special characters are added to your name, you can create messages that appear to be sent by the server administrator.<br />
<br />
*Fix: None currently known.<br />
<br />
= Fixed Exploits = <br />
== Memory corruption crash ==<br />
See [http://aluigi.altervista.org/adv/sourcefraghof-adv.txt this link]<br />
<br />
Fix: none<br />
*'''Fixed in:''' Orangebox, L4D (August 21 2009) CSS (August 25 2009)<br />
<br />
== Arbitrary file upload ==<br />
See [http://aluigi.altervista.org/adv/sourceupfile-adv.txt this link]<br />
<br />
Fix: [https://forums.alliedmods.net/showthread.php?p=905647 File upload exploit fix]<br />
*'''Fixed in:''' Orangebox, L4D (August 21 2009) CSS (August 25 2009)<br />
<br />
== "ProcessClientInfo: SourceTV can not connect to game directly" crash ==<br />
See [http://aluigi.altervista.org/adv/sourcenotvnull-adv.txt this link]<br />
<br />
Fix: Add "tv_enable 1" to cfg/autoexec.cfg, and (optionally) "tv_enable 0" to server.cfg (You only need tv_enable 0 if you don't want sourcetv)<br />
*'''Fixed in:''' Orangebox, L4D (August 21 2009) CSS (August 25 2009)<br />
<br />
== Player disconnect crash ==<br />
See [http://aluigi.altervista.org/adv/sourcefs-adv.txt this link]<br />
<br />
Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] has what may be a partial fix. <br />
*'''Fixed in:''' Orangebox, L4D (August 21 2009) CSS (August 25 2009)</div>Devicenullhttps://wiki.alliedmods.net/index.php?title=SRCDS_Hardening&diff=7677SRCDS Hardening2010-04-20T16:51:55Z<p>Devicenull: /* HalfConnected Crash */</p>
<hr />
<div>= Securing your server = <br />
== General Tips == <br />
* Do not enable sv_cheats, do not run any plugins that do so.<br />
* [http://www.goodpassword.com/ Use secure passwords.] This should be obvious, but your clan name is not a good rcon password, nor is "password".<br />
* Don't blindly give admin out. Depending on what flags you give people, you could allow them to take over the server.<br />
* Don't piss people off. Many servers get attacked because players get pissed off that admins are abusing them.<br />
<br />
== File Permissions ==<br />
If you are running your own server (not renting one from a GSP), there are some things you can do to prevent many of the more malicious exploits. The basic theory here is to give srcds as little access to the machine as possible. It only needs write access to the following directories:<br />
* downloads/<br />
* cache/<br />
* addons/sourcemod/gamedata/<br />
* addons/sourcemod/data<br />
Note that some plugins rely on being able to write to directories other then these, and permissions may break them. At the very least, it's a good idea to make sure srcds is running as a user that does not have permission to change anything outside of it's own directory. That will prevent your machine from being comprised and made into a botnet client.<br />
<br />
== Plugins ==<br />
There are a few plugins that can be installed to prevent exploits. Some of the recommended ones include [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix], [https://forums.alliedmods.net/showthread.php?p=779851 Forlix FloodCheck], [https://forums.alliedmods.net/showthread.php?t=109453 D-FENS], and [http://www.sourceop.com/modules.php?name=Downloads&d_op=viewdownload&cid=9 DAF].<br />
<br />
Many of the Eventscripts plugins that claim to fix exploits are mostly useless at best, or actively harmful to your server at worst. If you are running the plugins listed in the previous paragraph, you do not need anything else to protect your server. Installing extra plugins other then those will likely cause issues with your server, and is not recommended.<br />
<br />
= Current Exploits =<br />
<br />
== Crashes ==<br />
<br />
=== Invalid RCON Crash ===<br />
SRCDS will crash on some machines if you attempt to use an incorrect rcon password too many times. It seems that some machines are affected by this, while others are not. Valve has been notified a few times, and has been unwilling/unable to fix this.<br />
<br />
*Fix: Firewall off rcon (TCP port 27015) from everyone except for certain whitelisted IP's.<br />
<br />
=== HalfConnected Crash ===<br />
If a command is received as the client is connecting, the server will crash or enter a state where it does not accept new connections, but has not crashed. This exploit can also happen if you remove the players entity, which shouldn't happen under normal circumstances. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix]<br />
<br />
=== Invalid ticket length crash ===<br />
By manipulating the steam login packets, it's possible to create one with an invalid length field. The server will crash with a generic memory read error (windows) or segfault (linux).<br />
<br />
*Fix: No fix available.<br />
<br />
=== Disconnect Crash ===<br />
Using modified clients, it is possible to send disconnect messages with large numbers of special characters. These have a variety of effects, including crashing the server or crashing all connected clients.<br />
<br />
*Fix: No fix available.<br />
<br />
=== "K" packet Crash ===<br />
Using modified clients, it is possible to send a Steam auth packet that contains an invalid header length. Upon receiving this packet, the server will crash.<br />
<br />
*Fix: 4/19/10: Apply the latest steam beta patch. Run hldsupdatetool with "-beta cs0419" to get this.<br />
<br />
== Takeover == <br />
=== ent_fire server takeover ===<br />
If cheats are enabled on a server, the point_servercommand entity can be created, which can be used by clients to execute rcon commands on the server. Premade scripts exist for this that will change the rcon password, and add the client as an admin. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] will prevent the rcon password from being changed, as well as disallowing the point_servercommand entity. The alternative is to not run with sv_cheats 1, and take other measures to ensure it is never enabled.<br />
=== ES_Tools changelevel exploit ===<br />
The "changelevel" command can be abused when ES_tools is running to execute commands on the server<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] will prevent this. Alternatively, remove es_tools if at all possible.<br />
=== File upload/download ===<br />
It's possible to convince the server to let you upload or download random files from it. Valve has been attempting to fix this, but there still seem to be some workarounds to their fixes.<br />
<br />
If you are running your own servers (not rented from a GSP), you can set file permissions on them to fix the upload issue.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?t=109453 dfens] will prevent this.<br />
<br />
== Lag/DOS ==<br />
=== A2C_PRINT Spam ===<br />
SRCDS does not do any sort of authentication on A2C_PRINT messages. This means that anyone can print messages to the servers console, simply by sending UDP packets. It seems this is a legacy feature, and is not actually used by anything. Valve has been notified, and doesn't see this as a problem.<br />
<br />
*Fix: Block any packets beginning with \xFF\xFF\xFF\xFF\x6C or run [http://www.sourceop.com/modules.php?name=Downloads&d_op=viewdownload&cid=9 DAF]<br />
=== A2S_INFO Spam ===<br />
If large numbers of A2S_INFO packets are sent at the server, the FPS will severely drop, making the server essentially unplayable. Since these packets can be spoofed, rate limiting one IP is fairly useless<br />
<br />
*Fix: You can use sv_max_queries_sec_global to limit this, though that would mean your server would be invisible on the master server list while the attacks are in progress. [https://forums.alliedmods.net/showthread.php?t=114787 Query Cache] (a SM extension) will also work.<br />
*'''Fixed in:''' TF2 (partial fix) (August 13, 2009)<br />
<br />
=== Command spam ===<br />
Various commands built into the game can be spammed to lag or crash the server. The fix for most of these is quite simple, just disable them by adding the cheats flag. Valve has been notified, and fixes commands in the occasional patch.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=779851 Forlix FloodCheck] can be used to kick players who have been caught spamming, [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] adds the cheats flag to most of the known commands. [https://forums.alliedmods.net/showthread.php?p=880328 Scortched Earth] will disable all commands except for those on a whitelist, which is the "better" way to fix this, but can break other addons.<br />
=== Bell characters in name ===<br />
If your name contains bell characters, this can be used to lag the server on windows.<br />
<br />
Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] will kick players with these characters in their name.<br />
=== Force fullupdate ===<br />
If you send an empty packet to the server, you can force it to send you the full state of the game, which will lag the server if done enough. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [http://www.sourceop.com/modules.php?name=Downloads&d_op=viewdownload&cid=9 DAF] has a partial workaround<br />
<br />
== Annoyances ==<br />
=== Teleport exploit ===<br />
If you use very large values for your mouse sensitivity, you can overwrite your X and Y coordinates, letting you teleport around. This has the potential to crash the server as well. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] has a partial fix for this.<br />
*'''Fixed in:''' TF2 (July 14 2009)<br />
=== Clientside plugins ===<br />
The VSP interface built into the game can be used to load plugins on the game client, allowing them to change cheat-flagged cvars. This can allow them to have wallhacks, or alter weapon recharge rates. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] has a partial fix for this.<br />
=== Empty name / unconnected ===<br />
Players can set their name to an empty string using the setinfo console command. Some admin plugins will be unable to kick or perform other actions on them. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] will automatically kick anyone found to have an empty name<br />
=== Special name characters ===<br />
If certain special characters are added to your name, you can create messages that appear to be sent by the server administrator.<br />
<br />
*Fix: None currently known.<br />
<br />
= Fixed Exploits = <br />
== Memory corruption crash ==<br />
See [http://aluigi.altervista.org/adv/sourcefraghof-adv.txt this link]<br />
<br />
Fix: none<br />
*'''Fixed in:''' Orangebox, L4D (August 21 2009) CSS (August 25 2009)<br />
<br />
== Arbitrary file upload ==<br />
See [http://aluigi.altervista.org/adv/sourceupfile-adv.txt this link]<br />
<br />
Fix: [https://forums.alliedmods.net/showthread.php?p=905647 File upload exploit fix]<br />
*'''Fixed in:''' Orangebox, L4D (August 21 2009) CSS (August 25 2009)<br />
<br />
== "ProcessClientInfo: SourceTV can not connect to game directly" crash ==<br />
See [http://aluigi.altervista.org/adv/sourcenotvnull-adv.txt this link]<br />
<br />
Fix: Add "tv_enable 1" to cfg/autoexec.cfg, and (optionally) "tv_enable 0" to server.cfg (You only need tv_enable 0 if you don't want sourcetv)<br />
*'''Fixed in:''' Orangebox, L4D (August 21 2009) CSS (August 25 2009)<br />
<br />
== Player disconnect crash ==<br />
See [http://aluigi.altervista.org/adv/sourcefs-adv.txt this link]<br />
<br />
Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] has what may be a partial fix. <br />
*'''Fixed in:''' Orangebox, L4D (August 21 2009) CSS (August 25 2009)</div>Devicenullhttps://wiki.alliedmods.net/index.php?title=SRCDS_Hardening&diff=7676SRCDS Hardening2010-04-20T16:51:33Z<p>Devicenull: /* "K" packet Crash */</p>
<hr />
<div>= Securing your server = <br />
== General Tips == <br />
* Do not enable sv_cheats, do not run any plugins that do so.<br />
* [http://www.goodpassword.com/ Use secure passwords.] This should be obvious, but your clan name is not a good rcon password, nor is "password".<br />
* Don't blindly give admin out. Depending on what flags you give people, you could allow them to take over the server.<br />
* Don't piss people off. Many servers get attacked because players get pissed off that admins are abusing them.<br />
<br />
== File Permissions ==<br />
If you are running your own server (not renting one from a GSP), there are some things you can do to prevent many of the more malicious exploits. The basic theory here is to give srcds as little access to the machine as possible. It only needs write access to the following directories:<br />
* downloads/<br />
* cache/<br />
* addons/sourcemod/gamedata/<br />
* addons/sourcemod/data<br />
Note that some plugins rely on being able to write to directories other then these, and permissions may break them. At the very least, it's a good idea to make sure srcds is running as a user that does not have permission to change anything outside of it's own directory. That will prevent your machine from being comprised and made into a botnet client.<br />
<br />
== Plugins ==<br />
There are a few plugins that can be installed to prevent exploits. Some of the recommended ones include [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix], [https://forums.alliedmods.net/showthread.php?p=779851 Forlix FloodCheck], [https://forums.alliedmods.net/showthread.php?t=109453 D-FENS], and [http://www.sourceop.com/modules.php?name=Downloads&d_op=viewdownload&cid=9 DAF].<br />
<br />
Many of the Eventscripts plugins that claim to fix exploits are mostly useless at best, or actively harmful to your server at worst. If you are running the plugins listed in the previous paragraph, you do not need anything else to protect your server. Installing extra plugins other then those will likely cause issues with your server, and is not recommended.<br />
<br />
= Current Exploits =<br />
<br />
== Crashes ==<br />
<br />
=== Invalid RCON Crash ===<br />
SRCDS will crash on some machines if you attempt to use an incorrect rcon password too many times. It seems that some machines are affected by this, while others are not. Valve has been notified a few times, and has been unwilling/unable to fix this.<br />
<br />
*Fix: Firewall off rcon (TCP port 27015) from everyone except for certain whitelisted IP's.<br />
<br />
=== HalfConnected Crash ===<br />
[http://aluigi.freeforums.org/source-engine-seg-fault-crash-exploit-t993.html Inital thread]<br />
<br />
If a command is received as the client is connecting, the server will crash or enter a state where it does not accept new connections, but has not crashed. This exploit can also happen if you remove the players entity, which shouldn't happen under normal circumstances. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix]<br />
<br />
=== Invalid ticket length crash ===<br />
By manipulating the steam login packets, it's possible to create one with an invalid length field. The server will crash with a generic memory read error (windows) or segfault (linux).<br />
<br />
*Fix: No fix available.<br />
<br />
=== Disconnect Crash ===<br />
Using modified clients, it is possible to send disconnect messages with large numbers of special characters. These have a variety of effects, including crashing the server or crashing all connected clients.<br />
<br />
*Fix: No fix available.<br />
<br />
=== "K" packet Crash ===<br />
Using modified clients, it is possible to send a Steam auth packet that contains an invalid header length. Upon receiving this packet, the server will crash.<br />
<br />
*Fix: 4/19/10: Apply the latest steam beta patch. Run hldsupdatetool with "-beta cs0419" to get this.<br />
<br />
== Takeover == <br />
=== ent_fire server takeover ===<br />
If cheats are enabled on a server, the point_servercommand entity can be created, which can be used by clients to execute rcon commands on the server. Premade scripts exist for this that will change the rcon password, and add the client as an admin. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] will prevent the rcon password from being changed, as well as disallowing the point_servercommand entity. The alternative is to not run with sv_cheats 1, and take other measures to ensure it is never enabled.<br />
=== ES_Tools changelevel exploit ===<br />
The "changelevel" command can be abused when ES_tools is running to execute commands on the server<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] will prevent this. Alternatively, remove es_tools if at all possible.<br />
=== File upload/download ===<br />
It's possible to convince the server to let you upload or download random files from it. Valve has been attempting to fix this, but there still seem to be some workarounds to their fixes.<br />
<br />
If you are running your own servers (not rented from a GSP), you can set file permissions on them to fix the upload issue.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?t=109453 dfens] will prevent this.<br />
<br />
== Lag/DOS ==<br />
=== A2C_PRINT Spam ===<br />
SRCDS does not do any sort of authentication on A2C_PRINT messages. This means that anyone can print messages to the servers console, simply by sending UDP packets. It seems this is a legacy feature, and is not actually used by anything. Valve has been notified, and doesn't see this as a problem.<br />
<br />
*Fix: Block any packets beginning with \xFF\xFF\xFF\xFF\x6C or run [http://www.sourceop.com/modules.php?name=Downloads&d_op=viewdownload&cid=9 DAF]<br />
=== A2S_INFO Spam ===<br />
If large numbers of A2S_INFO packets are sent at the server, the FPS will severely drop, making the server essentially unplayable. Since these packets can be spoofed, rate limiting one IP is fairly useless<br />
<br />
*Fix: You can use sv_max_queries_sec_global to limit this, though that would mean your server would be invisible on the master server list while the attacks are in progress. [https://forums.alliedmods.net/showthread.php?t=114787 Query Cache] (a SM extension) will also work.<br />
*'''Fixed in:''' TF2 (partial fix) (August 13, 2009)<br />
<br />
=== Command spam ===<br />
Various commands built into the game can be spammed to lag or crash the server. The fix for most of these is quite simple, just disable them by adding the cheats flag. Valve has been notified, and fixes commands in the occasional patch.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=779851 Forlix FloodCheck] can be used to kick players who have been caught spamming, [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] adds the cheats flag to most of the known commands. [https://forums.alliedmods.net/showthread.php?p=880328 Scortched Earth] will disable all commands except for those on a whitelist, which is the "better" way to fix this, but can break other addons.<br />
=== Bell characters in name ===<br />
If your name contains bell characters, this can be used to lag the server on windows.<br />
<br />
Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] will kick players with these characters in their name.<br />
=== Force fullupdate ===<br />
If you send an empty packet to the server, you can force it to send you the full state of the game, which will lag the server if done enough. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [http://www.sourceop.com/modules.php?name=Downloads&d_op=viewdownload&cid=9 DAF] has a partial workaround<br />
<br />
== Annoyances ==<br />
=== Teleport exploit ===<br />
If you use very large values for your mouse sensitivity, you can overwrite your X and Y coordinates, letting you teleport around. This has the potential to crash the server as well. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] has a partial fix for this.<br />
*'''Fixed in:''' TF2 (July 14 2009)<br />
=== Clientside plugins ===<br />
The VSP interface built into the game can be used to load plugins on the game client, allowing them to change cheat-flagged cvars. This can allow them to have wallhacks, or alter weapon recharge rates. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] has a partial fix for this.<br />
=== Empty name / unconnected ===<br />
Players can set their name to an empty string using the setinfo console command. Some admin plugins will be unable to kick or perform other actions on them. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] will automatically kick anyone found to have an empty name<br />
=== Special name characters ===<br />
If certain special characters are added to your name, you can create messages that appear to be sent by the server administrator.<br />
<br />
*Fix: None currently known.<br />
<br />
= Fixed Exploits = <br />
== Memory corruption crash ==<br />
See [http://aluigi.altervista.org/adv/sourcefraghof-adv.txt this link]<br />
<br />
Fix: none<br />
