
Thread: Being dos'd

  1. #21
    Join Date
    Nov 2019
    Beans
    17

    Re: Being dos'd

    Quote Originally Posted by EuclideanCoffee
    I'm sorry you're being DDOS'd.

    You do not need a web server to protect your data.

    Fail2ban is good, but it won't protect you from ddos unless you understand how it works.

    Can you shut down your servers now, so you can spend the time you need to address the issue?

    Once you shut down, we'll go over a diagram on how to setup your server.
    Yes!

  2. #22
    Join Date
    Jul 2008
    Location
    The Left Coast of the USA
    Beans
    Hidden!
    Distro
    Kubuntu

    Re: Being dos'd

    Quote Originally Posted by EuclideanCoffee
    You do not need a web server to protect your data.
    Strictly speaking, you don't. But you can add defense in depth. As I said, that's what I would do.
    Please read The Forum Rules and The Forum Posting Guidelines

    A thing discovered and kept to oneself must be discovered time and again by others. A thing discovered and shared with others need be discovered only the once.
    This universe is crazy. I'm going back to my own.

  3. #23
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: Being dos'd

    Quote Originally Posted by youmustnot
    the attack is happening again so I've closed all but one port again.
    The attack is always happening if you allow the source IPs from anywhere in the world. Only allow source IPs from places you specifically know to be friends. Right now, that is your house/work subnets and nowhere else.

    If you allow 22/tcp to the entire world, then the entire world will attack that. Secure ssh first by not running on the default port. Moving it to something else ... pretty much anything else ... will probably stop those attempts. My blog has a "secure ssh connections" article that DOES have commands and settings.

    And you still haven't said what a "game server" is. If you don't provide specifics, nobody can provide specific answers.

  4. #24
    Join Date
    Nov 2019
    Beans
    17

    Re: Being dos'd

    Quote Originally Posted by TheFu
    The attack is always happening if you allow the source IPs from anywhere in the world. Only allow source IPs from places you specifically know to be friends. Right now, that is your house/work subnets and nowhere else.

    If you allow 22/tcp to the entire world, then the entire world will attack that. Secure ssh first by not running on the default port. Moving it to something else ... pretty much anything else ... will probably stop those attempts. My blog has a "secure ssh connections" article that DOES have commands and settings.

    And you still haven't said what a "game server" is. If you don't provide specifics, nobody can provide specific answers.
    OK, I'll get that port changed over.

    The game server is a Facepunch RUST game server. I'm using LGSM to manage it. I did mention it previously, you must have missed it.

  5. #25
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: Being dos'd

    I caught the "rust" part, but that's like saying I'm running a C++ program. Very generic.

    Regardless, I've never heard of that game or the management software. Often, the failure is with the management stuff, so don't open that to any IP except yours - better would be to only allow localhost connections to the management interface. Use an ssh-tunnel for that. This is admin 101.

  6. #26
    Join Date
    Nov 2019
    Beans
    17

    Re: Being dos'd

    LGSM only runs in terminal. I don't believe there is any outward looking interface, it just seems to be a lot of bash scripts.


    https://linuxgsm.com/lgsm/rustserver/


    The PC survival game "Rust" by Facepunch, not Rust the programming language.
    Last edited by youmustnot; June 16th, 2020 at 12:57 AM.

  7. #27
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: Being dos'd

    Ah - thanks for the education.

    Many years ago I ran a TF server on the internet for friends. Only brought it up when we all played. It was off otherwise. On weekends, they'd come over and we'd play on the LAN. We got tired and switched to a LAN-only game before we all got married and headed off to different parts of the world for other jobs.

    Seems there is an entire group of people who prefer to hack game servers. There's a Twitter tag just for announcing who is doing what and their steamids. Guess that helps ban them more places?

  8. #28
    Join Date
    Sep 2014
    Location
    United States
    Beans
    362
    Distro
    Ubuntu 18.04 Bionic Beaver

    Re: Being dos'd

    Sorry, I was away.

    Did things improve since installing ufw and changing your port?

    The next thing I would do is block all ports besides the game ports except incoming for port 22 (or whatever is ssh) from a trusted server.

    You can create your trusted server from anything, but have in mind a "plan b" in case your trusted server is compromised.

    Let me know if you need illustrations, and I'll provide them. From the general tone of your posts, it sounds like you're doing better.

    Concerning a web server, you won't need one. Fail2ban does a good job protecting web servers in my experience, but when you want to adapt it for a special service like a video game server, you'd need to tweak it. Since users are connecting without a browser, you'd need to be sure you have some sort of fail2ban configuration setup after the initial attack waves have died down.

    What is likely happening is that the banned user purchased a DDOS service. You can read more about this sort of thing from Krebs on Security's blog. He talks in depth about Minecraft DDOSing as it is more common and easy to explain.
    Last edited by EuclideanCoffee; June 16th, 2020 at 01:32 PM.

  9. #29
    Join Date
    Nov 2019
    Beans
    17

    Re: Being dos'd

    The dos'ing is continuing. It stopped for a short while when I installed the firewall, but I think that was coincidence as it's just as strong now.

    How do I see these IPs hitting the server? I don't see all that much in auth.log, the odd failed login attempt from Africa.

    I've enabled the 'robot' firewall within Hetzner, and the spamming has stopped again.

    With the remaining ports that are open I can rate limit them:
    iptables -A INPUT -p udp -m udp --dport 27015 -m state --state NEW -m recent --set --name DEFAULT --rsource
    iptables -A INPUT -p udp -m udp --dport 27015 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 --name DEFAULT --rsource -j DROP
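On the question above of how to see which IPs are hitting the server: auth.log only records SSH logins, so traffic to the game port has to be looked at on the wire. The following is an added example, not code from any poster in this thread; it tallies packets and bytes per source address from `tcpdump -nn -tt` text output. The function names, the sample capture and its addresses are constructed for illustration, and on a live host the input would come from something like `tcpdump -nn -tt -i <iface> udp dst port 27015`.

```sh
#!/bin/sh
# top_sources PORT [N]
# Reads `tcpdump -nn -tt` text lines on stdin and prints the N busiest
# source addresses sending to destination PORT as: "<packets> <bytes> <ip>".
top_sources() {
    port="$1"
    limit="${2:-10}"
    awk -v port="$port" '
        ($2 == "IP" || $2 == "IP6") && $4 == ">" {
            dst = $5; sub(/:$/, "", dst)           # "198.51.100.10.27015:" -> no colon
            n = split(dst, d, ".")
            if (d[n] != port) next                 # last dotted field is the port
            src = $3; sub(/\.[0-9]+$/, "", src)    # strip the source port
            pkts[src]++
            if ($(NF - 1) == "length") bytes[src] += $NF
        }
        END { for (s in pkts) printf "%d %d %s\n", pkts[s], bytes[s], s }
    ' | sort -k1,1nr -k3,3 | head -n "$limit"
}

# Constructed sample capture (documentation address ranges, not real traffic).
sample_capture() {
cat <<'EOF'
1592300000.000001 IP 203.0.113.5.40001 > 198.51.100.10.27015: UDP, length 25
1592300000.000002 IP 203.0.113.5.40002 > 198.51.100.10.27015: UDP, length 25
1592300000.000003 IP 203.0.113.77.51000 > 198.51.100.10.27015: UDP, length 48
1592300000.000004 IP 203.0.113.5.40003 > 198.51.100.10.27015: UDP, length 25
1592300000.000005 IP 192.0.2.9.50022 > 198.51.100.10.22: Flags [S], seq 1, win 64240, length 0
1592300000.000006 IP 192.0.2.9.28000 > 198.51.100.10.27015: UDP, length 60
1592300000.000007 IP 203.0.113.77.51000 > 198.51.100.10.27015: UDP, length 48
1592300000.000008 IP 203.0.113.5.40004 > 198.51.100.10.27015: UDP, length 25
EOF
}

# Show the busiest sources for the game port in the sample.
sample_capture | top_sources 27015 5
```

Source addresses in a UDP flood can be spoofed, so the tally describes the traffic arriving at the port rather than who is behind it.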
