Server Protection : How to Protect Your Server From Hackers and DDOSERS

bornforgaming3201

Member
Content Writer
Server Protection : How to Protect Your Server From Hackers and DOSERS

Description :
Hi , Today i will tell you how to Protect Your Server From Hackers and dosers. I will tell you all methods and also give you best Anti-Cheat to Protect Your Server.
I hope you will like it.

We are doing Following Methods to Protect Our Server:

1. SMAC R1.F This Anti-Cheat will Protect server from Hackers like aimbot, wallhack, etc.
2. SV_PURE This will Protect Server from Hackers who use Material Wall Hacks.
3. DAF and DOSP Anti-dosers These two Anti-dosers shows doser ip when he/she ddosing.
4. IP-Tables This is main Protection against dos and its very Important.

1. SMAC R1.F

Description :

The latest Anti-Cheat for CSS v34. This Anti-Cheat will Protect server from Hackers like Aimbot, Wallhack, etc.

Installation :
1. First Install SMAC.
2. Extract it to your server/cstrike folder.
3. Restart your server or change map.

Admin Commands :
Code:
!smac_status                     -                   Show information about current players with SteamID, IP
!smac_addcmd                     -                   Adds a command to the block list.
!smac_removecmd                  -                   Removes a command from block list.
!smac_addignorecmd               -                   Adds a command to ignore on command spam.
!smac_removeignorecmd            -                   Removes a command from ignore list.
!smac_addcvar                    -                   Adds a client cvar to be checked on cvar list.
!smac_removecvar                 -                   Removes a cvar from cvar list.
2. SV_PURE

Description :

If sv_pure is enabled on a server, then the server forces clients to use only files matching with server. This means, any custom files used for modifying texture, sound of the map will be simply ignored. Thus preventing clients to use certain cheats such as Materials Wallhack.

By default sv_pure is set to 0, means disabled. The sv_pure cvar supports 3 values :

  • 0 - Disabled setting for sv_pure. Custom files from client is supported on the server.
  • 1 - sv_pure is enabled on server. Any custom files to modify the original game files is not allowed. This setting supports a whitelist file pure_server_whitelist.txt, in which server owners can allow certain custom files to be used by the clients such as skins, sprays, server plugin files etc.
  • 2 - sv_pure is enabled on server. For this setting, no whitelist file is loaded or read by the server. This setting doesn't allow any modified custom file including server plugins custom files. Everything is ignored except the default files of the server and client.
Before the ClientMod API, the sv_pure was broken on CS: Source v34 servers. ClientMod API fixes this bug, so now server owners can use the sv_pure setting on their server.

Installation :
  • Install ClientMod Server API on server.
  • In cstrike/cfg/sourcemod/ClientMod.cfg, set the value of the CVAR se_allowpure to 1.
  • In cstrike/cfg/autoexec.cfg, put the cvar sv_pure. Use value 1 or 2, depending on what type of sv_pure setting you want. It is necessary to have the sv_pure cvar in autoexec.cfg. Because on server start or map change, this file is loaded first, after that server.cfg file or any other map config file. If sv_pure is set on server.cfg instead of autoexec.cfg, then on server start first map doesn't load with sv_pure setting and some clients game may crash. It will only take effect after the map change. Make sure no other cfg file contains sv_pure cvar, otherwise it may not work for you.
  • Download pure_server_whitelist.txt
  • Paste pure_server_whitelist.txt in yourserver/cstrike folder.
CVARs :

Rich (BB code):
// If set to 1, the server will kick clients with mismatching files. Otherwise, it will issue a warning to the client.
"sv_pure_kick_clients" = "0"
Credits For sv_pure :
SLAYER
Vertigo

3. DAF and DOSP : Anti DOS

Description :

These two Anti-DOS will show the IP of doser when he/she dosing Server.

