How to secure Your server? - Read here!

[Dwarden]

This is thread intended for advices, tips, security questions and answers related to servers ...

irrelevant posters receive infraction, so don't post unless You on subject

0.
it's now fully recomended to use BattlEye even on closed community / passworded servers (due to additional layers of protection)

1.
ATTENTION! Warning to All Admins!
Emergency Responder to Event OMFGBBQFAIL#65535: http://dev-heaven.net/issues/20994

Immediately rename Your server -config= files to unique filenames!
http://community.bistudio.com/wiki/A...Server_Options
http://community.bistudio.com/wiki/server.cfg

do NOT share these filenames with anyone who is not trustable! (ideally only Yourself)

Start using custom -BEpath= immediately
http://community.bistudio.com/wiki/B...Epath_location

More countermeasures for beserver.cfg soon(tm)!
beserver.cfg is now automatically renamed to beserver_active_[randomtext].cfg while the server is running to prevent this exploit.

Summary:
move Your -profiles= , -config= and -BEpath= outside Your game/server directory
and use unique filenames (yet rename of file not possible for beserver.cfg)

2.
use verifySignatures=2; and v2 signatures on your server
v2 signatures are supported also in ARMA 2 version 1.10+ and ARMA 2:OA 1.59+!
http://community.bistudio.com/wiki/A..._on_the_server

3.
Use RCON from BattlEye and it's BEGUID to ban players,
forget about in-game UID (they spoofable easily and deprecated)

4.
remove regularCheck line from your config (or comment it out by ; infront of it),
incorrect value negates the defaut setting now

255.
if all fails then password the server up
remove reportIP from gamespy master line in config
and play only with Your trustable friends
but that sort of prevents the public reach it ...

note: this is WIP topic, so any text is subject for change w/o warning

[.kju [PvPscene]]

A few notes:

1) -profile= => -profiles=

2) Add the link to the server.cfg for verifySignatures

3) Example of a parameter configuration:

Arma server location: c:\arma2server
Profiles location: c:\arma2profiles

PHP Code:

"-config=c:\arma2profiles\serverOA.cfg" 
"-cfg=c:\arma2profiles\basicOA.cfg" 
-name=OA 
"-profiles=c:\arma2profiles" 
"-BEpath=c:\arma2profiles" 


(use as one line definition - multiline only for easier viewing)

[GeeBee]

Summary:
move Your -profiles= , -config= and -BEpath= outside Your game/server directory
and use unique filenames (yet rename of file not possible for beserver.cfg)

Very alarmed by this BTW! I have a problem with this solution as I rent a dedicated box (GSP) and do not have access to the C drive only the game directory. If I understand the fix you saying we need to place the above files out of the root and place else ware.

Not too clear for a noob!

[.kju [PvPscene]]

You can also move it into a custom subfolder with custom names like

Arma server location: c:\arma2server
Profiles location: c:\arma2server\arma2profiles4711
BE location: c:\arma2server\BEpath4711

server4711.cfg
basic4711.cfg

[GeeBee]

Problem with GSP’s is you can’t override the Services Command Line but you do have a command line builder in CP with the options below. So the original command line is set to battleye default which would have to be done in the services menu within CP (which I don’t have access to).

Only options that I have are these

-mod "Specify a mod"
-config "enter server.cfg if default is needed"
-world "Changes Default Starting World"
-netlog "enable logging"
-name "sets profile name"

The above use a tick box system and then you fill in the parameters like @xxxx;@yyyy or serverAAAA.cfg etc

I have managed to alter the server.cfg by changing its name and then running that in the command line changer but that’s all so far.

Hope this makes some sort of sense as I am no expert in this field.

[Focher]

The bug on Dev Heaven is flagged as affecting the Linux server. Can you confirm it actually affects both Linux and Windows? The code shown in the bug doesn't have any apparent OS specific aspect, so just think it's good to confirm.

[Xeno]

It does affect both, Linux and Windows.

Xeno

[Hellfire257]

Thanks for this Dwarden. Will forward...

[xjiks]

Immediately rename Your server -config= files to unique filenames!

what about windows "read-only" option for the file instead of renaming ?

[Dwarden]

It does affect both, Linux and Windows.

Xeno

just remember the script command can read files only inside the game dir,

so please avoid placing game ROOT into ROOT of your system drive !
(i hope noone is dumb enough to actually do that ever)

---------- Post added at 18:16 ---------- Previous post was at 18:14 ----------

what about windows "read-only" option for the file instead of renaming ?

i don't get how this would do anything
how will flagging file as read-only prevent engine to read the file?

did you read the original issue explained ?
the problem is in-engine script command capable of reading any file within game own directory and subdirectories ...
so the simple way out of it is
1. rename the files from default/usual names
2. move them outside the game dir

---------- Post added at 18:34 ---------- Previous post was at 18:16 ----------

Summary:
move Your -profiles= , -config= and -BEpath= outside Your game/server directory
and use unique filenames (yet rename of file not possible for beserver.cfg)

Very alarmed by this BTW! I have a problem with this solution as I rent a dedicated box (GSP) and do not have access to the C drive only the game directory. If I understand the fix you saying we need to place the above files out of the root and place else ware.

Not too clear for a noob!

if you can't place files outside the game dir,
then as do i said in the workaround
use unique filename no-one can figure out ...

i'm fully aware not everyone can move files outside the game dir,
hence why i mentioned both approaches
yet i suggest use custom -bepath= to move the EB to uniquely named directory inside the game directory

i suggest to talk to Your host to add support for all newly introduced command-line options into the control panel