Dwarden

How to secure Your server? - Read here!


This thread is intended for advice, tips, security questions and answers related to servers ...

irrelevant posters receive an infraction, so don't post unless You are on subject

0.

it's now fully recommended to use BattlEye even on closed community / passworded servers (due to additional layers of protection)

1.

ATTENTION! Warning to All Admins!

Emergency Responder to Event OMFGBBQFAIL#65535: http://dev-heaven.net/issues/20994

Immediately rename Your server -config= files to unique filenames!

http://community.bistudio.com/wiki/Arma2:_Startup_Parameters#Server_Options

http://community.bistudio.com/wiki/server.cfg

do NOT share these filenames with anyone who is not trustable! (ideally only Yourself)

Start using custom -BEpath= immediately

http://community.bistudio.com/wiki/BattlEye#The_-BEpath_location

More countermeasures for beserver.cfg soon!

beserver.cfg is now automatically renamed to beserver_active_[randomtext].cfg while the server is running to prevent this exploit.

Summary:

move Your -profiles= , -config= and -BEpath= outside Your game/server directory

and use unique filenames (yet rename of file not possible for beserver.cfg)

2.

use verifySignatures=2; and v2 signatures on your server

v2 signatures are supported also in ARMA 2 version 1.10+ and ARMA 2:OA 1.59+!

http://community.bistudio.com/wiki/ArmA:_Addon_Signatures#Controlling_addon_signature_verification_on_the_server

3.

Use RCON from BattlEye and its BEGUID to ban players,

forget about in-game UID (they are easily spoofable and deprecated)

4.

remove regularCheck line from your config (or comment it out by ; in front of it),

incorrect value negates the default setting now

255.

if all fails then password the server up

remove reportIP from gamespy master line in config

and play only with Your trustable friends

but that sort of prevents the public reach it ...

note: this is WIP topic, so any text is subject for change w/o warning :D

Edited by Dwarden


A few notes:

1) -profile= => -profiles=

2) Add the link to the server.cfg for verifySignatures

3) Example of a parameter configuration:

Arma server location: c:\arma2server

Profiles location: c:\arma2profiles

"-config=c:\arma2profiles\serverOA.cfg" 
"-cfg=c:\arma2profiles\basicOA.cfg" 
-name=OA 
"-profiles=c:\arma2profiles" 
"-BEpath=c:\arma2profiles"

(use as one line definition - multiline only for easier viewing)


Summary:

move Your -profiles= , -config= and -BEpath= outside Your game/server directory

and use unique filenames (yet rename of file not possible for beserver.cfg)

Very alarmed by this BTW! I have a problem with this solution as I rent a dedicated box (GSP) and do not have access to the C drive, only the game directory. If I understand the fix, you are saying we need to place the above files out of the root and place them elsewhere.

Not too clear for a noob!


You can also move it into a custom subfolder with custom names like

Arma server location: c:\arma2server

Profiles location: c:\arma2server\arma2profiles4711

BE location: c:\arma2server\BEpath4711

server4711.cfg

basic4711.cfg


Problem with GSP’s is you can’t override the Services Command Line but you do have a command line builder in CP with the options below. So the original command line is set to battleye default which would have to be done in the services menu within CP (which I don’t have access to).

Only options that I have are these

-mod "Specify a mod"

-config "enter server.cfg if default is needed"

-world "Changes Default Starting World"

-netlog "enable logging"

-name "sets profile name"

The above use a tick box system and then you fill in the parameters like @xxxx;@yyyy or serverAAAA.cfg etc

I have managed to alter the server.cfg by changing its name and then running that in the command line changer but that’s all so far.

Hope this makes some sort of sense as I am no expert in this field.

Edited by GeeBee


The bug on Dev Heaven is flagged as affecting the Linux server. Can you confirm it actually affects both Linux and Windows? The code shown in the bug doesn't have any apparent OS specific aspect, so just think it's good to confirm.


It does affect both, Linux and Windows.

Xeno

Immediately rename Your server -config= files to unique filenames!

what about windows "read-only" option for the file instead of renaming ?

It does affect both, Linux and Windows.

Xeno

just remember the script command can read files only inside the game dir,

so please avoid placing game ROOT into ROOT of your system drive !

(i hope no one is dumb enough to actually do that ever)

---------- Post added at 18:16 ---------- Previous post was at 18:14 ----------

what about windows "read-only" option for the file instead of renaming ?

i don't get how this would do anything

how will flagging the file as read-only prevent the engine from reading the file? :)

did you read the original issue explained ?

the problem is an in-engine script command capable of reading any file within the game's own directory and subdirectories ...

so the simple way out of it is

1. rename the files from default/usual names

2. move them outside the game dir

---------- Post added at 18:34 ---------- Previous post was at 18:16 ----------

Summary:

move Your -profiles= , -config= and -BEpath= outside Your game/server directory

and use unique filenames (yet rename of file not possible for beserver.cfg)

Very alarmed by this BTW! I have a problem with this solution as I rent a dedicated box (GSP) and do not have access to the C drive, only the game directory. If I understand the fix, you are saying we need to place the above files out of the root and place them elsewhere.

Not too clear for a noob!

if you can't place files outside the game dir,

then as i said in the workaround

use a unique filename no one can figure out ...

i'm fully aware not everyone can move files outside the game dir,

hence why i mentioned both approaches

yet i suggest using a custom -bepath= to move the BE to a uniquely named directory inside the game directory

i suggest to talk to Your host to add support for all newly introduced command-line options into the control panel

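The placement advice in the post above (keep the path parameters outside the game directory, or failing that give them unique names inside it) can be checked mechanically against a launch line. This is an added example, not part of the thread or of any BI/BattlEye tool; the function names, status labels and the WELL_KNOWN name list are assumptions, and junctions or symlinks are not resolved.

```python
import ntpath
import re

# Path-valued startup parameters discussed in the thread.
PATH_PARAMS = ("config", "cfg", "profiles", "bepath")
# Assumption: names treated as guessable; extend for your own install.
WELL_KNOWN = {"server.cfg", "basic.cfg", "battleye"}


def parse_params(cmdline):
    """Return {name: value} for every -name=value token (Windows quoting)."""
    params = {}
    for token in re.findall(r'(?:[^\s"]+|"[^"]*")+', cmdline):
        m = re.match(r"-(\w+)=(.*)", token.replace('"', ""))
        if m:
            params[m.group(1).lower()] = m.group(2)
    return params


def audit(cmdline, game_dir):
    """Classify each path parameter relative to the game directory."""
    # Case-insensitive root without trailing backslash, so that
    # c:\arma2server does not match c:\arma2server2.
    root = ntpath.normcase(ntpath.normpath(game_dir)).rstrip("\\")
    params = parse_params(cmdline)
    report = {}
    for name in PATH_PARAMS:
        if name not in params:
            report[name] = "unset"
            continue
        # Assumption: relative values resolve against the game directory
        # (the usual working directory); ".." segments are collapsed first.
        target = ntpath.normcase(
            ntpath.normpath(ntpath.join(game_dir, params[name])))
        if target != root and not target.startswith(root + "\\"):
            report[name] = "outside"             # preferred placement
        elif ntpath.basename(target) in WELL_KNOWN:
            report[name] = "inside-well-known-name"
        else:
            report[name] = "inside-unique-name"  # fallback for rented hosts
    return report


if __name__ == "__main__":
    # Launch line from the thread's parameter example (server in c:\arma2server).
    line = (r'"-config=c:\arma2profiles\serverOA.cfg" -name=OA '
            r'"-profiles=c:\arma2profiles" "-BEpath=c:\arma2profiles"')
    for key, status in audit(line, r"c:\arma2server").items():
        print(f"-{key}: {status}")
```

A game directory placed at a drive root makes every path on that drive report as inside, which is the situation the post warns against.
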
2.

use verifySignatures=2; and v2 signatures on your server

v2 signatures are supported also in ARMA 2 version 1.10+ and ARMA 2:OA 1.59+!

http://community.bistudio.com/wiki/ArmA:_Addon_Signatures#Controlling_addon_signature_verification_on_the_server

Not much good if your dedi doesn't have BAF or PMC installed as only those that don't have them can play as if players have them they get kicked.

Anyone have a fix for this without buying a copy specifically for the server to allow those that have them the ability to join?


?

BAF and PMC have version 2 signatures too. bi2 signatures. And that's the key you should have on your server if you've updated it correctly.

Xeno


You never install BAF or PMC data on dedicated server! for that exist Lite content ...


The server doesn't have BAF or PMC installed as it's never needed them and it has the v2 bikey but as soon as we run v2 signature checks anyone that has BAF and/or PMC installed gets kicked for wrong signatures.

If we remove BAF/PMC from our local installs we can connect and play properly, therefore unless I am missing something it looks like that since the server can't check the full BAF/PMC files against anything it kicks the players.

Some examples of the log (never kicks for the same file for the same person):

20:22:59 Player [RIP]joina412: Wrong signature for file baf\addons\tracked_w_baf.pbo
20:25:12 Player [RIP]Tyson: Wrong signature for file baf\addons\shapur_baf.pbo
20:29:15 Player [RIP]welshterrorist: Wrong signature for file baf\addons\wheeled_w_baf.pbo
20:44:31 Player [RIP]BearBison: Wrong signature for file baf\addons\sounds_baf.pbo
20:45:43 Player [RIP]Tyson: Wrong signature for file ca\characters_d_baf\baf_soldier_2_baf.p3d
20:48:02 Player [RIP]welshterrorist: Wrong signature for file pmc\addons\missions_pmc.pbo
20:49:14 Player [RIP]AacAac: Wrong signature for file pmc\addons\modules_pmc.pbo
20:50:42 Player [RIP]joina412: Wrong signature for file ca\characters_d_baf\baf_soldier_2_baf.p3d
20:51:56 Player [RIP] BabylonCome: Wrong signature for file ca\characters_d_baf\baf_soldier_2_baf.p3d

The server files have been checked against my local files and are a complete match (less the BAF and PMC folders as not on server) so how do we fix?


tell these players to update their DLC to 1.02 BAF


I have exactly the same problem as BearBison. I get kicked off my dedicated server with v2 enabled for various wrong signatures on BAF/PMC files. I'm using Steam, so pretty sure I have the latest version of both BAF and PMC. Just to be sure, I completely deleted the BAF and PMC folders in the OA root directory. This forced the reinstallation of both when I launched OA. Still get the kick/ban for a wrong signature. It's a different file each time.

Edited by Focher

tell these players to update their DLC to 1.02 BAF

All players are fully updated, one is a clean install who even tried using the separate patch for the DLC's after the v1.59 patch just in case there was an issue with the combined patch.


do you have \Keys\ (this one should not be needed but depends where you have actual profile root) and \Expansion\Keys\

with latest

bi2.bikey

bi.bikey

files?


My profile root is the default. I don't use the -profiles command line when starting the server. I checked the MD5 hashes across all 3 computers for both bi.sgn and bi2.sgn located under the OA root "keys" folder and the "expansion/keys". It's the same for all of them.

bi.bikey - f40916be05b3bfd8bdb860275ce922e3

bi2.bikey - 5b5c9a1e7033150e8ffe7307ce385b25

On both the server and the client, I have both Arma 2 and OA installed through Steam. Have done a Verify Cache multiple times to ensure everything is fine. I then issued the following commands for both client and server to make OA into a CO configuration. Client is launching from Steam.

mklink /j ".\Addons" "..\ARMA 2\Addons"
mklink /j ".\Dta" "..\ARMA 2\Dta"
mklink /j ".\Keys" "..\ARMA 2\Keys"
mklink /j ".\userconfig" "..\ARMA 2\userconfig"

Server Start Command File

cd "d:\Steam\steamapps\common\arma 2 operation arrowhead\"
arma2oaserver -config=d:\Server-Cfg\server.cfg -cfg=d:\Server-Cfg\serverbasic.cfg -BEpath=d:\Server-Cfg\BE -netlog

server.cfg

hostname="Server Name";
password="";
passwordAdmin="XXXXXXXXXXXXXXXXXXXXX";
reportingIP="arma2oapc.master.gamespy.com";
logFile="server_console.log";
motd[]=
{
    "Welcome",
};
motdInterval=2;
checkfiles[]={};
maxPlayers=64;
kickDuplicate=1;
verifySignatures=2;
equalModRequired=0;
voteThreshold = 5;
voteMissionPlayers=5;
disableVoN=0;
vonCodecQuality=10;
persistent=1;
onUserConnected="";
onUserDisconnected="";
doubleIdDetected="";
onUnsignedData="kick (_this select 0)";
onHackedData="ban (_this select 0)";
onDifferentData="Vanilla Only!";
BattlEye=1;
class Missions
{
    class Domination_AI
    {
        template="co30_Domination_2_60c_West_OA.Takistan";
        difficulty="Expert";
    };
};
Windowed=0;

serverbasic.cfg

MaxMsgSend=2048;
MaxSizeGuaranteed=1024;
MaxSizeNonguaranteed=64;
MinBandwidth=20480000;
MaxBandwidth=40960000;
MinErrorToSend=0.0099999998;
MaxCustomFileSize=131720;
adapter=-1;
3D_Performance=1;
Resolution_W=0;
Resolution_H=0;
Resolution_Bpp=32;
Windowed=0;

If I switch back to version 1 signatures, I don't get the error / kick / ban.


so i have no idea what's wrong, can You get me list of all files these players have

\PMC

\BAF

same goes i need list of the server files (ideally MD5 hashes included)

also what's your server IP ?

so i have no idea what's wrong, can You get me list of all files these players have

\PMC

\BAF

same goes i need list of the server files (ideally MD5 hashes included)

also what's your server IP ?

Hi, I kind of feel like I hijacked this thread so I'll put that information in the other thread I created at Wrong Signature - v1 / v2.

ATTENTION! Warning to All Admins!

Emergency Responder to Event OMFGBBQFAIL#65535: http://dev-heaven.net/issues/20994

[...]

More countermeasures for beserver.cfg soon!

beserver.cfg is now automatically renamed to beserver_active_[randomtext].cfg while the server is running to prevent this exploit.


Sable,

we have an issue with our linux box.

The server reports only 500MB ram usage. Which is normal for us.

However, it is actually eating up all 4Gigs of RAM.

Furthermore, BE fails to start with -bepath full or relative.

And the beserver.so gets automatically deleted.

And question #2

if we run multiple servers off the same config, will that "autorename" interfere with each other?

FYI: the file gets renamed to beserver_ac<random>.cfg and not the format you posted.

Edited by nomad_man


Yeah, we're having the same issue. RCon stops working randomly (when the file gets renamed) and beserver.so gets removed.
