Re: [OT][hlds_linux] rcon hacking w/out being logged into server?
On Fri, Feb 28, 2003 at 09:13:06AM +1300, Jeremy Brooking wrote:
> On Fri, 2003-02-28 at 08:27, Blaine Kahle wrote:
> > Oh come on. Let's assume you're paranoid and are filtering outbound traffic as well, a somewhat rare practice. I manage to get my software
>
> rare? well yes I suppose it is when you install a 'Packetfilter' like zonealarm and call it a 'Firewall'

Are you addressing this to me, or to the public in general? I am not Joe Home User; I thought I made that clear already.

> But every firewall I've ever administered has either used stateful inspection and/or filtered outgoing traffic.

Stateful inspection is not outbound filtering.

> > installed on one of your inside machines. It connects to port 80 of a computer I control on the outside. Your firewall allows inside computers to connect to port 80 on remote machines, because preventing your boss from surfing the web doesn't fly well with him. However, I'm not running a web server on port 80, I'm running one end of a simple TCP tunnel program, the inside computer acting as the other end. I now have the ability to execute arbitrary commands/software inside your network. And that's just one of the obvious attack methods.
>
> And then we are back to a dmz again. Throw in a cache, problem solved.

Again? A DMZ was not mentioned at all, nor was a proxy or a cache. Please stop introducing new elements into the debate. The situation was machine-firewall-world. There are lots of ways to improve this, yes, but I'm not going to iterate through all of them in an attempt to make myself look knowledgeable. We were discussing why having a range of open ports with no listeners is bad when you have malicious software running behind your firewall.

> > > Just because you've got one compromised system doesn't mean the cracker owns everything. Secure in layers and catch them before they get too far.
> >
> > Of course not. I didn't think I needed to explain all the details to the experts.
> >
> > > Allowing incoming ports that don't always have listeners is bad practice.
> >
> > I didn't say it was a good thing. I said it was a moot point in the case of malicious software already installed, and I've further explained that.
>
> Then we have another issue... An admin that doesn't have his machine tripwired?

Tripwire is a specific product, or rather a line of products. How does the trojaning of a file apply to what we're discussing? New code can be introduced without replacing existing files, or are you proposing that an alarm should be thrown up every time a new file is created on a system? Nancy better not save that word document, lest she get a visit from the Friendly Admin! :)

A better product to detect the attack I described would be a network IDS. Hopefully, it'd recognize executable code, or match some other malicious signature on the packets passing through. If all the insider program needs is instructions on what attack to perform, then things get tougher, as it's hard for an IDS to detect something like "function 01" on the wire as being malicious.

> > This discussion is now rather off-topic for the hlds_linux list, so I encourage anyone wishing to discuss firewall best-practices to email off-list.
>
> Oh you mean like 99% of the traffic on this list?

Just because others do it, doesn't make it right. With that, I end my participation in this thread, which is rapidly deteriorating into masked flames.

--
Blaine Kahle
[EMAIL PROTECTED]
0x178AA0E0

___
To unsubscribe, edit your list preferences, or view the list archives, please visit:
http://list.valvesoftware.com/mailman/listinfo/hlds_linux
Re: [hlds_linux] rcon hacking w/out being logged into server?
Blaine Kahle said:
> Oh come on [snip] ...I now have the ability to execute arbitrary commands/software inside your network.

Yes, there are many things you can do because you've found a vulnerability on a box on my network. The point I am making is that there is one fewer thing you can do if I haven't allowed unnecessary incoming ports - you cannot put up a listener. Listeners allow you to easily control the box without making use of the exploit each time you want to do something. Most times when you can execute arbitrary code with an exploit, it requires an overflow (i.e. crash). While you're trying to figure out how to make your trojan work, somebody is going to notice the server keeps crashing and eventually patch it... hopefully with code that is no longer vulnerable.

If you do business on the Internet, you will be hacked. The point is to slow down the attacker as much as possible so as to minimize the damage. Allowing incoming connections to ports that do not have a specific process listening is something that should be avoided.

-Mad
RE: [hlds_linux] rcon hacking w/out being logged into server?
> On one single server you either allow access to a port or you don't. If you don't then don't have a service running at that port. If you do then the weak point is the application that serves this port and a firewall doesn't help.

Getting people to understand that is just...amazingly difficult. I work for a software company that produces server software that must communicate over two ports at a time, and often through a dynamically assigned range of ports. Yet it amazes me how many people will angrily demand to know why more than one port must be opened on their firewall to that server's IP, since opening a port on the firewall is a security risk.

People, it's not the fact that a port is open that opens you up to attack, but the SOFTWARE that RESPONDS on that port. If you already have that software responding on one or two ports, then why kick and scream when you realize you're going to have to open a range of ports TO THE SAME SOFTWARE. Nothing has changed in your security policy. That software can communicate through the firewall. Whether through one port or one hundred ports, it's only that software that'll be responding on those ports. You are not any more or less secure opening port #100 than you were at port #1.

It's amazing how people--talented, intelligent, experienced people--can have such a tremendous mental block on this issue.

--
Eric (the Deacon remix)
RE: [hlds_linux] rcon hacking w/out being logged into server?
Deacon said:
> Whether through one port or one hundred ports, it's only that software that'll be responding on those ports. You are not any more or less secure opening port #100 than you were at port #1.

When it's on one port or on specific ports, then the software generally sits and listens on those ports, holding them open. Usually when software requires a range, it does not hold them all open at once, but instead uses the ports as required. Because the ports are not held open in listen state, a trojan or other piece of malware could take over one of the ports. Your software might go through its range, find that port unavailable, and try the next one without reporting an error.

Software shouldn't use port ranges. It should use specific ports. Although I agree with you that several ports are OK, so long as the software has control of them all, all the time.

-Mad
Re: [hlds_linux] rcon hacking w/out being logged into server?
On Thu, Feb 27, 2003 at 08:34:18AM -0800, Mad Scientist wrote:
> Deacon said:
> > Whether through one port or one hundred ports, it's only that software that'll be responding on those ports. You are not any more or less secure opening port #100 than you were at port #1.
>
> When it's on one port or on specific ports, then the software generally sits and listens on those ports, holding them open. Usually when software requires a range, it does not hold them all open at once, but instead uses the ports as required. Because the ports are not held open in listen state, a trojan or other piece of malware could take over one of the ports. Your software might go through its range, find that port unavailable, and try the next one without reporting an error.

Moot argument. If you have malicious software running on your trusted network, you're already toast. Firewall-foo will not save you.

--
Blaine Kahle
[EMAIL PROTECTED]
0x178AA0E0
RE: [hlds_linux] rcon hacking w/out being logged into server?
Oops, Yes! Disable rcon and use Adminmod for administration. Plus use a firewall. That otta do it. Too bad we don't have srcon.

-----Original Message-----
From: Eric (Deacon) [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 26, 2003 6:55 PM
To: [EMAIL PROTECTED]
Subject: RE: [hlds_linux] rcon hacking w/out being logged into server?

> Let's get serious here why don't we. The person asking the original question is looking for a way to stop peeps from attempting to crack their rcon password. If you have any other way to stop a person from attempting to crack your rcon password we'd all like to hear it.

Sounds like maybe you'd rather be using HalfD and Admin_Mod/AMX.

--
Eric (the Deacon remix)
Re: [hlds_linux] rcon hacking w/out being logged into server?
Not even if you're running in extra secure mode?

> Moot argument. If you have malicious software running on your trusted network, you're already toast. Firewall-foo will not save you.
>
> --
> Blaine Kahle
> [EMAIL PROTECTED]
> 0x178AA0E0

--
Matt
http://www.playway.net
Re: [hlds_linux] rcon hacking w/out being logged into server?
Blaine Kahle said:
> Moot argument. If you have malicious software running on your trusted network, you're already toast. Firewall-foo will not save you.

If you are already compromised, but there are no available ports for the cracker to make use of, this limits what can be done with your system.

e.g. If you have ports that the malicious user can make use of, they can install an FTP or HTTP server on a non-default port and distribute illegal software over your bandwidth. You might not even notice until your ISP gave you the bandwidth bill. If all your ports are accounted for, the malicious user would have to kill one of your processes to get to a port that will go through the firewall. This will certainly alert you to the problem sooner.

Just because you've got one compromised system doesn't mean the cracker owns everything. Secure in layers and catch them before they get too far. Allowing incoming ports that don't always have listeners is bad practice.

-Mad
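The "all your ports are accounted for" check from the post above, written out as a script. This is an added example and not code from anyone on this list: it compares the sockets a host actually has bound against the list of ports the firewall admits, and reports a port that is admitted but unbound (the hole a trojan could claim), a port bound by a process other than the one it was opened for, and, for completeness, listeners the firewall does not admit at all. The listener table is constructed sample text in the column layout of `netstat -tulpn`; the allow-list, the port numbers and the process names are hypothetical.

```python
"""Check a host's listening sockets against the firewall allow-list.

Added example, not code from anyone in this thread. Every port admitted by
the firewall must be bound by the process it was opened for; anything else
is a finding. SAMPLE_NETSTAT is constructed text in `netstat -tulpn`
layout; ALLOWED is a hypothetical allow-list.
"""
import re
from typing import Dict, List, Tuple

Key = Tuple[str, int]  # (protocol, port)

# Constructed sample listener table (netstat -tulpn layout, Linux).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 0.0.0.0:27015           0.0.0.0:*                           1234/hlds_run
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      456/sshd
tcp        0      0 0.0.0.0:27020           0.0.0.0:*               LISTEN      789/httpd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      321/mysqld
"""

# Hypothetical firewall allow-list: what the firewall admits, and the
# process each hole was opened for.
ALLOWED: Dict[Key, str] = {
    ("udp", 27015): "hlds_run",  # game port, held open by the server
    ("tcp", 22): "sshd",         # admin access
    ("udp", 27016): "hlds_run",  # opened "for later"; nothing binds it
    ("tcp", 27020): "hlds_run",  # one port of a range opened for the server
}

LINE_RE = re.compile(
    r"^(?P<proto>tcp|udp)6?\s+\d+\s+\d+\s+\S+:(?P<port>\d+)\s+\S+\s+"
    r"(?:LISTEN\s+)?(?P<pid>\d+|-)(?:/(?P<prog>\S+))?"
)


def parse_listeners(netstat_text: str) -> Dict[Key, str]:
    """Return {(proto, port): program} for each bound socket in the table."""
    listeners: Dict[Key, str] = {}
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header or an unrecognised line
        # netstat prints "-" for PID/program when run without privileges.
        prog = m.group("prog") or "unknown"
        listeners[(m.group("proto"), int(m.group("port")))] = prog
    return listeners


def audit(listeners: Dict[Key, str], allowed: Dict[Key, str]) -> List[Tuple[str, str]]:
    """Compare bound sockets with the allow-list; return (kind, detail) findings.

    NO_LISTENER: admitted by the firewall but unbound, so any process on the
    host, wanted or not, could bind it and be reachable from outside.
    UNEXPECTED_PROCESS: bound, but not by the process it was opened for.
    LISTENER_NOT_ALLOWED: bound but not admitted; unreachable from outside,
    still worth knowing about.
    """
    findings: List[Tuple[str, str]] = []
    for key, expected in sorted(allowed.items()):
        proto, port = key
        actual = listeners.get(key)
        if actual is None:
            findings.append(("NO_LISTENER", f"{proto}/{port} admitted for {expected}, nothing bound"))
        elif actual != expected:
            findings.append(("UNEXPECTED_PROCESS", f"{proto}/{port} expected {expected}, found {actual}"))
    for key, prog in sorted(listeners.items()):
        if key not in allowed:
            proto, port = key
            findings.append(("LISTENER_NOT_ALLOWED", f"{proto}/{port} bound by {prog}, not admitted by the firewall"))
    return findings


if __name__ == "__main__":
    for kind, detail in audit(parse_listeners(SAMPLE_NETSTAT), ALLOWED):
        print(f"{kind:22} {detail}")
```

On the sample data the script reports udp/27016 as admitted with nothing bound and tcp/27020 as bound by httpd instead of hlds_run; run periodically against real `netstat -tulpn` output it gives the "something took one of my ports" alarm that the post is arguing for, without waiting for the bandwidth bill.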
RE: [hlds_linux] rcon hacking w/out being logged into server?
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Florian Zschocke
> Sent: Wednesday, February 26, 2003 2:43 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [hlds_linux] rcon hacking w/out being logged into server?
>
> Bryan R. Yablonski wrote:
> > I suggest always having a firewall in front of your server. Even simple software firewalls are enough to thwart the actions of fools that try to hack!
>
> Ah, right, the one-saves-all firewall answer. Brilliant idea. Block the hlds port and nobody will be able to hack your rcon. Not that it would matter anymore since nobody is able to connect to your server anymore, either.
>
> > Trust me if a real hacker set their sights on your server you will certainly lose!
>
> Mhm, and a firewall helps sooo much, especially when it is a simple software firewall set up by someone knowing jack about firewalls.
>
> Florian.

I was going to leave that one alone, but Florian is absolutely correct. The only way a firewall would help in this situation is if rcon was on a different port than the actual server, and then you used the firewall to limit access to that port to only certain IPs. And even that will only get you a limited amount of extra security. Alas, rcon is not on a different port. Like Florian said, a firewall isn't a one-saves-all solution.

kev
RE: [hlds_linux] rcon hacking w/out being logged into server?
On Tue, 25 Feb 2003, Eric (Deacon) wrote:
> > So this is normal? Wow. I'm glad I have rcon disabled.
>
> You...have rcon disabled??

if the rcon_password is empty you can't utilize rcon commands from clients or using any other udp connection... if i recall correctly

One other way is to use a password generator.. and generate like a 32 or 64 chars password...

/Bjorn

If there's no such thing as a stupid question, what is this?
Re: [hlds_linux] rcon hacking w/out being logged into server?
Bryan R. Yablonski wrote:

Damn, it's actually over but I'll reply nevertheless.

> Let's get serious here why don't we.

I wasn't joking.

> The person asking the original question is looking for a way to stop peeps from attempting to crack their rcon password. If you have any other way to stop a person from attempting to crack your rcon password we'd all like to hear it.

As has been mentioned, such protection is already built into HLDS.

> From your statements I take it you are suggesting no firewall.

Yup.

> No firewall is like building a house without a front door.

If you really want to carry on with this discussion I'd like to know what FW background you have, because this statement makes me think "yo, I installed ZoneAlarm, that was real easy".

> When you notice a fool attempting to crack your rcon password you can simply block their IP address.

Yes, you can. You can use a firewall to block access to the HLDS port from this specific IP. You then risk that more than this one person cannot access your HLDS since it might be a dynamic IP. That also means that the attacker might simply change IPs and carry on merrily. And last, when will you notice a fool attempting to crack your rcon password? Do you sit in front of your server watching the console 24 hours? The HLDS rcon protection will detect such an attempt immediately. You will probably detect it when it is already too late.

> In response to your scepticism, nobody in their right mind is going to block their halflife UDP port to prevent rcon access and a pro is going to get the password by sniffing traffic to your server.

Correct. Nobody in their right mind would. I suppose what you are talking about is blocking access from a specific IP because blocking access in general would render your HLDS inaccessible and thus useless. I have stated above why blocking one specific IP isn't as safe as you might think. That's why a firewall isn't the correct solution IMHO.

> Lastly, the only way the person is going to learn about firewalls is to get one, read the manual and try it out. It's not freaking rocket science.

It may not be rocket science, but it's not as easy as clickety click some .exe and think that all your problems are solved now.

> In general, a firewall by itself on one computer is completely useless.

From a professional point of view, any firewall by itself is useless. It has to be part of a whole security concept with a well-defined security *policy*. Firewalls are used to protect *networks*, not computers. On one single server you either allow access to a port or you don't. If you don't then don't have a service running at that port. If you do then the weak point is the application that serves this port and a firewall doesn't help.

Don't get me wrong, I am not saying that firewalls in general are useless. But their protection is overrated; nowadays the answer to all network security problems seems to be a firewall, thus creating a dangerous false sense of security. I have a firewall on my router at home. It protects the network behind the router because I have services running between the machines I don't want to be accessed from the Inet. I have a firewall running at work, protecting a network of servers and workstations that need to run services between each other that should not be accessed from the outside or only from trusted hosts.

You may well use a FW to block access to a port from a specific IP, no objection. Just don't think that this will give you lasting security. The attacker may simply use a different IP or spoof his IP and you are back to step one. The usual thing to do would be to allow access from a specific IP which you control, not block it.

Florian.

--
Want to produce professional emails and Usenet postings?
http://www.netmeister.org/news/learn2quote.html
[hlds_linux] rcon hacking w/out being logged into server?
Hello, this is my first post to the list.

I noticed something strange on my server a few minutes ago. Someone was trying to guess my rcon password and execute commands on my dedicated server. They were using passwords like "leet" and "baby" while trying to change SV_GRAVITY to 800. When I typed "users" there was no one logged in! There were no client drop messages or anything to suggest that someone was playing the game.

I have the person's IP address as reported by rcon when the command failed. Any ideas on what's happening? I find it unsettling that rcon may be usable by anyone on the Internet. BTW I've had rcon disabled from the beginning but this is still disconcerting.

Thanks for your help!
-Dave
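The observation in this post, that rejected rcon commands arrive from an address that is not a connected player, is easy to turn into a log check. What follows is an added example, not code from this list or from Valve: it pulls rejected rcon attempts out of HLDS-style log lines, counts them per source address over a sliding time window, and flags sources that exceed a threshold. The log lines are constructed, and the exact `Bad Rcon:` line shape is an assumption about how the server logs a rejected command; verify it against a real server log before relying on the regular expression. The threshold of three attempts per minute is likewise a made-up starting point.

```python
"""Flag source addresses that hammer the rcon password, from HLDS-style logs.

Added example, not code from anyone in this thread. The log lines are
constructed and the "Bad Rcon:" line shape is an assumption about the
server's log format. rcon arrives out of band, so none of the flagged
addresses need to be a connected player.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

Event = Tuple[datetime, str, str]  # (time, source ip, attempted command)

# Constructed sample log: 10.20.30.40 never connects as a player, yet sends
# three rejected rcon commands within four seconds.
SAMPLE_LOG = """\
L 02/26/2003 - 13:59:40: Bad Rcon: "rcon 4132 "leet" sv_gravity 800" from "10.20.30.40:27005"
L 02/26/2003 - 13:59:41: Bad Rcon: "rcon 4132 "baby" sv_gravity 800" from "10.20.30.40:27005"
L 02/26/2003 - 13:59:44: Bad Rcon: "rcon 4132 "qwerty" sv_gravity 800" from "10.20.30.40:27005"
L 02/26/2003 - 14:00:02: "Player<3><STEAM_0:0:12345><>" connected, address "192.0.2.7:27005"
L 02/26/2003 - 14:10:00: Bad Rcon: "rcon 9911 "oops" status" from "192.0.2.7:27005"
"""

BAD_RCON_RE = re.compile(
    r'^L (?P<date>\d\d/\d\d/\d{4}) - (?P<time>\d\d:\d\d:\d\d): '
    r'Bad Rcon: "(?P<payload>.*)" from "(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+"$'
)
# Assumed payload shape: rcon <challenge> "<password>" <command...>
PAYLOAD_RE = re.compile(r'^rcon \d+ "[^"]*" (?P<command>.*)$')


def parse_bad_rcon(log_text: str) -> List[Event]:
    """Extract rejected rcon attempts; the guessed password is deliberately dropped."""
    events: List[Event] = []
    for line in log_text.splitlines():
        m = BAD_RCON_RE.match(line)
        if not m:
            continue  # not a rejected rcon line
        when = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %H:%M:%S")
        p = PAYLOAD_RE.match(m["payload"])
        command = p["command"] if p else "<unparsed>"
        events.append((when, m["ip"], command))
    return events


def detect(events: List[Event], threshold: int = 3,
           window: timedelta = timedelta(seconds=60)) -> Dict[str, int]:
    """Return {ip: peak attempts inside any one window} for sources at or above threshold."""
    per_ip: Dict[str, List[datetime]] = defaultdict(list)
    for when, ip, _command in events:
        per_ip[ip].append(when)
    flagged: Dict[str, int] = {}
    for ip, times in per_ip.items():
        times.sort()
        peak, j = 0, 0
        for i, start in enumerate(times):  # sliding window over sorted times
            j = max(j, i)
            while j + 1 < len(times) and times[j + 1] - start <= window:
                j += 1
            peak = max(peak, j - i + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, count in detect(parse_bad_rcon(SAMPLE_LOG)).items():
        print(f"{ip}: {count} rejected rcon commands inside one minute")
```

The password guesses are parsed past and never stored, so the output can be mailed or fed to a blocklist without leaking what was tried; the one-off typo from 192.0.2.7 stays below the threshold while the burst from 10.20.30.40 is flagged.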
RE: [hlds_linux] rcon hacking w/out being logged into server?
rcon_address would allow them to try rcon commands without being logged into the server.

-----Original Message-----
From: David Rosner [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 26, 2003 2:01 PM
To: [EMAIL PROTECTED]
Subject: [hlds_linux] rcon hacking w/out being logged into server?

Hello, this is my first post to the list.

I noticed something strange on my server a few minutes ago. Someone was trying to guess my rcon password and execute commands on my dedicated server. They were using passwords like "leet" and "baby" while trying to change SV_GRAVITY to 800. When I typed "users" there was no one logged in! There were no client drop messages or anything to suggest that someone was playing the game.

I have the person's IP address as reported by rcon when the command failed. Any ideas on what's happening? I find it unsettling that rcon may be usable by anyone on the Internet. BTW I've had rcon disabled from the beginning but this is still disconcerting.

Thanks for your help!
-Dave
RE: [hlds_linux] rcon hacking w/out being logged into server?
yeah, any program such as hlsw can send rcon commands from outside a client, hence from anywhere on the internet. They still need to authenticate though.

kev

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of David Rosner
> Sent: Tuesday, February 25, 2003 10:01 PM
> To: [EMAIL PROTECTED]
> Subject: [hlds_linux] rcon hacking w/out being logged into server?
>
> Hello, this is my first post to the list.
>
> I noticed something strange on my server a few minutes ago. Someone was trying to guess my rcon password and execute commands on my dedicated server. They were using passwords like "leet" and "baby" while trying to change SV_GRAVITY to 800. When I typed "users" there was no one logged in! There were no client drop messages or anything to suggest that someone was playing the game.
>
> I have the person's IP address as reported by rcon when the command failed. Any ideas on what's happening? I find it unsettling that rcon may be usable by anyone on the Internet. BTW I've had rcon disabled from the beginning but this is still disconcerting.
>
> Thanks for your help!
> -Dave
RE: [hlds_linux] rcon hacking w/out being logged into server?
I suggest always having a firewall in front of your server. Even simple software firewalls are enough to thwart the actions of fools that try to hack! Trust me if a real hacker set their sights on your server you will certainly lose!

-----Original Message-----
From: Brian A. Stumm [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 25, 2003 7:55 PM
To: [EMAIL PROTECTED]
Subject: RE: [hlds_linux] rcon hacking w/out being logged into server?

On Tue, 25 Feb 2003, Eric (Deacon) wrote:
> > So this is normal? Wow. I'm glad I have rcon disabled.
>
> You...have rcon disabled??

I hear it's the latest teen angst thing to do. Wild crazy stuff, ain't it...
RE: [hlds_linux] rcon hacking w/out being logged into server?
> If you knew what a 'hacker' was you wouldn't be saying the above. Linus is a hacker...

Ah, the always evolving concept of language...isn't it lovely? :)

--
Eric (the Deacon remix)
Re: [hlds_linux] rcon hacking w/out being logged into server?
Bryan R. Yablonski wrote:
> I suggest always having a firewall in front of your server. Even simple software firewalls are enough to thwart the actions of fools that try to hack!

Ah, right, the one-saves-all firewall answer. Brilliant idea. Block the hlds port and nobody will be able to hack your rcon. Not that it would matter anymore since nobody is able to connect to your server anymore, either.

> Trust me if a real hacker set their sights on your server you will certainly lose!

Mhm, and a firewall helps sooo much, especially when it is a simple software firewall set up by someone knowing jack about firewalls.

Florian.

--
Want to produce professional emails and Usenet postings?
http://www.netmeister.org/news/learn2quote.html