Difference between revisions of "SRCDS Hardening"
Devicenull (Created page with 'SRCDS by itself is vulnerable to a number of exploits. This page will eventually host a list of all known exploits and solutions.')
Mavrick4283 (→Windows Server Firewall and Hardening)
(28 intermediate revisions by 6 users not shown)

= Securing your server =
== General Tips ==
* Do not enable sv_cheats, and do not run any plugins that do so.
* [http://www.pctools.com/guides/password/ Use secure passwords.] This should be obvious, but your clan name is not a good rcon password, nor is "password".
* Don't blindly give admin out. Depending on what flags you give people, you could allow them to take over the server.
* Don't piss people off. Many servers get attacked because players get pissed off that admins are abusing them.

== File Permissions ==
If you are running your own server (not renting one from a GSP), there are some things you can do to prevent many of the more malicious exploits. The basic theory here is to give srcds as little access to the machine as possible. It only needs write access to the following directories:
* downloads/
* cache/
* addons/sourcemod/gamedata/
* addons/sourcemod/data/
* addons/sourcemod/logs/
* logs/
Note that some plugins rely on being able to write to directories other than these, and restricting permissions may break them. At the very least, it's a good idea to make sure srcds is running as a user that does not have permission to change anything outside of its own directory. That helps prevent your machine from being compromised and turned into a botnet client.

== Windows Server Firewall and Hardening ==
https://forums.alliedmods.net/showthread.php?t=189327

== Linux General Hardening ==

https://forums.alliedmods.net/showthread.php?t=166037

== Linux Iptables Setup ==

https://forums.alliedmods.net/showthread.php?t=165560

== Linux File Permission Setup ==

Create an unprivileged user to run the server.

'''useradd -m -s /bin/bash -d /home/srcds srcds'''

* useradd = Linux command to add users
* -m = Creates the user's home directory if it does not exist.
* -s /bin/bash = The user's login shell (if you are not sure what this should be, leave this option out)
* -d /home/srcds = Location of the user's home directory.

Set a password for the account and make sure it is secure.

'''passwd srcds'''

* passwd srcds = Linux change password command

Now move your existing srcds install to the new home directory, or do a fresh install there.

'''cp -r /path/to/old/install /path/to/new/users/home'''

* cp = Linux copy command
* -r = Copy directories recursively

'''chown -R srcds:srcds /path/to/new/users/home'''

* chown = Linux command to change the owner of files
* -R = Changes the given directory and all of its subdirectories
* srcds:srcds = New owner and group for the files

The last things you want to do are make the files read-only and run srcds as the new user.

'''chmod -R 444 /path/to/srcds/*'''

* chmod = Linux change permission command
* -R = Change files and directories recursively
* 444 = Read only
* <nowiki>*</nowiki> = wild card[http://www.tuxfiles.org/linuxhelp/wildcards.html]

Now make the directories listed above readable and writable again, and the server binaries executable.

Read and write (chmod 644):
* downloads/
* cache/
* addons/sourcemod/gamedata/
* addons/sourcemod/data/
* addons/sourcemod/logs/
* logs/

Read and exec (chmod 744):
* /orangebox/srcds_linux
* /orangebox/srcds_run

== Plugins ==
There are a few plugins that can be installed to prevent exploits. Some of the recommended ones include [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix], [https://forums.alliedmods.net/showthread.php?p=779851 Forlix FloodCheck], [https://forums.alliedmods.net/showthread.php?t=109453 D-FENS], and [http://www.sourceop.com/modules.php?name=Downloads&d_op=viewdownload&cid=9 DAF].

Many of the EventScripts plugins that claim to fix exploits are mostly useless at best, or actively harmful to your server at worst. If you are running the plugins listed in the previous paragraph, you do not need anything else to protect your server. Installing extra plugins other than those will likely cause issues with your server, and is not recommended.

= Current Exploits =

== Crashes ==

=== Invalid RCON Crash ===
SRCDS will crash on some machines if you attempt to use an incorrect rcon password too many times. It seems that some machines are affected by this, while others are not. Valve has been notified a few times, and has been unwilling or unable to fix this.

*Fix: Firewall off rcon (TCP port 27015) from everyone except for certain whitelisted IPs.

=== HalfConnected Crash ===
If a command is received while the client is still connecting, the server will crash, or enter a state where it has not crashed but no longer accepts new connections. This can also happen if the player's entity is removed, which shouldn't happen under normal circumstances. Valve has been notified, and is unwilling to fix this.

*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix]

=== Disconnect Crash ===
Using modified clients, it is possible to send disconnect messages containing large numbers of special characters. These have a variety of effects, including crashing the server or crashing all connected clients.

*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix]

=== "K" packet Crash ===
Using modified clients, it is possible to send a Steam auth packet that contains an invalid header length. Upon receiving this packet, the server will crash.

*Fix: 4/19/10: Apply the latest Steam beta patch. Run hldsupdatetool with "-beta cs0419" to get it.

== Takeover ==
=== ent_fire server takeover ===
If cheats are enabled on a server, the point_servercommand entity can be created, which can be used by clients to execute rcon commands on the server. Premade scripts exist for this that will change the rcon password and add the client as an admin. Valve has been notified, and is unwilling to fix this.