Installation of DAF:
1.
Download DAF Windows or DAF Linux
2. Extract in yourserver/cstrike folder
3. Goto server/cstrike/cfg open autoexec.cfg and paste this command
Code:
exec daf.cfg
4.
Restart your server.
5. Type plugin_print in server console to check if the plugin is loaded or not.

Screenshot :
741

Server Console Commands :
Code:
daf_status             -              Shows currently blocked Attacker's IP addresses from the attacks
daf_reset              -              Resets all the blocked IP addresses
Credits of DAF :
SLAYER
Drunken F00l

Installation of DOSP :
1.
Download DOSP Windows or DOSP Linux
2. Extract in yourserver/cstrike folder
4. Restart your server.
5. Type meta list in server console to check if the plugin is loaded or not.

Screenshot :
742

Server Console Commands :
Code:
dosp_enable           -           Enable/Disable DoS Protect Plugin (0 - Disabled, 1 - Enabled)
dosp_status           -           Shows status of attacks with attacker's IP
dosp_version          -           Show version information of DoS Protect
Credits of DOSP :
ZombieX2.net

4. IP-Tables : The Most Important Part to Protect Your Server From DOS


Description :
Iptables is the interface used by administrators to interact with Netfilter modules. In another words it is the program you use to configure the built in firewall. A lot of people have been asking about how to protect a Linux server against denial of service (DoS) attacks. The vast majority of these attacks involve one individual using a scripted program to execute an attack on a single server target. The goal of using iptables here is to handle networking traffic before it reaches to server where it could cause undesired latency for players. Also, keep in mind that these iptables rules will do nothing in the face of a large-scale sustained DoS attacks. With that in mind, effectively iptables rules will mitigate script kiddies' DoS, small-scale DoS, and even larger pulsed DoS attacks.

Installation :
NOTE :
In this IP-Tables process we using Linux VPS and Using 27015 server port if your server port is different from 27015 than where you see 27015 port in below section change it to your server port.

First go out from your server folder or type
Code:
cd /home
To start out we are going to clear all our old rules and recreate the default chains.
Put These lines one by one.

Code:
iptables -F
iptables -P INPUT   ACCEPT
iptables -P OUTPUT  ACCEPT
iptables -P FORWARD ACCEPT
-F = Flush the selected chain (all the chains in the table if none is given). This is equivalent to deleting all the rules one by one.
-P = Set the policy for the chain to the given target. See the section TARGETS for the legal targets. Only built-in (non-user-defined) chains can have policies, and neither built-in nor user-defined chains can be policy targets.

Now we are going to allow all our need traffic.

Rich (BB code):
Accept anything from localhost
sudo iptables -A INPUT -s 127.0.0.1/32 --jump ACCEPT

FTP
sudo iptables -A INPUT -p tcp --dport 21 --jump ACCEPT

SSH
sudo iptables -A INPUT -p tcp --dport ssh --jump ACCEPT

MySql
sudo iptables -A INPUT -p tcp --dport 3306 --jump ACCEPT

Steam Friends Service
sudo iptables -A INPUT -p udp --dport 1200 --jump ACCEPT

Steam Main UDP
sudo iptables -A INPUT -p udp --dport 27000 --jump ACCEPT

Steam Main TCP
sudo iptables -A INPUT -p tcp --dport 27020 --jump ACCEPT
sudo iptables -A INPUT -p tcp --dport 27039 --jump ACCEPT

Steam Dedicated Server HLTV
sudo iptables -A INPUT -p udp --dport 27020 --jump ACCEPT

your server info go's here
sudo iptables -A INPUT -p udp -d 192.168.10.5 --dport 27015

allow rcon to thoes servers
sudo iptables -A INPUT -p tcp -d 192.168.10.5 --dport 27015 --jump ACCEPT

now to drop all other traffic :)
sudo iptables -A INPUT -p tcp --dport 1:1023 --jump DROP
sudo iptables -A INPUT -p udp --dport 1:1023 --jump DROP
In above code you can see two line in these two lines you can see the ip 192.168.10.5 and port 27015
You need to change them according to your server IP and PORT imagine my server ip is 123.456.78.90 and port is 27016 than i will write these two line like this
Rich (BB code):
sudo iptables -A INPUT -p udp -d 123.456.78.90 --dport 27016

sudo iptables -A INPUT -p tcp -d 123.456.78.90[/B] --dport 27016 --jump ACCEPT
Now here i tell you commands and there use which we use above :

