Server Protection : How to Protect Your Server From Hackers and DOSERS
Description :
Hi, today I will tell you how to protect your server from hackers and DoSers. I will cover all the methods and also give you the best anti-cheat to protect your server.
I hope you will like it.
We use the following methods to protect our server:
1. SMAC R1.F - This anti-cheat protects the server from hackers using aimbot, wallhack, etc.
2. SV_PURE - This protects the server from hackers who use material wallhacks.
3. DAF and DOSP anti-DoSers - These two anti-DoS plugins show the attacker's IP while he/she is DDoSing.
4. IP-Tables - This is the main protection against DoS and it is very important.
1. SMAC R1.F
Description :
The latest anti-cheat for CSS v34. It protects the server from hackers using aimbot, wallhack, etc.
Installation :
1. First Install SMAC.
2. Extract it to your server/cstrike folder.
3. Restart your server or change map.
Admin Commands :
Code:
!smac_status - Show information about current players with SteamID, IP
!smac_addcmd - Adds a command to the block list.
!smac_removecmd - Removes a command from block list.
!smac_addignorecmd - Adds a command to ignore on command spam.
!smac_removeignorecmd - Removes a command from ignore list.
!smac_addcvar - Adds a client cvar to be checked on cvar list.
!smac_removecvar - Removes a cvar from cvar list.
2. SV_PURE
Description :
If sv_pure is enabled on a server, the server forces clients to use only files that match the server's. This means any custom files that modify the textures or sounds of the map are simply ignored, which prevents clients from using certain cheats such as the materials wallhack.
By default sv_pure is set to 0, meaning disabled. The sv_pure cvar supports 3 values :
- 0 - sv_pure is disabled. Custom files from the client are supported on the server.
- 1 - sv_pure is enabled on the server. Custom files that modify the original game files are not allowed. This setting supports a whitelist file, pure_server_whitelist.txt, in which server owners can allow certain custom files to be used by clients, such as skins, sprays, server plugin files, etc.
- 2 - sv_pure is enabled on the server. With this setting, no whitelist file is loaded or read by the server. It does not allow any modified custom file, including custom files of server plugins. Everything is ignored except the default files of the server and client.
Installation :
- Install ClientMod Server API on server.
- In cstrike/cfg/sourcemod/ClientMod.cfg, set the value of the CVAR se_allowpure to 1.
- In cstrike/cfg/autoexec.cfg, put the cvar sv_pure. Use value 1 or 2, depending on which sv_pure setting you want. The sv_pure cvar must be in autoexec.cfg, because on server start or map change this file is loaded first, and server.cfg or any other map config file is loaded after it. If sv_pure is set in server.cfg instead of autoexec.cfg, the first map after server start does not load with the sv_pure setting and some clients' games may crash; the setting only takes effect after the map change. Make sure no other cfg file contains the sv_pure cvar, otherwise it may not work for you.
- Download pure_server_whitelist.txt
- Paste pure_server_whitelist.txt in yourserver/cstrike folder.
Code:
// If set to 1, the server will kick clients with mismatching files. Otherwise, it will issue a warning to the client.
"sv_pure_kick_clients" = "0"
Credits For sv_pure :
SLAYER
Vertigo
3. DAF and DOSP : Anti DOS
Description :
These two anti-DoS plugins show the attacker's IP while he/she is DoSing the server.
Installation of DAF:
1. Download DAF Windows or DAF Linux
2. Extract in yourserver/cstrike folder
3. Go to server/cstrike/cfg, open autoexec.cfg and paste this command
Code:
exec daf.cfg
4. Restart your server.
5. Type plugin_print in the server console to check whether the plugin is loaded.
Server Console Commands :
Code:
daf_status - Shows currently blocked Attacker's IP addresses from the attacks
daf_reset - Resets all the blocked IP addresses
Credits of DAF :
SLAYER
Drunken F00l
Installation of DOSP :
1. Download DOSP Windows or DOSP Linux
2. Extract in yourserver/cstrike folder
4. Restart your server.
5. Type meta list in the server console to check whether the plugin is loaded.
Server Console Commands :
Code:
dosp_enable - Enable/Disable DoS Protect Plugin (0 - Disabled, 1 - Enabled)
dosp_status - Shows status of attacks with attacker's IP
dosp_version - Show version information of DoS Protect
Credits of DOSP :
ZombieX2.net
4. IP-Tables : The Most Important Part to Protect Your Server From DOS
Description :
Iptables is the interface administrators use to interact with the Netfilter modules. In other words, it is the program you use to configure the built-in firewall. A lot of people have been asking how to protect a Linux server against denial of service (DoS) attacks. The vast majority of these attacks involve one individual using a scripted program to attack a single server target. The goal of using iptables here is to handle network traffic before it reaches the game server, where it could cause undesired latency for players. Keep in mind that these iptables rules will do nothing in the face of a large-scale sustained DoS attack. With that in mind, effective iptables rules will mitigate script kiddies' DoS, small-scale DoS, and even larger pulsed DoS attacks.
Installation :
NOTE : This IP-Tables process assumes a Linux VPS and server port 27015. If your server port is different from 27015, then wherever you see port 27015 in the section below, change it to your server port.
First leave your server folder, or type
Code:
cd /home
To start out, we are going to clear all our old rules and recreate the default chains.
Enter these lines one by one.
Code:
iptables -F
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
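-F = Flush the selected chain (all the chains in the table if none is given). This is equivalent to deleting all the rules one by one.
-P = Set the policy for the chain to the given target. See the section TARGETS for the legal targets. Only built-in (non-user-defined) chains can have policies, and neither built-in nor user-defined chains can be policy targets.
Now we are going to allow all the traffic we need.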
Code:
# Accept anything from localhost
sudo iptables -A INPUT -s 127.0.0.1/32 --jump ACCEPT
# FTP
sudo iptables -A INPUT -p tcp --dport 21 --jump ACCEPT
# SSH
sudo iptables -A INPUT -p tcp --dport ssh --jump ACCEPT
# MySQL
sudo iptables -A INPUT -p tcp --dport 3306 --jump ACCEPT
# Steam Friends Service
sudo iptables -A INPUT -p udp --dport 1200 --jump ACCEPT
# Steam Main UDP
sudo iptables -A INPUT -p udp --dport 27000 --jump ACCEPT
# Steam Main TCP
sudo iptables -A INPUT -p tcp --dport 27020 --jump ACCEPT
sudo iptables -A INPUT -p tcp --dport 27039 --jump ACCEPT
# Steam Dedicated Server HLTV
sudo iptables -A INPUT -p udp --dport 27020 --jump ACCEPT
# Your server info goes here (as posted, this rule has no --jump target, so it only counts matching packets)
sudo iptables -A INPUT -p udp -d 192.168.10.5 --dport 27015
# Allow rcon to those servers
sudo iptables -A INPUT -p tcp -d 192.168.10.5 --dport 27015 --jump ACCEPT
# Now drop all other traffic aimed at ports 1-1023 :)
sudo iptables -A INPUT -p tcp --dport 1:1023 --jump DROP
sudo iptables -A INPUT -p udp --dport 1:1023 --jump DROP
In the code above there are two lines that contain the IP 192.168.10.5 and the port 27015.
You need to change them according to your server IP and port. Imagine my server IP is 123.456.78.90 and the port is 27016; then I will write these two lines like this :
Code:
sudo iptables -A INPUT -p udp -d 123.456.78.90 --dport 27016
sudo iptables -A INPUT -p tcp -d 123.456.78.90 --dport 27016 --jump ACCEPT
Now here are the options we used above and what they do :
-A = Append one or more rules to the end of the selected chain.
-p = Protocol: tcp, udp, icmp, or all
--dport = Destination port
--jump = Tells the firewall what to do if the packet matches the rule
Now that is all great for a basic firewall, but it does not help much with the DoS attacks that still affect srcds...
To stop those we can use iptables in combination with another program called fail2ban. Fail2ban (pronounced "Fail 2 Ban") reads logs and takes actions based on what it finds.
First we have to install Fail2Ban :
Code:
apt-get install fail2ban
Now just a little configuring.
Create a file called srcdsdos.conf :
Code:
nano /etc/fail2ban/filter.d/srcdsdos.conf
Now download this file with FileZilla from
/etc/fail2ban/filter.d/
then open the file with Notepad++ and copy into it the lines given below :
Code:
[Definition]
# The length values must agree with the --log-prefix strings of the iptables LOG rules (28 and 46).
failregex = IPTABLES-FLOOD LENGTH (28|46): IN=eth0 OUT= MAC=[a-fA-F0-9:]+ SRC=<HOST> DST=([0-9]{1,3}\.?){4} LEN=(28|46)
After copying and pasting, SAVE the file and put it back in the folder you downloaded it from :
/etc/fail2ban/filter.d/
Now open the jail.conf file located in
/etc/fail2ban/
using the steps described above, and copy and paste the lines given below :
Code:
[srcdsdos]
enabled = true
port = 27015,27025,27035
protocol = udp
filter = srcdsdos
logpath = /var/log/messages.log
maxretry = 3
bantime = 6000
In the code above you can see the line
port = 27015,27025,27035
In this line you need to change port 27015 to your server port if you are not using port 27015 for your server. Now save the file and put it back in the folder you downloaded it from :
/etc/fail2ban/
Now we are going to restart fail2ban :
Code:
/etc/init.d/fail2ban restart
Other commands for fail2ban :
Code:
/etc/init.d/fail2ban stop
/etc/init.d/fail2ban start
Now add these rules :
Code:
# Create the rejection chain for the UDP length-28 flood
sudo iptables -N REJECT_FLOOD28
sudo iptables -A REJECT_FLOOD28 -j LOG --log-prefix 'IPTABLES-FLOOD LENGTH 28: ' --log-level info
sudo iptables -A REJECT_FLOOD28 -j DROP
# Create the rejection chain for the UDP length-46 flood
sudo iptables -N REJECT_FLOOD46
sudo iptables -A REJECT_FLOOD46 -j LOG --log-prefix 'IPTABLES-FLOOD LENGTH 46: ' --log-level info
sudo iptables -A REJECT_FLOOD46 -j DROP
# Send packets of exactly these lengths on the game port to the chains above
sudo iptables -A INPUT -i eth0 -p udp --dport your_port -m length --length 28 -j REJECT_FLOOD28
sudo iptables -A INPUT -i eth0 -p udp --dport your_port -m length --length 46 -j REJECT_FLOOD46
Now again, wherever I typed
your_port
delete it and enter your server port. Now if any DoSer attacks your server, it will be stopped and logged in fail2ban.log like this :
Code:
2009-10-14 19:11:43,702 fail2ban.actions: WARNING [srcdsdos] Ban 78.22.165.162
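A failregex only bans what it matches, so its length values have to agree with the --log-prefix strings written by the LOG rules. The following check is an added example, not part of the original post or of fail2ban: it runs two patterns over constructed kernel log lines and applies maxretry = 3. The `<HOST>` expansion is a simplified IPv4-only stand-in, and the hostnames, MAC and source addresses are constructed sample values.

```python
import re
from collections import Counter

# Simplified stand-in for fail2ban's <HOST> expansion (IPv4 only, assumption).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

def compile_failregex(failregex):
    """Expand <HOST> and compile a filter line for use against log text."""
    return re.compile(failregex.replace("<HOST>", HOST))

def hosts_to_ban(failregex, log_lines, maxretry=3):
    """Return (hits per source IP, sorted IPs that reach maxretry)."""
    rx = compile_failregex(failregex)
    hits = Counter()
    for line in log_lines:
        m = rx.search(line)
        if m:
            hits[m.group("host")] += 1
    banned = sorted(ip for ip, n in hits.items() if n >= maxretry)
    return hits, banned

def kernel_line(prefix_len, src, ip_len):
    """Build one constructed kernel log line in the iptables LOG layout."""
    return (f"Oct 14 19:11:40 vps kernel: IPTABLES-FLOOD LENGTH {prefix_len}: "
            f"IN=eth0 OUT= MAC=00:16:3e:aa:bb:cc:00:16:3e:dd:ee:ff:08:00 "
            f"SRC={src} DST=192.168.10.5 LEN={ip_len} TOS=0x00 PREC=0x00 "
            f"TTL=52 ID=0 DF PROTO=UDP SPT=40000 DPT=27015 LEN={ip_len - 20}")

# Constructed sample log; sources are documentation-range addresses.
SAMPLE_LOG = (
    [kernel_line(28, "203.0.113.7", 28)] * 4      # logged by REJECT_FLOOD28
    + [kernel_line(46, "198.51.100.9", 46)] * 3   # logged by REJECT_FLOOD46
    + [kernel_line(28, "192.0.2.44", 28)] * 2     # stays below maxretry
    + ["Oct 14 19:11:41 vps kernel: SRCDS-RCON IN=eth0 OUT= SRC=192.0.2.80 "
       "DST=192.168.10.5 LEN=60 PROTO=TCP SPT=51000 DPT=27015"]  # other prefix
)

# Pattern that agrees with both --log-prefix strings (28 and 46).
MATCHING = (r"IPTABLES-FLOOD LENGTH (28|46): IN=eth0 OUT= MAC=[a-fA-F0-9:]+ "
            r"SRC=<HOST> DST=([0-9]{1,3}\.?){4} LEN=(28|46)")
# Pattern naming a length no LOG rule emits (48) and pinned to LEN=28.
MISMATCHED = (r"IPTABLES-FLOOD LENGTH (28|48): IN=eth0 OUT= MAC=[a-fA-F0-9:]+ "
              r"SRC=<HOST> DST=([0-9]{1,3}\.?){4} LEN=28")

if __name__ == "__main__":
    for name, pattern in (("matching", MATCHING), ("mismatched", MISMATCHED)):
        hits, banned = hosts_to_ban(pattern, SAMPLE_LOG)
        print(f"{name}: hits={dict(hits)} ban={banned}")
```

On the server itself, `fail2ban-regex /var/log/messages.log /etc/fail2ban/filter.d/srcdsdos.conf` performs the same check with fail2ban's real `<HOST>` expansion.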
Now we make our server harder to access from the outside world :
The first measure of protection is to develop a white-list of IP addresses that have your permission to access rcon; otherwise, it's best to completely hide rcon from the outside world.
Code:
sudo iptables -A INPUT -p tcp --destination-port 27015 -j LOG --log-prefix "SRCDS-RCON " -m limit --limit 1/m --limit-burst 1
sudo iptables -A INPUT -p tcp --destination-port 27015 -j DROP
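Many of the programs available in the nether-regions of the Internet spam queries to the server. These programs have a few commonalities, such as the length of their packets. One popular iptables rule blocks anything with length 28. To suppress these attacks, we'll block any packets with a length between 0 and 32. You won't see any valid game packets below 32 bytes.
Code: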
sudo iptables -A INPUT -p udp --destination-port 27015 -m length --length 0:32 -j LOG --log-prefix "SRCDS-XSQUERY " --log-ip-options -m limit --limit 1/m --limit-burst 1
sudo iptables -A INPUT -p udp --destination-port 27015 -m length --length 0:32 -j DROP
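Similarly, how the game responds to fragmented packets is defined by a few net_ cvars. Check the values of your cvars and configure your firewall rules accordingly. This is the calculation I used to determine the maximum acceptable packet size:
Maximum Size = (`net_maxroutable`) + (`net_splitrate`) * (`net_maxfragments`)
which gives 2520 bytes under the default configuration with a maximum of 32 players allowed on the server.
This means the code below is for a server that at most 32 players can join at a time.
maxplayers 32
Code: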
sudo iptables -A INPUT -p udp --destination-port 27015 -m length --length 2521:65535 -j LOG --log-prefix "SRCDS-XLFRAG " --log-ip-options -m limit --limit 1/m --limit-burst 1
sudo iptables -A INPUT -p udp --destination-port 27015 -m length --length 2521:65535 -j DROP
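sudo iptables -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
Handling 'new' or unsolicited UDP connections, such as requests to join the game server or miscellaneous queries, will be rate-limited. A hash-limit is used to throttle connection attempts that become excessive. This is so sensitive that hitting 'Refresh' in the server browser window too often will trigger these rules. There are several different options for how to configure the hash-limits, so I'll briefly discuss two different scenarios.
1) You run multiple game servers on different ports but the same IP
For this you'd want to make the hash-limit come from the source IP and go to the destination port (srcip,dstport).
Code: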
sudo iptables -A INPUT -p udp -m state --state NEW -m hashlimit --hashlimit-mode srcip,dstport --hashlimit-name StopDoS --hashlimit 1/s --hashlimit-burst 3 -j ACCEPT
2) You run a single game server on a single IP
For this it's easier just to specify the source IP for the hash (srcip).
Code:
sudo iptables -A INPUT -p udp -m state --state NEW -m hashlimit --hashlimit-mode srcip --hashlimit-name StopDoS --hashlimit 1/s --hashlimit-burst 3 -j ACCEPT
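To see what `--hashlimit 1/s --hashlimit-burst 3` does to real traffic and why the hash mode matters with several servers on one IP, here is a simplified token-bucket model. It is an added example, not code from the original post and not the kernel's implementation; the class, the function and the packet traces (time in seconds, source, destination port) are constructed for illustration.

```python
class HashLimit:
    """Simplified model of -m hashlimit: one token bucket per hash key."""

    def __init__(self, rate_per_s, burst, mode):
        self.rate, self.burst, self.mode = rate_per_s, burst, mode
        self.buckets = {}  # key -> (tokens left, time of last packet)

    def _key(self, src, dport):
        # srcip: one bucket per source; srcip,dstport: one per source and port
        return (src, dport) if self.mode == "srcip,dstport" else (src,)

    def accept(self, t, src, dport):
        """True if the NEW packet arriving at time t is within the limit."""
        key = self._key(src, dport)
        tokens, last = self.buckets.get(key, (self.burst, t))
        tokens = min(self.burst, tokens + (t - last) * self.rate)  # refill
        ok = tokens >= 1
        self.buckets[key] = (tokens - 1 if ok else tokens, t)
        return ok

def replay(mode, packets, rate=1, burst=3):
    """Run a packet trace through the model; one True/False per packet."""
    lim = HashLimit(rate, burst, mode)
    return [lim.accept(t, src, dport) for t, src, dport in packets]

# Constructed traces.
# A player hitting Refresh five times within one second.
REFRESH = [(t, "203.0.113.7", 27015) for t in (0.0, 0.2, 0.4, 0.6, 0.8)]
# One player querying two servers (27015 and 27025) on the same IP, alternating.
TWO_SERVERS = [(0.05 * i, "203.0.113.7", 27015 if i % 2 == 0 else 27025)
               for i in range(6)]
# One source sending 100 new packets in one second.
FLOOD = [(0.01 * i, "198.51.100.9", 27015) for i in range(100)]

if __name__ == "__main__":
    print("refresh, srcip:            ", replay("srcip", REFRESH))
    print("two servers, srcip:        ", replay("srcip", TWO_SERVERS))
    print("two servers, srcip,dstport:", replay("srcip,dstport", TWO_SERVERS))
    print("flood accepted:", sum(replay("srcip", FLOOD)), "of", len(FLOOD))
```

With `srcip` the two servers share one bucket per player, so the second server's queries are dropped once the burst is used up; `srcip,dstport` gives each server its own bucket.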
Finally, for all packets that weren't matched to an acceptance rule above, we'll drop them here.
Code:
sudo iptables -A INPUT -p udp -j LOG --log-prefix "UDP-SPAM " --log-ip-options -m limit --limit 1/m --limit-burst 1
sudo iptables -A INPUT -p udp -j DROP
Now add these lines :
Code:
sudo iptables -A INPUT -p udp --dport 27015 -m hashlimit --hashlimit 50/s --hashlimit-burst 50 --hashlimit-mode srcip --hashlimit-name CSS -j ACCEPT
sudo iptables -A INPUT -p udp --dport 27015 -j DROP
You can write other rules for more accurate filtering!
Code:
sudo iptables -A INPUT -p udp -m udp --dport 27015 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p udp --dport 27015 -m state --state NEW -m hashlimit --hashlimit 100/s --hashlimit-burst 100 --hashlimit-mode srcip --hashlimit-name TF -j ACCEPT
sudo iptables -A INPUT -p udp --dport 27015 -j DROP
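By the way, so that the rules are restored after restarting the computer [VPS], you need to execute:
Code:
# The redirect must run as root too, so the whole command goes through sudo sh -c
sudo sh -c 'iptables-save > /etc/iptables.rules'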
Make this file executable:
Code:
chmod +x /etc/iptables.rules
and add the line given below to the file located at
/etc/rc.local
:
Code:
sudo iptables-restore < /etc/iptables.rules
Some more things I want to tell you about Server Protection I am not telling here because the site is giving me an error : Please enter a message with no more than 20000 characters.
So I am writing more in the reply section. So, go and check my reply down here.