
How to secure Your server? - Read here!


59 replies to this topic
Thread Starter
Dwarden

    BI Developer

  • 9646 posts
  • Location: Brno, Czech Republic

#1

Posted 28 June 2011 - 06:39

This thread is intended for advice, tips, security questions and answers related to servers ...

irrelevant posters receive an infraction, so don't post unless You are on subject

0.
it's now fully recommended to use BattlEye even on closed community / passworded servers (due to additional layers of protection)

1.
ATTENTION! Warning to All Admins!
Emergency Responder to Event OMFGBBQFAIL#65535: http://dev-heaven.net/issues/20994

Immediately rename Your server -config= files to unique filenames!
http://community.bis...#Server_Options
http://community.bis...wiki/server.cfg

do NOT share these filenames with anyone who is not trustable! (ideally only Yourself)

Start using custom -BEpath= immediately
http://community.bis...BEpath_location

More countermeasures for beserver.cfg soon™!
beserver.cfg is now automatically renamed to beserver_active_[randomtext].cfg while the server is running to prevent this exploit.

Summary:
move Your -profiles= , -config= and -BEpath= outside Your game/server directory
and use unique filenames (yet rename of file not possible for beserver.cfg)

2.
use verifySignatures=2; and v2 signatures on your server
v2 signatures are supported also in ARMA 2 version 1.10+ and ARMA 2:OA 1.59+!
http://community.bis...n_on_the_server

3.
Use RCON from BattlEye and its BEGUID to ban players,
forget about in-game UID (they are easily spoofable and deprecated)

4.
remove regularCheck line from your config (or comment it out by ; in front of it),
incorrect value negates the default setting now

255.
if all fails then password the server up
remove reportIP from gamespy master line in config
and play only with Your trustable friends
but that sort of prevents the public reach it ...

note: this is WIP topic, so any text is subject for change w/o warning :D

Edited by Dwarden, 02 August 2011 - 19:10.

RealTimeChat ~ARMA2 in Your browser (w/o Java), RealTimeChat ~ARMA3 in Your browser (w/o Java),
irc.GameSurge.net/ARMA2 (external IRC clients) irc.GameSurge.net/ARMA3 (external IRC clients)
ARMA 3 Feedback Tracker: http://feedback.arma...y_view_page.php
~100k fans @STEAM ARMA 2 + ARMA 2: OA + ARMA 3: + ~2k @XFIRE A2:OA
Follow my Twitter: http://twitter.com/FoltynD or my Facebook http://facebook.com/FoltynD


.kju -PvPscene-

    Brigadier General

  • Members
  • 12275 posts

#2

Posted 28 June 2011 - 07:13

A few notes:

1) -profile= => -profiles=

2) Add the link to the server.cfg for verifySignatures

3) Example of a parameter configuration:

Arma server location: c:\arma2server
Profiles location: c:\arma2profiles
"-config=c:\arma2profiles\serverOA.cfg" 
"-cfg=c:\arma2profiles\basicOA.cfg"
-name=OA
"-profiles=c:\arma2profiles"
"-BEpath=c:\arma2profiles"

(use as one line definition - multiline only for easier viewing)



Current active projects: None :(

Maintained/assisted projects: IFA3, Blitzkrieg


Help: Got a crash? Report it! What is the RPT log file?


GeeBee

    Corporal

  • Members
  • 65 posts

#3

Posted 28 June 2011 - 08:39

> Summary:
> move Your -profiles= , -config= and -BEpath= outside Your game/server directory
> and use unique filenames (yet rename of file not possible for beserver.cfg)

Very alarmed by this BTW! I have a problem with this solution as I rent a dedicated box (GSP) and do not have access to the C drive, only the game directory. If I understand the fix, you are saying we need to place the above files out of the root and place them elsewhere.

Not too clear for a noob!

.kju -PvPscene-

    Brigadier General

  • Members
  • 12275 posts

#4

Posted 28 June 2011 - 08:46

You can also move it into a custom subfolder with custom names like

Arma server location: c:\arma2server
Profiles location: c:\arma2server\arma2profiles4711
BE location: c:\arma2server\BEpath4711

server4711.cfg
basic4711.cfg





GeeBee

    Corporal

  • Members
  • 65 posts

#5

Posted 28 June 2011 - 10:00

Problem with GSP’s is you can’t override the Services Command Line but you do have a command line builder in CP with the options below. So the original command line is set to battleye default which would have to be done in the services menu within CP (which I don’t have access to).

Only options that I have are these

-mod "Specify a mod"
-config "enter server.cfg if default is needed"
-world "Changes Default Starting World"
-netlog "enable logging"
-name "sets profile name"

The above use a tick box system and then you fill in the parameters like @xxxx;@yyyy or serverAAAA.cfg etc

I have managed to alter the server.cfg by changing its name and then running that in the command line changer but that’s all so far.

Hope this makes some sort of sense as I am no expert in this field.

Edited by GeeBee, 28 June 2011 - 10:02.


focher

    Corporal

  • Members
  • 99 posts

#6

Posted 28 June 2011 - 12:16

The bug on Dev Heaven is flagged as affecting the Linux server. Can you confirm it actually affects both Linux and Windows? The code shown in the bug doesn't have any apparent OS specific aspect, so just think it's good to confirm.

Xeno

    ACE Team Leader

  • Members
  • 1814 posts

#7

Posted 28 June 2011 - 13:39

It does affect both, Linux and Windows.

Xeno

hellfire257

    Master Gunnery Sergeant

  • Members
  • 1267 posts

#8

Posted 28 June 2011 - 14:52

Thanks for this Dwarden. Will forward...

xjiks

    Corporal

  • Members
  • 71 posts

#9

Posted 28 June 2011 - 15:35

> Immediately rename Your server -config= files to unique filenames!


what about windows "read-only" option for the file instead of renaming ?

Thread Starter
Dwarden

    BI Developer

  • 9646 posts
  • Location: Brno, Czech Republic

#10

Posted 28 June 2011 - 16:34

> It does affect both, Linux and Windows.
>
> Xeno

just remember the script command can read files only inside the game dir,

so please avoid placing game ROOT into ROOT of your system drive !
(i hope no one is dumb enough to actually do that ever)

---------- Post added at 18:16 ---------- Previous post was at 18:14 ----------

> what about windows "read-only" option for the file instead of renaming ?

i don't get how this would do anything
how will flagging the file as read-only prevent the engine from reading the file? :)

did you read the original issue explained ?
the problem is an in-engine script command capable of reading any file within the game's own directory and subdirectories ...
so the simple way out of it is
1. rename the files from default/usual names
2. move them outside the game dir

---------- Post added at 18:34 ---------- Previous post was at 18:16 ----------

>> Summary:
>> move Your -profiles= , -config= and -BEpath= outside Your game/server directory
>> and use unique filenames (yet rename of file not possible for beserver.cfg)
>
> Very alarmed by this BTW! I have a problem with this solution as I rent a dedicated box (GSP) and do not have access to the C drive, only the game directory. If I understand the fix, you are saying we need to place the above files out of the root and place them elsewhere.
>
> Not too clear for a noob!

if you can't place files outside the game dir,
then as i said in the workaround
use a unique filename no-one can figure out ...

i'm fully aware not everyone can move files outside the game dir,
hence why i mentioned both approaches
yet i suggest using a custom -bepath= to move the BE to a uniquely named directory inside the game directory

i suggest to talk to Your host to add support for all newly introduced command-line options into the control panel

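Added example, not written by any poster in this thread or by BI: a small audit of a server launch line against the advice in posts #1, #4 and #10 (paths outside the game directory are best, uniquely named paths inside it are the fallback). The `GUESSABLE` name list and the rule that relative values resolve against the game directory are assumptions of this example.

```python
import ntpath
import re

# Parameters named in the summary of post #1.
AUDITED = ("config", "profiles", "bepath")

# Assumption: default/usual names an outsider would try first (constructed list).
GUESSABLE = {"server.cfg", "serveroa.cfg", "basic.cfg", "basicoa.cfg",
             "beserver.cfg", "battleye", "profiles"}

# "-key=value" quoted as a whole token (as in post #2), or unquoted -key=value.
ARG = re.compile(r'"-(\w+)=([^"]*)"|-(\w+)=(\S*)')


def parse_args(command_line):
    """Return {lower-cased parameter name: value} for each -key=value token."""
    args = {}
    for qk, qv, k, v in ARG.findall(command_line):
        args[(qk or k).lower()] = qv if qk else v
    return args


def _parts(path):
    # Windows paths compare case-insensitively; normpath also collapses "..".
    return [p for p in ntpath.normpath(path).lower().split("\\") if p]


def classify(game_dir, value):
    """Classify one path value relative to the game directory."""
    if value is None:
        return "unset"
    # Assumption: a relative value is resolved against the game directory.
    full = ntpath.join(game_dir, value)
    root, parts = _parts(game_dir), _parts(full)
    if parts[:len(root)] != root:
        return "outside"
    return "inside-guessable" if parts[-1] in GUESSABLE else "inside-unique"


def audit(game_dir, command_line):
    """Map each audited parameter to outside / inside-unique / inside-guessable / unset."""
    args = parse_args(command_line)
    return {name: classify(game_dir, args.get(name)) for name in AUDITED}


if __name__ == "__main__":
    # Constructed sample: default-looking launch line inside c:\arma2server.
    print(audit(r"c:\arma2server", r"-config=server.cfg -name=OA"))
```

With the game directory set to a drive root, every path on that drive classifies as inside, which is the situation post #10 warns against.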


BearBison

    Staff Sergeant

  • Members
  • 253 posts

#11

Posted 29 June 2011 - 20:24

> 2.
> use verifySignatures=2; and v2 signatures on your server
> v2 signatures are supported also in ARMA 2 version 1.10+ and ARMA 2:OA 1.59+!
> http://community.bis...n_on_the_server

Not much good if your dedi doesn't have BAF or PMC installed as only those that don't have them can play as if players have them they get kicked.

Anyone have a fix for this without buying a copy specifically for the server to allow those that have them the ability to join?

Xeno

    ACE Team Leader

  • Members
  • 1814 posts

#12

Posted 30 June 2011 - 01:17

?

BAF and PMC have version 2 signatures too. bi2 signatures. And that's the key you should have on your server if you've updated it correctly.

Xeno

Thread Starter
Dwarden

    BI Developer

  • 9646 posts
  • Location: Brno, Czech Republic

#13

Posted 30 June 2011 - 06:21

You never install BAF or PMC data on a dedicated server! for that, Lite content exists ...



BearBison

    Staff Sergeant

  • Members
  • 253 posts

#14

Posted 30 June 2011 - 19:00

The server doesn't have BAF or PMC installed as it's never needed them and it has the v2 bikey but as soon as we run v2 signature checks anyone that has BAF and/or PMC installed gets kicked for wrong signatures.

If we remove BAF/PMC from our local installs we can connect and play properly, therefore unless I am missing something it looks like that since the server can't check the full BAF/PMC files against anything it kicks the players.

Some examples of the log (never kicks for the same file for the same person):
20:22:59 Player [RIP]joina412: Wrong signature for file baf\addons\tracked_w_baf.pbo
20:25:12 Player [RIP]Tyson: Wrong signature for file baf\addons\shapur_baf.pbo
20:29:15 Player [RIP]welshterrorist: Wrong signature for file baf\addons\wheeled_w_baf.pbo
20:44:31 Player [RIP]BearBison: Wrong signature for file baf\addons\sounds_baf.pbo
20:45:43 Player [RIP]Tyson: Wrong signature for file ca\characters_d_baf\baf_soldier_2_baf.p3d
20:48:02 Player [RIP]welshterrorist: Wrong signature for file pmc\addons\missions_pmc.pbo
20:49:14 Player [RIP]AacAac: Wrong signature for file pmc\addons\modules_pmc.pbo
20:50:42 Player [RIP]joina412: Wrong signature for file ca\characters_d_baf\baf_soldier_2_baf.p3d
20:51:56 Player [RIP] BabylonCome: Wrong signature for file ca\characters_d_baf\baf_soldier_2_baf.p3d
The server files have been checked against my local files and are a complete match (less the BAF and PMC folders as not on server) so how do we fix?

.kju -PvPscene-

    Brigadier General

  • Members
  • 12275 posts

#15

Posted 30 June 2011 - 19:15

tell these players to update their DLC to 1.02 BAF





focher

    Corporal

  • Members
  • 99 posts

#16

Posted 01 July 2011 - 07:29

I have exactly the same problem as BearBison. I get kicked off my dedicated server with v2 enabled for various wrong signatures on BAF/PMC files. I'm using Steam, so pretty sure I have the latest version of both BAF and PMC. Just to be sure, I completely deleted the BAF and PMC folders in the OA root directory. This forced the reinstallation of both when I launched OA. Still get the kick/ban for a wrong signature. It's a different file each time.

Edited by Focher, 03 July 2011 - 01:27.


BearBison

    Staff Sergeant

  • Members
  • 253 posts

#17

Posted 01 July 2011 - 12:40

> tell these players to update their DLC to 1.02 BAF


All players are fully updated, one is a clean install who even tried using the separate patch for the DLC's after the v1.59 patch just in case there was an issue with the combined patch.

Thread Starter
Dwarden

    BI Developer

  • 9646 posts
  • Location: Brno, Czech Republic

#18

Posted 01 July 2011 - 15:32

do you have \Keys\ (this one should not be needed but depends where you have actual profile root) and \Expansion\Keys\

with latest
bi2.bikey
bi.bikey

files?



focher

    Corporal

  • Members
  • 99 posts

#19

Posted 01 July 2011 - 23:15

My profile root is the default. I don't use the -profiles command line when starting the server. I checked the MD5 hashes across all 3 computers for both bi.sgn and bi2.sgn located under the OA root "keys" folder and the "expansion/keys". It's the same for all of them.

bi.bikey - f40916be05b3bfd8bdb860275ce922e3
bi2.bikey - 5b5c9a1e7033150e8ffe7307ce385b25

On both the server and the client, I have both Arma 2 and OA installed through Steam. Have done a Verify Cache multiple times to ensure everything is fine. I then issued the following commands for both client and server to make OA into a CO configuration. Client is launching from Steam.

Spoiler


Server Start Command File
Spoiler


server.cfg
Spoiler


serverbasic.cfg
Spoiler


If I switch back to version 1 signatures, I don't get the error / kick / ban.

Thread Starter
Dwarden

    BI Developer

  • 9646 posts
  • Location: Brno, Czech Republic

#20

Posted 02 July 2011 - 19:05

so i have no idea what's wrong, can You get me a list of all files these players have
\PMC
\BAF

same goes, i need a list of the server files (ideally MD5 hashes included)

also what's your server IP ?
