GSP Starting Guide: Internal Security
#1
Hi Again,

As usual, before posting here, please read the introduction thread first.

Securing your servers/network from outside attacks requires some skills that could not be described here, as it would take pages and it is not directly related to gaming servers or, precisely, to srcds. What I would like to discuss here are the plugin hacks and the game hacks in general and, most important, the way to protect against them. The provider could say that it is up to the client to manage, and that's actually true, but your customers may want to know.
  1. Game Hacks
    From what I've understood, the cheats or source hacks are quite difficult, not to say impossible, to detect totally, as new hacks come out sooner than they are detected and the player (that is by VAC). On the side, you can use a banning system like SteamBans or Globan (Eventscript) to submit and eventually manage your bans, but these are human operated. Is there a really good plugin or tool that we could offer to our customers? I have been using detox for a while and it showed some detections but I still got cheaters on the servers. Can someone please provide us with more information about these tools?
  2. Plugin Hacks
    What I can only call a plugin hack is someone getting admin rights on a server through the use of a plugin like mani or amx. As far as I know, there is no tool to counter that sort of hack other than to replicate and analyze logs. That is something that may help in tracing the steam_ids of that kind of hacker, which is by far more dangerous than the cheating act, technically speaking. As this may seriously affect one and so many more customers, I think a GSP may consider investing time to fight that kind of hack. I also wanted to know if some GSPs use internal banning systems and if there is any tool to protect from that kind of attack?
  3. Other Hacks
    Also, as there seem to be some leaks or bugs in some plugins, I wanted to know if there are any similar issues for the srcds itself that would provide rcon access or whatever the hack may do. If anyone knows of any security advice and issues about the srcds that he/she thinks would be worth sharing, any ideas are welcome.
Reply
#2
Really, the game hacks don't have anything to do with a GSP. It's up to the customer to prevent hackers. Then to combat plugin hacks, tell your customers to install only secure plugins. Those problems are customer security problems and shouldn't be the focus of a GSP. Sure you can help them out but they shouldn't be your responsibility. What you need to worry about is DoS attacks and encrypting secure files, etc.
realchamp Wrote:
Hazz Wrote:Has someone helped you on these forums? If so, help someone else
Mooga Wrote:OrangeBox is a WHORE.
Reply
#3
Well, you are right, the GSP's main concern should be about Denial of Service, IPTables configuration and Port Forwarding Issues, File Encryption and Log Replication, Secured Access (like only allowing ssh from a certain host if possible), Permissions over user and system directories (to make sure a user only accesses what belongs to him, or to keep him from accessing files you don't want him to read/modify) and probably many other networking essentials and system administration rules.

Protecting users from cheaters is probably impossible (decently at least), but detecting in-game intrusions is much more feasible and maybe more useful, and more dangerous, as one srcds might affect all other customers on the same machine. Can common users manage their server properly without mani admin? Because that one is currently a beta and makes your customer vulnerable, while I am sure that none of our customers would ever be able to defend against such an attack. I assume that, as the GSP is "technically" responsible, it could be a clever approach to develop and implement protection solutions that the client can enable/disable. Also, what about offering or forcing customers to use a banlisting system of the "intruders" you detect with such a system?

This is similar to the email provider or web hoster offering you anti-virus or anti-spam protection to filter your emails directly on the server side. Most client antivirus or antispam software may not work as well as the server ones, but it could also be annoying to your customers. And then every client "maintains" his own spamlist individually while all of them could be protected. What do you think about it?

Also, on the same topic, do you know if any provider out there disables or restricts the use of certain plugins? For instance, I've read that AMX can lead to potential resource consumption, thus, again, affecting all of the customers on the same machine. Shall I regroup all the customers who want to run AMX on the same machine, or are there "Plugin Security Policies" that I could apply to help users protect themselves from heavy software or plugins? What do you know about that, are there any tools for that?
Reply
#4
Well since I was invited to post here. I suppose I should put in my 2 cents..

As far as getting the game servers themselves hacked, I would say that's 100% the customer's responsibility. I manage game servers for DarkStar, and pretty much whenever a customer complains their server got hacked, generally it's because their rcon password was 111 (no lie). Very few times is it actually because someone hacked their server.

As for securing the actual server, the main thing is that randomly generated 20-character passwords are the best way to go. Brute force attacks are the most common. Denial of service attacks are the next most common, but you just have to have either the bandwidth to ignore them, or the ability to null route IPs. We don't see DDoS attacks happen as often as you may think, although someone really tried last week with a 34Gbps one.. lol. I suppose if someone was able to gain ftp access they could upload a self loading "virus" or trojan or something of the like to gain access to the server, but this would really require know-how, and this person would probably get in regardless. At this time the only thing that will save you is backups.

As for implementing different protection, that would be a waste. Many server owners would not want to run a server that had stuff on it before they got it. That and to develop something like that would be very time consuming with the upkeep and would really not be practical at all. Mani is probably one of the best admin plugins out there, even in its beta stages. Most of our customers use Mani (at least CS:S ones) and we have yet to have any issues. You will find that 90% of hacked servers are caused by poor rcon passwords.

As for limiting plugins, we do restrict some addons. Mostly for hl1 though, and mainly because of the resources they eat. For instance the blockmaker plugin will manage to peg our dual xeon harpertowns to about 50% usage with an empty server, even if it's the only server on the box. The only way around that is to have something in the TOS that states they can't use absurd amounts of resources, and stuff like that. Then you will need to monitor server usage. Really the best way to do that is to have good core management and then to monitor usage on the cores of each server, and if one's bad, look at the individual usage of that server. We use tcadmin to manage just about everything. It does a lot, but really lacks in some areas.

I think that's about it :D On another note, sorry I haven't been around so much lately! lol. Been pretty busy working on getting the game server side of DarkStar going.
Reply
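Post #4 attributes most "hacked" servers to weak rcon passwords and recommends randomly generated 20-character ones. The following is an added example, not code from the thread or from any poster's tooling, of how a provider could audit customers' cfg files for that and generate a replacement; the sample configs, customer names and weakness rules are constructed assumptions, and `rcon_password` is the srcds cvar being checked.

```python
import re
import secrets
import string

# Matches `rcon_password "value"` or `rcon_password value`; a line that is
# commented out with a leading // does not match because of the ^ anchor.
RCON_RE = re.compile(r'^\s*rcon_password\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)
MIN_LENGTH = 20  # length recommended in post #4
ALPHABET = string.ascii_letters + string.digits  # no quotes/semicolons in cfg

def extract_rcon_password(cfg_text):
    """Return the last rcon_password set in the cfg text, or None."""
    found = None
    for line in cfg_text.splitlines():
        m = RCON_RE.match(line)
        if m:
            found = m.group(1) if m.group(1) is not None else m.group(2)
    return found

def weaknesses(password):
    """Return the reasons a password is weak (empty list = acceptable)."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if password.isdigit():
        reasons.append("digits only")
    if len(set(password)) <= 2:
        reasons.append("one or two distinct characters")
    return reasons

def generate_rcon_password(length=MIN_LENGTH):
    """Random password from the OS CSPRNG, not the `random` module."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def audit_cfgs(cfgs):
    """cfgs maps customer -> cfg text; returns {customer: reasons} if weak."""
    report = {}
    for name, text in cfgs.items():
        pw = extract_rcon_password(text)
        if pw and weaknesses(pw):  # skip files that define no password
            report[name] = weaknesses(pw)
    return report

# Constructed sample configs (hypothetical customers, not real data).
SAMPLE_CFGS = {
    "customer_a": 'hostname "Server A"\nrcon_password "111"\n',
    "customer_b": 'hostname "B"\nrcon_password hunter2pass // set by owner\n',
    "customer_c": 'rcon_password "q7Zr2LmX9vTb4KsW8nYd"\n',
    "customer_d": '// rcon_password "111"\nsv_lan 0\n',
}

if __name__ == "__main__":
    for customer, reasons in audit_cfgs(SAMPLE_CFGS).items():
        print(customer, "->", "; ".join(reasons))
    print("suggested replacement:", generate_rcon_password())
```
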
#5
Hey Skeletor! Long time no see! And good advice you said there.
Reply
#6
Thank ya spartanfrog, like I said been kinda busy lately. Workin 50 hours a week and having a family takes a lot of time :D

See you still haven't caught up to my post count :P gettin close tho
Reply
#7
I'm gonna catch ya :D!
Reply
#8
yea yea.. probably..
Reply
#9
lol :D
Reply