[Resolved] Server hacked for 3rd time

[empmdk]

Game: Counter Strike Source
Server OS: CentOS Linux 5.4
Processor: Quad Xeon's
RAM: 8gb
Startup Command:

Code:

./srcds_i686-thegreatmdk_1 -game cstrike -tickrate 66 +fps_max 600 +alias sys_ticrate locked +alias max_fps locked +exec server.cfg +ip 174.37.209.121 +port 27015 -autoupdate +maxplayers 44 +map de_dust2

Is there ANYTHING I can do to block my server from being hacked?
I had Mani on it before with a lot of anti-hacking addons with Eventscripts and it got hacked twice.
I then moved to Sourcemod and used the anti-hack things that I found in their Wiki. Now it just got hacked again. This has all happened within 2 weeks.
These people seem to hack it VERY easily and change server name and password. I am the only one who knows the rcon pass, which is very complicated and I have a thing installed to lock rcon.

Can anyone out there tell me what I can do to stop this? Its ridiculous...

[Nisd]

How did you get hacked? Did they use Rcon or such?

Is your rcon password longer then 10-15 chars?

And I found the most effective way, just be make it so it auto restart if it gets hacked.

[lol554]

Try enable logging, and see what happens. Thats often the best way to determine how they hack your server..

[empmdk]

Yeah they seem to use the RCon password every time. I went through logs and found that out. I have banned their Steam ID's since then. Found some people that keep trying to access RCon with bad password and others just seem to get it right on.
Password is always 20 characters or more and I'm the only one that knows about it. I use randomly generated passwords.

[Beaverbeliever]

Both Mani and Eventscripts has backdoor hacks to get into. (Mani being the easiest to hack) I would use Sourcemod as an admin plugin, and if you are going to use Eventscripts, use IronWall. I would also recommend getting Kigen's Anti Cheat for Sourcemod as well as RCON Lock.

Be sure your RCON pass is mixed case, at least 16 digits, and includes numbers for higher security.

[loopyman]

OR
Just don't use an rcon password at all?

[Tech]

Don't allow TCP through your firewall. You only need UDP for the game server. Access RCON locally if possible. That's what I do.

[Mooga]

(03-09-2010, 08:58 AM)Tech Wrote:  Don't allow TCP through your firewall. You only need UDP for the game server. Access RCON locally if possible. That's what I do.

If you're hosting in a data center, that normally not an option.

I would guess it's a plugin issue.

[lol554]

(03-09-2010, 12:29 PM)Mooga Wrote:  

(03-09-2010, 08:58 AM)Tech Wrote:  Don't allow TCP through your firewall. You only need UDP for the game server. Access RCON locally if possible. That's what I do.

If you're hosting in a data center, that normally not an option.

I would guess it's a plugin issue.

He could use another port for the rcon aswell

[raydan]

Don't use mani admin plugin & eventscript. they have many many exploits and crash. why people still using these 2 suck plugin

[Tech]

Or lockdown the firewall to only allow TCP from a certain IP if that is possible from the datacenter... Just a thought ::shrug::

[SaintGTR]

+rcon_password blah

In your target line, if you don't have target line access....

Rename server.cfg to serv_conf.cfg, create a new server.cfg file and type ONLY exec serv_conf.cfg.

[hankinator]

This may sound bizarre but who else has access to the server exactly? (The centos box itself) because someone could easily mess with it. Also I would recommend using screen because it is easier to deal with a problem directly through ssh rather than restarting the server. Your server could just lack security all around and people have access to it. If your running srcds as root there might be some kind of backdoor problem if you have iptables down. There is so many things that can go wrong. Honestly if nothing works, do a complete reinstall of the server in another DIR. and start from scratch, and use a 64 character long rcon. If all these fail then you should have trust issues with your gaming "friends".


***Harden your OS***
Edit: Create another user, go into /etc/sudoers and add your name under root and fill in the ALL=(ALL) stuff. Disable root login for SSH. restart ssh. shutdown any FTP that you have running. If you use proftpd I highly recommend uninstalling that, that has HUGE holes in the coding.

Code:

yum remove proftpd

I recommend installing vsftpd

Code:

yum install vsftpd

after that, go into ssh and simply type "setup" without the "" and select vsftpd to start at boot time.

Before you start vsftpd add these lines to your config.

Code:

cd /
cd /etc/vsftpd
nano vsftpd.conf

(make sure your root)
add these lines at the BOTTOM of your config.

Code:

write_enable=YES
local_enable=YES

I believe that should be it but don't quote me on that.

after this is all said in done start vsftpd and it should work, if it doesn't you might need to enable something else for your vsftpd config

Code:

/etc/init.d/vsftpd restart

[empmdk]

Thanks for the replies. I've gotten rid of Mani and Eventscripts and now using Sourcemod only. No hacks yet.
I don't have any access to the server box itself and only the host can do that, I don't own it.

[lol554]

(03-10-2010, 12:21 PM)empmdk Wrote:  Thanks for the replies. I've gotten rid of Mani and Eventscripts and now using Sourcemod only. No hacks yet.
I don't have any access to the server box itself and only the host can do that, I don't own it.

Guys, lets make a campaign to get everyone to switch from mani to sm!