*'''Fixed in:''' Orangebox, L4D (August 21 2009) CSS (August 25 2009)<br />
<br />
== Arbitrary file upload ==<br />
See [http://aluigi.altervista.org/adv/sourceupfile-adv.txt this link]<br />
<br />
Fix: [https://forums.alliedmods.net/showthread.php?p=905647 File upload exploit fix]<br />
*'''Fixed in:''' Orangebox, L4D (August 21 2009) CSS (August 25 2009)<br />
<br />
== "ProcessClientInfo: SourceTV can not connect to game directly" crash ==<br />
See [http://aluigi.altervista.org/adv/sourcenotvnull-adv.txt this link]<br />
<br />
Fix: Add "tv_enable 1" to cfg/autoexec.cfg, and (optionally) "tv_enable 0" to server.cfg (You only need tv_enable 0 if you don't want sourcetv)<br />
*'''Fixed in:''' Orangebox, L4D (August 21 2009) CSS (August 25 2009)<br />
<br />
== Player disconnect crash ==<br />
See [http://aluigi.altervista.org/adv/sourcefs-adv.txt this link]<br />
<br />
Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] has what may be a partial fix. <br />
*'''Fixed in:''' Orangebox, L4D (August 21 2009) CSS (August 25 2009)</div>Devicenullhttps://wiki.alliedmods.net/index.php?title=SRCDS_Hardening&diff=7609SRCDS Hardening2010-04-07T19:43:39Z<p>Devicenull: /* = "K" packet Crash */</p>
<hr />
<div>= Securing your server = <br />
== General Tips == <br />
* Do not enable sv_cheats, do not run any plugins that do so.<br />
* [http://www.goodpassword.com/ Use secure passwords.] This should be obvious, but your clan name is not a good rcon password, nor is "password".<br />
* Don't blindly give admin out. Depending on what flags you give people, you could allow them to take over the server.<br />
* Don't piss people off. Many servers get attacked because players get pissed off that admins are abusing them.<br />
<br />
== File Permissions ==<br />
If you are running your own server (not renting one from a GSP), there are some things you can do to prevent many of the more malicious exploits. The basic theory here is to give srcds as little access to the machine as possible. It only needs write access to the following directories:<br />
* downloads/<br />
* cache/<br />
* addons/sourcemod/gamedata/<br />
* addons/sourcemod/data<br />
Note that some plugins rely on being able to write to directories other then these, and permissions may break them. At the very least, it's a good idea to make sure srcds is running as a user that does not have permission to change anything outside of it's own directory. That will prevent your machine from being comprised and made into a botnet client.<br />
<br />
== Plugins ==<br />
There are a few plugins that can be installed to prevent exploits. Some of the recommended ones include [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix], [https://forums.alliedmods.net/showthread.php?p=779851 Forlix FloodCheck], [https://forums.alliedmods.net/showthread.php?t=109453 D-FENS], and [http://www.sourceop.com/modules.php?name=Downloads&d_op=viewdownload&cid=9 DAF].<br />
<br />
Many of the Eventscripts plugins that claim to fix exploits are mostly useless at best, or actively harmful to your server at worst. If you are running the plugins listed in the previous paragraph, you do not need anything else to protect your server. Installing extra plugins other then those will likely cause issues with your server, and is not recommended.<br />
<br />
= Current Exploits =<br />
<br />
== Crashes ==<br />
<br />
=== Invalid RCON Crash ===<br />
SRCDS will crash on some machines if you attempt to use an incorrect rcon password too many times. It seems that some machines are affected by this, while others are not. Valve has been notified a few times, and has been unwilling/unable to fix this.<br />
<br />
*Fix: Firewall off rcon (TCP port 27015) from everyone except for certain whitelisted IP's.<br />
<br />
=== HalfConnected Crash ===<br />
[http://aluigi.freeforums.org/source-engine-seg-fault-crash-exploit-t993.html Inital thread]<br />
<br />
If a command is received as the client is connecting, the server will crash or enter a state where it does not accept new connections, but has not crashed. This exploit can also happen if you remove the players entity, which shouldn't happen under normal circumstances. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix]<br />
<br />
=== Invalid ticket length crash ===<br />
By manipulating the steam login packets, it's possible to create one with an invalid length field. The server will crash with a generic memory read error (windows) or segfault (linux).<br />
<br />
*Fix: No fix available.<br />
<br />
=== Disconnect Crash ===<br />
Using modified clients, it is possible to send disconnect messages with large numbers of special characters. These have a variety of effects, including crashing the server or crashing all connected clients.<br />
<br />
*Fix: No fix available.<br />
<br />
=== "K" packet Crash ===<br />
Using modified clients, it is possible to send a Steam auth packet that contains an invalid header length. Upon receiving this packet, the server will crash.<br />
<br />
*Fix: If it is a windows server, running the Steam client on the same machine will patch this. There is no known fix for Linux.<br />
<br />
== Takeover == <br />
=== ent_fire server takeover ===<br />
If cheats are enabled on a server, the point_servercommand entity can be created, which can be used by clients to execute rcon commands on the server. Premade scripts exist for this that will change the rcon password, and add the client as an admin. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] will prevent the rcon password from being changed, as well as disallowing the point_servercommand entity. The alternative is to not run with sv_cheats 1, and take other measures to ensure it is never enabled.<br />
=== ES_Tools changelevel exploit ===<br />
The "changelevel" command can be abused when ES_tools is running to execute commands on the server<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] will prevent this. Alternatively, remove es_tools if at all possible.<br />
=== File upload/download ===<br />
It's possible to convince the server to let you upload or download random files from it. Valve has been attempting to fix this, but there still seem to be some workarounds to their fixes.<br />
<br />
If you are running your own servers (not rented from a GSP), you can set file permissions on them to fix the upload issue.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?t=109453 dfens] will prevent this.<br />
<br />
== Lag/DOS ==<br />
=== A2C_PRINT Spam ===<br />
SRCDS does not do any sort of authentication on A2C_PRINT messages. This means that anyone can print messages to the servers console, simply by sending UDP packets. It seems this is a legacy feature, and is not actually used by anything. Valve has been notified, and doesn't see this as a problem.<br />
<br />
*Fix: Block any packets beginning with \xFF\xFF\xFF\xFF\x6C or run [http://www.sourceop.com/modules.php?name=Downloads&d_op=viewdownload&cid=9 DAF]<br />
=== A2S_INFO Spam ===<br />
If large numbers of A2S_INFO packets are sent at the server, the FPS will severely drop, making the server essentially unplayable. Since these packets can be spoofed, rate limiting one IP is fairly useless<br />
<br />
*Fix: You can use sv_max_queries_sec_global to limit this, though that would mean your server would be invisible on the master server list while the attacks are in progress. [https://forums.alliedmods.net/showthread.php?t=114787 Query Cache] (a SM extension) will also work.<br />
*'''Fixed in:''' TF2 (partial fix) (August 13, 2009)<br />
<br />
=== Command spam ===<br />
Various commands built into the game can be spammed to lag or crash the server. The fix for most of these is quite simple, just disable them by adding the cheats flag. Valve has been notified, and fixes commands in the occasional patch.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=779851 Forlix FloodCheck] can be used to kick players who have been caught spamming, [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] adds the cheats flag to most of the known commands. [https://forums.alliedmods.net/showthread.php?p=880328 Scortched Earth] will disable all commands except for those on a whitelist, which is the "better" way to fix this, but can break other addons.<br />
=== Bell characters in name ===<br />
If your name contains bell characters, this can be used to lag the server on windows.<br />
<br />
Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] will kick players with these characters in their name.<br />
=== Force fullupdate ===<br />
If you send an empty packet to the server, you can force it to send you the full state of the game, which will lag the server if done enough. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [http://www.sourceop.com/modules.php?name=Downloads&d_op=viewdownload&cid=9 DAF] has a partial workaround<br />
<br />
== Annoyances ==<br />
=== Teleport exploit ===<br />
If you use very large values for your mouse sensitivity, you can overwrite your X and Y coordinates, letting you teleport around. This has the potential to crash the server as well. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] has a partial fix for this.<br />
*'''Fixed in:''' TF2 (July 14 2009)<br />
=== Clientside plugins ===<br />
The VSP interface built into the game can be used to load plugins on the game client, allowing them to change cheat-flagged cvars. This can allow them to have wallhacks, or alter weapon recharge rates. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] has a partial fix for this.<br />
=== Empty name / unconnected ===<br />
Players can set their name to an empty string using the setinfo console command. Some admin plugins will be unable to kick or perform other actions on them. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] will automatically kick anyone found to have an empty name<br />
=== Special name characters ===<br />
If certain special characters are added to your name, you can create messages that appear to be sent by the server administrator.<br />
<br />
*Fix: None currently known.<br />
<br />
= Fixed Exploits = <br />
== Memory corruption crash ==<br />
See [http://aluigi.altervista.org/adv/sourcefraghof-adv.txt this link]<br />
<br />
Fix: none<br />
*'''Fixed in:''' Orangebox, L4D (August 21 2009) CSS (August 25 2009)<br />
<br />
== Arbitrary file upload ==<br />
See [http://aluigi.altervista.org/adv/sourceupfile-adv.txt this link]<br />
<br />
Fix: [https://forums.alliedmods.net/showthread.php?p=905647 File upload exploit fix]<br />
*'''Fixed in:''' Orangebox, L4D (August 21 2009) CSS (August 25 2009)<br />
<br />
== "ProcessClientInfo: SourceTV can not connect to game directly" crash ==<br />
See [http://aluigi.altervista.org/adv/sourcenotvnull-adv.txt this link]<br />
<br />
Fix: Add "tv_enable 1" to cfg/autoexec.cfg, and (optionally) "tv_enable 0" to server.cfg (You only need tv_enable 0 if you don't want sourcetv)<br />
*'''Fixed in:''' Orangebox, L4D (August 21 2009) CSS (August 25 2009)<br />
<br />
== Player disconnect crash ==<br />
See [http://aluigi.altervista.org/adv/sourcefs-adv.txt this link]<br />
<br />
Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] has what may be a partial fix. <br />
*'''Fixed in:''' Orangebox, L4D (August 21 2009) CSS (August 25 2009)</div>Devicenullhttps://wiki.alliedmods.net/index.php?title=SRCDS_Hardening&diff=7608SRCDS Hardening2010-04-07T19:43:33Z<p>Devicenull: /* Crashes */</p>
<hr />
<div>= Securing your server = <br />
== General Tips == <br />
* Do not enable sv_cheats, do not run any plugins that do so.<br />
* [http://www.goodpassword.com/ Use secure passwords.] This should be obvious, but your clan name is not a good rcon password, nor is "password".<br />
* Don't blindly give admin out. Depending on what flags you give people, you could allow them to take over the server.<br />
* Don't piss people off. Many servers get attacked because players get pissed off that admins are abusing them.<br />
<br />
== File Permissions ==<br />
If you are running your own server (not renting one from a GSP), there are some things you can do to prevent many of the more malicious exploits. The basic theory here is to give srcds as little access to the machine as possible. It only needs write access to the following directories:<br />
* downloads/<br />
* cache/<br />
* addons/sourcemod/gamedata/<br />
* addons/sourcemod/data<br />
Note that some plugins rely on being able to write to directories other then these, and permissions may break them. At the very least, it's a good idea to make sure srcds is running as a user that does not have permission to change anything outside of it's own directory. That will prevent your machine from being comprised and made into a botnet client.<br />
<br />
== Plugins ==<br />
There are a few plugins that can be installed to prevent exploits. Some of the recommended ones include [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix], [https://forums.alliedmods.net/showthread.php?p=779851 Forlix FloodCheck], [https://forums.alliedmods.net/showthread.php?t=109453 D-FENS], and [http://www.sourceop.com/modules.php?name=Downloads&d_op=viewdownload&cid=9 DAF].<br />
<br />
Many of the Eventscripts plugins that claim to fix exploits are mostly useless at best, or actively harmful to your server at worst. If you are running the plugins listed in the previous paragraph, you do not need anything else to protect your server. Installing extra plugins other then those will likely cause issues with your server, and is not recommended.<br />
<br />
= Current Exploits =<br />
<br />
== Crashes ==<br />
<br />
=== Invalid RCON Crash ===<br />
SRCDS will crash on some machines if you attempt to use an incorrect rcon password too many times. It seems that some machines are affected by this, while others are not. Valve has been notified a few times, and has been unwilling/unable to fix this.<br />
<br />
*Fix: Firewall off rcon (TCP port 27015) from everyone except for certain whitelisted IP's.<br />
<br />
=== HalfConnected Crash ===<br />
[http://aluigi.freeforums.org/source-engine-seg-fault-crash-exploit-t993.html Inital thread]<br />
<br />
If a command is received as the client is connecting, the server will crash or enter a state where it does not accept new connections, but has not crashed. This exploit can also happen if you remove the players entity, which shouldn't happen under normal circumstances. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix]<br />
<br />
=== Invalid ticket length crash ===<br />
By manipulating the steam login packets, it's possible to create one with an invalid length field. The server will crash with a generic memory read error (windows) or segfault (linux).<br />
<br />
*Fix: No fix available.<br />
<br />
=== Disconnect Crash ===<br />
Using modified clients, it is possible to send disconnect messages with large numbers of special characters. These have a variety of effects, including crashing the server or crashing all connected clients.<br />
<br />
*Fix: No fix available.<br />
<br />
=== "K" packet Crash ==<br />
Using modified clients, it is possible to send a Steam auth packet that contains an invalid header length. Upon receiving this packet, the server will crash.<br />
<br />
*Fix: If it is a windows server, running the Steam client on the same machine will patch this. There is no known fix for Linux.<br />
<br />
== Takeover == <br />
=== ent_fire server takeover ===<br />
If cheats are enabled on a server, the point_servercommand entity can be created, which can be used by clients to execute rcon commands on the server. Premade scripts exist for this that will change the rcon password, and add the client as an admin. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] will prevent the rcon password from being changed, as well as disallowing the point_servercommand entity. The alternative is to not run with sv_cheats 1, and take other measures to ensure it is never enabled.<br />
=== ES_Tools changelevel exploit ===<br />
The "changelevel" command can be abused when ES_tools is running to execute commands on the server<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] will prevent this. Alternatively, remove es_tools if at all possible.<br />
=== File upload/download ===<br />
It's possible to convince the server to let you upload or download random files from it. Valve has been attempting to fix this, but there still seem to be some workarounds to their fixes.<br />
<br />
If you are running your own servers (not rented from a GSP), you can set file permissions on them to fix the upload issue.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?t=109453 dfens] will prevent this.<br />
<br />
== Lag/DOS ==<br />
=== A2C_PRINT Spam ===<br />
SRCDS does not do any sort of authentication on A2C_PRINT messages. This means that anyone can print messages to the servers console, simply by sending UDP packets. It seems this is a legacy feature, and is not actually used by anything. Valve has been notified, and doesn't see this as a problem.<br />
<br />
*Fix: Block any packets beginning with \xFF\xFF\xFF\xFF\x6C or run [http://www.sourceop.com/modules.php?name=Downloads&d_op=viewdownload&cid=9 DAF]<br />
=== A2S_INFO Spam ===<br />
If large numbers of A2S_INFO packets are sent at the server, the FPS will severely drop, making the server essentially unplayable. Since these packets can be spoofed, rate limiting one IP is fairly useless<br />
<br />
*Fix: You can use sv_max_queries_sec_global to limit this, though that would mean your server would be invisible on the master server list while the attacks are in progress. [https://forums.alliedmods.net/showthread.php?t=114787 Query Cache] (a SM extension) will also work.<br />
*'''Fixed in:''' TF2 (partial fix) (August 13, 2009)<br />
<br />
=== Command spam ===<br />
Various commands built into the game can be spammed to lag or crash the server. The fix for most of these is quite simple, just disable them by adding the cheats flag. Valve has been notified, and fixes commands in the occasional patch.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=779851 Forlix FloodCheck] can be used to kick players who have been caught spamming, [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] adds the cheats flag to most of the known commands. [https://forums.alliedmods.net/showthread.php?p=880328 Scortched Earth] will disable all commands except for those on a whitelist, which is the "better" way to fix this, but can break other addons.<br />
=== Bell characters in name ===<br />
If your name contains bell characters, this can be used to lag the server on windows.<br />
<br />
Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] will kick players with these characters in their name.<br />
=== Force fullupdate ===<br />
If you send an empty packet to the server, you can force it to send you the full state of the game, which will lag the server if done enough. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [http://www.sourceop.com/modules.php?name=Downloads&d_op=viewdownload&cid=9 DAF] has a partial workaround<br />
<br />
== Annoyances ==<br />
=== Teleport exploit ===<br />
If you use very large values for your mouse sensitivity, you can overwrite your X and Y coordinates, letting you teleport around. This has the potential to crash the server as well. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] has a partial fix for this.<br />
*'''Fixed in:''' TF2 (July 14 2009)<br />
=== Clientside plugins ===<br />
The VSP interface built into the game can be used to load plugins on the game client, allowing them to change cheat-flagged cvars. This can allow them to have wallhacks, or alter weapon recharge rates. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] has a partial fix for this.<br />
=== Empty name / unconnected ===<br />
Players can set their name to an empty string using the setinfo console command. Some admin plugins will be unable to kick or perform other actions on them. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] will automatically kick anyone found to have an empty name<br />
=== Special name characters ===<br />
If certain special characters are added to your name, you can create messages that appear to be sent by the server administrator.<br />
<br />
*Fix: None currently known.<br />
<br />
= Fixed Exploits = <br />
== Memory corruption crash ==<br />
See [http://aluigi.altervista.org/adv/sourcefraghof-adv.txt this link]<br />
<br />
Fix: none<br />
*'''Fixed in:''' Orangebox, L4D (August 21 2009) CSS (August 25 2009)<br />
<br />
== Arbitrary file upload ==<br />
See [http://aluigi.altervista.org/adv/sourceupfile-adv.txt this link]<br />
<br />
