Difference between revisions of "SRCDS Hardening"

From AlliedModders Wiki
Jump to: navigation, search
Line 1: Line 1:
Any exploits not here that you would like added can be emailed to dn at devicenull.org and I'll update this page.  Note: There's enough information here for Valve to fix the exploits, but hopefully not enough for people to use these exploits.
+
= Securing your server =
 
 
Tips for securing your server:
 
 
* Do not enable sv_cheats, do not run any plugins that do so.
 
* Do not enable sv_cheats, do not run any plugins that do so.
* Between [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix], [https://forums.alliedmods.net/showthread.php?p=779851 Forlix FloodCheck], [https://forums.alliedmods.net/showthread.php?t=109453 D-FENS], and [http://www.sourceop.com/modules.php?name=Downloads&d_op=viewdownload&cid=9 DAF] you should be well-protected against most of these exploits.  Please don't just install every "fix exploit" plugin you can find, many have duplicate features and end up conflicting with each other.
+
* Between [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix], [https://forums.alliedmods.net/showthread.php?p=779851 Forlix FloodCheck], [https://forums.alliedmods.net/showthread.php?t=109453 D-FENS], and [http://www.sourceop.com/modules.php?name=Downloads&d_op=viewdownload&cid=9 DAF] you should be well-protected against most of these exploits.  Please don't just install every "fix exploit" plugin you can find, many have duplicate features and end up conflicting with each other.
 
* [http://www.goodpassword.com/ Use secure rcon passwords.]  This should be obvious, but your clan name is not a good rcon password.
 
* [http://www.goodpassword.com/ Use secure rcon passwords.]  This should be obvious, but your clan name is not a good rcon password.
* Don't blindly give admin out.  Depending on what flags you give people, you could allow them to take over the server.   
+
* Don't blindly give admin out.  Depending on what flags you give people, you could allow them to take over the server.
 +
* Don't piss people offMany servers get attacked because players get pissed off that admins are abusing them.
  
 +
= Current Exploits =
  
----
+
== Crashes ==
  
= Current Exploits =
+
=== Invalid RCON Crash ===
 
 
== Invalid RCON Crash ==
 
 
SRCDS will crash on some machines if you attempt to use an incorrect rcon password too many times.  It seems that some machines are affected by this, while others are not.  Valve has been notified a few times, and has been unwilling/unable to fix this.
 
SRCDS will crash on some machines if you attempt to use an incorrect rcon password too many times.  It seems that some machines are affected by this, while others are not.  Valve has been notified a few times, and has been unwilling/unable to fix this.
  
 
*Fix: Firewall off rcon (TCP port 27015) from everyone except for certain whitelisted IP's.
 
*Fix: Firewall off rcon (TCP port 27015) from everyone except for certain whitelisted IP's.
  
== HalfConnected Crash ==
+
=== HalfConnected Crash ===
 
[http://aluigi.freeforums.org/source-engine-seg-fault-crash-exploit-t993.html Inital thread]
 
[http://aluigi.freeforums.org/source-engine-seg-fault-crash-exploit-t993.html Inital thread]
  
Line 24: Line 22:
 
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix]
 
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix]
  
== A2C_PRINT Spam ==
+
== Takeover ==
 +
=== ent_fire server takeover ===
 +
If cheats are enabled on a server, the point_servercommand entity can be created, which can be used by clients to execute rcon commands on the server.  Premade scripts exist for this that will change the rcon password, and add the client as an admin.  Valve has been notified, and is unwilling to fix this.
 +
 
 +
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] will prevent the rcon password from being changed, as well as disallowing the point_servercommand entity.  The alternative is to not run with sv_cheats 1, and take other measures to ensure it is never enabled.
 +
=== ES_Tools changelevel exploit ===
 +
The "changelevel" command can be abused when ES_tools is running to execute commands on the server
 +
 
 +
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] will prevent this.  Alternatively, remove es_tools if at all possible.
 +
 
 +
== Lag/DOS ==
 +
=== A2C_PRINT Spam ===
 
SRCDS does not do any sort of authentication on A2C_PRINT messages.  This means that anyone can print messages to the servers console, simply by sending UDP packets.  It seems this is a legacy feature, and is not actually used by anything. Valve has been notified, and doesn't see this as a problem.
 
