primus Apprentice
Joined: 07 Jun 2003 Posts: 230
|
Posted: Mon Aug 04, 2003 12:39 pm Post subject: dedicated gaming server security |
|
|
hey all,
i am setting up a dedicated game server for games like neverwinter, quake, etc... and i was wondering if there are any specific security measures i should be taking?
i will be using the box for nothing besides the dedicated server, so there will not be anything on there personal, or that i would mind losing. though, i don't really want to have to re-install, so i was wondering if there was anything i should do to prevent people from hacking it, or whatnot?
the server will be run on a college campus, and not be accessible to the outside world.
thanks for the help all. _________________
$japh=qq/62D112U107N106E28D89U104N109E89 D86U96N102E14D77U87N106E96D12U68N95E98 D102U101N101E/;
map { $i++ while chop; push (@dune,$i); undef $i; } split /[eE]/;
map { print chr ${\(shift(@dune) + $_)}; } split /[DUNE]/,$japh;
|
|
|
|
cchapman Guru
Joined: 16 Jan 2003 Posts: 440 Location: Fremont, NE
|
Posted: Mon Aug 04, 2003 2:37 pm Post subject: |
|
|
Leave only the services that you need running. Otherwise leave them off. A good idea would be to only enable game server and sshd. |
|
|
|
abrand15 n00b
Joined: 18 Jul 2002 Posts: 38 Location: Providence, TX USA
|
Posted: Mon Aug 04, 2003 3:52 pm Post subject: Quake II |
|
|
I'm not sure about all versions of Quake, but there are 2 possible exploits I know of for Quake II:
1) Quake II Server Spoof
2) id Software RCON exploit
The first one, a client can connect to a server using a spoofed port (the same that the game is running on). This will give them full control of the game server. I use the following IPTables line to guard against it:
Code:
iptables -A INPUT -i eth0 -p udp --sport 27910 --dport 27910 -j DROP
You would, of course, need to change the port number for your server.
The second, if someone at id Software (or someone who spoofed one of their IP addresses) connects, they will get full RCON access and will not be logged. I use the following IPTables line to guard against it:
Code:
iptables -A INPUT -i eth0 -s 192.246.40.0/24 -p all -j DROP
Hope this helps. |
|
|
|
primus Apprentice
Joined: 07 Jun 2003 Posts: 230
|
Posted: Mon Aug 04, 2003 3:57 pm Post subject: |
|
|
awesome! thanks for the input all, once i get it up and going, i will test out these fixes... and as for the services, i think i will only have sshd and possibly ftp... using pure-ftp (which i hear is very secure).
thanks again!
|
|
|
|
devon l33t
Joined: 23 Jun 2003 Posts: 943
|
|
|
|
cchapman Guru
Joined: 16 Jan 2003 Posts: 440 Location: Fremont, NE
|
Posted: Fri Aug 08, 2003 9:14 pm Post subject: |
|
|
I would advise against FTP... Unless you have a compelling need for it I would leave it off by default and turn it on only when you need it. |
|
|
|
uzik Apprentice
Joined: 17 Apr 2003 Posts: 257
|
Posted: Fri Aug 08, 2003 10:32 pm Post subject: |
|
|
Install IPTABLES and implement a firewall. Only allow traffic from
computers on your list of allowed users. Don't install anything on
it you don't need, since it might have a security hole. |
|
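As an added example (not part of any post in this thread): a shell function that prints, without applying, an INPUT ruleset combining the advice so far: default drop, the same-port UDP drop rule from abrand15's post, and game and sshd access only from an allowlist as uzik suggests. The interface, port, source addresses and the conntrack match are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: prints (does not run) an INPUT policy for a game-only box.
# IFACE, the port and the source addresses used below are constructed samples.
# Typical use after reviewing the output, as root:
#   gen_rules 27910 10.1.2.0/24 10.1.3.7 | sh

IFACE="${IFACE:-eth0}"

# gen_rules GAME_PORT SRC [SRC...]
# Emits iptables commands on stdout; returns 1 on invalid arguments and
# prints nothing in that case, so a bad list never yields a partial ruleset.
gen_rules() {
    port="$1"
    [ "$#" -ge 2 ] || { echo "usage: gen_rules PORT SRC..." >&2; return 1; }
    shift
    case "$port" in
        ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] \
        || { echo "bad port: $port" >&2; return 1; }
    for src in "$@"; do
        # Accept only dotted-quad addresses with an optional /prefix.
        printf '%s\n' "$src" \
            | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' \
            || { echo "bad source: $src" >&2; return 1; }
    done

    echo "iptables -F INPUT"
    echo "iptables -P INPUT DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # Same-port rule from the thread, placed before any ACCEPT so that an
    # allowlisted source address cannot bypass it.
    echo "iptables -A INPUT -i $IFACE -p udp --sport $port --dport $port -j DROP"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for src in "$@"; do
        echo "iptables -A INPUT -i $IFACE -s $src -p udp --dport $port -j ACCEPT"
        echo "iptables -A INPUT -i $IFACE -s $src -p tcp --dport 22 -j ACCEPT"
    done
}
```

With the policy set to DROP, traffic from any subnet not on the list never reaches the game port or sshd, so the host you administer from has to be on the list before the rules are applied.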
|
|
elzbal Guru
Joined: 31 Aug 2002 Posts: 364 Location: Seattle, WA, USA
|
Posted: Fri Aug 08, 2003 10:38 pm Post subject: |
|
|
If you want to be really anal, configure the server to run the game in a chroot jail.
Some games (Quake2, any game running on the Unreal/UT engine, others) have known exploits. If I was running any game with a known exploit, I would definitely run the game in a chroot jail. |
|
|
|
fragbert Tux's lil' helper
Joined: 18 Apr 2003 Posts: 75 Location: Dallas, TX
|
Posted: Sat Aug 09, 2003 3:04 am Post subject: |
|
|
elzbal wrote: | If you want to be really anal, configure the server to run the game in a chroot jail.
Some games (Quake2, any game running on the Unreal/UT engine, others) have known exploits. If I was running any game with a known exploit, I would definitely run the game in a chroot jail. |
I agree. At the *very* least, you should not run these services as root. Game servers are well known for being written without regard to security, so be aware your box may be compromised at any time. Your security policy, imho, should be to consider the box as if anyone in your Uni could open up a shell on it. Therefore, you should get rid of all the suid root programs you can (see the Gentoo Security guide) and possibly run with the grsecurity use flags, the goal being to minimize the damage they can do to/with the machine once they're in.
Best of luck,
Michael |
|
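As an added example (not part of fragbert's post): one way to keep track of the setuid programs mentioned above is to compare what is on disk against a reviewed allowlist. The function name, the allowlist file and its one-path-per-line format are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: report setuid files that are not on a reviewed allowlist.
# Typical use as root, with a hypothetical allowlist path:
#   suid_audit / /etc/suid.allow

# suid_audit ROOT_DIR ALLOWLIST_FILE [OWNER]
# Prints the path of every setuid regular file owned by OWNER (default: root)
# under ROOT_DIR, staying on one filesystem, that is not listed verbatim in
# ALLOWLIST_FILE (one absolute path per line).
# Returns 0 if nothing unexpected was found, 1 if something was, 2 on bad args.
suid_audit() {
    root="$1"; allow="$2"; owner="${3:-root}"
    [ -d "$root" ] && [ -r "$allow" ] \
        || { echo "usage: suid_audit DIR ALLOWLIST [OWNER]" >&2; return 2; }

    # grep -Fxv drops exact whole-line matches against the allowlist;
    # "|| true" keeps an empty result from counting as an error.
    unexpected=$(find "$root" -xdev -type f -user "$owner" -perm -4000 -print \
                     2>/dev/null | sort | grep -Fxv -f "$allow" || true)

    [ -n "$unexpected" ] || return 0
    printf '%s\n' "$unexpected"
    return 1
}
```

Anything the function prints is a candidate for `chmod u-s` or removal if the game box does not need it; run from cron, a non-zero exit also flags a setuid file that appeared after the box was set up.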
|
|
siti Tux's lil' helper
Joined: 05 May 2003 Posts: 118 Location: Canterbury, New Zealand
|
Posted: Sat Aug 09, 2003 3:39 am Post subject: |
|
|
If you run grsecurity and put strict acls on the game servers then even if someone does exploit the game servers they cannot do much! |
|