Fix: [https://forums.alliedmods.net/showthread.php?p=905647 File upload exploit fix]<br />
*'''Fixed in:''' Orangebox, L4D (August 21 2009) CSS (August 25 2009)<br />
<br />
== "ProcessClientInfo: SourceTV can not connect to game directly" crash ==<br />
See [http://aluigi.altervista.org/adv/sourcenotvnull-adv.txt this link]<br />
<br />
Fix: Add "tv_enable 1" to cfg/autoexec.cfg, and (optionally) "tv_enable 0" to server.cfg (You only need tv_enable 0 if you don't want sourcetv)<br />
*'''Fixed in:''' Orangebox, L4D (August 21 2009) CSS (August 25 2009)<br />
<br />
== Player disconnect crash ==<br />
See [http://aluigi.altervista.org/adv/sourcefs-adv.txt this link]<br />
<br />
Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] has what may be a partial fix. <br />
*'''Fixed in:''' Orangebox, L4D (August 21 2009) CSS (August 25 2009)</div>Devicenullhttps://wiki.alliedmods.net/index.php?title=SRCDS_Hardening&diff=7607SRCDS Hardening2010-04-07T19:41:51Z<p>Devicenull: </p>
<hr />
<div>= Securing your server = <br />
== General Tips == <br />
* Do not enable sv_cheats, do not run any plugins that do so.<br />
* [http://www.goodpassword.com/ Use secure passwords.] This should be obvious, but your clan name is not a good rcon password, nor is "password".<br />
* Don't blindly give admin out. Depending on what flags you give people, you could allow them to take over the server.<br />
* Don't piss people off. Many servers get attacked because players get pissed off that admins are abusing them.<br />
<br />
== File Permissions ==<br />
If you are running your own server (not renting one from a GSP), there are some things you can do to prevent many of the more malicious exploits. The basic theory here is to give srcds as little access to the machine as possible. It only needs write access to the following directories:<br />
* downloads/<br />
* cache/<br />
* addons/sourcemod/gamedata/<br />
* addons/sourcemod/data<br />
Note that some plugins rely on being able to write to directories other then these, and permissions may break them. At the very least, it's a good idea to make sure srcds is running as a user that does not have permission to change anything outside of it's own directory. That will prevent your machine from being comprised and made into a botnet client.<br />
<br />
== Plugins ==<br />
There are a few plugins that can be installed to prevent exploits. Some of the recommended ones include [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix], [https://forums.alliedmods.net/showthread.php?p=779851 Forlix FloodCheck], [https://forums.alliedmods.net/showthread.php?t=109453 D-FENS], and [http://www.sourceop.com/modules.php?name=Downloads&d_op=viewdownload&cid=9 DAF].<br />
<br />
Many of the Eventscripts plugins that claim to fix exploits are mostly useless at best, or actively harmful to your server at worst. If you are running the plugins listed in the previous paragraph, you do not need anything else to protect your server. Installing extra plugins other then those will likely cause issues with your server, and is not recommended.<br />
<br />
= Current Exploits =<br />
<br />
== Crashes ==<br />
<br />
=== Invalid RCON Crash ===<br />
SRCDS will crash on some machines if you attempt to use an incorrect rcon password too many times. It seems that some machines are affected by this, while others are not. Valve has been notified a few times, and has been unwilling/unable to fix this.<br />
<br />
*Fix: Firewall off rcon (TCP port 27015) from everyone except for certain whitelisted IP's.<br />
<br />
=== HalfConnected Crash ===<br />
[http://aluigi.freeforums.org/source-engine-seg-fault-crash-exploit-t993.html Inital thread]<br />
<br />
If a command is received as the client is connecting, the server will crash or enter a state where it does not accept new connections, but has not crashed. This exploit can also happen if you remove the players entity, which shouldn't happen under normal circumstances. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix]<br />
<br />
=== Invalid ticket length crash ===<br />
By manipulating the steam login packets, it's possible to create one with an invalid length field. The server will crash with a generic memory read error (windows) or segfault (linux).<br />
<br />
*Fix: No fix available.<br />
<br />
=== Disconnect Crash ===<br />
Using modified clients, it is possible to send disconnect messages with large numbers of special characters. These have a variety of effects, including crashing the server or crashing all connected clients.<br />
<br />
*Fix: No fix available.<br />
<br />
== Takeover == <br />
=== ent_fire server takeover ===<br />
If cheats are enabled on a server, the point_servercommand entity can be created, which can be used by clients to execute rcon commands on the server. Premade scripts exist for this that will change the rcon password, and add the client as an admin. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] will prevent the rcon password from being changed, as well as disallowing the point_servercommand entity. The alternative is to not run with sv_cheats 1, and take other measures to ensure it is never enabled.<br />
=== ES_Tools changelevel exploit ===<br />
The "changelevel" command can be abused when ES_tools is running to execute commands on the server<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] will prevent this. Alternatively, remove es_tools if at all possible.<br />
=== File upload/download ===<br />
It's possible to convince the server to let you upload or download random files from it. Valve has been attempting to fix this, but there still seem to be some workarounds to their fixes.<br />
<br />
If you are running your own servers (not rented from a GSP), you can set file permissions on them to fix the upload issue.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?t=109453 dfens] will prevent this.<br />
<br />
== Lag/DOS ==<br />
=== A2C_PRINT Spam ===<br />
SRCDS does not do any sort of authentication on A2C_PRINT messages. This means that anyone can print messages to the servers console, simply by sending UDP packets. It seems this is a legacy feature, and is not actually used by anything. Valve has been notified, and doesn't see this as a problem.<br />
<br />
*Fix: Block any packets beginning with \xFF\xFF\xFF\xFF\x6C or run [http://www.sourceop.com/modules.php?name=Downloads&d_op=viewdownload&cid=9 DAF]<br />
=== A2S_INFO Spam ===<br />
If large numbers of A2S_INFO packets are sent at the server, the FPS will severely drop, making the server essentially unplayable. Since these packets can be spoofed, rate limiting one IP is fairly useless<br />
<br />
*Fix: You can use sv_max_queries_sec_global to limit this, though that would mean your server would be invisible on the master server list while the attacks are in progress. [https://forums.alliedmods.net/showthread.php?t=114787 Query Cache] (a SM extension) will also work.<br />
*'''Fixed in:''' TF2 (partial fix) (August 13, 2009)<br />
<br />
=== Command spam ===<br />
Various commands built into the game can be spammed to lag or crash the server. The fix for most of these is quite simple, just disable them by adding the cheats flag. Valve has been notified, and fixes commands in the occasional patch.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=779851 Forlix FloodCheck] can be used to kick players who have been caught spamming, [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] adds the cheats flag to most of the known commands. [https://forums.alliedmods.net/showthread.php?p=880328 Scortched Earth] will disable all commands except for those on a whitelist, which is the "better" way to fix this, but can break other addons.<br />
=== Bell characters in name ===<br />
If your name contains bell characters, this can be used to lag the server on windows.<br />
<br />
Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] will kick players with these characters in their name.<br />
=== Force fullupdate ===<br />
If you send an empty packet to the server, you can force it to send you the full state of the game, which will lag the server if done enough. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [http://www.sourceop.com/modules.php?name=Downloads&d_op=viewdownload&cid=9 DAF] has a partial workaround<br />
<br />
== Annoyances ==<br />
=== Teleport exploit ===<br />
If you use very large values for your mouse sensitivity, you can overwrite your X and Y coordinates, letting you teleport around. This has the potential to crash the server as well. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] has a partial fix for this.<br />
*'''Fixed in:''' TF2 (July 14 2009)<br />
=== Clientside plugins ===<br />
The VSP interface built into the game can be used to load plugins on the game client, allowing them to change cheat-flagged cvars. This can allow them to have wallhacks, or alter weapon recharge rates. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] has a partial fix for this.<br />
=== Empty name / unconnected ===<br />
Players can set their name to an empty string using the setinfo console command. Some admin plugins will be unable to kick or perform other actions on them. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] will automatically kick anyone found to have an empty name<br />
=== Special name characters ===<br />
If certain special characters are added to your name, you can create messages that appear to be sent by the server administrator.<br />
<br />
*Fix: None currently known.<br />
<br />
= Fixed Exploits = <br />
== Memory corruption crash ==<br />
See [http://aluigi.altervista.org/adv/sourcefraghof-adv.txt this link]<br />
<br />
Fix: none<br />
*'''Fixed in:''' Orangebox, L4D (August 21 2009) CSS (August 25 2009)<br />
<br />
== Arbitrary file upload ==<br />
See [http://aluigi.altervista.org/adv/sourceupfile-adv.txt this link]<br />
<br />
Fix: [https://forums.alliedmods.net/showthread.php?p=905647 File upload exploit fix]<br />
*'''Fixed in:''' Orangebox, L4D (August 21 2009) CSS (August 25 2009)<br />
<br />
== "ProcessClientInfo: SourceTV can not connect to game directly" crash ==<br />
See [http://aluigi.altervista.org/adv/sourcenotvnull-adv.txt this link]<br />
<br />
Fix: Add "tv_enable 1" to cfg/autoexec.cfg, and (optionally) "tv_enable 0" to server.cfg (You only need tv_enable 0 if you don't want sourcetv)<br />
*'''Fixed in:''' Orangebox, L4D (August 21 2009) CSS (August 25 2009)<br />
<br />
== Player disconnect crash ==<br />
See [http://aluigi.altervista.org/adv/sourcefs-adv.txt this link]<br />
<br />
Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] has what may be a partial fix. <br />
*'''Fixed in:''' Orangebox, L4D (August 21 2009) CSS (August 25 2009)</div>Devicenullhttps://wiki.alliedmods.net/index.php?title=SRCDS_Hardening&diff=7549SRCDS Hardening2010-03-20T05:58:59Z<p>Devicenull: /* Securing your server */</p>
<hr />
<div>= Securing your server = <br />
== General Tips == <br />
* Do not enable sv_cheats, do not run any plugins that do so.<br />
* [http://www.goodpassword.com/ Use secure passwords.] This should be obvious, but your clan name is not a good rcon password, nor is "password".<br />
* Don't blindly give admin out. Depending on what flags you give people, you could allow them to take over the server.<br />
* Don't piss people off. Many servers get attacked because players get pissed off that admins are abusing them.<br />
<br />
== File Permissions ==<br />
If you are running your own server (not renting one from a GSP), there are some things you can do to prevent many of the more malicious exploits. The basic theory here is to give srcds as little access to the machine as possible. It only needs write access to the following directories:<br />
* downloads/<br />
* cache/<br />
* addons/sourcemod/gamedata/<br />
* addons/sourcemod/data<br />
Note that some plugins rely on being able to write to directories other then these, and permissions may break them. At the very least, it's a good idea to make sure srcds is running as a user that does not have permission to change anything outside of it's own directory. That will prevent your machine from being comprised and made into a botnet client.<br />
<br />
== Plugins ==<br />
There are a few plugins that can be installed to prevent exploits. Some of the recommended ones include [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix], [https://forums.alliedmods.net/showthread.php?p=779851 Forlix FloodCheck], [https://forums.alliedmods.net/showthread.php?t=109453 D-FENS], and [http://www.sourceop.com/modules.php?name=Downloads&d_op=viewdownload&cid=9 DAF].<br />
<br />
Many of the Eventscripts plugins that claim to fix exploits are mostly useless at best, or actively harmful to your server at worst. If you are running the plugins listed in the previous paragraph, you do not need anything else to protect your server. Installing extra plugins other then those will likely cause issues with your server, and is not recommended.<br />
<br />
= Current Exploits =<br />
<br />
== Crashes ==<br />
<br />
=== Invalid RCON Crash ===<br />
SRCDS will crash on some machines if you attempt to use an incorrect rcon password too many times. It seems that some machines are affected by this, while others are not. Valve has been notified a few times, and has been unwilling/unable to fix this.<br />
<br />
*Fix: Firewall off rcon (TCP port 27015) from everyone except for certain whitelisted IP's.<br />
<br />
=== HalfConnected Crash ===<br />
[http://aluigi.freeforums.org/source-engine-seg-fault-crash-exploit-t993.html Inital thread]<br />
<br />
If a command is received as the client is connecting, the server will crash or enter a state where it does not accept new connections, but has not crashed. This exploit can also happen if you remove the players entity, which shouldn't happen under normal circumstances. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix]<br />
<br />
=== Invalid ticket length crash ===<br />
By manipulating the steam login packets, it's possible to create one with an invalid length field. The server will crash with a generic memory read error (windows) or segfault (linux).<br />
<br />
*Fix: No fix available.<br />
<br />
== Takeover == <br />
=== ent_fire server takeover ===<br />
If cheats are enabled on a server, the point_servercommand entity can be created, which can be used by clients to execute rcon commands on the server. Premade scripts exist for this that will change the rcon password, and add the client as an admin. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] will prevent the rcon password from being changed, as well as disallowing the point_servercommand entity. The alternative is to not run with sv_cheats 1, and take other measures to ensure it is never enabled.<br />
=== ES_Tools changelevel exploit ===<br />
The "changelevel" command can be abused when ES_tools is running to execute commands on the server<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] will prevent this. Alternatively, remove es_tools if at all possible.<br />
=== File upload/download ===<br />
It's possible to convince the server to let you upload or download random files from it. Valve has been attempting to fix this, but there still seem to be some workarounds to their fixes.<br />
<br />
If you are running your own servers (not rented from a GSP), you can set file permissions on them to fix the upload issue.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?t=109453 dfens] will prevent this.<br />
<br />
== Lag/DOS ==<br />
=== A2C_PRINT Spam ===<br />
SRCDS does not do any sort of authentication on A2C_PRINT messages. This means that anyone can print messages to the servers console, simply by sending UDP packets. It seems this is a legacy feature, and is not actually used by anything. Valve has been notified, and doesn't see this as a problem.<br />
<br />
*Fix: Block any packets beginning with \xFF\xFF\xFF\xFF\x6C or run [http://www.sourceop.com/modules.php?name=Downloads&d_op=viewdownload&cid=9 DAF]<br />
=== A2S_INFO Spam ===<br />
If large numbers of A2S_INFO packets are sent at the server, the FPS will severely drop, making the server essentially unplayable. Since these packets can be spoofed, rate limiting one IP is fairly useless<br />
<br />
*Fix: You can use sv_max_queries_sec_global to limit this, though that would mean your server would be invisible on the master server list while the attacks are in progress. [https://forums.alliedmods.net/showthread.php?t=114787 Query Cache] (a SM extension) will also work.<br />
*'''Fixed in:''' TF2 (partial fix) (August 13, 2009)<br />
<br />
=== Command spam ===<br />
Various commands built into the game can be spammed to lag or crash the server. The fix for most of these is quite simple, just disable them by adding the cheats flag. Valve has been notified, and fixes commands in the occasional patch.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=779851 Forlix FloodCheck] can be used to kick players who have been caught spamming, [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] adds the cheats flag to most of the known commands. [https://forums.alliedmods.net/showthread.php?p=880328 Scortched Earth] will disable all commands except for those on a whitelist, which is the "better" way to fix this, but can break other addons.<br />
=== Bell characters in name ===<br />
If your name contains bell characters, this can be used to lag the server on windows.<br />
<br />
Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] will kick players with these characters in their name.<br />
=== Force fullupdate ===<br />
If you send an empty packet to the server, you can force it to send you the full state of the game, which will lag the server if done enough. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [http://www.sourceop.com/modules.php?name=Downloads&d_op=viewdownload&cid=9 DAF] has a partial workaround<br />
<br />
== Annoyances ==<br />
=== Teleport exploit ===<br />
If you use very large values for your mouse sensitivity, you can overwrite your X and Y coordinates, letting you teleport around. This has the potential to crash the server as well. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] has a partial fix for this.<br />
*'''Fixed in:''' TF2 (July 14 2009)<br />
=== Clientside plugins ===<br />
The VSP interface built into the game can be used to load plugins on the game client, allowing them to change cheat-flagged cvars. This can allow them to have wallhacks, or alter weapon recharge rates. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] has a partial fix for this.<br />
=== Empty name / unconnected ===<br />
Players can set their name to an empty string using the setinfo console command. Some admin plugins will be unable to kick or perform other actions on them. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] will automatically kick anyone found to have an empty name<br />
=== Special name characters ===<br />
If certain special characters are added to your name, you can create messages that appear to be sent by the server administrator.<br />
<br />
*Fix: None currently known.<br />
<br />
= Fixed Exploits = <br />
== Memory corruption crash ==<br />
See [http://aluigi.altervista.org/adv/sourcefraghof-adv.txt this link]<br />
<br />
Fix: none<br />
*'''Fixed in:''' Orangebox, L4D (August 21 2009) CSS (August 25 2009)<br />
<br />
== Arbitrary file upload ==<br />
See [http://aluigi.altervista.org/adv/sourceupfile-adv.txt this link]<br />
<br />
Fix: [https://forums.alliedmods.net/showthread.php?p=905647 File upload exploit fix]<br />
*'''Fixed in:''' Orangebox, L4D (August 21 2009) CSS (August 25 2009)<br />
<br />
== "ProcessClientInfo: SourceTV can not connect to game directly" crash ==<br />
See [http://aluigi.altervista.org/adv/sourcenotvnull-adv.txt this link]<br />
<br />
Fix: Add "tv_enable 1" to cfg/autoexec.cfg, and (optionally) "tv_enable 0" to server.cfg (You only need tv_enable 0 if you don't want sourcetv)<br />
*'''Fixed in:''' Orangebox, L4D (August 21 2009) CSS (August 25 2009)<br />
<br />
== Player disconnect crash ==<br />
See [http://aluigi.altervista.org/adv/sourcefs-adv.txt this link]<br />
<br />
Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] has what may be a partial fix. <br />
*'''Fixed in:''' Orangebox, L4D (August 21 2009) CSS (August 25 2009)</div>Devicenullhttps://wiki.alliedmods.net/index.php?title=SRCDS_Hardening&diff=7548SRCDS Hardening2010-03-20T05:56:12Z<p>Devicenull: </p>
<hr />
<div>= Securing your server = <br />
* Do not enable sv_cheats, do not run any plugins that do so.<br />