*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] will prevent the rcon password from being changed, as well as disallowing the point_servercommand entity. The alternative is to never run with sv_cheats 1, and to take other measures to ensure it is never enabled.
=== ES_Tools changelevel exploit ===
The "changelevel" command can be abused while ES_Tools is running to execute commands on the server.

*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] will prevent this. Alternatively, remove ES_Tools if at all possible.
=== File upload/download ===
It's possible to convince the server to let you upload arbitrary files to it, or download arbitrary files from it. Valve has been attempting to fix this, but there still seem to be some workarounds to their fixes.

If you are running your own servers (not rented from a GSP), you can set file permissions on them to fix the upload issue.

*Fix: [https://forums.alliedmods.net/showthread.php?t=109453 D-FENS] will prevent this.

== Lag/DOS ==
=== A2C_PRINT Spam ===
SRCDS does not do any sort of authentication on A2C_PRINT messages. This means that anyone can print messages to the server's console simply by sending UDP packets. It seems this is a legacy feature, and is not actually used by anything. Valve has been notified, and doesn't see this as a problem.

*Fix: Block any packets beginning with \xFF\xFF\xFF\xFF\x6C, or run [http://www.sourceop.com/modules.php?name=Downloads&d_op=viewdownload&cid=9 DAF].
=== A2S_INFO Spam ===
If large numbers of A2S_INFO packets are sent at the server, the FPS will severely drop, making the server essentially unplayable. Since these packets can be spoofed, rate limiting a single IP is fairly useless.

*Fix: You can use sv_max_queries_sec_global to limit this, though that would mean your server would be invisible on the master server list while an attack is in progress. [https://forums.alliedmods.net/showthread.php?t=114787 Query Cache] (a SM extension) will also work.
*'''Fixed in:''' TF2 (partial fix) (August 13, 2009)

=== Command spam ===
Various commands built into the game can be spammed to lag or crash the server. Some of these commands can cause the in-game physics to freeze up. The fix for most of these is quite simple: just disable them by adding the cheats flag. Valve has been notified, and fixes commands in the occasional patch.

*Fix: [https://forums.alliedmods.net/showthread.php?p=779851 Forlix FloodCheck] can be used to kick players who have been caught spamming, and [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] adds the cheats flag to most of the known commands. [https://forums.alliedmods.net/showthread.php?p=880328 Scorched Earth] will disable all commands except for those on a whitelist, which is the "better" way to fix this, but can break other addons.

=== Bell characters in name ===
If a player's name contains bell characters, this can be used to lag the server on Windows.

*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] will kick players with these characters in their name.
=== Force fullupdate ===
If you send an empty packet to the server, you can force it to send you the full state of the game, which will lag the server if done often enough. Valve has been notified, and is unwilling to fix this.

*Fix: [http://www.sourceop.com/modules.php?name=Downloads&d_op=viewdownload&cid=9 DAF] has a partial workaround.

== Annoyances ==
=== Teleport exploit ===
If you use very large values for your mouse sensitivity, you can overwrite your X and Y coordinates, letting you teleport around. This has the potential to crash the server as well. Valve has been notified, and is unwilling to fix this.

*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] has a partial fix for this.
*'''Fixed in:''' TF2 (July 14 2009)
=== Clientside plugins ===
The VSP interface built into the game can be used to load plugins on the game client, allowing them to change cheat-flagged cvars. This can give them wallhacks, or alter weapon recharge rates. Valve has been notified, and is unwilling to fix this.

*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] has a partial fix for this.

These plugins may be detected by VAC.

=== Empty name / unconnected ===
Players can set their name to an empty string using the setinfo console command. Some admin plugins will be unable to kick or perform other actions on them. Valve has been notified, and is unwilling to fix this.

*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] will automatically kick anyone found to have an empty name.
=== Special name characters ===
If certain special characters are added to your name, you can create messages that appear to be sent by the server administrator.

*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix]

= Fixed Exploits =
== Memory corruption crash ==
See [http://aluigi.altervista.org/adv/sourcefraghof-adv.txt this advisory].

Fix: none
*'''Fixed in:''' Orangebox, L4D (August 21 2009), CSS (August 25 2009)

== Arbitrary file upload ==
See [http://aluigi.altervista.org/adv/sourceupfile-adv.txt this advisory].

Fix: [https://forums.alliedmods.net/showthread.php?p=905647 File upload exploit fix]
*'''Fixed in:''' Orangebox, L4D (August 21 2009), CSS (August 25 2009)

== "ProcessClientInfo: SourceTV can not connect to game directly" crash ==
See [http://aluigi.altervista.org/adv/sourcenotvnull-adv.txt this advisory].

Fix: Add "tv_enable 1" to cfg/autoexec.cfg, and (optionally) "tv_enable 0" to server.cfg. You only need tv_enable 0 if you don't want SourceTV.
*'''Fixed in:''' Orangebox, L4D (August 21 2009), CSS (August 25 2009)

== Player disconnect crash ==
See [http://aluigi.altervista.org/adv/sourcefs-adv.txt this advisory].

Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] has what may be a partial fix.
*'''Fixed in:''' Orangebox, L4D (August 21 2009), CSS (August 25 2009)

Latest revision as of 01:55, 8 July 2012