
  • "abusalem2099" started this thread


1

Sunday, July 25th 2010, 6:35pm

[Request] Anti Flood plugin for cod4 server ?

Hi guys,
sorry, I am not sure which section is the right one for this thread ...

In CoD4 servers, it's becoming more frequent that hackers are adding anti-rcon functions (called DDoS attack or network attack). What these functions do is send rcon commands to the server, blocking RCON by flooding the server with these commands so it's unresponsive for hours. What I'm asking for is a plugin that reads the console log of the server to look for bad rcon commands. They are always noted in the console log as

    Bad Rcon from (IP)
    (command sent)

The IP is that of the person who sent it and the command shows what they sent. Could someone make a plugin that counts these and, after a certain number of times, issues a kick or ban for this connection?

So guys, I need your help ...
It's very important for me and would be a very, very useful plugin ...

This post has been edited 5 times, last edit by "Dennis" (Aug 6th 2010, 6:09am)
Reason: IP-Address removed.


Dennis

ManuAdminMod.de Staff


2

Sunday, July 25th 2010, 7:13pm

Don't think it's useful for many people, never had problems like that.
Anyway, I don't really know how to realize such a plugin ... And I don't think we've got someone here to do that ...

  • "abusalem2099" started this thread


3

Monday, July 26th 2010, 6:01am

Well, I am an esports head admin for a whole country, and my servers are the only good servers in that area (many, many players from 10 different countries play on our servers!),
so every cheater I ban on certain evidence and pass the ban on to PBBans or GGC, his first act is that flooding!
You maybe don't know this problem, but I face it every 3 days!
More explanation:
We know that a CoD4 server is a regular server that can send and receive data, so the cheater floods the server by sending thousands of bad RCONs in a minute for two reasons:
1- to prevent admins from banning him when he uses a clearly known multihack or aimbot.
2- to ruin a match on one of my clan war servers by flooding the server, sometimes resulting in lag for the server!

So it is a known problem! (want me to flood your server? xD)

What I ask for here is a simple plugin to prevent and block certain IPs or connections from sending bad commands.

Thank you.

This post has been edited 1 time, last edit by "abusalem2099" (Jul 26th 2010, 6:06am)


Dennis

ManuAdminMod.de Staff


4

Monday, July 26th 2010, 12:58pm

Well, but I don't think we've got any more such special people with these needs ... maybe you'll find someone who can code that, but I don't think so.

Anyways:

Quoted:
"(want me to flood your server?)"

Try it, you get it all back ;P

Frazze

Trainee


5

Monday, July 26th 2010, 1:46pm

Can confirm this. Happened more than once to my servers too. There are tools written just for this DoS attack.
What I did was clean up the log files so only the bad connection attempts were left, wrote an abuse mail with all the needed information to the guys' ISPs and blocked their IP(-range) via iptables.

After a few hours I got replies from their ISPs saying they had started legal action against the DoS'ers :P


Of course this is not the way to go if you're having this sort of problem every day. Then I would suggest you let "fail2ban" (google it) monitor your logfiles and let it ban those IPs for you automatically. Furthermore you can search for scripts which will automatically write and send abuse reports to the IP's ISP too (I know there are, seen some on the Hetzner forums).

This post has been edited 1 time, last edit by "Frazze" (Jul 26th 2010, 1:46pm)



Dennis

ManuAdminMod.de Staff


6

Monday, July 26th 2010, 1:54pm

Fail2Ban is great! Recommend it!

  • "abusalem2099" started this thread


7

Wednesday, July 28th 2010, 10:57am

Thank you guys for the info.
And what I need is a script to auto-ban these IPs.
Btw, I already have fail2ban but never tested it ... My question: is "B3" required in order to run fail2ban??

Thank you again :)

This post has been edited 1 time, last edit by "abusalem2099" (Jul 28th 2010, 10:58am)


Dennis

ManuAdminMod.de Staff


8

Thursday, July 29th 2010, 9:21am

If you mean this bot, I don't know why it should be needed?


9

Thursday, August 5th 2010, 8:58pm

I have found a patch that fixes the hackers' ability to hack the rcon and stuff; hook me up on Xfire to get it: daktoaboul123.

// EDIT by Staff:
Use it at your own risk!

This post has been edited 2 times, last edit by "Dennis" (Aug 6th 2010, 6:10am)
Reason: Warning added.


Frazze

Trainee


10

Sunday, August 8th 2010, 8:37pm

This is no fake!
Rcon stealer was released a few days ago....

http://www.securityfocus.com/archive/1/a…/100/0/threaded

There are tools to do the stuff for you....
I would love to see the fix please... found one for Windows and one for Linux, but the Linux one is a little bit ehm..

What will help:
- If you don't need sv_allowdownload, set it to 0; this will make the server secure.
- If you need it to be enabled, rename your server.cfg to something really strange, as the exploit needs a modified cod4 executable which will allow you to use ingame commands like "/download FILE"

This is no joke.... I've got a feeling that this will be getting very popular in a few days... -.- And I hope this fucking directory traversal exploit is limited somehow to the cod4 directory... even if inside the PoC there is an example with other server files -.-

Dennis

ManuAdminMod.de Staff


11

Monday, August 9th 2010, 10:22am

Wrong link? May 2008 and nothing about Call of Duty? oO

This post has been edited 1 time, last edit by "Dennis" (Aug 9th 2010, 10:23am)


Frazze

Trainee


12

Monday, August 9th 2010, 1:10pm

Nope.... the first of the two exploits was released in 2008; the second one can still be abused, but most people didn't know of it. Now a PoC tool has been released, making exploitation very easy.

This post has been edited 1 time, last edit by "Frazze" (Aug 9th 2010, 1:11pm)


Dennis

ManuAdminMod.de Staff


13

Monday, August 9th 2010, 8:29pm

Well, Call of Duty wasn't mentioned directly, only other games based on that engine. Are you sure there is a security problem? You could open a new thread that I can sticky, because that would be important. You could write one in the English and another one in the German forums, just explaining the problem, how to fix it, etc.

Luk

Professional


14

Friday, September 3rd 2010, 6:24pm

Two seconds ago, my server got flooded, too. I've successfully banned the IP by looking into the console_mp.log. Does someone have a link to the fail2ban plugin? That would be great :)

Dennis

ManuAdminMod.de Staff


Luk

Professional


16

Friday, September 3rd 2010, 9:46pm

Well, I already have fail2ban running, but someone talked about parsing the console_mp.log or something similar to find rcon spammers, and the tutorial does not say how to block them.... :(

Frazze

Trainee


17

Saturday, September 4th 2010, 1:01am

Tell f2b the path to the games_mp.log file and write a matching regex for the "bad rcon" error message (which you then tell f2b so it can parse the logfile, of course).
The regex should look somehow like "Bad Rcon from \(<IP>\)". Have a look at this site to write a correct regex: http://www.regenechsen.de/phpwcms/index.php?regex_allg

This post has been edited 1 time, last edit by "Frazze" (Sep 4th 2010, 1:03am)


Luk

Professional


18

Saturday, September 4th 2010, 5:23pm

So I guess you didn't finish it for fail2ban, huh? Oh man.......reading so much for such a "little" thing.....

EDIT: This is really heavy stuff. Doesn't anybody have an example for searching through the console_mp.log? :(

This post has been edited 1 time, last edit by "Luk" (Sep 4th 2010, 5:29pm)


Steffen

Trainee


19

Saturday, September 4th 2010, 5:54pm

I think this is what it looks like.
Bad rcon from 88.153.89.123:-3874:
g_password
Bad rcon from 78.55.56.41:-11790:
g_password


Frazze

Trainee


20

Saturday, September 4th 2010, 6:47pm

The only "heavy stuff" will be the regex, the rest is editing the f2b config files. And the regex really should be "Bad rcon from <IP>". Check how f2b handles IPs; if I remember right it detects them and you can simply use the <IP> tag...
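As an added example (not from this thread, fail2ban or ManuAdminMod), here is the count-per-IP-and-ban logic the thread asks for, run over constructed log lines in the `Bad rcon from <ip>:<port>:` format Steffen posted; the same pattern is given as a fail2ban filter line, where the tag for the address is `<HOST>`. The game port 28960 and the use of iptables to drop the flood are assumptions.

```python
import re
from collections import Counter

# Line format as shown in the thread: "Bad rcon from <ip>:<qport>:" followed
# on the next line by the rejected command (e.g. "g_password"). CoD4 prints
# the port field negative in these lines, so the minus sign is optional.
BAD_RCON_RE = re.compile(
    r"^Bad rcon from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):-?\d+:\s*$", re.IGNORECASE
)
# The same pattern as a fail2ban filter line (fail2ban uses <HOST> for the IP):
#   failregex = ^Bad rcon from <HOST>:-?\d+:\s*$

# Constructed sample log; IPs are documentation ranges, not real attackers.
SAMPLE_LOG = """\
Bad rcon from 198.51.100.7:-3874:
g_password
Bad rcon from 203.0.113.9:-11790:
g_password
Bad rcon from 198.51.100.7:-3874:
g_password
Bad rcon from 198.51.100.7:-3874:
g_password
Bad Rcon from 198.51.100.7:-3874:
rcon status
Bad rcon from 203.0.113.9:-11790:
g_password
"""

def count_bad_rcon(log_text: str) -> Counter:
    """Count 'Bad rcon' lines per source IP; the command lines are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        m = BAD_RCON_RE.match(line)
        if m:
            counts[m.group("ip")] += 1
    return counts

def offenders(log_text: str, threshold: int) -> list:
    """IPs whose count reaches the threshold, most frequent first."""
    return [ip for ip, n in count_bad_rcon(log_text).most_common()
            if n >= threshold]

def iptables_drop_rule(ip: str, port: int = 28960) -> str:
    """Build (not run) an iptables rule dropping UDP from ip to the game port (assumed 28960)."""
    return f"iptables -A INPUT -s {ip} -p udp --dport {port} -j DROP"

if __name__ == "__main__":
    for ip in offenders(SAMPLE_LOG, threshold=3):
        print(iptables_drop_rule(ip))
```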
