Official Soldat Forums

Server Talk => Server Help => Topic started by: elMorvano on April 01, 2014, 08:35:35 am

Title: Flooding attack
Post by: elMorvano on April 01, 2014, 08:35:35 am
Hey guys, a few times a very bad guy has tried to crash our server:

14-04-01 09:27:00 Admin disconnected (93.114.43.179).
14-04-01 09:27:00 Admin disconnected (93.114.43.179).
14-04-01 09:27:00 Admin disconnected (93.114.43.179).
14-04-01 09:27:00 Admin disconnected (93.114.43.179).
14-04-01 09:27:00 Admin disconnected (93.114.43.179).

Afterwards the server takes 98% of the processor and it's impossible to join.
Do you know this IP?
Do you know a way of protecting against this? Something other than iptables?
Title: Re: Flooding attack
Post by: Akinaro on April 01, 2014, 08:52:16 am
It seems like a random IP; looking at Google I see that this IP shows up a few times as a forum spam bot.
I had in my database only: 93.114.43.141 with nicks: Major, x-Aro-x, Jeben and a few other Majors.

It's a "hole" in Soldat security... For the past few years I tried lots of things to block it... nothing.
Title: Re: Flooding attack
Post by: darDar on April 01, 2014, 08:54:41 am
> 14-04-01 09:27:00 Admin disconnected (93.114.43.179).
> 14-04-01 09:27:00 Admin disconnected (93.114.43.179).
> 14-04-01 09:27:00 Admin disconnected (93.114.43.179).
> 14-04-01 09:27:00 Admin disconnected (93.114.43.179).
> 14-04-01 09:27:00 Admin disconnected (93.114.43.179).
Since it says "Admin disconnected" this guy obviously has your admin login or port.
It would say "Admin failed to connect" otherwise, if I'm right. (?)
Change your adminlog or port and see if it is getting better. He is located in Romania.

Install this on your machine:
fail2ban
Title: Re: Flooding attack
Post by: Bonecrusher on April 01, 2014, 09:07:36 am
http://nixcraft.com/showthread.php/1427-Iptables-block-ip-address
Title: Re: Flooding attack
Post by: Akinaro on April 01, 2014, 09:28:35 am

> Since it says "Admin disconnected" this guy obviously has your admin login or port.
> It would say "Admin failed to connect" otherwise, if I'm right. (?)
> Change your adminlog or port and see if it is getting better. He is located in Romania.

No, it doesn't have logins.
There is an app called [don't even think that I'll give you the name] that... crashes Soldat servers. It's a pain in the A$$ that almost everyone can use it. It's so simple that you just need to write [something] to crash it...
Title: Re: Flooding attack
Post by: elMorvano on April 01, 2014, 09:31:29 am
> 14-04-01 09:27:00 Admin disconnected (93.114.43.179).
> 14-04-01 09:27:00 Admin disconnected (93.114.43.179).
> 14-04-01 09:27:00 Admin disconnected (93.114.43.179).
> 14-04-01 09:27:00 Admin disconnected (93.114.43.179).
> 14-04-01 09:27:00 Admin disconnected (93.114.43.179).
> Since it says "Admin disconnected" this guy obviously has your admin login or port.
> It would say "Admin failed to connect" otherwise, if I'm right. (?)
> Change your adminlog or port and see if it is getting better. He is located in Romania.
>
> Install this on your machine:
> fail2ban

(15:57:06) Admin failed to connect (x.x.x.x).
(15:57:07) Admin disconnected (x.x.x.x).
That is when I tried to connect with a bad PW.
Title: Re: Flooding attack
Post by: skrX on April 01, 2014, 09:54:39 am
bug?
Title: Re: Flooding attack
Post by: Xestor on April 01, 2014, 10:08:08 am
Isn't it called a DDoS?
Title: Re: Flooding attack
Post by: Akinaro on April 01, 2014, 10:09:48 am
DDoS (Distributed Denial of Service) attacks are sent by two or more persons, or bots.
Title: Re: Flooding attack
Post by: elMorvano on April 01, 2014, 01:13:58 pm
(19:43:52) Admin failed to connect (79.141.166.25).
(19:43:52) Admin failed to connect (79.141.166.25).
(19:43:52) Admin failed to connect (79.141.166.25).



Someone tried to log in and I checked the processor: 98%. Afterwards I turned the server off and on again. It shows:

14-04-01 13:59:12 Admin disconnected (79.141.166.25).
14-04-01 13:59:12 Admin disconnected (79.141.166.25).
14-04-01 13:59:12 Admin disconnected (79.141.166.25).
14-04-01 13:59:12 Admin disconnected (79.141.166.25).

I changed my adminlog to a 'very hard' version. Very strange... I also changed the PW to my VPS.
Title: Re: Flooding attack
Post by: Akinaro on April 01, 2014, 01:17:17 pm
Changing the pass doesn't help here; this app that crashes servers uses just the IP of your server, it doesn't need anything else. That's why it's so damn hard to block it, especially if the attacker can change IP.
Title: Re: Flooding attack
Post by: elMorvano on April 01, 2014, 01:21:22 pm
Yeah, but it looks like he knows my password :o Btw, what about changing AdminPassword='' - without a password nobody can join as admin?

Btw, probably this attacker reads this topic, because I didn't block the previous IP and he changed it anyway. Before, he always attacked with the same IP.
Title: Re: Flooding attack
Post by: Akinaro on April 01, 2014, 01:28:57 pm
It's not that he's trying to log in as an admin; this app is for crashing servers using a security bug in Soldat, it sends more than 10 fake admin login requests to the server. Such a massive amount of logins to one port creates huge lag that crashes your server.

I had this a few times, I even have this app, trying to find a solution for this and nothing. Only blocking the IP can help, but only for one IP... if the attacker can change his address... you can only wait until he gets bored...
Title: Re: Flooding attack
Post by: elMorvano on April 01, 2014, 05:52:32 pm
A 4th IP attacked us :D Hosting: Kaia and Voxility
Title: Re: Flooding attack
Post by: Shoozza on April 02, 2014, 01:18:17 am
I didn't see that kind of flood attack yet though, thanks for sharing!

I hope we will find time to improve the flooding protection after 1.6.7.
Title: Re: Flooding attack
Post by: Szaman on April 05, 2014, 04:12:52 pm
> I didn't see that kind of flood attack yet though, thanks for sharing!
>
> I hope we will find time to improve the flooding protection after 1.6.7.

Yeah...
http://bugs.soldat.pl/view.php?id=487 (reported in december 2013...)
Title: Re: Flooding attack
Post by: dominikkk26 on April 05, 2014, 05:24:58 pm
I do not know if I'm doing right by writing this to you, but yes, you can block servers using two programs known to me:
- *****
- *****

------
Delete post
Title: Re: Flooding attack
Post by: dominikkk26 on April 05, 2014, 05:26:00 pm
If you want security, change your port or IP yourself, and best of all the name, so a hacker could not find it so quickly.
Title: Re: Flooding attack
Post by: Szaman on April 06, 2014, 10:49:38 am
Yeah... great solution :D Maybe let's secure the server by turning it off? ;)
Title: Re: Flooding attack
Post by: Bonecrusher on April 07, 2014, 12:41:57 am
Just direct all your troubles to your host, he should be able to sort it out in no time.
Title: Re: Flooding attack
Post by: Szaman on April 07, 2014, 04:34:00 am
@Bonecrusher - but we are now talking about people who host Soldat servers themselves. What should they do?
Title: Re: Flooding attack
Post by: Bonecrusher on April 07, 2014, 05:03:16 am
I suppose there is a firewall in almost every modern router; it may take a while to block all the different IPs but it's possible.

example: http://www.dslreports.com/forum/r19798124-Creating-router-firewall-rules-to-block-IP-addresses
Title: Re: Flooding attack
Post by: Szaman on April 07, 2014, 05:05:45 am
OK, you can. But we are trying to find some universal (semi-)automatic solution for that problem.

Btw, can someone confirm that the admin port (TCP) is NOT used during normal gaming? I mean, if you play, do you use only UDP communication?
Title: Re: Flooding attack
Post by: Bonecrusher on April 07, 2014, 05:15:45 am
You can block TCP and you will not be able to connect via admin programs. You will be able to join the server and play though.
Title: Re: Flooding attack
Post by: Szaman on April 07, 2014, 05:21:14 am
OK. Thanks for info :)
Title: Re: Flooding attack
Post by: Bonecrusher on April 07, 2014, 05:44:40 am
Not sure if it will prevent flooding attacks, you will have to test it.
Title: Re: Flooding attack
Post by: Szaman on April 07, 2014, 05:57:42 am
Afaik those attacks are via TCP. So blocking the TCP port should prevent them.
Title: Re: Flooding attack
Post by: jrgp on April 07, 2014, 09:39:27 pm
> Hey guys, a few times a very bad guy has tried to crash our server:
>
> 14-04-01 09:27:00 Admin disconnected (93.114.43.179).
> 14-04-01 09:27:00 Admin disconnected (93.114.43.179).
> 14-04-01 09:27:00 Admin disconnected (93.114.43.179).
> 14-04-01 09:27:00 Admin disconnected (93.114.43.179).
> 14-04-01 09:27:00 Admin disconnected (93.114.43.179).
>
> Afterwards the server takes 98% of the processor and it's impossible to join.
> Do you know this IP?
> Do you know a way of protecting against this? Something other than iptables?

The Linux tool fail2ban can be configured to watch the Soldat logfiles in realtime and automatically block IPs that do weird things like what you pasted. It adds a new chain to iptables which it manages by itself and adds IPs to (and optionally removes them after).

> You can block TCP and you will not be able to connect via admin programs. You will be able to join the server and play though.

You also won't be able to download custom maps/sceneries.
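Added example, not code from this thread or from the Soldat project: a small Python model of what jrgp describes fail2ban doing, matching the two log line shapes pasted above and flagging an IP once it produces five admin events within ten seconds. The threshold values, the borrowed date for time-only lines and the constructed sample log are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Both log line shapes pasted in this thread: "YY-MM-DD HH:MM:SS ..." and "(HH:MM:SS) ...".
# The equivalent fail2ban filter.d failregex for these lines would be:
#   ^.*Admin (?:disconnected|failed to connect) \(<HOST>\)\.$
LINE_RE = re.compile(
    r"^(?:(?P<date>\d{2}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2})"
    r"|\((?P<time2>\d{2}:\d{2}:\d{2})\)) "
    r"Admin (?P<event>disconnected|failed to connect) "
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)\.$"
)

# Constructed sample log built from the lines quoted in this thread (masked x.x.x.x included).
SAMPLE_LOG = [
    "14-04-01 09:27:00 Admin disconnected (93.114.43.179).",
    "14-04-01 09:27:00 Admin disconnected (93.114.43.179).",
    "14-04-01 09:27:00 Admin disconnected (93.114.43.179).",
    "14-04-01 09:27:00 Admin disconnected (93.114.43.179).",
    "14-04-01 09:27:00 Admin disconnected (93.114.43.179).",
    "(15:57:06) Admin failed to connect (x.x.x.x).",
    "(19:43:52) Admin failed to connect (79.141.166.25).",
    "(19:43:52) Admin failed to connect (79.141.166.25).",
    "(19:43:52) Admin failed to connect (79.141.166.25).",
]

def parse_line(line, default_date="14-04-01"):
    """Return (timestamp, event, ip) or None when the line is not an admin event.
    Time-only lines borrow default_date (assumption); masked x.x.x.x never matches."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    stamp = f"{m.group('date') or default_date} {m.group('time') or m.group('time2')}"
    return datetime.strptime(stamp, "%y-%m-%d %H:%M:%S"), m.group("event"), m.group("ip")

def ips_to_ban(lines, maxretry=5, findtime=timedelta(seconds=10)):
    """Sliding-window count per IP, mirroring fail2ban's maxretry/findtime:
    an IP is flagged once it logs maxretry admin events within findtime."""
    recent = defaultdict(list)
    flagged = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, _event, ip = parsed
        # keep only events inside the window, then add the current one
        recent[ip] = [t for t in recent[ip] if ts - t <= findtime] + [ts]
        if len(recent[ip]) >= maxretry:
            flagged.add(ip)
    return flagged
```

With the defaults only 93.114.43.179 is flagged; the three failed logins from the second IP stay under the threshold, which is the tuning decision Szaman's delay concern below is really about.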
Title: Re: Flooding attack
Post by: Szaman on April 08, 2014, 02:21:37 am
1. But fail2ban has a delay in checking the log (interval checking)
2. Soldat also has an interval for updating logs (another delay)
3. There are some cases when Soldat is not producing/updating logs while being attacked
4. Due to those delays the Soldat server will crash at least once
5. Am I wrong, or are the maps served on another port (admin port + 123 if I remember correctly)?
Title: Re: Flooding attack
Post by: Bonecrusher on April 08, 2014, 02:52:38 am
5. TCP is join port + 10.
Title: Re: Flooding attack
Post by: jrgp on April 08, 2014, 04:28:05 am
> 1. But fail2ban has a delay in checking the log (interval checking)
> 2. Soldat also has an interval for updating logs (another delay)
> 3. There are some cases when Soldat is not producing/updating logs while being attacked
> 4. Due to those delays the Soldat server will crash at least once

You can use the functionality provided by CSF (a front end to iptables) that automatically blocks IPs which open too many connections during a set interval on a specific TCP port. That may help this.

Have you tried keeping a 'tcpdump dst port 23083' open that logs the malicious traffic you're getting? Have you looked in dmesg to see if you're getting packet flooding that sets off messages in the kernel log?
Title: Re: Flooding attack
Post by: dominikkk26 on April 08, 2014, 08:03:03 am
Hmm, developers should give the option to choose ports for clients (administrators) when connecting.
Title: Re: Flooding attack
Post by: elMorvano on April 08, 2014, 04:39:20 pm
Okay... Soldat has totally killed me now. I know an EASY way to kill the server. I'll only write to the devs about this. PRIV.

Probably without any protection all servers will just go mad.
Title: Re: Flooding attack
Post by: Falcon` on April 08, 2014, 05:21:58 pm
I didn't read the whole topic, but I once had a problem like this. The solution was to add some pre-Soldat authentication system that would open the admin port for a given IP address. In my case I used port knocking.
Title: Re: Flooding attack
Post by: Szaman on April 08, 2014, 05:26:09 pm
@FalconPL: very good idea :)
Title: Re: Flooding attack
Post by: elMorvano on April 08, 2014, 05:36:04 pm
Temporary solution against my way (ofc. I won't tell you which way, this can even kill your machine) is: run your soldatserver via soldatserver_legacy. Thanks.

And now my scripts don't work - GG. I'm really tired of Soldat's bugs T_T