Posts: 828 | Threads: 20 | Joined: Jul 2015 | Reputation: 0
Brute force can. Just use a strong password and ban the IPs of those who fail to log in as RCON 3 times or more.
This is the only solution that worked for me personally.
Posts: 3,002 | Threads: 86 | Joined: Jul 2010 | Reputation: 0
People have dynamic IPs nowadays, so banning them isn't effective unless you do it temporarily.
You can have this type of mechanism in place:
Use multiple passwords. Each password with its own hint.
Before you attempt a login, you check the hint so you know which password to use.
Every time a login attempt is made, the password is changed, even if the login is successful.
Password should change by itself every 15 seconds (without any login attempts).
If there are multiple failed attempts within a second by the same IP, you ban that IP for 15-30 min.
With this system, if you have at least 15 passwords, no one should be able to break into your server.
Posts: 1,801 | Threads: 21 | Joined: Mar 2008 | Reputation: 0
The main problem is that most people only protect their RCON login from ingame players.
E.g. if there's a login attempt, they use a loop to find the playerid with that IP.
But that already leaves a security hole: the RCON remote console. You can attempt to login through that as often as you like if the server doesn't temporarily ban the IP (a temporary range ban would be the best).
If that isn't done it can be brute forced from outside.
Changing the RCON PW after a successful attempt is also useless as I'd already be logged in at that point (which allows me to change it myself, ban everyone on the server or crash it).
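The temporary per-IP ban after repeated failed RCON logins that the first and third posts describe, as an added example (not code from this thread or from the server software). It assumes a threshold of 3 failures within 60 seconds and a 30-minute ban, and replays a constructed sequence of login attempts against a fake clock so it runs offline:

```python
import time
from collections import defaultdict

MAX_FAILURES = 3        # failed RCON logins tolerated inside FAIL_WINDOW (assumed)
FAIL_WINDOW = 60        # seconds in which those failures must occur (assumed)
BAN_SECONDS = 30 * 60   # ban length; temporary so dynamic IPs are not hit forever


class RconLoginGuard:
    """Track failed RCON logins per source IP and hand out temporary bans."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.failures = defaultdict(list)  # ip -> timestamps of recent failures
        self.banned_until = {}             # ip -> unix time at which the ban expires

    def is_banned(self, ip):
        until = self.banned_until.get(ip)
        if until is None:
            return False
        if self.clock() >= until:
            del self.banned_until[ip]      # ban expired: the address may be someone else now
            return False
        return True

    def record_attempt(self, ip, success):
        """Return 'banned', 'ok' or 'failed' for one login attempt from ip."""
        now = self.clock()
        if self.is_banned(ip):
            return "banned"                # a correct password does not lift an active ban
        if success:
            self.failures.pop(ip, None)    # successful login clears the failure history
            return "ok"
        recent = [t for t in self.failures[ip] if now - t <= FAIL_WINDOW]
        recent.append(now)
        self.failures[ip] = recent
        if len(recent) >= MAX_FAILURES:
            self.banned_until[ip] = now + BAN_SECONDS
            self.failures.pop(ip, None)
            return "banned"
        return "failed"


# Constructed sample: (seconds since start, source IP, password correct?)
SAMPLE_EVENTS = [
    (0.0, "203.0.113.7", False),
    (1.0, "203.0.113.7", False),
    (2.0, "203.0.113.7", False),    # third failure inside the window -> banned
    (3.0, "203.0.113.7", True),     # right password, but the host is still banned
    (5.0, "198.51.100.2", True),    # another host is unaffected
    (1803.0, "203.0.113.7", True),  # just over 30 min later: ban expired, accepted
]


def replay(events):
    """Feed the events through a guard driven by a fake clock; return the outcomes."""
    now = [0.0]
    guard = RconLoginGuard(clock=lambda: now[0])
    results = []
    for t, ip, success in events:
        now[0] = t
        results.append(guard.record_attempt(ip, success))
    return results


if __name__ == "__main__":
    for event, outcome in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(event, "->", outcome)
```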
Posts: 828 | Threads: 20 | Joined: Jul 2015 | Reputation: 0
Disable RCON and use any command processor to use RCON commands without needing to be logged in as RCON.
In the worst situation you wouldn't need RCON access, so disable it.