* Between [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix], [https://forums.alliedmods.net/showthread.php?p=779851 Forlix FloodCheck], [https://forums.alliedmods.net/showthread.php?t=109453 D-FENS], and [http://www.sourceop.com/modules.php?name=Downloads&d_op=viewdownload&cid=9 DAF] you should be well-protected against most of these exploits. Please don't just install every "fix exploit" plugin you can find, many have duplicate features and end up conflicting with each other. <br />
* [http://www.goodpassword.com/ Use secure rcon passwords.] This should be obvious, but your clan name is not a good rcon password.<br />
* Don't blindly give admin out. Depending on what flags you give people, you could allow them to take over the server.<br />
* Don't piss people off. Many servers get attacked because players get pissed off that admins are abusing them.<br />
<br />
== File Permissions ==<br />
If you are running your own server (not renting one from a GSP), there are some things you can do to prevent many of the more malicious exploits. The basic theory here is to give srcds as little access to the machine as possible. It only needs write access to the following directories:<br />
* downloads/<br />
* cache/<br />
* addons/sourcemod/gamedata/<br />
* addons/sourcemod/data<br />
Note that some plugins rely on being able to write to directories other then these, and permissions may break them. At the very least, it's a good idea to make sure srcds is running as a user that does not have permission to change anything outside of it's own directory. That will prevent your machine from being comprised and made into a botnet client. <br />
<br />
= Current Exploits =<br />
<br />
== Crashes ==<br />
<br />
=== Invalid RCON Crash ===<br />
SRCDS will crash on some machines if you attempt to use an incorrect rcon password too many times. It seems that some machines are affected by this, while others are not. Valve has been notified a few times, and has been unwilling/unable to fix this.<br />
<br />
*Fix: Firewall off rcon (TCP port 27015) from everyone except for certain whitelisted IP's.<br />
<br />
=== HalfConnected Crash ===<br />
[http://aluigi.freeforums.org/source-engine-seg-fault-crash-exploit-t993.html Inital thread]<br />
<br />
If a command is received as the client is connecting, the server will crash or enter a state where it does not accept new connections, but has not crashed. This exploit can also happen if you remove the players entity, which shouldn't happen under normal circumstances. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix]<br />
<br />
=== Invalid ticket length crash ===<br />
By manipulating the steam login packets, it's possible to create one with an invalid length field. The server will crash with a generic memory read error (windows) or segfault (linux).<br />
<br />
*Fix: No fix available.<br />
<br />
== Takeover == <br />
=== ent_fire server takeover ===<br />
If cheats are enabled on a server, the point_servercommand entity can be created, which can be used by clients to execute rcon commands on the server. Premade scripts exist for this that will change the rcon password, and add the client as an admin. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] will prevent the rcon password from being changed, as well as disallowing the point_servercommand entity. The alternative is to not run with sv_cheats 1, and take other measures to ensure it is never enabled.<br />
=== ES_Tools changelevel exploit ===<br />
The "changelevel" command can be abused when ES_tools is running to execute commands on the server<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] will prevent this. Alternatively, remove es_tools if at all possible.<br />
=== File upload/download ===<br />
It's possible to convince the server to let you upload or download random files from it. Valve has been attempting to fix this, but there still seem to be some workarounds to their fixes.<br />
<br />
If you are running your own servers (not rented from a GSP), you can set file permissions on them to fix the upload issue.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?t=109453 dfens] will prevent this.<br />
<br />
== Lag/DOS ==<br />
=== A2C_PRINT Spam ===<br />
SRCDS does not do any sort of authentication on A2C_PRINT messages. This means that anyone can print messages to the servers console, simply by sending UDP packets. It seems this is a legacy feature, and is not actually used by anything. Valve has been notified, and doesn't see this as a problem.<br />
<br />
*Fix: Block any packets beginning with \xFF\xFF\xFF\xFF\x6C or run [http://www.sourceop.com/modules.php?name=Downloads&d_op=viewdownload&cid=9 DAF]<br />
=== A2S_INFO Spam ===<br />
If large numbers of A2S_INFO packets are sent at the server, the FPS will severely drop, making the server essentially unplayable. Since these packets can be spoofed, rate limiting one IP is fairly useless<br />
<br />
*Fix: You can use sv_max_queries_sec_global to limit this, though that would mean your server would be invisible on the master server list while the attacks are in progress. [https://forums.alliedmods.net/showthread.php?t=114787 Query Cache] (a SM extension) will also work.<br />
*'''Fixed in:''' TF2 (partial fix) (August 13, 2009)<br />
<br />
=== Command spam ===<br />
Various commands built into the game can be spammed to lag or crash the server. The fix for most of these is quite simple, just disable them by adding the cheats flag. Valve has been notified, and fixes commands in the occasional patch.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=779851 Forlix FloodCheck] can be used to kick players who have been caught spamming, [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] adds the cheats flag to most of the known commands. [https://forums.alliedmods.net/showthread.php?p=880328 Scortched Earth] will disable all commands except for those on a whitelist, which is the "better" way to fix this, but can break other addons.<br />
=== Bell characters in name ===<br />
If your name contains bell characters, this can be used to lag the server on windows.<br />
<br />
Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] will kick players with these characters in their name.<br />
=== Force fullupdate ===<br />
If you send an empty packet to the server, you can force it to send you the full state of the game, which will lag the server if done enough. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [http://www.sourceop.com/modules.php?name=Downloads&d_op=viewdownload&cid=9 DAF] has a partial workaround<br />
<br />
== Annoyances ==<br />
=== Teleport exploit ===<br />
If you use very large values for your mouse sensitivity, you can overwrite your X and Y coordinates, letting you teleport around. This has the potential to crash the server as well. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] has a partial fix for this.<br />
*'''Fixed in:''' TF2 (July 14 2009)<br />
=== Clientside plugins ===<br />
The VSP interface built into the game can be used to load plugins on the game client, allowing them to change cheat-flagged cvars. This can allow them to have wallhacks, or alter weapon recharge rates. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] has a partial fix for this.<br />
=== Empty name / unconnected ===<br />
Players can set their name to an empty string using the setinfo console command. Some admin plugins will be unable to kick or perform other actions on them. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] will automatically kick anyone found to have an empty name<br />
=== Special name characters ===<br />
If certain special characters are added to your name, you can create messages that appear to be sent by the server administrator.<br />
<br />
*Fix: None currently known.<br />
<br />
= Fixed Exploits = <br />
== Memory corruption crash ==<br />
See [http://aluigi.altervista.org/adv/sourcefraghof-adv.txt this link]<br />
<br />
Fix: none<br />
*'''Fixed in:''' Orangebox, L4D (August 21 2009) CSS (August 25 2009)<br />
<br />
== Arbitrary file upload ==<br />
See [http://aluigi.altervista.org/adv/sourceupfile-adv.txt this link]<br />
<br />
Fix: [https://forums.alliedmods.net/showthread.php?p=905647 File upload exploit fix]<br />
*'''Fixed in:''' Orangebox, L4D (August 21 2009) CSS (August 25 2009)<br />
<br />
== "ProcessClientInfo: SourceTV can not connect to game directly" crash ==<br />
See [http://aluigi.altervista.org/adv/sourcenotvnull-adv.txt this link]<br />
<br />
Fix: Add "tv_enable 1" to cfg/autoexec.cfg, and (optionally) "tv_enable 0" to server.cfg (You only need tv_enable 0 if you don't want sourcetv)<br />
*'''Fixed in:''' Orangebox, L4D (August 21 2009) CSS (August 25 2009)<br />
<br />
== Player disconnect crash ==<br />
See [http://aluigi.altervista.org/adv/sourcefs-adv.txt this link]<br />
<br />
Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] has what may be a partial fix. <br />
*'''Fixed in:''' Orangebox, L4D (August 21 2009) CSS (August 25 2009)</div>Devicenullhttps://wiki.alliedmods.net/index.php?title=SRCDS_Hardening&diff=7540SRCDS Hardening2010-03-12T00:49:01Z<p>Devicenull: </p>
<hr />
<div>= Securing your server = <br />
* Do not enable sv_cheats, do not run any plugins that do so.<br />
* Between [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix], [https://forums.alliedmods.net/showthread.php?p=779851 Forlix FloodCheck], [https://forums.alliedmods.net/showthread.php?t=109453 D-FENS], and [http://www.sourceop.com/modules.php?name=Downloads&d_op=viewdownload&cid=9 DAF] you should be well-protected against most of these exploits. Please don't just install every "fix exploit" plugin you can find, many have duplicate features and end up conflicting with each other. <br />
* [http://www.goodpassword.com/ Use secure rcon passwords.] This should be obvious, but your clan name is not a good rcon password.<br />
* Don't blindly give admin out. Depending on what flags you give people, you could allow them to take over the server.<br />
* Don't piss people off. Many servers get attacked because players get pissed off that admins are abusing them.<br />
<br />
= Current Exploits =<br />
<br />
== Crashes ==<br />
<br />
=== Invalid RCON Crash ===<br />
SRCDS will crash on some machines if you attempt to use an incorrect rcon password too many times. It seems that some machines are affected by this, while others are not. Valve has been notified a few times, and has been unwilling/unable to fix this.<br />
<br />
*Fix: Firewall off rcon (TCP port 27015) from everyone except for certain whitelisted IP's.<br />
<br />
=== HalfConnected Crash ===<br />
[http://aluigi.freeforums.org/source-engine-seg-fault-crash-exploit-t993.html Inital thread]<br />
<br />
If a command is received as the client is connecting, the server will crash or enter a state where it does not accept new connections, but has not crashed. This exploit can also happen if you remove the players entity, which shouldn't happen under normal circumstances. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix]<br />
<br />
=== Invalid ticket length crash ===<br />
By manipulating the steam login packets, it's possible to create one with an invalid length field. The server will crash with a generic memory read error (windows) or segfault (linux).<br />
<br />
*Fix: No fix available.<br />
<br />
== Takeover == <br />
=== ent_fire server takeover ===<br />
If cheats are enabled on a server, the point_servercommand entity can be created, which can be used by clients to execute rcon commands on the server. Premade scripts exist for this that will change the rcon password, and add the client as an admin. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] will prevent the rcon password from being changed, as well as disallowing the point_servercommand entity. The alternative is to not run with sv_cheats 1, and take other measures to ensure it is never enabled.<br />
=== ES_Tools changelevel exploit ===<br />
The "changelevel" command can be abused when ES_tools is running to execute commands on the server<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] will prevent this. Alternatively, remove es_tools if at all possible.<br />
=== File upload/download ===<br />
It's possible to convince the server to let you upload or download random files from it. Valve has been attempting to fix this, but there still seem to be some workarounds to their fixes.<br />
<br />
If you are running your own servers (not rented from a GSP), you can set file permissions on them to fix the upload issue.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?t=109453 dfens] will prevent this.<br />
<br />
== Lag/DOS ==<br />
=== A2C_PRINT Spam ===<br />
SRCDS does not do any sort of authentication on A2C_PRINT messages. This means that anyone can print messages to the servers console, simply by sending UDP packets. It seems this is a legacy feature, and is not actually used by anything. Valve has been notified, and doesn't see this as a problem.<br />
<br />
*Fix: Block any packets beginning with \xFF\xFF\xFF\xFF\x6C or run [http://www.sourceop.com/modules.php?name=Downloads&d_op=viewdownload&cid=9 DAF]<br />
=== A2S_INFO Spam ===<br />
If large numbers of A2S_INFO packets are sent at the server, the FPS will severely drop, making the server essentially unplayable. Since these packets can be spoofed, rate limiting one IP is fairly useless<br />
<br />
*Fix: You can use sv_max_queries_sec_global to limit this, though that would mean your server would be invisible on the master server list while the attacks are in progress. [https://forums.alliedmods.net/showthread.php?t=114787 Query Cache] (a SM extension) will also work.<br />
*'''Fixed in:''' TF2 (partial fix) (August 13, 2009)<br />
<br />
=== Command spam ===<br />
Various commands built into the game can be spammed to lag or crash the server. The fix for most of these is quite simple, just disable them by adding the cheats flag. Valve has been notified, and fixes commands in the occasional patch.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=779851 Forlix FloodCheck] can be used to kick players who have been caught spamming, [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] adds the cheats flag to most of the known commands. [https://forums.alliedmods.net/showthread.php?p=880328 Scortched Earth] will disable all commands except for those on a whitelist, which is the "better" way to fix this, but can break other addons.<br />
=== Bell characters in name ===<br />
If your name contains bell characters, this can be used to lag the server on windows.<br />
<br />
Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] will kick players with these characters in their name.<br />
=== Force fullupdate ===<br />
If you send an empty packet to the server, you can force it to send you the full state of the game, which will lag the server if done enough. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [http://www.sourceop.com/modules.php?name=Downloads&d_op=viewdownload&cid=9 DAF] has a partial workaround<br />
<br />
== Annoyances ==<br />
=== Teleport exploit ===<br />
If you use very large values for your mouse sensitivity, you can overwrite your X and Y coordinates, letting you teleport around. This has the potential to crash the server as well. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] has a partial fix for this.<br />
*'''Fixed in:''' TF2 (July 14 2009)<br />
=== Clientside plugins ===<br />
The VSP interface built into the game can be used to load plugins on the game client, allowing them to change cheat-flagged cvars. This can allow them to have wallhacks, or alter weapon recharge rates. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] has a partial fix for this.<br />
=== Empty name / unconnected ===<br />
Players can set their name to an empty string using the setinfo console command. Some admin plugins will be unable to kick or perform other actions on them. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] will automatically kick anyone found to have an empty name<br />
=== Special name characters ===<br />
If certain special characters are added to your name, you can create messages that appear to be sent by the server administrator.<br />
<br />
*Fix: None currently known.<br />
<br />
= Fixed Exploits = <br />
== Memory corruption crash ==<br />
See [http://aluigi.altervista.org/adv/sourcefraghof-adv.txt this link]<br />
<br />
Fix: none<br />
*'''Fixed in:''' Orangebox, L4D (August 21 2009) CSS (August 25 2009)<br />
<br />
== Arbitrary file upload ==<br />
See [http://aluigi.altervista.org/adv/sourceupfile-adv.txt this link]<br />
<br />
Fix: [https://forums.alliedmods.net/showthread.php?p=905647 File upload exploit fix]<br />
*'''Fixed in:''' Orangebox, L4D (August 21 2009) CSS (August 25 2009)<br />
<br />
== "ProcessClientInfo: SourceTV can not connect to game directly" crash ==<br />
See [http://aluigi.altervista.org/adv/sourcenotvnull-adv.txt this link]<br />
<br />
Fix: Add "tv_enable 1" to cfg/autoexec.cfg, and (optionally) "tv_enable 0" to server.cfg (You only need tv_enable 0 if you don't want sourcetv)<br />
*'''Fixed in:''' Orangebox, L4D (August 21 2009) CSS (August 25 2009)<br />
<br />
== Player disconnect crash ==<br />
See [http://aluigi.altervista.org/adv/sourcefs-adv.txt this link]<br />
<br />
Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] has what may be a partial fix. <br />
*'''Fixed in:''' Orangebox, L4D (August 21 2009) CSS (August 25 2009)</div>Devicenullhttps://wiki.alliedmods.net/index.php?title=Vice_keys&diff=7537Vice keys2010-02-24T22:14:00Z<p>Devicenull: </p>
<hr />
<div>VICE keys are used to encrypt the game's weapon config files in an effort to make them more difficult to tamper with. It's not really a great protection, as usually the key is just hardcoded into the server binaries. Some games, such as Golden Eye Source, try to make it more difficult to retrieve these, but even then it's trivial.<br />
<br />
These keys can be used to decrypt the CTX files that many games provide.<br />
<br />
{|<br />
!width="300"| Game<br />
!width="100"| Key<br />
|-<br />
| Counter-Strike: Source<br />
| d7NSuLq2<br />
|- <br />
| CSPromod<br />
| H1aRQ0n1<br />
|-<br />
| Day of Defeat: Source<br />
| Wl0u5B3F<br />
|- <br />
| Dystopia<br />
| pH3apO8w<br />
|-<br />
| Golden Eye Source<br />
| Gr3naDes<br />
|- <br />
| Half-Life 2: Deathmatch<br />
| x9Ke0BY7<br />
|- <br />
| Insurgency<br />
| DrA5e3EB<br />
|-<br />
| TF2 (items.ctx)<br />
| A5fSXbf7<br />
|- <br />
| TF2 (everything else)<br />
| E2NcUkG2<br />
|- <br />
| ZPS<br />
| 5R0ni0pZ<br />
|}</div>Devicenullhttps://wiki.alliedmods.net/index.php?title=Vice_keys&diff=7536Vice keys2010-02-24T22:13:39Z<p>Devicenull: </p>
<hr />
<div>VICE keys are used to encrypt the game's weapon config files in an effort to make them more difficult to tamper with. It's not really a great protection, as usually the key is just hardcoded into the server binaries. Some games, such as Golden Eye Source, try to make it more difficult to retrieve these, but even then it's trivial.<br />
<br />
{|<br />
!width="300"| Game<br />
!width="100"| Key<br />
|-<br />
| Counter-Strike: Source<br />
| d7NSuLq2<br />
|- <br />
| CSPromod<br />
| H1aRQ0n1<br />
|-<br />
| Day of Defeat: Source<br />
| Wl0u5B3F<br />
|- <br />
| Dystopia<br />
| pH3apO8w<br />
|-<br />
| Golden Eye Source<br />
| Gr3naDes<br />
|- <br />
| Half-Life 2: Deathmatch<br />
| x9Ke0BY7<br />
|- <br />
| Insurgency<br />
| DrA5e3EB<br />
|-<br />
| TF2 (items.ctx)<br />
| A5fSXbf7<br />
|- <br />
| TF2 (everything else)<br />
| E2NcUkG2<br />
|- <br />
| ZPS<br />
| 5R0ni0pZ<br />
|}</div>Devicenullhttps://wiki.alliedmods.net/index.php?title=Vice_keys&diff=7535Vice keys2010-02-24T20:17:25Z<p>Devicenull: </p>
<hr />
<div>{|<br />
| Game<br />
| Key<br />
|-<br />
| Counter-Strike: Source<br />
| d7NSuLq2<br />
|- <br />
| CSPromod<br />
| H1aRQ0n1<br />
|-<br />
| Day of Defeat: Source<br />
| Wl0u5B3F<br />
|- <br />
| Dystopia<br />
| pH3apO8w<br />
|-<br />
| Golden Eye Source<br />
| Gr3naDes<br />
|- <br />
| Half-Life 2: Deathmatch<br />
| x9Ke0BY7<br />
|- <br />
| Insurgency<br />
| DrA5e3EB<br />
|-<br />
| TF2 (items.ctx)<br />
| A5fSXbf7<br />
|- <br />
| TF2 (everything else)<br />
| E2NcUkG2<br />
|- <br />
| ZPS<br />
| 5R0ni0pZ<br />
|}</div>Devicenullhttps://wiki.alliedmods.net/index.php?title=SRCDS_Hardening&diff=7534SRCDS Hardening2010-02-24T06:40:28Z<p>Devicenull: /* A2S_INFO Spam */</p>
<hr />
<div>= Securing your server = <br />
* Do not enable sv_cheats, do not run any plugins that do so.<br />