-A =Append one or more rules to the end of the selected chain. Adds the rule to the chain
-p = Protocol tcp, udp, icmp, or all
--dport = destination port
--jump = Tells the firewall what to do if the packet matches the rule

Now that is all great for a basic firewall but that does not help much with the DoS attack the still effects srcds...
To stop that we can use ip-tables in combo with another program called fail2ban. Fail2ban pronounced Fail 2 Ban reads logs and takes actions based on what it finds.
First we have to install Fail2Ban :
Code:
apt-get install fail2ban
Now just a little configuring
Creating a file called srcdsdos.conf
Code:
nano /etc/fail2ban/filter.d/srcdsdos.conf
Now download this file from Filezilla located in /etc/fail2ban/filter.d/ than open the file with Notepad ++ and than copy these lines in to the file which i given below :
Rich (BB code):
[Definition]

failregex= IPTABLES-FLOOD LENGTH (28|48): IN=eth0 OUT= MAC=[a-zA-F0-9:]+ SRC=<HOST> DST=([0-9]{1,3}\.?){4} LEN=28
After copy and paste SAVE the file and again put it to folder where you download from : /etc/fail2ban/filter.d/

Now open the jail.conf file located in /etc/fail2ban/ by the steps which i tell you above and add copy and paste these line which i given below :
Rich (BB code):
[srcdsdos]
enabled = true
port      = 27015,27025,27035
protocol = udp
filter = srcdsdos
logpath = /var/log/messages.log
maxretry = 3
bantime = 6000
In above code you can see the line port = 27015,27025,27035 In this line you need to change the Port 27015 to your server port if you dont using 27015 Port for server.
Now save the file and Put it to the folder from which you download the file /etc/fail2ban/

Now we going to restart fail2ban
Rich (BB code):
/etc/init.d/fail2ban restart
others command for fail2ban
Rich (BB code):
/etc/init.d/fail2ban stop
/etc/init.d/fail2ban start
Now add these rules :
Rich (BB code):
Creation channel rejection flood udp 28
sudo iptables -N REJECT_FLOOD28
sudo iptables -A REJECT_FLOOD28 -j LOG --log-prefix 'IPTABLES-FLOOD LENGTH 28: ' --log-level info
sudo iptables -A REJECT_FLOOD28 -j DROP

Creation channel rejection flood udp 46
sudo iptables -N REJECT_FLOOD46
sudo iptables -A REJECT_FLOOD46 -j LOG --log-prefix 'IPTABLES-FLOOD LENGTH 46: ' --log-level info
sudo iptables -A REJECT_FLOOD46 -j DROP

sudo iptables -A INPUT -i eth0 -p udp --dport your_port -m length --length 28 -j REJECT_FLOOD28

sudo iptables -A INPUT -i eth0 -p udp --dport your_port -m length --length 46 -j REJECT_FLOOD46
Now again where i type your_port delete it and enter your server port.

Now if any DOSER attack your server it will be stopped and logged in the fail2ban.log like this :

