Luigi Auriemma

aluigi.org (ARCHIVE-ONLY FORUM!)
It is currently 19 Jul 2012 11:27

All times are UTC [ DST ]
 Post subject: Advice needed
PostPosted: 20 May 2010 06:42 

Joined: 20 May 2010 06:22
Posts: 3
I have read several of your advisories for CoD4 and I would like some advice.

In the past I had a problem with people stealing my rcon password and banning players/killing the server.

I thought I had fixed this problem by using a fake password in the server.cfg and setting the rcon via the command line used to run the server, as I had no problems for several months until now.

Yesterday I tried using rcon to ban a cheater but it would not respond, like rcon was disabled or something. I restarted the server several times but it was not working. Anyhow, it started working again by itself overnight.

Today someone managed to access the rcon and change the server's public slots to 0.
I managed to capture this from the console:
Code:
02:52:27 Rcon from 86.143.147.106:-12817:
         say
02:52:27 Rcon from 86.143.147.106:-12817:
         say
02:52:28 Rcon from 86.143.147.106:-12817:
         set
02:52:29 Rcon from 86.143.147.106:-12817:
         sv_hostname
         "sv_hostname" is: "***" default: "CoD4Host^7"
           Domain is any text
02:52:35       dvar set axis_allow_assault 1
               dvar set axis_allow_specops 1
               dvar set axis_allow_demolitions 1
               dvar set axis_allow_sniper 1
02:52:40       dvar set allies_allow_assault 1
               dvar set allies_allow_specops 1
               dvar set allies_allow_demolitions 1
               dvar set allies_allow_sniper 0
02:52:42       dvar set allies_allow_assault 1
               dvar set allies_allow_specops 1
               dvar set allies_allow_demolitions 1
               dvar set allies_allow_sniper 0
02:52:43 Rcon from 86.143.147.106:-12817:
         serverinfo
         Server info settings:
         fs_game             mods/promodlive204
         g_compassShowEnemies0
         g_gametype          sd
         gamename            Call of Duty 4
         mapname             mp_crossfire
         protocol            6
         shortversion        1.7
         sv_allowAnonymous   1
         sv_disableClientConsole0
         sv_floodprotect     1
         sv_hostname         ***
         sv_maxclients       32
         sv_maxPing          150
         sv_maxRate          25000
         sv_minPing          0
         sv_privateClients   2
         sv_punkbuster       1
         sv_pure             1
         sv_voice            0
         ui_maxclients       32
02:52:43 Rcon from 86.143.147.106:-12817:
         sv_privatepassword
         "sv_privatePassword" is: "***" default: "^7"
           Domain is any text
02:52:44 Rcon from 86.143.147.106:-12817:
         _maps
         Unknown command "_maps"
02:52:44 Rcon from 86.143.147.106:-12817:
         g_password
         "g_password" is: "^7" default: "^7"
           Domain is any text
02:52:45 Rcon from 86.143.147.106:-12817:
         sv_kickBanTime
         "sv_kickBanTime" is: "0^7" default: "300^7"
           Domain is any number from 0 to 3600
02:52:45 Rcon from 86.143.147.106:-12817:
         sv_reconnectlimit
         "sv_reconnectlimit" is: "3^7" default: "3^7"
           Domain is any integer from 0 to 1800
02:52:46 Rcon from 86.143.147.106:-12817:
         scr_game_spectatetype
         "scr_game_spectatetype" is: "1^7" default: "1^7"
           Domain is any text
02:52:47 Rcon from 86.143.147.106:-12817:
         scr_team_fftype
         "scr_team_fftype" is: "0^7" default: "0^7"
           Domain is any text
               dvar set axis_allow_assault 1
               dvar set axis_allow_specops 1
               dvar set axis_allow_demolitions 1
               dvar set axis_allow_sniper 0
02:52:47 Rcon from 86.143.147.106:-12817:
         g_allowvote
         "g_allowVote" is: "0^7" default: "1^7"
           Domain is 0 or 1
02:52:48 Rcon from 86.143.147.106:-12817:
         scr_game_allowkillcam
         "scr_game_allowkillcam" is: "0^7" default: "1^7"
           Domain is any text
02:52:49 Rcon from 86.143.147.106:-12817:
         sv_voice
         "sv_voice" is: "0^7" default: "0^7"
           Domain is 0 or 1
02:52:49 Rcon from 86.143.147.106:-12817:
         sv_voicequality
         "sv_voiceQuality" is: "1^7" default: "3^7"
           Domain is any integer from 0 to 9
02:52:50 Rcon from 86.143.147.106:-12817:
         sv_connectTimeout
         "sv_connectTimeout" is: "45^7" default: "45^7"
           Domain is any integer from 0 to 1800
02:52:50 Rcon from 86.143.147.106:-12817:
         sv_timeout
         "sv_timeout" is: "300^7" default: "240^7"
           Domain is any integer from 0 to 1800
02:52:51 Rcon from 86.143.147.106:-12817:
         scr_game_spectatetype
         "scr_game_spectatetype" is: "1^7" default: "1^7"
           Domain is any text
02:52:52 Rcon from 86.143.147.106:-12817:
         scr_teambalance
         "scr_teamBalance" is: "0^7" default: "1^7"
           Domain is any text
02:52:52 Rcon from 86.143.147.106:-12817:
         g_antilag
         "g_antilag" is: "1^7" default: "1^7"
           Domain is 0 or 1
02:53:02 Rcon from 86.143.147.106:-12817:
         sv_privateclients
               dvar set sv_privateClients 32


I have replaced my sensitive data with ***
Do you have any suggestions/patches that could possibly help me out?

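The console output above has a regular shape (a timestamped "Rcon from IP:PORT:" header followed by an indented command line, with dvar output interleaved), so an admin can post-process a captured console log to see which addresses issued rcon commands and whether any of them were hammering the server. The script below is an added example, not code from the thread or from aluigi.org: it parses that format, reduces the signed 16-bit port the engine prints (the "-12817" in the log) modulo 65536, which is an assumption about why the port is negative, and flags commands from addresses outside a trusted list as well as bursts of requests that look automated. The log lines and addresses are constructed for the example (RFC 5737 documentation ranges), not taken from a real server.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the shape of the console log quoted in the post.
# Addresses come from documentation ranges and are not real hosts.
SAMPLE_LOG = """\
02:52:27 Rcon from 198.51.100.5:-12817:
         say
02:52:28 Rcon from 192.0.2.10:-12817:
         say
02:52:28 Rcon from 192.0.2.10:-12817:
         set
02:52:29 Rcon from 192.0.2.10:-12817:
         sv_hostname
         "sv_hostname" is: "***" default: "CoD4Host^7"
           Domain is any text
02:52:35       dvar set axis_allow_assault 1
02:52:43 Rcon from 192.0.2.10:-12817:
         serverinfo
02:53:02 Rcon from 192.0.2.10:-12817:
         sv_privateclients
               dvar set sv_privateClients 32
"""

# Header line: "HH:MM:SS Rcon from A.B.C.D:PORT:" (PORT may be printed negative).
RCON_HDR = re.compile(r"^(\d{2}:\d{2}:\d{2}) Rcon from (\d{1,3}(?:\.\d{1,3}){3}):(-?\d+):$")


def parse_rcon_events(text):
    """Return a list of (time, ip, port, command) tuples.

    Every 'Rcon from' header is followed by one indented line holding the
    command; dvar output and 'Domain is ...' help text are skipped.
    """
    events = []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = RCON_HDR.match(line)
        if not m or i + 1 >= len(lines):
            continue
        ts, ip, port = m.group(1), m.group(2), int(m.group(3))
        # Assumption: the engine prints the UDP port as a signed 16-bit value,
        # so reducing modulo 65536 recovers the unsigned port number.
        port %= 65536
        cmd = lines[i + 1].strip()
        events.append((ts, ip, port, cmd))
    return events


def audit(events, trusted_ips, burst_window_s=2, burst_threshold=3):
    """Return (unknown, bursts).

    unknown: events whose source address is not in trusted_ips.
    bursts:  {ip: n} for addresses that sent at least burst_threshold rcon
             requests inside any burst_window_s-second window, which is the
             pattern an automated client or brute forcer produces.
    """
    unknown = [e for e in events if e[1] not in trusted_ips]

    per_ip = defaultdict(list)
    for ts, ip, _, _ in events:
        per_ip[ip].append(datetime.strptime(ts, "%H:%M:%S"))

    bursts = {}
    for ip, times in per_ip.items():
        times.sort()
        best, j = 0, 0
        for k in range(len(times)):
            # Slide the window start forward until it fits burst_window_s.
            while (times[k] - times[j]).total_seconds() > burst_window_s:
                j += 1
            best = max(best, k - j + 1)
        if best >= burst_threshold:
            bursts[ip] = best
    return unknown, bursts


if __name__ == "__main__":
    evs = parse_rcon_events(SAMPLE_LOG)
    unknown, bursts = audit(evs, trusted_ips={"198.51.100.5"})
    for ts, ip, port, cmd in unknown:
        print(f"{ts} untrusted rcon from {ip}:{port}: {cmd}")
    for ip, n in bursts.items():
        print(f"{ip}: {n} rcon requests within 2s (possible automated use)")
```

Run it over a saved console log (for example one captured with HLSW, as the poster did) with the real trusted addresses in `trusted_ips`; a hit in `unknown` means the password is in more hands than the allowlist, and a hit in `bursts` is the footprint of the automated traffic that also triggers the half-second rcon blocking behaviour discussed later in the thread.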
 
 Post subject: Re: Advice needed
PostPosted: 25 May 2010 10:43 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
the "non responding" rcon thing is for sure the rcon blocking bug (half-second check performed by the server), check if you have already applied my q3rconz.lpatch fix.

while I don't know much about the other problem, maybe because it's not very clear.
I see various rcon commands other than sv_privateClients, and they are for sure more important than this last one, so why are you worried only about the public slots command?

are you 100% sure that nobody else has rcon access to your server?
is it running on a dedicated server (your computer) or a hoster?
then the most paranoid solution would be to change the rcon password at runtime each time, so that whoever has access to the process list can't see it

 Post subject: Re: Advice needed
PostPosted: 25 May 2010 14:31 

Joined: 20 May 2010 06:22
Posts: 3
All the rcon commands I posted from 86.143.147.106 are of an unknown source to me, and yes, all the other rcon commands entered are of concern. My server is populated 90% of the time and I guess will be a prime target for "children" or other server admins for attack, in the hope of getting their not-so-popular servers populated.

Yes, other people do have the rcon pw to my servers, but only those who I have known for a long time and are trusted 150%. The others I give access to a php rcon system (which does not allow the "rcon_password" command to be executed).

Is it possible that I noticed the rcon blocking bug as someone was doing a brute force attack on my server? And is it possible that they were successful? If I applied your q3rconz patch, would I be more vulnerable to the same attack in the future? Since I changed the rcon I have had no other issues to date.

The server is rented from a hosting company; I was just lucky enough to have HLSW running to capture the abuse from that person.

 Post subject: Re: Advice needed
PostPosted: 25 May 2010 15:28 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
Quote:
Yes, other people do have the rcon pw to my servers, but only those who I have known for a long time and are trusted 150%. The others I give access to a php rcon system (which does not allow the "rcon_password" command to be executed).

yeah but the trusted people are often the worst problem because they can be (indirectly) the cause.
for example there could be a bug in your php code, or the password was taken from one of your friends (untrusted PC or connection).
obviously the cause could also be a security bug, but if you have voting disabled there should be no problems.

Quote:
Is it possible that I noticed the rcon blocking bug as someone was doing a brute force attack on my server?

sure, it's enough that someone used a lower delay instead of the default 500ms, or that there were 2 concurrent brute forcers, to cause that effect

Quote:
And is it possible that they were successful? If I applied your q3rconz patch, would I be more vulnerable to the same attack in the future?

guessing a strong rcon password through brute forcing and/or wordlist is only a dream, so don't worry

 Post subject: Re: Advice needed
PostPosted: 25 May 2010 15:56 

Joined: 20 May 2010 06:22
Posts: 3
Thanks for your input. If I experience any more rcon DoS attacks I shall apply your patch.
Thanks again for the input.

 Post subject: Re: Advice needed
PostPosted: 25 May 2010 15:59 

Joined: 24 Sep 2007 02:12
Posts: 1114
Location: http://sethioz.co.uk
just a small addition about passwords: I've had a lot of field experience with password cracking and the only weak link is the human element. It means if you have a weak rcon password, it can be cracked easily; use something long and use symbols and numbers, then, as Luigi said, there is no reason to worry that it can be cracked. An rcon like "tHis_is_my_RCON_password_right_here1003" is nearly impossible to crack, but quite easy to remember.