* Between [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix], [https://forums.alliedmods.net/showthread.php?p=779851 Forlix FloodCheck], [https://forums.alliedmods.net/showthread.php?t=109453 D-FENS], and [http://www.sourceop.com/modules.php?name=Downloads&d_op=viewdownload&cid=9 DAF] you should be well-protected against most of these exploits. Please don't just install every "fix exploit" plugin you can find, many have duplicate features and end up conflicting with each other. <br />
* [http://www.goodpassword.com/ Use secure rcon passwords.] This should be obvious, but your clan name is not a good rcon password.<br />
* Don't blindly give admin out. Depending on what flags you give people, you could allow them to take over the server.<br />
* Don't piss people off. Many servers get attacked because players get pissed off that admins are abusing them.<br />
<br />
= Current Exploits =<br />
<br />
== Crashes ==<br />
<br />
=== Invalid RCON Crash ===<br />
SRCDS will crash on some machines if you attempt to use an incorrect rcon password too many times. It seems that some machines are affected by this, while others are not. Valve has been notified a few times, and has been unwilling/unable to fix this.<br />
<br />
*Fix: Firewall off rcon (TCP port 27015) from everyone except for certain whitelisted IP's.<br />
<br />
=== HalfConnected Crash ===<br />
[http://aluigi.freeforums.org/source-engine-seg-fault-crash-exploit-t993.html Inital thread]<br />
<br />
If a command is received as the client is connecting, the server will crash or enter a state where it does not accept new connections, but has not crashed. This exploit can also happen if you remove the players entity, which shouldn't happen under normal circumstances. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix]<br />
<br />
== Takeover == <br />
=== ent_fire server takeover ===<br />
If cheats are enabled on a server, the point_servercommand entity can be created, which can be used by clients to execute rcon commands on the server. Premade scripts exist for this that will change the rcon password, and add the client as an admin. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] will prevent the rcon password from being changed, as well as disallowing the point_servercommand entity. The alternative is to not run with sv_cheats 1, and take other measures to ensure it is never enabled.<br />
=== ES_Tools changelevel exploit ===<br />
The "changelevel" command can be abused when ES_tools is running to execute commands on the server<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] will prevent this. Alternatively, remove es_tools if at all possible.<br />
=== File upload/download ===<br />
It's possible to convince the server to let you upload or download random files from it. Valve has been attempting to fix this, but there still seem to be some workarounds to their fixes.<br />
<br />
If you are running your own servers (not rented from a GSP), you can set file permissions on them to fix the upload issue.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?t=109453 dfens] will prevent this.<br />
<br />
== Lag/DOS ==<br />
=== A2C_PRINT Spam ===<br />
SRCDS does not do any sort of authentication on A2C_PRINT messages. This means that anyone can print messages to the servers console, simply by sending UDP packets. It seems this is a legacy feature, and is not actually used by anything. Valve has been notified, and doesn't see this as a problem.<br />
<br />
*Fix: Block any packets beginning with \xFF\xFF\xFF\xFF\x6C or run [http://www.sourceop.com/modules.php?name=Downloads&d_op=viewdownload&cid=9 DAF]<br />
=== A2S_INFO Spam ===<br />
If large numbers of A2S_INFO packets are sent at the server, the FPS will severely drop, making the server essentially unplayable. Since these packets can be spoofed, rate limiting one IP is fairly useless<br />
<br />
*Fix: You can use sv_max_queries_sec_global to limit this, though that would mean your server would be invisible on the master server list while the attacks are in progress. [https://forums.alliedmods.net/showthread.php?t=114787 Query Cache] (a SM extension) will also work.<br />
*'''Fixed in:''' TF2 (partial fix) (August 13, 2009)<br />
<br />
=== Command spam ===<br />
Various commands built into the game can be spammed to lag or crash the server. The fix for most of these is quite simple, just disable them by adding the cheats flag. Valve has been notified, and fixes commands in the occasional patch.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=779851 Forlix FloodCheck] can be used to kick players who have been caught spamming, [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] adds the cheats flag to most of the known commands. [https://forums.alliedmods.net/showthread.php?p=880328 Scortched Earth] will disable all commands except for those on a whitelist, which is the "better" way to fix this, but can break other addons.<br />
=== Bell characters in name ===<br />
If your name contains bell characters, this can be used to lag the server on windows.<br />
<br />
Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] will kick players with these characters in their name.<br />
=== Force fullupdate ===<br />
If you send an empty packet to the server, you can force it to send you the full state of the game, which will lag the server if done enough. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [http://www.sourceop.com/modules.php?name=Downloads&d_op=viewdownload&cid=9 DAF] has a partial workaround<br />
<br />
== Annoyances ==<br />
=== Teleport exploit ===<br />
If you use very large values for your mouse sensitivity, you can overwrite your X and Y coordinates, letting you teleport around. This has the potential to crash the server as well. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] has a partial fix for this.<br />
*'''Fixed in:''' TF2 (July 14 2009)<br />
=== Clientside plugins ===<br />
The VSP interface built into the game can be used to load plugins on the game client, allowing them to change cheat-flagged cvars. This can allow them to have wallhacks, or alter weapon recharge rates. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] has a partial fix for this.<br />
=== Empty name / unconnected ===<br />
Players can set their name to an empty string using the setinfo console command. Some admin plugins will be unable to kick or perform other actions on them. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] will automatically kick anyone found to have an empty name<br />
=== Special name characters ===<br />
If certain special characters are added to your name, you can create messages that appear to be sent by the server administrator.<br />
<br />
*Fix: None currently known.<br />
<br />
= Fixed Exploits = <br />
== Memory corruption crash ==<br />
See [http://aluigi.altervista.org/adv/sourcefraghof-adv.txt this link]<br />
<br />
Fix: none<br />
*'''Fixed in:''' Orangebox, L4D (August 21 2009) CSS (August 25 2009)<br />
<br />
== Arbitrary file upload ==<br />
See [http://aluigi.altervista.org/adv/sourceupfile-adv.txt this link]<br />
<br />
Fix: [https://forums.alliedmods.net/showthread.php?p=905647 File upload exploit fix]<br />
*'''Fixed in:''' Orangebox, L4D (August 21 2009) CSS (August 25 2009)<br />
<br />
== "ProcessClientInfo: SourceTV can not connect to game directly" crash ==<br />
See [http://aluigi.altervista.org/adv/sourcenotvnull-adv.txt this link]<br />
<br />
Fix: Add "tv_enable 1" to cfg/autoexec.cfg, and (optionally) "tv_enable 0" to server.cfg (You only need tv_enable 0 if you don't want sourcetv)<br />
*'''Fixed in:''' Orangebox, L4D (August 21 2009) CSS (August 25 2009)<br />
<br />
== Player disconnect crash ==<br />
See [http://aluigi.altervista.org/adv/sourcefs-adv.txt this link]<br />
<br />
Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] has what may be a partial fix. <br />
*'''Fixed in:''' Orangebox, L4D (August 21 2009) CSS (August 25 2009)</div>Devicenullhttps://wiki.alliedmods.net/index.php?title=SRCDS_Hardening&diff=7533SRCDS Hardening2010-02-24T06:26:04Z<p>Devicenull: /* Annoyances */</p>
<hr />
<div>= Securing your server = <br />
* Do not enable sv_cheats, do not run any plugins that do so.<br />
* Between [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix], [https://forums.alliedmods.net/showthread.php?p=779851 Forlix FloodCheck], [https://forums.alliedmods.net/showthread.php?t=109453 D-FENS], and [http://www.sourceop.com/modules.php?name=Downloads&d_op=viewdownload&cid=9 DAF] you should be well-protected against most of these exploits. Please don't just install every "fix exploit" plugin you can find, many have duplicate features and end up conflicting with each other. <br />
* [http://www.goodpassword.com/ Use secure rcon passwords.] This should be obvious, but your clan name is not a good rcon password.<br />
* Don't blindly give admin out. Depending on what flags you give people, you could allow them to take over the server.<br />
* Don't piss people off. Many servers get attacked because players get pissed off that admins are abusing them.<br />
<br />
= Current Exploits =<br />
<br />
== Crashes ==<br />
<br />
=== Invalid RCON Crash ===<br />
SRCDS will crash on some machines if you attempt to use an incorrect rcon password too many times. It seems that some machines are affected by this, while others are not. Valve has been notified a few times, and has been unwilling/unable to fix this.<br />
<br />
*Fix: Firewall off rcon (TCP port 27015) from everyone except for certain whitelisted IP's.<br />
<br />
=== HalfConnected Crash ===<br />
[http://aluigi.freeforums.org/source-engine-seg-fault-crash-exploit-t993.html Inital thread]<br />
<br />
If a command is received as the client is connecting, the server will crash or enter a state where it does not accept new connections, but has not crashed. This exploit can also happen if you remove the players entity, which shouldn't happen under normal circumstances. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix]<br />
<br />
== Takeover == <br />
=== ent_fire server takeover ===<br />
If cheats are enabled on a server, the point_servercommand entity can be created, which can be used by clients to execute rcon commands on the server. Premade scripts exist for this that will change the rcon password, and add the client as an admin. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] will prevent the rcon password from being changed, as well as disallowing the point_servercommand entity. The alternative is to not run with sv_cheats 1, and take other measures to ensure it is never enabled.<br />
=== ES_Tools changelevel exploit ===<br />
The "changelevel" command can be abused when ES_tools is running to execute commands on the server<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] will prevent this. Alternatively, remove es_tools if at all possible.<br />
=== File upload/download ===<br />
It's possible to convince the server to let you upload or download random files from it. Valve has been attempting to fix this, but there still seem to be some workarounds to their fixes.<br />
<br />
If you are running your own servers (not rented from a GSP), you can set file permissions on them to fix the upload issue.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?t=109453 dfens] will prevent this.<br />
<br />
== Lag/DOS ==<br />
=== A2C_PRINT Spam ===<br />
SRCDS does not do any sort of authentication on A2C_PRINT messages. This means that anyone can print messages to the servers console, simply by sending UDP packets. It seems this is a legacy feature, and is not actually used by anything. Valve has been notified, and doesn't see this as a problem.<br />
<br />
*Fix: Block any packets beginning with \xFF\xFF\xFF\xFF\x6C or run [http://www.sourceop.com/modules.php?name=Downloads&d_op=viewdownload&cid=9 DAF]<br />
=== A2S_INFO Spam ===<br />
If large numbers of A2S_INFO packets are sent at the server, the FPS will severely drop, making the server essentially unplayable. Since these packets can be spoofed, rate limiting one IP is fairly useless<br />
<br />
*Fix: You can use sv_max_queries_sec_global to limit this, though that would mean your server would be invisible on the master server list while the attacks are in progress. [https://forums.alliedmods.net/showthread.php?t=114787 Query Cache] (an SM extension) will also work.<br />
*'''Fixed in:''' TF2 (partial fix) (August 13, 2009)<br />
=== Command spam ===<br />
Various commands built into the game can be spammed to lag or crash the server. The fix for most of these is quite simple, just disable them by adding the cheats flag. Valve has been notified, and fixes commands in the occasional patch.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=779851 Forlix FloodCheck] can be used to kick players who have been caught spamming, [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] adds the cheats flag to most of the known commands. [https://forums.alliedmods.net/showthread.php?p=880328 Scortched Earth] will disable all commands except for those on a whitelist, which is the "better" way to fix this, but can break other addons.<br />
=== Bell characters in name ===<br />
If your name contains bell characters, this can be used to lag the server on windows.<br />
<br />
Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] will kick players with these characters in their name.<br />
=== Force fullupdate ===<br />
If you send an empty packet to the server, you can force it to send you the full state of the game, which will lag the server if done enough. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [http://www.sourceop.com/modules.php?name=Downloads&d_op=viewdownload&cid=9 DAF] has a partial workaround<br />
<br />
== Annoyances ==<br />
=== Teleport exploit ===<br />
If you use very large values for your mouse sensitivity, you can overwrite your X and Y coordinates, letting you teleport around. This has the potential to crash the server as well. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] has a partial fix for this.<br />
*'''Fixed in:''' TF2 (July 14 2009)<br />
=== Clientside plugins ===<br />
The VSP interface built into the game can be used to load plugins on the game client, allowing them to change cheat-flagged cvars. This can allow them to have wallhacks, or alter weapon recharge rates. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] has a partial fix for this.<br />
=== Empty name / unconnected ===<br />
Players can set their name to an empty string using the setinfo console command. Some admin plugins will be unable to kick or perform other actions on them. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] will automatically kick anyone found to have an empty name<br />
=== Special name characters ===<br />
If certain special characters are added to your name, you can create messages that appear to be sent by the server administrator.<br />
<br />
*Fix: None currently known.<br />
<br />
= Fixed Exploits = <br />
== Memory corruption crash ==<br />
See [http://aluigi.altervista.org/adv/sourcefraghof-adv.txt this link]<br />
<br />
Fix: none<br />
*'''Fixed in:''' Orangebox, L4D (August 21 2009) CSS (August 25 2009)<br />
<br />
== Arbitrary file upload ==<br />
See [http://aluigi.altervista.org/adv/sourceupfile-adv.txt this link]<br />
<br />
Fix: [https://forums.alliedmods.net/showthread.php?p=905647 File upload exploit fix]<br />
*'''Fixed in:''' Orangebox, L4D (August 21 2009) CSS (August 25 2009)<br />
<br />
== "ProcessClientInfo: SourceTV can not connect to game directly" crash ==<br />
See [http://aluigi.altervista.org/adv/sourcenotvnull-adv.txt this link]<br />
<br />
Fix: Add "tv_enable 1" to cfg/autoexec.cfg, and (optionally) "tv_enable 0" to server.cfg (You only need tv_enable 0 if you don't want sourcetv)<br />
*'''Fixed in:''' Orangebox, L4D (August 21 2009) CSS (August 25 2009)<br />
<br />
== Player disconnect crash ==<br />
See [http://aluigi.altervista.org/adv/sourcefs-adv.txt this link]<br />
<br />
Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] has what may be a partial fix. <br />
*'''Fixed in:''' Orangebox, L4D (August 21 2009) CSS (August 25 2009)</div>Devicenullhttps://wiki.alliedmods.net/index.php?title=SRCDS_Hardening&diff=7522SRCDS Hardening2010-02-19T01:34:29Z<p>Devicenull: /* Takeover */</p>
<hr />
<div>= Securing your server = <br />
* Do not enable sv_cheats, do not run any plugins that do so.<br />
* Between [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix], [https://forums.alliedmods.net/showthread.php?p=779851 Forlix FloodCheck], [https://forums.alliedmods.net/showthread.php?t=109453 D-FENS], and [http://www.sourceop.com/modules.php?name=Downloads&d_op=viewdownload&cid=9 DAF] you should be well-protected against most of these exploits. Please don't just install every "fix exploit" plugin you can find, many have duplicate features and end up conflicting with each other. <br />
* [http://www.goodpassword.com/ Use secure rcon passwords.] This should be obvious, but your clan name is not a good rcon password.<br />
* Don't blindly give admin out. Depending on what flags you give people, you could allow them to take over the server.<br />
* Don't piss people off. Many servers get attacked because players get pissed off that admins are abusing them.<br />
<br />
= Current Exploits =<br />
<br />
== Crashes ==<br />
<br />
=== Invalid RCON Crash ===<br />
SRCDS will crash on some machines if you attempt to use an incorrect rcon password too many times. It seems that some machines are affected by this, while others are not. Valve has been notified a few times, and has been unwilling/unable to fix this.<br />
<br />
*Fix: Firewall off rcon (TCP port 27015) from everyone except for certain whitelisted IP's.<br />
<br />
=== HalfConnected Crash ===<br />
[http://aluigi.freeforums.org/source-engine-seg-fault-crash-exploit-t993.html Inital thread]<br />
<br />
If a command is received as the client is connecting, the server will crash or enter a state where it does not accept new connections, but has not crashed. This exploit can also happen if you remove the players entity, which shouldn't happen under normal circumstances. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix]<br />
<br />
== Takeover == <br />
=== ent_fire server takeover ===<br />
If cheats are enabled on a server, the point_servercommand entity can be created, which can be used by clients to execute rcon commands on the server. Premade scripts exist for this that will change the rcon password, and add the client as an admin. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] will prevent the rcon password from being changed, as well as disallowing the point_servercommand entity. The alternative is to not run with sv_cheats 1, and take other measures to ensure it is never enabled.<br />
=== ES_Tools changelevel exploit ===<br />
The "changelevel" command can be abused when ES_tools is running to execute commands on the server<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] will prevent this. Alternatively, remove es_tools if at all possible.<br />
=== File upload/download ===<br />
It's possible to convince the server to let you upload or download random files from it. Valve has been attempting to fix this, but there still seem to be some workarounds to their fixes.<br />
<br />
If you are running your own servers (not rented from a GSP), you can set file permissions on them to fix the upload issue.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?t=109453 dfens] will prevent this.<br />
<br />
== Lag/DOS ==<br />
=== A2C_PRINT Spam ===<br />
SRCDS does not do any sort of authentication on A2C_PRINT messages. This means that anyone can print messages to the servers console, simply by sending UDP packets. It seems this is a legacy feature, and is not actually used by anything. Valve has been notified, and doesn't see this as a problem.<br />
<br />
*Fix: Block any packets beginning with \xFF\xFF\xFF\xFF\x6C or run [http://www.sourceop.com/modules.php?name=Downloads&d_op=viewdownload&cid=9 DAF]<br />
=== A2S_INFO Spam ===<br />
If large numbers of A2S_INFO packets are sent at the server, the FPS will severely drop, making the server essentially unplayable. Since these packets can be spoofed, rate limiting one IP is fairly useless<br />
<br />
*Fix: You can use sv_max_queries_sec_global to limit this, though that would mean your server would be invisible on the master server list while the attacks are in progress. [https://forums.alliedmods.net/showthread.php?t=114787 Query Cache] (an SM extension) will also work.<br />
*'''Fixed in:''' TF2 (partial fix) (August 13, 2009)<br />
=== Command spam ===<br />