SRCDS does not do any sort of authentication on A2C_PRINT messages.  This means that anyone can print messages to the servers console, simply by sending UDP packets.  It seems this is a legacy feature, and is not actually used by anything. Valve has been notified, and doesn't see this as a problem.
  
 
*Fix: Block any packets beginning with \xFF\xFF\xFF\xFF\x6C or run [http://www.sourceop.com/modules.php?name=Downloads&d_op=viewdownload&cid=9 DAF]
 
*Fix: Block any packets beginning with \xFF\xFF\xFF\xFF\x6C or run [http://www.sourceop.com/modules.php?name=Downloads&d_op=viewdownload&cid=9 DAF]
 
+
=== A2S_INFO Spam ===
== A2S_INFO Spam ==
 
 
If large numbers of A2S_INFO packets are sent at the server, the FPS will severely drop, making the server essentially unplayable.  Since these packets can be spoofed, rate limiting one IP is fairly useless
 
If large numbers of A2S_INFO packets are sent at the server, the FPS will severely drop, making the server essentially unplayable.  Since these packets can be spoofed, rate limiting one IP is fairly useless
  
 
*Fix: You can use sv_max_queries_sec_global to limit this, though that would mean your server would be invisible on the master server list while the attacks are in progress.  [https://forums.alliedmods.net/showthread.php?t=114787 Query Cache] (an SM extension) will also work.
 
*Fix: You can use sv_max_queries_sec_global to limit this, though that would mean your server would be invisible on the master server list while the attacks are in progress.  [https://forums.alliedmods.net/showthread.php?t=114787 Query Cache] (an SM extension) will also work.
 
*'''Fixed in:''' TF2 (partial fix) (August 13, 2009)
 
*'''Fixed in:''' TF2 (partial fix) (August 13, 2009)
 
+
=== Command spam ===
== Teleport exploit ==
 
If you use very large values for your mouse sensitivity, you can overwrite your X and Y coordinates, letting you teleport around.  This has the potential to crash the server as well.  Valve has been notified, and is unwilling to fix this.
 
 
 
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] has a partial fix for this.
 
*'''Fixed in:''' TF2 (July 14 2009)
 
 
 
== Clientside plugins ==
 
The VSP interface built into the game can be used to load plugins on the game client, allowing them to change cheat-flagged cvars.  This can allow them to have wallhacks, or alter weapon recharge rates.  Valve has been notified, and is unwilling to fix this.
 
 
 
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] has a partial fix for this.
 
 
 
== Command spam ==
 
 
Various commands built into the game can be spammed to lag or crash the server.  The fix for most of these is quite simple, just disable them by adding the cheats flag. Valve has been notified, and fixes commands in the occasional patch.
 
Various commands built into the game can be spammed to lag or crash the server.  The fix for most of these is quite simple, just disable them by adding the cheats flag. Valve has been notified, and fixes commands in the occasional patch.
  
 
*Fix: [https://forums.alliedmods.net/showthread.php?p=779851 Forlix FloodCheck] can be used to kick players who have been caught spamming, [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] adds the cheats flag to most of the known commands.  [https://forums.alliedmods.net/showthread.php?p=880328 Scortched Earth] will disable all commands except for those on a whitelist, which is the "better" way to fix this, but can break other addons.
 
*Fix: [https://forums.alliedmods.net/showthread.php?p=779851 Forlix FloodCheck] can be used to kick players who have been caught spamming, [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] adds the cheats flag to most of the known commands.  [https://forums.alliedmods.net/showthread.php?p=880328 Scortched Earth] will disable all commands except for those on a whitelist, which is the "better" way to fix this, but can break other addons.
 
+
=== Bell characters in name ===
== Empty name / unconnected ==
 
Players can set their name to an empty string using the setinfo console command.  Some admin plugins will be unable to kick or perform other actions on them.  Valve has been notified, and is unwilling to fix this.
 
