Author Topic: Rcon Password attempted stolen.  (Read 4161 times)

0 Members and 2 Guests are viewing this topic.

Offline Noey

  • Newbie
  • *
  • Posts: 3
  • Karma: 0
  • Co-owner of Paradox TTT with Ulx
Rcon Password attempted stolen.
« on: February 20, 2017, 03:08:09 PM »
2 days ago on a ttt server that I co-own, 2 guys came on with the same name as players. This was weird for me because they did not have the (1) before their names. I later found out it was a cheat. Both of them Mass RDMed and i banned them. A few minutes later they came back as the same name demanding to mass rdm and they would leave. Me being staff i declined and banned them again. Yet again they come back so i ip banned them. They came back and I was like ok they must have maybe like 1 or two vpns with a few different accounts. I got their ips off the cac anti cheat and when they came back a random time i saw under their names in the cac anti cheat "retrieving rcon password" i banned them both as fast as i could. When they kept re-joining they said, "we have over 100k different accounts and over 100k different ips" and they had a 3rd party program to switch accounts fast. They kept joining like every minute. I had no other choice but to stop the server. (still down right now) I had my discord link in my steam bio and they joined my discord. I talked with them for a few minutes where i learned about their 3rd party programs and all their accounts.

Ive never dealt with anything like this before in my two years of staffing/ using ulx. Can anyone help? Is there anything I can do to the server files to prevent this?
-Noey

Offline Bytewave

  • Respected Community Member
  • Hero Member
  • *****
  • Posts: 718
  • Karma: 116
  • :)
    • My Homepage
Re: Rcon Password attempted stolen.
« Reply #1 on: February 20, 2017, 03:36:56 PM »
I'm going to assume no one in the right mind would pay something odd of $50-150k USD, so the chances are they just have a few accounts with family sharing between them. Your best bet would be to find a family sharing gatekeeping addon (something like this might work, but it's a little on the old side).

Also:
  • Store RCON passwords in your startup command line, not server.cfg or similar.
  • Disable sv_allowupload and sv_allowdownload (note: this breaks sprays, so you'll have to use something like SprayMesh to restore spray functionality).
  • Disable sv_allowcslua if it's on for whatever reason.
  • Check your addons for any backdoors (good candidates would be sketchy Workshop addons or any leaks *cough*).

Other than that, just make sure CAC is up to date and hardened to your liking, and you should be fine. If they manage to continue returning, they've more than likely sicked a group on you, or for some reason have a combined total of $150k USD in games across a ton of Steam accounts.
bw81@ulysses-forums ~ % whoami
Homepage

Offline Noey

  • Newbie
  • *
  • Posts: 3
  • Karma: 0
  • Co-owner of Paradox TTT with Ulx
Re: Rcon Password attempted stolen.
« Reply #2 on: February 20, 2017, 04:13:01 PM »
Thank you for your help <3 they were family sharing accounts btw. Ill remove the rcon password from the server cfg
-Noey

Offline Bytewave

  • Respected Community Member
  • Hero Member
  • *****
  • Posts: 718
  • Karma: 116
  • :)
    • My Homepage
Re: Rcon Password attempted stolen.
« Reply #3 on: February 20, 2017, 04:15:05 PM »
Thank you for your help <3 they were family sharing accounts btw. Ill remove the rcon password from the server cfg
If you were storing it there, I would advise you change it immediately. There's a chance they do have it - CAC may not have caught them in time.
bw81@ulysses-forums ~ % whoami
Homepage

Offline captain1342

  • Full Member
  • ***
  • Posts: 104
  • Karma: 6
  • Quality is our standard
    • Aperture Development - Quality is our standard
Re: Rcon Password attempted stolen.
« Reply #4 on: February 22, 2017, 05:50:00 AM »
For hackers or Multi ACC users I have something else for you: Mostly they don't use VPN they just switch their routers IP with a Restart of it. To prevent something like this you need to range ban them like ban every IP that begins with 89.189 also you should use something like GBan cause you can set it up that acc who got bans on other servers ( like got banned from more then 3 different Servers ) that they are getting automaticly banned from your Server... That could Prevent them from usiing ACC they used on other Servers. Also if you don't use an RCON Access and you access the server console from a web panel you can disable RCON by setting it to "" . Btw i am not sure but i think there was an VPN IP Blacklist which tells you the most common IP's of VPN servers users use to access.

btw a Website where you can Report Steam Accounts as Hacked or Secondary accounts would be nice so you can Perm Ban them all 4ever and to protect that list from stupid hackers they need to use OAuth and must have Played GMod for at least 10 hours
Aperture Development
Quality is our standard

Website - GitHub  - Forum  - Steam  - Discord

Offline Bytewave

  • Respected Community Member
  • Hero Member
  • *****
  • Posts: 718
  • Karma: 116
  • :)
    • My Homepage
Re: Rcon Password attempted stolen.
« Reply #5 on: February 22, 2017, 09:11:16 AM »
-SNIP-
Carpet-banning an entire range of IPs probably isn't a good idea. You end up banning an ISP, or potentially an entire country.

A global banlist/blacklist can also be abused, but I can understand its use.

Disabling RCON, while more secure, limits your ability to remotely control the server; you would need SSH access or similar and a screen or tmux session you could control and detach from at will.

Some people have a legitimate reason to use VPNs. Again, perhaps not the best idea.
bw81@ulysses-forums ~ % whoami
Homepage

Offline MrPresident

  • Ulysses Team Member
  • Hero Member
  • *****
  • Posts: 2728
  • Karma: 430
    • |G4P| Gman4President
Re: Rcon Password attempted stolen.
« Reply #6 on: February 22, 2017, 09:27:02 AM »
Tips for avoiding issues:

1. Harden your server.
     a. Never store your rcon password in your server.cfg
     b. If you don't use RCON, don't have an RCON password at all.
     c. Don't hand out admin to people you don't trust. (Too many servers sell admin for a quick buck)
     d. Make sure your RCON password is hard/impossible to guess or brute force. (An example of an old RCON password I used: r0v493BK0A*jrw7d5fVK
     e. Disable sv_allowupload. There have been known exploits with this.
     f. Make sure sv_cheats and sv_allowcslua are both off.

2. Don't use the workshop.
     a. Workshop addons are automatically updated and any malicious coder can add backdoors whenever they want.
     b. If you want to use something from the workshop, extract the .gma file and install it as a legacy addon. This is easy to do.. google it.

3: Check any addons you download.
     a. Learn what to look for in addons for backdoors and vet any addons you download before installing them.

4. Really, don't use ANY addons that were made by someone else.
     a. I realize this isn't possible for some people, but in a best case scenario, you or someone you trust would make all of your addons.

5. NEVER give access to your admin panel or remote desktop to ANYONE.
     a. Learn enough about how to install addons and stuff yourself so you don't have to give access to other people.
     b. If you have a VPS or Dedicated server, you can grant screensharing with someone using something like Team Viewer so that you can see what they're doing.


This is just what I could think of on the spot. I'm sure there are more.

The point I am trying to make is, I've had gmod servers of all kinds (Dedicated, Shared, Personal, etc) for 10 years now, and I have never once had any issues with getting 'hacked' or anything like that. You just have to be smart.

Last case: If someone is DDoSing you or griefing you and they won't give up, sometimes the best thing to do is just shut down the server for a day or so. They are only doing it to get a reaction from you. If you take that away from them, they will get bored and move on to someone else. This actually has happened to me a few times in the last few years, and sometimes it's what has to be done.
« Last Edit: February 22, 2017, 09:30:12 AM by MrPresident »