Various commands built into the game can be spammed to lag or crash the server. The fix for most of these is quite simple, just disable them by adding the cheats flag. Valve has been notified, and fixes commands in the occasional patch.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=779851 Forlix FloodCheck] can be used to kick players who have been caught spamming, [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] adds the cheats flag to most of the known commands. [https://forums.alliedmods.net/showthread.php?p=880328 Scortched Earth] will disable all commands except for those on a whitelist, which is the "better" way to fix this, but can break other addons.<br />
=== Bell characters in name ===<br />
If your name contains bell characters, this can be used to lag the server on windows.<br />
<br />
Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] will kick players with these characters in their name.<br />
=== Force fullupdate ===<br />
If you send an empty packet to the server, you can force it to send you the full state of the game, which will lag the server if done enough. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [http://www.sourceop.com/modules.php?name=Downloads&d_op=viewdownload&cid=9 DAF] has a partial workaround<br />
<br />
== Annoyances ==<br />
=== Teleport exploit ===<br />
If you use very large values for your mouse sensitivity, you can overwrite your X and Y coordinates, letting you teleport around. This has the potential to crash the server as well. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] has a partial fix for this.<br />
*'''Fixed in:''' TF2 (July 14 2009)<br />
=== Clientside plugins ===<br />
The VSP interface built into the game can be used to load plugins on the game client, allowing them to change cheat-flagged cvars. This can allow them to have wallhacks, or alter weapon recharge rates. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] has a partial fix for this.<br />
=== Empty name / unconnected ===<br />
Players can set their name to an empty string using the setinfo console command. Some admin plugins will be unable to kick or perform other actions on them. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] will automatically kick anyone found to have an empty name<br />
<br />
= Fixed Exploits = <br />
== Memory corruption crash ==<br />
See [http://aluigi.altervista.org/adv/sourcefraghof-adv.txt this link]<br />
<br />
Fix: none<br />
*'''Fixed in:''' Orangebox, L4D (August 21 2009) CSS (August 25 2009)<br />
<br />
== Arbitrary file upload ==<br />
See [http://aluigi.altervista.org/adv/sourceupfile-adv.txt this link]<br />
<br />
Fix: [https://forums.alliedmods.net/showthread.php?p=905647 File upload exploit fix]<br />
*'''Fixed in:''' Orangebox, L4D (August 21 2009) CSS (August 25 2009)<br />
<br />
== "ProcessClientInfo: SourceTV can not connect to game directly" crash ==<br />
See [http://aluigi.altervista.org/adv/sourcenotvnull-adv.txt this link]<br />
<br />
Fix: Add "tv_enable 1" to cfg/autoexec.cfg, and (optionally) "tv_enable 0" to server.cfg (You only need tv_enable 0 if you don't want sourcetv)<br />
*'''Fixed in:''' Orangebox, L4D (August 21 2009) CSS (August 25 2009)<br />
<br />
== Player disconnect crash ==<br />
See [http://aluigi.altervista.org/adv/sourcefs-adv.txt this link]<br />
<br />
Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] has what may be a partial fix. <br />
*'''Fixed in:''' Orangebox, L4D (August 21 2009) CSS (August 25 2009)</div>Devicenullhttps://wiki.alliedmods.net/index.php?title=SRCDS_Hardening&diff=7521SRCDS Hardening2010-02-19T01:31:50Z<p>Devicenull: </p>
<hr />
<div>= Securing your server = <br />
* Do not enable sv_cheats, do not run any plugins that do so.<br />
* Between [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix], [https://forums.alliedmods.net/showthread.php?p=779851 Forlix FloodCheck], [https://forums.alliedmods.net/showthread.php?t=109453 D-FENS], and [http://www.sourceop.com/modules.php?name=Downloads&d_op=viewdownload&cid=9 DAF] you should be well-protected against most of these exploits. Please don't just install every "fix exploit" plugin you can find, many have duplicate features and end up conflicting with each other. <br />
* [http://www.goodpassword.com/ Use secure rcon passwords.] This should be obvious, but your clan name is not a good rcon password.<br />
* Don't blindly give admin out. Depending on what flags you give people, you could allow them to take over the server.<br />
* Don't piss people off. Many servers get attacked because players get pissed off that admins are abusing them.<br />
<br />
= Current Exploits =<br />
<br />
== Crashes ==<br />
<br />
=== Invalid RCON Crash ===<br />
SRCDS will crash on some machines if you attempt to use an incorrect rcon password too many times. It seems that some machines are affected by this, while others are not. Valve has been notified a few times, and has been unwilling/unable to fix this.<br />
<br />
*Fix: Firewall off rcon (TCP port 27015) from everyone except for certain whitelisted IP's.<br />
<br />
=== HalfConnected Crash ===<br />
[http://aluigi.freeforums.org/source-engine-seg-fault-crash-exploit-t993.html Inital thread]<br />
<br />
If a command is received as the client is connecting, the server will crash or enter a state where it does not accept new connections, but has not crashed. This exploit can also happen if you remove the players entity, which shouldn't happen under normal circumstances. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix]<br />
<br />
== Takeover == <br />
=== ent_fire server takeover ===<br />
If cheats are enabled on a server, the point_servercommand entity can be created, which can be used by clients to execute rcon commands on the server. Premade scripts exist for this that will change the rcon password, and add the client as an admin. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] will prevent the rcon password from being changed, as well as disallowing the point_servercommand entity. The alternative is to not run with sv_cheats 1, and take other measures to ensure it is never enabled.<br />
=== ES_Tools changelevel exploit ===<br />
The "changelevel" command can be abused when ES_tools is running to execute commands on the server<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] will prevent this. Alternatively, remove es_tools if at all possible.<br />
<br />
== Lag/DOS ==<br />
=== A2C_PRINT Spam ===<br />
SRCDS does not do any sort of authentication on A2C_PRINT messages. This means that anyone can print messages to the servers console, simply by sending UDP packets. It seems this is a legacy feature, and is not actually used by anything. Valve has been notified, and doesn't see this as a problem.<br />
<br />
*Fix: Block any packets beginning with \xFF\xFF\xFF\xFF\x6C or run [http://www.sourceop.com/modules.php?name=Downloads&d_op=viewdownload&cid=9 DAF]<br />
=== A2S_INFO Spam ===<br />
If large numbers of A2S_INFO packets are sent at the server, the FPS will severely drop, making the server essentially unplayable. Since these packets can be spoofed, rate limiting one IP is fairly useless<br />
<br />
*Fix: You can use sv_max_queries_sec_global to limit this, though that would mean your server would be invisible on the master server list while the attacks are in progress. [https://forums.alliedmods.net/showthread.php?t=114787 Query Cache] (an SM extension) will also work.<br />
*'''Fixed in:''' TF2 (partial fix) (August 13, 2009)<br />
=== Command spam ===<br />
Various commands built into the game can be spammed to lag or crash the server. The fix for most of these is quite simple, just disable them by adding the cheats flag. Valve has been notified, and fixes commands in the occasional patch.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=779851 Forlix FloodCheck] can be used to kick players who have been caught spamming, [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] adds the cheats flag to most of the known commands. [https://forums.alliedmods.net/showthread.php?p=880328 Scortched Earth] will disable all commands except for those on a whitelist, which is the "better" way to fix this, but can break other addons.<br />
=== Bell characters in name ===<br />
If your name contains bell characters, this can be used to lag the server on windows.<br />
<br />
Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] will kick players with these characters in their name.<br />
=== Force fullupdate ===<br />
If you send an empty packet to the server, you can force it to send you the full state of the game, which will lag the server if done enough. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [http://www.sourceop.com/modules.php?name=Downloads&d_op=viewdownload&cid=9 DAF] has a partial workaround<br />
<br />
== Annoyances ==<br />
=== Teleport exploit ===<br />
If you use very large values for your mouse sensitivity, you can overwrite your X and Y coordinates, letting you teleport around. This has the potential to crash the server as well. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] has a partial fix for this.<br />
*'''Fixed in:''' TF2 (July 14 2009)<br />
=== Clientside plugins ===<br />
The VSP interface built into the game can be used to load plugins on the game client, allowing them to change cheat-flagged cvars. This can allow them to have wallhacks, or alter weapon recharge rates. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] has a partial fix for this.<br />
=== Empty name / unconnected ===<br />
Players can set their name to an empty string using the setinfo console command. Some admin plugins will be unable to kick or perform other actions on them. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] will automatically kick anyone found to have an empty name<br />
<br />
= Fixed Exploits = <br />
== Memory corruption crash ==<br />
See [http://aluigi.altervista.org/adv/sourcefraghof-adv.txt this link]<br />
<br />
Fix: none<br />
*'''Fixed in:''' Orangebox, L4D (August 21 2009) CSS (August 25 2009)<br />
<br />
== Arbitrary file upload ==<br />
See [http://aluigi.altervista.org/adv/sourceupfile-adv.txt this link]<br />
<br />
Fix: [https://forums.alliedmods.net/showthread.php?p=905647 File upload exploit fix]<br />
*'''Fixed in:''' Orangebox, L4D (August 21 2009) CSS (August 25 2009)<br />
<br />
== "ProcessClientInfo: SourceTV can not connect to game directly" crash ==<br />
See [http://aluigi.altervista.org/adv/sourcenotvnull-adv.txt this link]<br />
<br />
Fix: Add "tv_enable 1" to cfg/autoexec.cfg, and (optionally) "tv_enable 0" to server.cfg (You only need tv_enable 0 if you don't want sourcetv)<br />
*'''Fixed in:''' Orangebox, L4D (August 21 2009) CSS (August 25 2009)<br />
<br />
== Player disconnect crash ==<br />
See [http://aluigi.altervista.org/adv/sourcefs-adv.txt this link]<br />
<br />
Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] has what may be a partial fix. <br />
*'''Fixed in:''' Orangebox, L4D (August 21 2009) CSS (August 25 2009)</div>Devicenullhttps://wiki.alliedmods.net/index.php?title=SRCDS_Hardening&diff=7519SRCDS Hardening2010-02-17T06:21:12Z<p>Devicenull: </p>
<hr />
<div>Any exploits not here that you would like added can be emailed to dn at devicenull.org and I'll update this page. Note: There's enough information here for Valve to fix the exploits, but hopefully not enough for people to use these exploits.<br />
<br />
Tips for securing your server:<br />
* Do not enable sv_cheats, do not run any plugins that do so.<br />
* Between [https://forums.alliedmods.net/showthread.php?p=841590 this plugin], [https://forums.alliedmods.net/showthread.php?p=779851 this plugin], and [http://www.sourceop.com/modules.php?name=Downloads&d_op=viewdownload&cid=9 this plugin] you should be well-protected against most of these exploits. Please don't just install every "fix exploit" plugin you can find, many have duplicate features and end up conflicting with each other.<br />
* Use secure rcon passwords. This should be obvious, but your clan name is not a good rcon password.<br />
* Don't blindly give admin out. Depending on what flags you give people, you could allow them to take over the server. <br />
<br />
<br />
----<br />
<br />
= Current Exploits =<br />
<br />
== Invalid RCON Crash ==<br />
SRCDS will crash on some machines if you attempt to use an incorrect rcon password too many times. It seems that some machines are affected by this, while others are not. Valve has been notified a few times, and has been unwilling/unable to fix this.<br />
<br />
*Fix: Firewall off rcon (TCP port 27015) from everyone except for certain whitelisted IP's<br />
<br />
== HalfConnected Crash ==<br />
[http://aluigi.freeforums.org/source-engine-seg-fault-crash-exploit-t993.html Inital thread]<br />
<br />
If a command is received as the client is connecting, the server will crash or enter a state where it does not accept new connections, but has not crashed. This exploit can also happen if you remove the players entity, which shouldn't happen under normal circumstances. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 my plugin]<br />
<br />
== A2C_PRINT Spam ==<br />
SRCDS does not do any sort of authentication on A2C_PRINT messages. This means that anyone can print messages to the servers console, simply by sending UDP packets. It seems this is a legacy feature, and is not actually used by anything. Valve has been notified, and doesn't see this as a problem.<br />
<br />
*Fix: Block any packets beginning with \xFF\xFF\xFF\xFF\x6C or run [http://www.sourceop.com/modules.php?name=Downloads&d_op=viewdownload&cid=9 this plugin]<br />
<br />
== A2S_INFO Spam ==<br />
If large numbers of A2S_INFO packets are sent at the server, the FPS will severely drop, making the server essentially unplayable. Since these packets can be spoofed, rate limiting one IP is fairly useless<br />
<br />
*Fix: You can use sv_max_queries_sec_global to limit this, though that would mean your server would be invisible on the master server list while the attacks are in progress. [https://forums.alliedmods.net/showthread.php?t=114787 This SM extension] will also work.<br />
*'''Fixed in:''' TF2 (partial fix) (August 13, 2009)<br />
<br />
== Teleport exploit ==<br />
If you use very large values for your mouse sensitivity, you can overwrite your X and Y coordinates, letting you teleport around. This has the potential to crash the server as well. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 my plugin] has a partial fix for this.<br />
*'''Fixed in:''' TF2 (July 14 2009)<br />
<br />
== Clientside plugins ==<br />
The VSP interface built into the game can be used to load plugins on the game client, allowing them to change cheat-flagged cvars. This can allow them to have wallhacks, or alter weapon recharge rates. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 my plugin] has a partial fix for this.<br />
<br />
== Command spam ==<br />
Various commands built into the game can be spammed to lag or crash the server. The fix for most of these is quite simple, just disable them by adding the cheats flag. Valve has been notified, and fixes commands in the occasional patch.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=779851 this pluin] can be used to kick players who have been caught spamming, [https://forums.alliedmods.net/showthread.php?p=841590 my plugin] adds the cheats flag to most of the known commands. [http://forums.alliedmods.net/showthread.php?p=880328 my other plugin] will disable all commands except for those on a whitelist, which is the "better" way to fix this, but can break other addons.<br />
<br />
== Empty name / unconnected ==<br />
Players can set their name to an empty string using the setinfo console command. Some admin plugins will be unable to kick or perform other actions on them. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 my plugin] will automatically kick anyone found to have an empty name<br />
<br />
== Bell characters in name ==<br />
If your name contains bell characters, this can be used to lag the server on windows.<br />
<br />
Fix: [https://forums.alliedmods.net/showthread.php?p=841590 my plugin] will kick players with these characters in their name.<br />
<br />
== ent_fire server takeover ==<br />
If cheats are enabled on a server, the point_servercommand entity can be created, which can be used by clients to execute rcon commands on the server. Premade scripts exist for this that will change the rcon password, and add the client as an admin. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 my plugin] will prevent the rcon password from being changed, as well as disallowing the point_servercommand entity. The alternative is to not run with sv_cheats 1, and take other measures to ensure it is never enabled.<br />
<br />
== Force fullupdate ==<br />
If you send an empty packet to the server, you can force it to send you the full state of the game, which will lag the server if done enough. Valve has been notified, and is unwilling to fix this.<br />
<br />
*Fix: [http://www.sourceop.com/modules.php?name=Downloads&d_op=viewdownload&cid=9 this plugin] has a partial workaround<br />
<br />
== Plugin Exploits ==<br />
=== Mani nextmap/timeleft spam ===<br />
The "nextmap" and "timeleft" commands in Mani can be spammed to lag/crash the server.<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 my plugin] will disable these commands.<br />
<br />
=== Eventscripts changelevel exploit ===<br />
The "changelevel" command can be abused when Eventscripts is running to execute commands on the server<br />
<br />
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 my plugin] will prevent this.<br />
<br />
= Fixed Exploits = <br />
== Memory corruption crash ==<br />
See [http://aluigi.altervista.org/adv/sourcefraghof-adv.txt this link]<br />
<br />
Fix: none<br />
*'''Fixed in:''' Orangebox, L4D (August 21 2009) CSS (August 25 2009)<br />
<br />
== Arbitrary file upload ==<br />
See [http://aluigi.altervista.org/adv/sourceupfile-adv.txt this link]<br />
<br />
Fix: [https://forums.alliedmods.net/showthread.php?p=905647#post905647 this plugin]<br />
*'''Fixed in:''' Orangebox, L4D (August 21 2009) CSS (August 25 2009)<br />
<br />
== "ProcessClientInfo: SourceTV can not connect to game directly" crash ==<br />
See [http://aluigi.altervista.org/adv/sourcenotvnull-adv.txt this link]<br />
<br />
Fix: Add "tv_enable 1" to cfg/autoexec.cfg, and (optionally) "tv_enable 0" to server.cfg (You only need tv_enable 0 if you don't want sourcetv)<br />
*'''Fixed in:''' Orangebox, L4D (August 21 2009) CSS (August 25 2009)<br />
<br />
== Player disconnect crash ==<br />
See [http://aluigi.altervista.org/adv/sourcefs-adv.txt this link]<br />
<br />
Fix: [https://forums.alliedmods.net/showthread.php?p=841590 my plugin] has what may be a partial fix. I can't really make any promises though.<br />
*'''Fixed in:''' Orangebox, L4D (August 21 2009) CSS (August 25 2009)</div>Devicenullhttps://wiki.alliedmods.net/index.php?title=SRCDS_Hardening&diff=7518SRCDS Hardening2010-02-17T06:19:09Z<p>Devicenull: Created page with 'SRCDS by itself is vulnerable to a number of exploits. This page will eventually host a list of all known exploits and solutions.'</p>
<hr />
<div>SRCDS by itself is vulnerable to a number of exploits. This page will eventually host a list of all known exploits and solutions.</div>Devicenullhttps://wiki.alliedmods.net/index.php?title=Vice_keys&diff=7485Vice keys2010-01-09T19:45:02Z<p>Devicenull: Created page with '{| | Game | Key |- | Dystopia | pH3apO8w |- | Insurgency | DrA5e3EB |- | TF2 (items.ctx) | A5fSXbf7 |- | TF2 (everything else) | E2NcUkG2 |}'</p>
<hr />
<div>{|<br />
| Game<br />
| Key<br />
|-<br />
| Dystopia<br />
| pH3apO8w<br />
|- <br />
| Insurgency<br />
| DrA5e3EB<br />
|-<br />
| TF2 (items.ctx)<br />
| A5fSXbf7<br />
|- <br />
| TF2 (everything else)<br />
| E2NcUkG2<br />
|}</div>Devicenullhttps://wiki.alliedmods.net/index.php?title=Category:SourceMod_Scripting&diff=7484Category:SourceMod Scripting2010-01-09T19:40:40Z<p>Devicenull: /* Resources */</p>
<hr />
<div>This category contains articles about scripting for SourceMod with SourcePawn.<br />
<br />
===Introductions===<br />
*[[Introduction to SourcePawn]] - Learning language syntax.<br />
*[[Introduction to SourceMod Plugins]] - Writing your "first plugin."<br />
*[http://docs.sourcemod.net/api API Reference] - Searchable scripting API reference.<br />
<br />
===Basic API===<br />
*[[AutoConfigs (SourceMod Scripting)|AutoConfigs]] - Automatic .cfg creation for cvars.<br />
*[[Commands (SourceMod Scripting)|Commands]] - Console commands/input.<br />
*[[ConVars (SourceMod Scripting)|ConVars]] - Console variables (cvars).<br />
*[[Events (SourceMod Scripting)|Events]] - Half-Life 2 Game Events.<br />