Rich (BB code):
2009-10-14 19:11:43,702 fail2ban.actions: WARNING [srcdsdos] Ban 78.22.165.162
Now we make our Server Harder to access outside world :
The first measure of protection is to develop a white-list of IP addresses that have your permission to access rcon ; otherwise, it's best to completely hide rcon from the outside world.
Rich (BB code):
sudo iptables -A INPUT -p tcp --destination-port 27015 -j LOG --log-prefix "SRCDS-RCON " -m limit --limit 1/m --limit-burst 1
sudo iptables -A INPUT -p tcp --destination-port 27015 -j DROP
Many of the programs available in the nether-regions of the Internet spam queries to the server. These programs have a few commonalities such as the length of their packets. One popular iptables rule blocks anything with length 28. To suppress these attacks, we'll block any packets with a length between 0 and 32. You won't see any valid game packets below 32 bytes.
Rich (BB code):
sudo iptables -A INPUT -p udp --destination-port 27015 -m length --length 0:32 -j LOG --log-prefix "SRCDS-XSQUERY " --log-ip-options -m limit --limit 1/m --limit-burst 1
sudo iptables -A INPUT -p udp --destination-port 27015 -m length --length 0:32 -j DROP
Similarly, how the game responds to fragmented packets is defined by a few net_ cvars. Check the values of your cvars and configure your firewall rules accordingly. This is the calculation I used to determine the maximum acceptable packet size:
Maximum Size = (`net_maxroutable`) + (`net_splitrate`) * (`net_maxfragments`)
which gives 2520 bytes under the default configuration of maximum 32 players allow on server.
Means below code is for that server in which maximum 32 players can join at a time.
maxplayers 32

Rich (BB code):
sudo iptables -A INPUT -p udp --destination-port 27015 -m length --length 2521:65535 -j LOG --log-prefix "SRCDS-XLFRAG " --log-ip-options -m limit --limit 1/m --limit-burst 1
sudo iptables -A INPUT -p udp --destination-port 27015 -m length --length 2521:65535 -j DROP
sudo iptables -A INPUT -p udp -m state --state ESTABLISH -j ACCEPT
Handling 'new' or unsolicited UDP connections such as requests to join the game server or miscellaneous queries will be rate-limitted. A hash-limit is used to throttle connection attempts that become excessive. This is so sensitive that hitting 'Refresh' in the server browser window too often will trigger these rules. There are several different options for how to configure the hash-limits so I'll briefly discuss two different scenarios.
1) You run multiple game servers on different ports but same IP
For this you'd want to make the hash-limit come from the source IP and go to the destination port (srcip,dstport).

Rich (BB code):
sudo iptables -A INPUT -p udp -m state --state NEW -m hashlimit --hashlimit-mode srcip,dstport --hashlimit-name StopDoS --hashlimit 1/s --hashlimit-burst 3 -j ACCEPT
2) You run a single game server on a single IP
For this it's easier just to specify the source IP for the hash (srcip).

Rich (BB code):
sudo iptables -A INPUT -p udp -m state --state NEW -m hashlimit --hashlimit-mode srcip --hashlimit-name StopDoS --hashlimit 1/s --hashlimit-burst 3 -j ACCEPT
Finally, for all packets that weren't matched to an acceptance rule above, we'll drop them here.
Rich (BB code):
sudo iptables -A INPUT -p udp -j LOG --log-prefix "UDP-SPAM " --log-ip-options -m limit --limit 1/m --limit-burst 1
sudo iptables -A INPUT -p udp -j DROP
Now add these lines :
Rich (BB code):
sudo iptables -A INPUT -p udp --dport 27015 -m hashlimit --hashlimit 50 / s --hashlimit-burst 50 --hashlimit-mode srcip --hashlimit-name CSS -j ACCEPT

sudo iptables -A INPUT -p udp - dport 27015 -j DROP
You can write other rules for more accurate filtering!
Rich (BB code):
sudo iptables -A INPUT -p udp -m udp --dport 27015 -m state --state RELATED, ESTABLISHED -j ACCEPT

sudo iptables -A INPUT -p udp --dport 27015 -m state --state NEW -m hashlimit --hashlimit 100 / s --hashlimit-burst 100 --hashlimit-mode srcip --hashlimit-name TF -j ACCEPT

sudo iptables -A INPUT -p udp --dport 27015 -j DROP
By the way, so that after restarting the computer [VPS], the rules are restored, you need to execute:
Rich (BB code):
sudo iptables-save > /etc/iptables.rules
make this file executable:
Rich (BB code):
chmod +x /etc/iptables.rules
and add the line which i given below to the file loctated /etc/rc.local:
Rich (BB code):
sudo iptables-restore < /etc/iptables.rules
Some more things i want to tell you about Server Protection i am not telling here becasue Site giving me error : Please enter a message with no more than 20000 characters.