 
 
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] will automatically kick anyone found to have an empty name
 
 
 
== Bell characters in name ==
 
 
If your name contains bell characters, this can be used to lag the server on windows.
 
If your name contains bell characters, this can be used to lag the server on windows.
  
 
Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] will kick players with these characters in their name.
 
Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] will kick players with these characters in their name.
 
+
=== Force fullupdate ===
== ent_fire server takeover ==
 
If cheats are enabled on a server, the point_servercommand entity can be created, which can be used by clients to execute rcon commands on the server.  Premade scripts exist for this that will change the rcon password, and add the client as an admin.  Valve has been notified, and is unwilling to fix this.
 
 
 
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] will prevent the rcon password from being changed, as well as disallowing the point_servercommand entity.  The alternative is to not run with sv_cheats 1, and take other measures to ensure it is never enabled.
 
 
 
== Force fullupdate ==
 
 
If you send an empty packet to the server, you can force it to send you the full state of the game, which will lag the server if done enough.  Valve has been notified, and is unwilling to fix this.
 
If you send an empty packet to the server, you can force it to send you the full state of the game, which will lag the server if done enough.  Valve has been notified, and is unwilling to fix this.
  
 
*Fix: [http://www.sourceop.com/modules.php?name=Downloads&d_op=viewdownload&cid=9 DAF] has a partial workaround
 
*Fix: [http://www.sourceop.com/modules.php?name=Downloads&d_op=viewdownload&cid=9 DAF] has a partial workaround
  
== Plugin Exploits ==
+
== Annoyances ==
=== Mani nextmap/timeleft spam ===
+
=== Teleport exploit ===
The "nextmap" and "timeleft" commands in Mani can be spammed to lag/crash the server.
+
If you use very large values for your mouse sensitivity, you can overwrite your X and Y coordinates, letting you teleport around.  This has the potential to crash the server as well.  Valve has been notified, and is unwilling to fix this.
  
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] will disable these commands.
+
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] has a partial fix for this.
 +
*'''Fixed in:''' TF2 (July 14 2009)
 +
=== Clientside plugins ===
 +
The VSP interface built into the game can be used to load plugins on the game client, allowing them to change cheat-flagged cvars.  This can allow them to have wallhacks, or alter weapon recharge rates.  Valve has been notified, and is unwilling to fix this.
  
=== Eventscripts changelevel exploit ===
+
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] has a partial fix for this.
The "changelevel" command can be abused when Eventscripts is running to execute commands on the server
+
=== Empty name / unconnected ===
 +
Players can set their name to an empty string using the setinfo console command.  Some admin plugins will be unable to kick or perform other actions on them.  Valve has been notified, and is unwilling to fix this.
  
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] will prevent this.
+
*Fix: [https://forums.alliedmods.net/showthread.php?p=841590 Rcon locker / exploit fix] will automatically kick anyone found to have an empty name
  
 
= Fixed Exploits =  
 
= Fixed Exploits =  

Revision as of 20:31, 18 February 2010

Securing your server

  • Do not enable sv_cheats, do not run any plugins that do so.
  • Between Rcon locker / exploit fix, Forlix FloodCheck, D-FENS, and DAF you should be well-protected against most of these exploits. Please don't just install every "fix exploit" plugin you can find, many have duplicate features and end up conflicting with each other.
  • Use secure rcon passwords. This should be obvious, but your clan name is not a good rcon password.
  • Don't blindly give admin out. Depending on what flags you give people, you could allow them to take over the server.
  • Don't piss people off. Many servers get attacked because players get pissed off that admins are abusing them.

Current Exploits

Crashes

Invalid RCON Crash

SRCDS will crash on some machines if you attempt to use an incorrect rcon password too many times. It seems that some machines are affected by this, while others are not. Valve has been notified a few times, and has been unwilling/unable to fix this.

  • Fix: Firewall off rcon (TCP port 27015) from everyone except for certain whitelisted IP's.