*[[KeyValues (SourceMod Scripting)|KeyValues]] - KeyValues file parsing/writing.<br />
*[[Menu API (SourceMod)|Menus]] - Building and drawing menus.<br />
*[[SQL (SourceMod Scripting)|SQL]] - Using databases (MySQL, SQLite).<br />
*[[Timers (SourceMod Scripting)|Timers]] - Timed callbacks.<br />
*[[Translations (SourceMod Scripting)|Translations]] - Internationalization.<br />
*[[Entity References (SourceMod)|Entity References]] - A safe way of storing entities.<br />
<br />
===Advanced API===<br />
*[[Admin API (SourceMod)|Administration API]] - Using the Admin Cache.<br />
*[[Admin Menu (SourceMod Scripting)|Admin Menu API]] - Attaching to the Admin Menu.<br />
*[[Creating Natives (SourceMod Scripting)|Creating Natives]] - Exposing API to other plugins.<br />
*[[Function Calling API (SourceMod Scripting)|Function Calling API]] - Calling external functions.<br />
*[[Optional Requirements (SourceMod Scripting)|Optional Requirements]] - Managing dependencies.<br />
*[[SDKTools (SourceMod Scripting)|SDKTools]] - Using the powerful SDK abstraction layer.<br />
*[[TempEnts (SourceMod SDKTools)|Temporary Entities]] - Using temporary entities.<br />
<br />
===Information===<br />
*[[Format Class Functions (SourceMod Scripting)|Format Class Functions]] - All about text formatting.<br />
*[[Handles (SourceMod Scripting)|Handles]] - Overview of Handles and some common types.<br />
*[[Optimizing Plugins (SourceMod Scripting)|Optimizing Plugins]] - Optimization hints.<br />
*[[Tags (Scripting)|Tags]] - All about tags.<br />
*[[Vectors Explained (Scripting)|Vectors Explained]] - Explanation of Vector types.<br />
<br />
===Resources===<br />
*[http://docs.sourcemod.net/api API Reference] - Searchable scripting API reference.<br />
*[[Entity Properties]] - Explanation of Source entity properties.<br />
*[[Game Events (Source)|Game Events]] - Game events listings for popular mods.<br />
*[[Mod TempEnt List (Source)|Temp Entity Lists]] - Temporary entities for popular mods.<br />
*[[SourceMod Profiler]] - Performance tracking and optimizing.<br />
*[[Vice_keys]] - Decryption keys for ctx files<br />
<br />
[[Category:SourceMod]]<br />
[[Category:SourceMod Development]]</div>Devicenullhttps://wiki.alliedmods.net/index.php?title=Format_Class_Functions_(SourceMod_Scripting)&diff=7443Format Class Functions (SourceMod Scripting)2009-11-18T04:58:38Z<p>Devicenull: /* Making your function Format-Class */</p>
<hr />
<div>=Introduction=<br />
Format-class functions are variable argument functions in [[SourceMod]] which allow you to format a string. A simple example of this is the <tt>Format()</tt> function, which looks like:<br />
<br />
<pawn>decl String:buffer[512];<br />
Format(buffer, sizeof(buffer), "Your name is: %s", userName);</pawn><br />
<br />
If userName contains "<tt>Mark</tt>," the contents of <tt>buffer</tt> will then be: "<tt>Your name is: Mark</tt>." The prototype of these functions almost always contains the following parameters:<br />
<pawn>const String:fmt[], {Handle,Float,_}:...</pawn><br />
<br />
For example, observe the following two natives:<br />
<pawn>native Format(String:buffer[], maxlength, const String:fmt[], {Handle,Float,_}:...);<br />
native PrintToClient(client, String:fmt[], {Handle,Float,_}:...);</pawn><br />
<br />
Thus, <tt>PrintToClient</tt> is a format-class function. It can be used exactly as shown earlier:<br />
<pawn>PrintToClient(client, "Your name is: %s", userName);</pawn><br />
<br />
=Format Specifiers=<br />
A format specifier is a code that allows you to specify what data-type to print. The most common specifiers are:<br />
*'''Numerical'''<br />
**'''d''' or '''i''': Integer number as decimal<br />
**'''b''': Binary digits in the value<br />
**'''f''': Floating-point number<br />
**'''x''' or '''X''': Hexadecimal representation of the binary value (capitalization affects hex letter casing)<br />
*'''Character(s)'''<br />
**'''s''': String<br />
**'''t''' or '''T''': Translates a phrase (explained in [[Translations (SourceMod_Scripting)#Usage_in_a_Plugin|Translations]])<br />
**'''c''': Prints one character (UTF-8 compliant)<br />
*'''Special'''<br />
**'''L''': Requires a client index; expands to 1<2><3><> where 1 is the player's name, 2 is the player's userid, and 3 is the player's Steam ID. If the client index is 0, the string will be: <tt><nowiki>Console<0><Console><Console></nowiki></tt><br />
**'''N''': Requires a client index; expands to a string containing the player's name. If the client index is 0, the string will be: <tt>Console</tt><br />
<br />
=Usage=<br />
Format specifiers are denoted with a <tt>'%s'</tt> symbol. For example, to print a float, a number, and a string, you might use this code:<br />
<pawn>new Float:fNum = 5.0;<br />
new iNum = 5<br />
new String:str[] = "5"<br />
<br />
PrintToClient(client, "Number: %d Float: %f String: %s", iNum, fNum, str);</pawn><br />
<br />
'''Note''': Using the wrong data type with a specifier can be very dangerous. Always make sure you are printing as the right type. For example, specifying a string and passing a number can crash the server.<br />
<br />
=Advanced Formatting=<br />
Format specifiers have an extended syntax for controlling various aspects of how data is printed. The full syntax is:<br />
<tt>%[flags][width][.precision]specifier</tt><br />
<br />
Each bracketed section is an optional extension. Explanations of supported SourceMod format extensions:<br />
*'''%''': Obviously, this is always required.<br />
*'''flags''':<br />
**'''-''': Left-justify (right-justify is set by default)<br />
**'''0''': Pads with 0s instead of spaces when needed (see '''width''' below).<br />
*'''width''': Minimum number of characters to be printed. If the value to be printed is shorter than this number, the result is padded with blank spaces. The value is not truncated even if the result is larger.<br />
*'''precision''': <br />
**'''For integers''': specifies the minimum number of digits to print (or pad with spaces/zeroes if below the minimum). <br />
**'''For strings''': specifies the maximum number of characters to print.<br />
**'''For floats''': specifies the number of digits to be printed ''after the decimal point''.<br />
**'''For all other types''': no effect.<br />
*'''specifier''': character specifying the data type (always required).<br />
<br />
todo: examples<br />
<br />
For more information, see [http://www.cplusplus.com/reference/clibrary/cstdio/printf.html printf] from the C Standard Library, although not all modes are supported from C.<br />
<br />
=Making your function Format-Class=<br />
<br />
Sourcemod allows you to make your function Format-class, ie. pass parameters to format string variables.<br />
Here's an example :<br />
<br />
<pawn>public formatExample(const String:myString[] , any:...)<br />
{<br />
new String:myFormattedString[strlen(myString)+255];<br />
VFormat(myFormattedString, sizeof(myFormattedString), myString, 2);<br />
<br />
PrintToServer(myFormattedString);<br />
}</pawn><br />
<br />
Using the parameter "any: ...", we can pass data(s) to format our string.<br />
Now, in order to replace the Format Specifiers by our data(s), we use the API "VFormat", which documentation can be found here : [http://docs.sourcemod.net/api/].<br />
<br />
The three first parameters passed in VFormat are pretty obvious since they are the as in the Format(..) API.<br />
<br />
The 4th parameter indicate the "any: ..." parameter position in your function prototype.<br />
<br />
[[Category:SourceMod Scripting]]</div>Devicenullhttps://wiki.alliedmods.net/index.php?title=Format_Class_Functions_(SourceMod_Scripting)&diff=7442Format Class Functions (SourceMod Scripting)2009-11-18T04:58:23Z<p>Devicenull: /* Making your function Format-Class */</p>
<hr />
<div>=Introduction=<br />
Format-class functions are variable argument functions in [[SourceMod]] which allow you to format a string. A simple example of this is the <tt>Format()</tt> function, which looks like:<br />
<br />
<pawn>decl String:buffer[512];<br />
Format(buffer, sizeof(buffer), "Your name is: %s", userName);</pawn><br />
<br />
If userName contains "<tt>Mark</tt>," the contents of <tt>buffer</tt> will then be: "<tt>Your name is: Mark</tt>." The prototype of these functions almost always contains the following parameters:<br />
<pawn>const String:fmt[], {Handle,Float,_}:...</pawn><br />
<br />
For example, observe the following two natives:<br />
<pawn>native Format(String:buffer[], maxlength, const String:fmt[], {Handle,Float,_}:...);<br />
native PrintToClient(client, String:fmt[], {Handle,Float,_}:...);</pawn><br />
<br />
Thus, <tt>PrintToClient</tt> is a format-class function. It can be used exactly as shown earlier:<br />
<pawn>PrintToClient(client, "Your name is: %s", userName);</pawn><br />
<br />
=Format Specifiers=<br />
A format specifier is a code that allows you to specify what data-type to print. The most common specifiers are:<br />
*'''Numerical'''<br />
**'''d''' or '''i''': Integer number as decimal<br />
**'''b''': Binary digits in the value<br />
**'''f''': Floating-point number<br />
**'''x''' or '''X''': Hexadecimal representation of the binary value (capitalization affects hex letter casing)<br />
*'''Character(s)'''<br />
**'''s''': String<br />
**'''t''' or '''T''': Translates a phrase (explained in [[Translations (SourceMod_Scripting)#Usage_in_a_Plugin|Translations]])<br />
**'''c''': Prints one character (UTF-8 compliant)<br />
*'''Special'''<br />
**'''L''': Requires a client index; expands to 1<2><3><> where 1 is the player's name, 2 is the player's userid, and 3 is the player's Steam ID. If the client index is 0, the string will be: <tt><nowiki>Console<0><Console><Console></nowiki></tt><br />
**'''N''': Requires a client index; expands to a string containing the player's name. If the client index is 0, the string will be: <tt>Console</tt><br />
<br />
=Usage=<br />
Format specifiers are denoted with a <tt>'%s'</tt> symbol. For example, to print a float, a number, and a string, you might use this code:<br />
<pawn>new Float:fNum = 5.0;<br />
new iNum = 5<br />
new String:str[] = "5"<br />
<br />
PrintToClient(client, "Number: %d Float: %f String: %s", iNum, fNum, str);</pawn><br />
<br />
'''Note''': Using the wrong data type with a specifier can be very dangerous. Always make sure you are printing as the right type. For example, specifying a string and passing a number can crash the server.<br />
<br />
=Advanced Formatting=<br />
Format specifiers have an extended syntax for controlling various aspects of how data is printed. The full syntax is:<br />
<tt>%[flags][width][.precision]specifier</tt><br />
<br />
Each bracketed section is an optional extension. Explanations of supported SourceMod format extensions:<br />
*'''%''': Obviously, this is always required.<br />
*'''flags''':<br />
**'''-''': Left-justify (right-justify is set by default)<br />
**'''0''': Pads with 0s instead of spaces when needed (see '''width''' below).<br />
*'''width''': Minimum number of characters to be printed. If the value to be printed is shorter than this number, the result is padded with blank spaces. The value is not truncated even if the result is larger.<br />
*'''precision''': <br />
**'''For integers''': specifies the minimum number of digits to print (or pad with spaces/zeroes if below the minimum). <br />
**'''For strings''': specifies the maximum number of characters to print.<br />
**'''For floats''': specifies the number of digits to be printed ''after the decimal point''.<br />
**'''For all other types''': no effect.<br />
*'''specifier''': character specifying the data type (always required).<br />
<br />
todo: examples<br />
<br />
For more information, see [http://www.cplusplus.com/reference/clibrary/cstdio/printf.html printf] from the C Standard Library, although not all modes are supported from C.<br />
<br />
=Making your function Format-Class=<br />
<br />
Sourcemod allows you to make your function Format-class, ie. pass parameters to format string variables.<br />
Here's an exemple :<br />
<br />
<pawn>public formatExample(const String:myString[] , any:...)<br />
{<br />
new String:myFormattedString[strlen(myString)+255];<br />
VFormat(myFormattedString, sizeof(myFormattedString), myString, 2);<br />
<br />
PrintToServer(myFormattedString);<br />
}</pawn><br />
<br />
Using the parameter "any: ...", we can pass data(s) to format our string.<br />
Now, in order to replace the Format Specifiers by our data(s), we use the API "VFormat", which documentation can be found here : [http://docs.sourcemod.net/api/].<br />
<br />
The three first parameters passed in VFormat are pretty obvious since they are the as in the Format(..) API.<br />
<br />
The 4th parameter indicate the "any: ..." parameter position in your function prototype.<br />
<br />
[[Category:SourceMod Scripting]]</div>Devicenullhttps://wiki.alliedmods.net/index.php?title=Format_Class_Functions_(SourceMod_Scripting)&diff=7441Format Class Functions (SourceMod Scripting)2009-11-18T04:57:53Z<p>Devicenull: </p>
<hr />
<div>=Introduction=<br />
Format-class functions are variable argument functions in [[SourceMod]] which allow you to format a string. A simple example of this is the <tt>Format()</tt> function, which looks like:<br />
<br />
<pawn>decl String:buffer[512];<br />
Format(buffer, sizeof(buffer), "Your name is: %s", userName);</pawn><br />
<br />
If userName contains "<tt>Mark</tt>," the contents of <tt>buffer</tt> will then be: "<tt>Your name is: Mark</tt>." The prototype of these functions almost always contains the following parameters:<br />
<pawn>const String:fmt[], {Handle,Float,_}:...</pawn><br />
<br />
For example, observe the following two natives:<br />
<pawn>native Format(String:buffer[], maxlength, const String:fmt[], {Handle,Float,_}:...);<br />
native PrintToClient(client, String:fmt[], {Handle,Float,_}:...);</pawn><br />
<br />
Thus, <tt>PrintToClient</tt> is a format-class function. It can be used exactly as shown earlier:<br />
<pawn>PrintToClient(client, "Your name is: %s", userName);</pawn><br />
<br />
=Format Specifiers=<br />
A format specifier is a code that allows you to specify what data-type to print. The most common specifiers are:<br />
*'''Numerical'''<br />
**'''d''' or '''i''': Integer number as decimal<br />
**'''b''': Binary digits in the value<br />
**'''f''': Floating-point number<br />
**'''x''' or '''X''': Hexadecimal representation of the binary value (capitalization affects hex letter casing)<br />
*'''Character(s)'''<br />
**'''s''': String<br />
**'''t''' or '''T''': Translates a phrase (explained in [[Translations (SourceMod_Scripting)#Usage_in_a_Plugin|Translations]])<br />
**'''c''': Prints one character (UTF-8 compliant)<br />
*'''Special'''<br />
**'''L''': Requires a client index; expands to 1<2><3><> where 1 is the player's name, 2 is the player's userid, and 3 is the player's Steam ID. If the client index is 0, the string will be: <tt><nowiki>Console<0><Console><Console></nowiki></tt><br />
**'''N''': Requires a client index; expands to a string containing the player's name. If the client index is 0, the string will be: <tt>Console</tt><br />
<br />
=Usage=<br />
Format specifiers are denoted with a <tt>'%s'</tt> symbol. For example, to print a float, a number, and a string, you might use this code:<br />
<pawn>new Float:fNum = 5.0;<br />
new iNum = 5<br />
new String:str[] = "5"<br />
<br />
PrintToClient(client, "Number: %d Float: %f String: %s", iNum, fNum, str);</pawn><br />
<br />
'''Note''': Using the wrong data type with a specifier can be very dangerous. Always make sure you are printing as the right type. For example, specifying a string and passing a number can crash the server.<br />
<br />
=Advanced Formatting=<br />
Format specifiers have an extended syntax for controlling various aspects of how data is printed. The full syntax is:<br />
<tt>%[flags][width][.precision]specifier</tt><br />
<br />
Each bracketed section is an optional extension. Explanations of supported SourceMod format extensions:<br />
*'''%''': Obviously, this is always required.<br />
*'''flags''':<br />
**'''-''': Left-justify (right-justify is set by default)<br />
**'''0''': Pads with 0s instead of spaces when needed (see '''width''' below).<br />
*'''width''': Minimum number of characters to be printed. If the value to be printed is shorter than this number, the result is padded with blank spaces. The value is not truncated even if the result is larger.<br />
*'''precision''': <br />
**'''For integers''': specifies the minimum number of digits to print (or pad with spaces/zeroes if below the minimum). <br />
**'''For strings''': specifies the maximum number of characters to print.<br />
**'''For floats''': specifies the number of digits to be printed ''after the decimal point''.<br />
**'''For all other types''': no effect.<br />
*'''specifier''': character specifying the data type (always required).<br />
<br />
todo: examples<br />
<br />
For more information, see [http://www.cplusplus.com/reference/clibrary/cstdio/printf.html printf] from the C Standard Library, although not all modes are supported from C.<br />
<br />
=Making your function Format-Class=<br />
<br />
Sourcemod allows you to make your function Format-class, ie. pass parameters to format string variables.<br />
Here's an exemple :<br />
<br />
<pawn>public formatExemple(const String:myString[] , any:...)<br />
{<br />
new String:myFormatedString[strlen(myString)+255];<br />
VFormat(myFormatedString, sizeof(myFormatedString), myString, 2);<br />
<br />
PrintToServer(myFormatedString);<br />
}</pawn><br />
<br />
Using the parameter "any: ...", we can pass data(s) to format our string.<br />
Now, in order to replace the Format Specifiers by our data(s), we use the API "VFormat", which documentation can be found here : [http://docs.sourcemod.net/api/].<br />
<br />
The three first parameters passed in VFormat are pretty obvious since they are the as in the Format(..) API.<br />
<br />
The 4th parameter indicate the "any: ..." parameter position in your function prototype.<br />
<br />
[[Category:SourceMod Scripting]]</div>Devicenullhttps://wiki.alliedmods.net/index.php?title=Packaging_Plugins_(SourceMod)&diff=6938Packaging Plugins (SourceMod)2009-02-24T21:29:00Z<p>Devicenull: </p>
<hr />
<div>Any plugins requiring supporting files would need to include a zip (NOT rar, tar.gz, etc) file containing these. This zip file should be based on the mods root directory, so that if you were to extract it to the "cstrike" directory on a server, everything would go to the correct place.<br />
<br />
The sp file of your plugin should still be attached directly to the post. It should not go in this zip file.<br />
<br />
Example:<br />
<pre><br />
cfg/sourcemod/myconfig.cfg<br />
addons/sourcemod/configs/admin_myadmin.cfg<br />
addons/sourcemod/gamedata/obscuregame.gamedata.txt<br />
addons/sourcemod/translations/myplugin.phrases.txt<br />
models/player/someplayer.vdf<br />
maps/somemap.bsp<br />
</pre><br />
<br />
This zip file should be named the same as your plugins name (IE, if your compiled plugin is "adminfly.smx", this file should be "adminfly.zip")<br />
<br />
<br />
An example of what NOT to do (DON'T DO THIS):<br />
<pre><br />
cstrike/cfg/sourcemod/myconfig.cfg<br />
cstrike/maps/mymap.bsp<br />
</pre><br />
<br />
[[Category:SourceMod Development]]<br />
[[Category:SourceMod Scripting]]</div>Devicenullhttps://wiki.alliedmods.net/index.php?title=Packaging_Plugins_(SourceMod)&diff=6937Packaging Plugins (SourceMod)2009-02-24T20:48:14Z<p>Devicenull: New page: Any plugins requiring supporting files would need to include a zip (NOT rar, tar.gz, etc) file containing these. This zip file should be based on the mods root directory, so that if you w...</p>
<hr />
<div>Any plugins requiring supporting files would need to include a zip (NOT rar, tar.gz, etc) file containing these. This zip file should be based on the mods root directory, so that if you were to extract it to the "cstrike" directory on a server, everything would go to the correct place.<br />
<br />
Example:<br />
<pre><br />
cfg/sourcemod/myconfig.cfg<br />
addons/sourcemod/configs/admin_myadmin.cfg<br />
addons/sourcemod/gamedata/obscuregame.gamedata.txt<br />
addons/sourcemod/translations/myplugin.phrases.txt<br />
models/player/someplayer.vdf<br />
maps/somemap.bsp<br />
</pre><br />
<br />
This zip file should be named the same as your plugins name (IE, if your compiled plugin is "adminfly.smx", this file should be "adminfly.zip")<br />
<br />
<br />
An example of what NOT to do (DON'T DO THIS):<br />
<pre><br />
cstrike/cfg/sourcemod/myconfig.cfg<br />
cstrike/maps/mymap.bsp<br />
</pre><br />
<br />
[[Category:SourceMod Development]]<br />