So i am writing more in replay section. So, Go and check my replay down here :
⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩
 
Last edited by a moderator:

bornforgaming3201

Member
Content Writer
Some more things i want to tell you about Server Protection i am not telling here becasue Site giving me error : Please enter a message with no more than 20000 characters.

So i am writing more in replay section. So, Go and check my replay down here :
⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩
So here the remaining Part of The Server Protection Thread :

Protecting Server by baning the IP of DOSER through IP-Tables :
Install the plugin DAF/DOSP which we discuss in above Point 3 ! Further, if there was a DoS attack, look in the log from which IP address the attack was from, and ban the IP address through iptables! Ban on iptables is a very reliable thing, I checked it myself =)!

Offtopic : Although it is written that this DAF/DOSP plugin protects the server from DOS, but in my opinion and experience, it doesn’t protect a little bit from DOS. These plugins ONLY SHOW the IP of DOSER.

You ban should through iptables like this :
Code:
sudo iptables -A INPUT -s xxx.xxx .xxx.xxx -j DROP
Where
xxx.xxx.xxx.xxx is the DOSER's IP address!

If the DOSER has a dynamic IP, changed the IP and DoS it further, then we will ban a subnet or several subnets!
Code:
sudo iptables -A INPUT -s xxx.xxx.xxx.0/24 -j DROP

Example:

Code:
sudo  iptables -A INPUT -s 187.34.232.0/24 -j DROP -> This will ban the range of IP addresses from 187.34.232.0 to 187.34.232.255 by iptables
Unban IP like this :
Code:
sudo iptables -D INPUT -s xxx.xxx.xxx.xxx -j DROP

Note 1:

By the way, Ban on iptables does not seem to be Banning on the server CS: S , that is, a User banned on iptables will be able to play on your Server, but will not be able to DoS!

if you want to BAN DOSER from IP-tables and Server both than you can do like this :
Code:
sudo iptables -A INPUT -s xxx.xxx.xxx.xxx -p udp -m udp --dport 27015: 27018 -j DROP
Where xxx.xxx.xxx.xxx is the DOSER's IP address!
Then the banned person will not be able to play on these ports :)

Note 2:
And yet, all these rules and Bans prevent only from external DOS attacks, i.e. when you can do DoS through all kinds of flood programs without going to the Server! For scripts that flood commands into the console on the server itself, you can try using KAC Anti-Cheat!

Note 3 :
The Information which i tell you above well protect your server 50% to 70% because CSS is nearly dead no one cares about it. All community is going to play CSGO. And which methods i tell you are the good methods to Protect Server.

Tips :
1.
Always make your Server on Linux VPS.
2. if you want to stop real DOS you need to buy VPS from that site which gives you DOS protection like Google Cloud give you DOS protection and its also my experience that Server which running on Google Cloud has 20% to 30% chance to DOS.

Things to Remembered :
1. Never trust on Anti-DOS plugins they ONLY show IP of little DOSERS. The best DOSER can crash your server in a Minute.
2. After adding all IP-Tables which i give you above will protect your server 50% to 60%. Yeah its truth, you cant save your server from best doser but you can stop small scale DOS.

Credits :
Vertigo Thanks vertigo to helping me to bring this information to you :D

Donation :
If you like the information about Server Protection. Please Subscribe my Youtube Channel : League of Gamers
OR
Share the link of this thread to peoples than more downloads = money.
 
Last edited by a moderator:
Top
AdBlock Detected

We get it, advertisements are annoying!

Sure, ad-blocking software does a great job at blocking ads, but it also blocks useful features of our website. For the best site experience please disable your AdBlocker.

I've Disabled AdBlock