HalfConnected Crash

Inital thread

If a command is received as the client is connecting, the server will crash or enter a state where it does not accept new connections, but has not crashed. This exploit can also happen if you remove the players entity, which shouldn't happen under normal circumstances. Valve has been notified, and is unwilling to fix this.

Takeover

ent_fire server takeover

If cheats are enabled on a server, the point_servercommand entity can be created, which can be used by clients to execute rcon commands on the server. Premade scripts exist for this that will change the rcon password, and add the client as an admin. Valve has been notified, and is unwilling to fix this.

  • Fix: Rcon locker / exploit fix will prevent the rcon password from being changed, as well as disallowing the point_servercommand entity. The alternative is to not run with sv_cheats 1, and take other measures to ensure it is never enabled.

ES_Tools changelevel exploit

The "changelevel" command can be abused when ES_tools is running to execute commands on the server

Lag/DOS

A2C_PRINT Spam

SRCDS does not do any sort of authentication on A2C_PRINT messages. This means that anyone can print messages to the servers console, simply by sending UDP packets. It seems this is a legacy feature, and is not actually used by anything. Valve has been notified, and doesn't see this as a problem.

  • Fix: Block any packets beginning with \xFF\xFF\xFF\xFF\x6C or run DAF

A2S_INFO Spam

If large numbers of A2S_INFO packets are sent at the server, the FPS will severely drop, making the server essentially unplayable. Since these packets can be spoofed, rate limiting one IP is fairly useless

  • Fix: You can use sv_max_queries_sec_global to limit this, though that would mean your server would be invisible on the master server list while the attacks are in progress. Query Cache (an SM extension) will also work.
  • Fixed in: TF2 (partial fix) (August 13, 2009)

Command spam

Various commands built into the game can be spammed to lag or crash the server. The fix for most of these is quite simple, just disable them by adding the cheats flag. Valve has been notified, and fixes commands in the occasional patch.

  • Fix: Forlix FloodCheck can be used to kick players who have been caught spamming, Rcon locker / exploit fix adds the cheats flag to most of the known commands. Scortched Earth will disable all commands except for those on a whitelist, which is the "better" way to fix this, but can break other addons.

Bell characters in name

If your name contains bell characters, this can be used to lag the server on windows.

Fix: Rcon locker / exploit fix will kick players with these characters in their name.

Force fullupdate

If you send an empty packet to the server, you can force it to send you the full state of the game, which will lag the server if done enough. Valve has been notified, and is unwilling to fix this.

  • Fix: DAF has a partial workaround

Annoyances

Teleport exploit

If you use very large values for your mouse sensitivity, you can overwrite your X and Y coordinates, letting you teleport around. This has the potential to crash the server as well. Valve has been notified, and is unwilling to fix this.

Clientside plugins

The VSP interface built into the game can be used to load plugins on the game client, allowing them to change cheat-flagged cvars. This can allow them to have wallhacks, or alter weapon recharge rates. Valve has been notified, and is unwilling to fix this.

Empty name / unconnected

Players can set their name to an empty string using the setinfo console command. Some admin plugins will be unable to kick or perform other actions on them. Valve has been notified, and is unwilling to fix this.

Fixed Exploits

Memory corruption crash

See this link

Fix: none

  • Fixed in: Orangebox, L4D (August 21 2009) CSS (August 25 2009)

Arbitrary file upload

See this link

Fix: File upload exploit fix

  • Fixed in: Orangebox, L4D (August 21 2009) CSS (August 25 2009)

"ProcessClientInfo: SourceTV can not connect to game directly" crash

See this link

Fix: Add "tv_enable 1" to cfg/autoexec.cfg, and (optionally) "tv_enable 0" to server.cfg (You only need tv_enable 0 if you don't want sourcetv)

  • Fixed in: Orangebox, L4D (August 21 2009) CSS (August 25 2009)

Player disconnect crash

See this link

Fix: Rcon locker / exploit fix has what may be a partial fix.

  • Fixed in: Orangebox, L4D (August 21 2009) CSS (August 25 2009)