[[Category:SourceMod Scripting]]</div>Devicenullhttps://wiki.alliedmods.net/index.php?title=User_talk:Devicenull&diff=6936User talk:Devicenull2009-02-24T20:41:05Z<p>Devicenull: </p>
<hr />
<div>== Standard Zip format ==<br />
Any plugins requiring supporting files would need to upload a zip file containing them. This zip file should be based on the mods root directory, so that if you were to extract it to the "cstrike" on a server, everything would go to the correct place.<br />
<br />
Example:<br />
<pre><br />
cfg/sourcemod/myconfig.cfg<br />
addons/sourcemod/configs/admin_myadmin.cfg<br />
addons/sourcemod/gamedata/obscuregame.gamedata.txt<br />
addons/sourcemod/translations/myplugin.phrases.txt<br />
models/player/someplayer.vdf<br />
maps/somemap.bsp<br />
</pre><br />
<br />
This zip file should be named the same as your plugins name (IE, if your compiled plugin is "adminfly.smx", this file should be "adminfly.zip")</div>Devicenullhttps://wiki.alliedmods.net/index.php?title=User_talk:Devicenull&diff=6935User talk:Devicenull2009-02-24T20:09:35Z<p>Devicenull: </p>
<hr />
<div>== Standard Zip format ==<br />
Any plugins requiring supporting files would need to upload a zip file containing them. This zip file should be based on the sourcemod directory, so that if you were to extract it to the sourcemod directory on the server, everything would go to the correct place.<br />
<br />
Example:<br />
<pre><br />
configs/admin_myadmin.cfg<br />
gamedata/obscuregame.gamedata.txt<br />
translations/myplugin.phrases.txt<br />
</pre><br />
<br />
This zip file should be named the same as your plugins name (IE, if your compiled plugin is "adminfly.smx", this file should be "adminfly.zip")</div>Devicenullhttps://wiki.alliedmods.net/index.php?title=User_talk:Devicenull&diff=6934User talk:Devicenull2009-02-24T20:09:19Z<p>Devicenull: </p>
<hr />
<div>== Standard Zip format ==<br />
Any plugins requiring supporting files would need to upload a zip file containing them. This zip file should be based on the sourcemod directory, so that if you were to extract it to the sourcemod directory on the server, everything would go to the correct place.<br />
<br />
Example:<br />
<pre><br />
configs/admin_myadmin.cfg<br />
gamedata/obscuregame.gamedata.txt<br />
translations/myplugin/phrases.txt<br />
</pre><br />
<br />
This zip file should be named the same as your plugins name (IE, if your compiled plugin is "adminfly.smx", this file should be "adminfly.zip")</div>Devicenullhttps://wiki.alliedmods.net/index.php?title=User_talk:Devicenull&diff=6933User talk:Devicenull2009-02-24T20:08:59Z<p>Devicenull: New page: == Standard Zip format == Any plugins requiring supporting files would need to upload a zip file containing them. This zip file should be based on the sourcemod directory, so that if you ...</p>
<hr />
<div>== Standard Zip format ==<br />
Any plugins requiring supporting files would need to upload a zip file containing them. This zip file should be based on the sourcemod directory, so that if you were to extract it to the sourcemod directory on the server, everything would go to the correct place.<br />
<br />
Example:<br />
<blockquote><br />
configs/admin_myadmin.cfg<br />
gamedata/obscuregame.gamedata.txt<br />
translations/myplugin/phrases.txt<br />
</blockquote><br />
<br />
This zip file should be named the same as your plugins name (IE, if your compiled plugin is "adminfly.smx", this file should be "adminfly.zip")</div>Devicenullhttps://wiki.alliedmods.net/index.php?title=Left_4_Voting&diff=6500Left 4 Voting2008-11-27T05:47:02Z<p>Devicenull: /* Example voting plugin */</p>
<hr />
<div>Left 4 Dead has a new VGUI voting system, it's controlled by a bunch of events. You can use either a string from the resource file, or L4D_TargetID_Player which will let you create any vote you want.<br />
<br />
== How voting works ==<br />
Server begins by sending a vote_started event, followed by a vote_changed event. Client's use the "Vote" command to register their votes, after which the server sends a vote_cast_yes or vote_case_no event, along with a vote_changed event.<br />
<br />
When the vote is complete, the server sends vote_ended, followed by either vote_passed or vote_failed. <br />
<br />
== Example voting plugin ==<br />
This is a basic plugin that starts a vote, "Is gaben fat?". It does not ensure the same client does not vote multiple times, nor does it actually kick the user.<br />
<br />
<pre>#include <sourcemod><br />
new yesvotes;<br />
new novotes;<br />
#define MAX_VOTES 4<br />
<br />
public OnPluginStart()<br />
{<br />
RegConsoleCmd("testvote",Callvote_Handler);<br />
RegConsoleCmd("Vote",vote);<br />
}<br />
public Action:Callvote_Handler(client, args)<br />
{<br />
new Handle:msg = CreateEvent("vote_started");<br />
SetEventString(msg,"issue","#L4D_TargetID_Player");<br />
SetEventString(msg,"param1","Is gaben fat?");<br />
SetEventInt(msg,"team",0);<br />
SetEventInt(msg,"initiator",0);<br />
FireEvent(msg);<br />
<br />
yesvotes = 0;<br />
novotes = 0;<br />
UpdateVotes();<br />
<br />
return Plugin_Handled;<br />
}<br />
public UpdateVotes()<br />
{<br />
new Handle:msg = CreateEvent("vote_changed");<br />
SetEventInt(msg,"yesVotes",yesvotes);<br />
SetEventInt(msg,"noVotes",novotes);<br />
SetEventInt(msg,"potentialVotes",MAX_VOTES);<br />
FireEvent(msg);<br />
<br />
if (yesvotes+novotes == MAX_VOTES)<br />
{<br />
PrintToServer("voting complete!");<br />
msg = CreateEvent("vote_ended");<br />
FireEvent(msg);<br />
if (yesvotes > novotes)<br />
{<br />
msg = CreateEvent("vote_passed");<br />
SetEventString(msg,"details","#L4D_TargetID_Player");<br />
SetEventString(msg,"param1","Gaben is fat");<br />
SetEventInt(msg,"team",0);<br />
FireEvent(msg);<br />
}<br />
else<br />
{<br />
msg = CreateEvent("vote_failed");<br />
SetEventInt(msg,"team",0);<br />
FireEvent(msg);<br />
}<br />
}<br />
}<br />
public Action:vote(client, args)<br />
{<br />
new String:arg[8];<br />
GetCmdArg(1,arg,8);<br />
PrintToServer("Got vote %s from %i",arg,client);<br />
if (strcmp(arg,"Yes",true) == 0)<br />
{<br />
yesvotes++;<br />
}<br />
else if (strcmp(arg,"No",true) == 0)<br />
{<br />
novotes++;<br />
}<br />
<br />
UpdateVotes();<br />
return Plugin_Continue;<br />
}</pre><br />
<br />
See the following images for examples what this looks like:<br />
<br />
http://devicenull.org/temp/l4d_question.jpg <br />
<br />
http://devicenull.org/temp/l4d_result.jpg</div>Devicenullhttps://wiki.alliedmods.net/index.php?title=Left_4_Voting&diff=6499Left 4 Voting2008-11-27T05:40:21Z<p>Devicenull: </p>
<hr />
<div>Left 4 Dead has a new VGUI voting system, it's controlled by a bunch of events. You can use either a string from the resource file, or L4D_TargetID_Player which will let you create any vote you want.<br />
<br />
== How voting works ==<br />
Server begins by sending a vote_started event, followed by a vote_changed event. Client's use the "Vote" command to register their votes, after which the server sends a vote_cast_yes or vote_case_no event, along with a vote_changed event.<br />
<br />
When the vote is complete, the server sends vote_ended, followed by either vote_passed or vote_failed. <br />
<br />
== Example voting plugin ==<br />
This is a basic plugin that starts a vote, "Is gaben fat?". It does not ensure the same client does not vote multiple times, nor does it actually kick the user.<br />
<br />
<pre>#include <sourcemod><br />
new yesvotes;<br />
new novotes;<br />
#define MAX_VOTES 4<br />
<br />
public OnPluginStart()<br />
{<br />
RegConsoleCmd("testvote",Callvote_Handler);<br />
RegConsoleCmd("Vote",vote);<br />
}<br />
public Action:Callvote_Handler(client, args)<br />
{<br />
new Handle:msg = CreateEvent("vote_started");<br />
SetEventString(msg,"issue","#L4D_TargetID_Player");<br />
SetEventString(msg,"param1","Is gaben fat?");<br />
SetEventInt(msg,"team",0);<br />
SetEventInt(msg,"initiator",0);<br />
FireEvent(msg);<br />
<br />
yesvotes = 0;<br />
novotes = 0;<br />
UpdateVotes();<br />
<br />
return Plugin_Handled;<br />
}<br />
public UpdateVotes()<br />
{<br />
new Handle:msg = CreateEvent("vote_changed");<br />
SetEventInt(msg,"yesVotes",yesvotes);<br />
SetEventInt(msg,"noVotes",novotes);<br />
SetEventInt(msg,"potentialVotes",MAX_VOTES);<br />
FireEvent(msg);<br />
<br />
if (yesvotes+novotes == MAX_VOTES)<br />
{<br />
PrintToServer("voting complete!");<br />
msg = CreateEvent("vote_ended");<br />
FireEvent(msg);<br />
if (yesvotes > novotes)<br />
{<br />
msg = CreateEvent("vote_passed");<br />
SetEventString(msg,"details","#L4D_TargetID_Player");<br />
SetEventString(msg,"param1","Gaben is fat");<br />
SetEventInt(msg,"team",0);<br />
FireEvent(msg);<br />
}<br />
else<br />
{<br />
msg = CreateEvent("vote_failed");<br />
SetEventInt(msg,"team",0);<br />
FireEvent(msg);<br />
}<br />
}<br />
}<br />
public Action:vote(client, args)<br />
{<br />
new String:arg[8];<br />
GetCmdArg(1,arg,8);<br />
PrintToServer("Got vote %s from %i",arg,client);<br />
if (strcmp(arg,"Yes",true) == 0)<br />
{<br />
yesvotes++;<br />
}<br />
else if (strcmp(arg,"No",true) == 0)<br />
{<br />
novotes++;<br />
}<br />
<br />
UpdateVotes();<br />
return Plugin_Continue;<br />
}</pre></div>Devicenullhttps://wiki.alliedmods.net/index.php?title=Left_4_Voting&diff=6498Left 4 Voting2008-11-27T05:31:05Z<p>Devicenull: /* Example voting plugin */</p>
<hr />
<div>Left 4 Dead has a new VGUI voting system, it's controlled by a bunch of events. If you want to use this, you are fairly limited as there's no way of adding your own issues, you are stuck with what's there. Still, some of the issues allowed in the resource file are not implemented in game.<br />
<br />
You can use a question from the left4dead_english.txt file. <br />
<br />
== How voting works ==<br />
Server begins by sending a vote_started event, followed by a vote_changed event. Client's use the "Vote" command to register their votes, after which the server sends a vote_cast_yes or vote_case_no event, along with a vote_changed event.<br />
<br />
When the vote is complete, the server sends vote_ended, followed by either vote_passed or vote_failed. <br />
<br />
== Example voting plugin ==<br />
This is a basic plugin that handles voting to kick a user named "gaben" from the server. It does not ensure the same client does not vote multiple times, nor does it actually kick the user.<br />
<br />
<pre>#include <sourcemod><br />
new yesvotes;<br />
new novotes;<br />
#define MAX_VOTES 4<br />
<br />
public OnPluginStart()<br />
{<br />
RegConsoleCmd("testvote",Callvote_Handler);<br />
RegConsoleCmd("Vote",vote);<br />
}<br />
public Action:Callvote_Handler(client, args)<br />
{<br />
new Handle:msg = CreateEvent("vote_started");<br />
SetEventString(msg,"issue","#L4D_vote_kick_player");<br />
SetEventString(msg,"param1","gaben");<br />
SetEventInt(msg,"team",0);<br />
SetEventInt(msg,"initiator",0);<br />
FireEvent(msg);<br />
<br />
yesvotes = 0;<br />
novotes = 0;<br />
UpdateVotes();<br />
<br />
return Plugin_Handled;<br />
}<br />
public UpdateVotes()<br />
{<br />
new Handle:msg = CreateEvent("vote_changed");<br />
SetEventInt(msg,"yesVotes",yesvotes);<br />
SetEventInt(msg,"noVotes",novotes);<br />
SetEventInt(msg,"potentialVotes",MAX_VOTES);<br />
FireEvent(msg);<br />
<br />
if (yesvotes+novotes == MAX_VOTES)<br />
{<br />
PrintToServer("voting complete!");<br />
msg = CreateEvent("vote_ended");<br />
FireEvent(msg);<br />
if (yesvotes > novotes)<br />
{<br />
msg = CreateEvent("vote_passed");<br />
SetEventString(msg,"details","#L4D_vote_kick_player");<br />
SetEventString(msg,"param1","gaben");<br />
SetEventInt(msg,"team",0);<br />
FireEvent(msg);<br />
}<br />
else<br />
{<br />
msg = CreateEvent("vote_failed");<br />
SetEventInt(msg,"team",0);<br />
FireEvent(msg);<br />
}<br />
}<br />
}<br />
public Action:vote(client, args)<br />
{<br />
new String:arg[8];<br />
GetCmdArg(1,arg,8);<br />
PrintToServer("Got vote %s from %i",arg,client);<br />
if (strcmp(arg,"Yes",true) == 0)<br />
{<br />
yesvotes++;<br />
}<br />
else if (strcmp(arg,"No",true) == 0)<br />
{<br />
novotes++;<br />
}<br />
<br />
UpdateVotes();<br />
return Plugin_Continue;<br />
}</pre></div>Devicenullhttps://wiki.alliedmods.net/index.php?title=Left_4_Voting&diff=6497Left 4 Voting2008-11-27T05:30:00Z<p>Devicenull: New page: Left 4 Dead has a new VGUI voting system, it's controlled by a bunch of events. If you want to use this, you are fairly limited as there's no way of adding your own issues, you are stuck ...</p>
<hr />
<div>Left 4 Dead has a new VGUI voting system, it's controlled by a bunch of events. If you want to use this, you are fairly limited as there's no way of adding your own issues, you are stuck with what's there. Still, some of the issues allowed in the resource file are not implemented in game.<br />
<br />
You can use a question from the left4dead_english.txt file. <br />
<br />
== How voting works ==<br />
Server begins by sending a vote_started event, followed by a vote_changed event. Client's use the "Vote" command to register their votes, after which the server sends a vote_cast_yes or vote_case_no event, along with a vote_changed event.<br />
<br />
When the vote is complete, the server sends vote_ended, followed by either vote_passed or vote_failed. <br />
<br />
== Example voting plugin ==<br />
<pre>#include <sourcemod><br />
new yesvotes;<br />
new novotes;<br />
#define MAX_VOTES 4<br />
<br />
public OnPluginStart()<br />
{<br />
RegConsoleCmd("testvote",Callvote_Handler);<br />
RegConsoleCmd("Vote",vote);<br />
}<br />
public Action:Callvote_Handler(client, args)<br />
{<br />
new Handle:msg = CreateEvent("vote_started");<br />
SetEventString(msg,"issue","#L4D_vote_kick_player");<br />
SetEventString(msg,"param1","gaben");<br />
SetEventInt(msg,"team",0);<br />
SetEventInt(msg,"initiator",0);<br />
FireEvent(msg);<br />
<br />
yesvotes = 0;<br />
novotes = 0;<br />
UpdateVotes();<br />
<br />
return Plugin_Handled;<br />
}<br />
public UpdateVotes()<br />
{<br />
new Handle:msg = CreateEvent("vote_changed");<br />
SetEventInt(msg,"yesVotes",yesvotes);<br />
SetEventInt(msg,"noVotes",novotes);<br />
SetEventInt(msg,"potentialVotes",MAX_VOTES);<br />
FireEvent(msg);<br />
<br />
if (yesvotes+novotes == MAX_VOTES)<br />
{<br />
PrintToServer("voting complete!");<br />
msg = CreateEvent("vote_ended");<br />
FireEvent(msg);<br />
if (yesvotes > novotes)<br />
{<br />
msg = CreateEvent("vote_passed");<br />
SetEventString(msg,"details","#L4D_vote_kick_player");<br />
SetEventString(msg,"param1","gaben");<br />
SetEventInt(msg,"team",0);<br />
FireEvent(msg);<br />
}<br />
else<br />
{<br />
msg = CreateEvent("vote_failed");<br />
SetEventInt(msg,"team",0);<br />
FireEvent(msg);<br />
}<br />
}<br />
}<br />
public Action:vote(client, args)<br />
{<br />
new String:arg[8];<br />
GetCmdArg(1,arg,8);<br />
PrintToServer("Got vote %s from %i",arg,client);<br />
if (strcmp(arg,"Yes",true) == 0)<br />
{<br />
yesvotes++;<br />
}<br />
else if (strcmp(arg,"No",true) == 0)<br />
{<br />
novotes++;<br />
}<br />
<br />
UpdateVotes();<br />
return Plugin_Continue;<br />
}</pre></div>Devicenullhttps://wiki.alliedmods.net/index.php?title=Open_Source_Plugins_for_Metamod:Source&diff=3049Open Source Plugins for Metamod:Source2006-06-04T23:04:45Z<p>Devicenull: Added global banlist</p>
<hr />
<div>= Open Source Plugins for SourceMM =<br />
This page lists known plugins with available source code. Please check the licenses for each one as they may not truly be "open source."<br />
<br><br><br />
== Basic Templates ==<br />
=== stub_mm ===<br />
<b>Author:</b> [[User:BAILOPAN|BAILOPAN]]<br><br />
<b>Description:</b> minmum implentation of a valid SourceMM plugin<br><br />
<b>Features:</b> starting template<br><br />
<b>Download:</b> Included in the SourceMM source code package: [http://prdownloads.sourceforge.net/sourcemm/sourcemm-1.2.2-source.tar.gz?download prdownloads.sourceforge.net/sourcemm/sourcemm-1.2.2-source.tar.gz?download]<br />
<br><br><br />
=== sample_mm ===<br />
<b>Author:</b> [[User:BAILOPAN|BAILOPAN]]<br><br />
<b>Description:</b> implements the features of the standard Valve server plugin from the SDK<br><br />
<b>Features:</b> starting template with similar functionality to the Valve sample_plugin<br><br />
<b>Download:</b> Included in the SourceMM source code package: [http://prdownloads.sourceforge.net/sourcemm/sourcemm-1.2.2-source.tar.gz?download prdownloads.sourceforge.net/sourcemm/sourcemm-1.2.2-source.tar.gz?download]<br />
<br><br><br />
=== sample2_mm ===<br />
<b>Author:</b> [[User:BAILOPAN|BAILOPAN]], edited by [[User:L._Duke|L. Duke]]<br><br />
<b>Description:</b> fixes (by inheriting from IGameEventListener2 instead of hooking FireGameEvent) the problem in sample_mm plugin where some events are not received<br><br />
<b>Features:</b> starting template with similar functionality to the Valve sample_plugin<br><br />
<b>Download: </b>[http://www.sourcemod.net/forums/viewtopic.php?p=34891 www.sourcemod.net/forums/viewtopic.php?p=34891] (you must be logged in to view the download link) <br />
<br><br><br />
<br />
== Functional Plugins ==<br />
=== Basic Admin Tool (BAT) ===<br />
<b>Author:</b> [[User:EKS|EKS]]<br><br />
<b>Description:</b> Provides basic admin functions<br><br />
<b>Features:</b> Kick, ban, menus, reserved slots, timeleft/nextmap say commands, etc.<br><br />
<b>Download:</b> [http://www.sourcemod.net/forums/viewtopic.php?t=2923 www.sourcemod.net/forums/viewtopic.php?t=2923]<br />
<br><br><br />
=== CS:S Weapon Restrictions 2 ===<br />
<b>Author:</b> [[User:L._Duke|L. Duke]]<br><br />
<b>Description:</b> Prevents players from picking up restricted weapons (if bought, they fall to the ground). Also includes an option to remove restricted weapons from the game.<br><br />
<b>Features:</b> Hook <i>CCSPlayer::Weapon_CanUse(CBaseCombatWeapon *pWeapon)</i> and returns false for restricted weapons. Also shows how to use virtual functions on weapons such as Delete()and GetName() and on players for Weapon_GetSlot(int) and Drop(CBaseCombatWeapon*).<br><br />
<b>Download:</b> [http://www.sourcemod.net/forums/viewtopic.php?p=34892 www.sourcemod.net/forums/viewtopic.php?p=34892]<br />
<br><br><br />
=== Last Users Connected ===<br />
<b>Author:</b> [[User:devicenull|devicenull]]<br><br />
<b>Description:</b> With this plugin, every player who comes onto your server has their steamid logged, along with any name they used on the server. You can then either view the names/steamid's of the last people to disconnect, or you can search for a name/steamid and see everyone who has used that name. <br><br />
<b>Features:</b> shows how to embed sqlite3, send basic messages/basic hooks. <br><br />
<b>Download:</b> [http://www.sourcemod.net/forums/viewtopic.php?t=3339 http://www.sourcemod.net/forums/viewtopic.php?t=3339]<br />
<br><br><br />
=== Stripper:Source ===<br />
<b>Author:</b> [[User:BAILOPAN|BAILOPAN]]<br><br />
<b>Description:</b> You can add any type of entity - hostage, spawn point, physics prop, permanently to the map. You can also filter out entities for deletion, either by specific entries or regular expressions. Stripper:Source lets you define global rules and per-map rules. It also lets other plugins (both SourceMM plugins and Server Plugins) use its API. <br><br />
<b>Features:</b> shows how to edit the map entity lump in memory to change map entities<br><br />
<b>Download:</b> [http://www.sourcemod.net/forums/viewtopic.php?t=3008 www.sourcemod.net/forums/viewtopic.php?t=3008]<br />
<br><br><br />
=== Global Banlist===<br />
<b>Author:</b> [[User:devicenull|devicenull]]<br><br />
<b>Description:</b> This plugin allows srcds to reguarly connect to an external PHP page, and download updates about it's banlist. Srcds then stores these in a SQLite database. <br><br />
<b>Features:</b> Embedding sqlite, using pthreads, using libcurl.<br><br />
<b>Download:</b> [http://www.sourcemod.net/forums/viewtopic.php?t=3539]http://www.sourcemod.net/forums/viewtopic.php?t=3539]<br />
<br><br><br />
=== Anti-Griefer ===<br />
<b>Author:</b> [[User:devicenull|devicenull]]<br><br />
<b>Description:</b> This plugin is for the mod SourceForts. In keeps track of what player unfreezes or freezes a block, and allows any other player to retrieve this information by aiming at a block.<br><br />
<b>Features:</b> Basic VFuncs, listening for events, partial traceline (The method used for traceline might not be effective for any other mod)<br><br />
<b>Download:</b> [http://www.sourcemod.net/forums/viewtopic.php?t=3652]http://www.sourcemod.net/forums/viewtopic.php?t=3652]<br />
<br><br><br />
[[Category:Documentation (SourceMM)]]</div>Devicenull