
Cheat Protection Mode ON/Off


asphyx


If you want to be certified by the ESL as a hoster, you must provide customers with a web interface that supports the aforementioned Protection Mode, so that the server will be classified as safe. Each interface is different. It is the responsibility of the web interface developers to build a solution for their special case.

 

In the following, I propose a policy for the Protection Mode and an important feature for the tcadmin panel.

 

Goal:

The server that is reached at the specified address (IP:Port) shall have loaded no server tools other than eslplugin and the server tool zBlock.

 

Attack paths which may not work:

1. Upload into the protected directory:

The user may not be able to load server tools into the directories of the protected server and run them from there.

 

2. plugin_load:

The command "plugin_load" is blocked on the running server. It should also be noted that the *.so files on the server can be manipulated so that the command runs under a name such as "plg1n_load". Beyond switching off the command, it must therefore be ensured that the user cannot change the *.so files of the server.

 

3. Modification of the executable files:

Using an FTP client and an editor, changes can be made to the startup scripts, binaries and running *.so files in the /bin folders of the server. Furthermore, one can not make these changes with server tools like SourceMod and Event Script.

These changes have to be either reversed or prevented from the outset on both the protected and the unprotected servers.

 

4. (Reverse) shells:

Some shells may provide server tools with which one can start processes from the game server process in isolation. These processes must be completed at the start of the Protected mode for normal users.

 

5. Consequences of points 3 and 4:

An unprotected server compromised according to point 3 or 4 can also build a firewall through a reverse shell. If this is not recognized at the start of the Protected mode, one can show the address of the protected server with an unprotected one.

An assignment of the address can also be achieved with infinite loops and cron jobs.

Therefore all unwanted processes and cron jobs of the user of the unprotected server must be completed before the protected server is started. It may not be possible that the address is used by a process other than the protected one.

 

Possible measures:

The following measures need not all be implemented. They are simply a list of things with which one can reach the goal.

 

Strict Chmod

Access restrictions on FTP servers and file filters

Process and port control

Prohibit the command plugin_load

Review of critical server files at each server start, both in Protected Mode and in Unprotected Mode

Kill, without differentiation, all processes of unprotected users at the start of the Protection Mode

The servers are run by different users. Under no circumstances should a user with root or sudo privileges run the processes.

A separate chroot for each game server process

 

 

 

Note to Editors:

There is no effective action against shell plugins. In extreme cases this could be exploited to attain root through outdated packages or the kernel. It must therefore be ensured that the server is not vulnerable to known exploits from the inside.

 

 

It would be good if this were possible in the future in the tcadmin control panel... a button in the control panel to switch cheat protection on and off for EPS Server, Half-Life 1 and Half-Life 2 servers (for example CS, CSS, DOD:S etc.)

 

Sorry if I made some mistakes in the technical terms/grammar of my English!

 

regards asp
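
The "review of critical server files" measure from the list above can be run as a pre-start integrity check that also catches uploads into protected directories (points 1 to 3). This is an added example, not part of the original post or of TCAdmin; the directory names, file names and sample file contents are constructed assumptions.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Assumed layout (hypothetical names): everything under these paths must match the baseline.
PROTECTED_DIRS = ("bin", "addons")
PROTECTED_FILES = ("start.sh",)

def fingerprint(path):
    """SHA-256 of a regular file; symlinks are recorded by target, never followed."""
    if path.is_symlink():
        return "symlink:" + os.readlink(path)
    return hashlib.sha256(path.read_bytes()).hexdigest()

def snapshot(root):
    """Map relative path -> fingerprint for every file in the protected paths."""
    root = Path(root)
    candidates = [root / name for name in PROTECTED_FILES]
    for d in PROTECTED_DIRS:
        if (root / d).is_dir():
            candidates.extend((root / d).rglob("*"))
    return {p.relative_to(root).as_posix(): fingerprint(p)
            for p in candidates if p.is_symlink() or p.is_file()}

def verify(root, baseline):
    """Compare the tree against a baseline kept where the customer cannot write."""
    current = snapshot(root)
    return {
        "modified": sorted(f for f in baseline if f in current and current[f] != baseline[f]),
        "missing": sorted(f for f in baseline if f not in current),
        "unexpected": sorted(f for f in current if f not in baseline),
    }

def may_start_protected(report):
    return not any(report.values())

def demo():
    """Constructed sample tree: take a baseline, then tamper as points 1 and 2 describe."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "addons").mkdir()
        (root / "bin" / "engine.so").write_bytes(b"\x7fELF constructed plugin_load\x00")
        (root / "start.sh").write_text("#!/bin/sh\nexec ./bin/server\n")
        baseline = snapshot(root)
        clean = verify(root, baseline)
        (root / "bin" / "engine.so").write_bytes(b"\x7fELF constructed plg1n_load\x00")  # point 2
        (root / "addons" / "tool.so").write_bytes(b"\x7fELF constructed")  # point 1
        return clean, verify(root, baseline)
```

The panel would call `verify` before every start and refuse Protected Mode unless `may_start_protected` returns true; any reported file can be restored from a clean copy, which matches the post's "reversed or prevented" requirement.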
