[FilterScript] SafeCon - Protect your RCON against unwanted access
#1

I made this filterscript today, as I noticed quite a lot of RCON attacks in the last time.
SafeCon will protect your server from unwanted RCON access. Hackers wont have a chance to get your rcon password, if you use it right.

SafeCon basically has one main feature so far: a frequently changing RCON password. It chooses a random password from your list once in a specified interval. Doesnt sound special, but it is very effective. Beside this, it offers a name- and IP-whitelist. Only people on one of these lists can login as RCON admin ingame.
For security reasons all those lists are compiled with the code. This means you have to recompile it everytime you want to change it, but this makes it a lot more safe. Incase someone can read your server directory (e.g. your hoster) he could read the RCON password from the server.cfg or any password list file, but this way he even cant do that. He would have to decompile the code (which is of course AntiDeAMX protected).

Setup
The setup is quite easy. Copy the pastebin code and paste it to an empty file. Just take a look at the top of the script, everything should be explained in the comments. And of course dont upload the pwn source to your server, just the compiled amx.
When you set all the defines and arrays the way you like, compile the code. Add the filterscript to your server.cfg or put this somewhere in your OnGameModeInit():
pawn Code:
SendRconCommand("loadfs SafeCon");   // or however you named the file
How to use
When using the hardcoded password list, use /rconpw ingame to get the index of the currently active password. Index 0 is the first password in the array. Anyone can use this command. Then check the password list for that index to see whats the current password.
So you should think at least twice who should get the password list. Only people you can trust 111% should get it, and tell them not to give it to anyone else (just like you should handle your normal RCON password). I recommend using a safe connection for sending the list, services like https://privnote.com/ should do fine.

The name/IP-whitelist can be used if you experience RCON hacks anyways. When using a safe register/login system the name-list will do it, otherwise use the ip-list (which has to be updated more often because of dynamic IPs of course)


What else
Thats it, your RCON password should now be 99,9% safe (without any warranty of course )
If you got any suggestions, feel free to tell me.

Download: Pastebin
Reply
#2

wow man it will really help many people thnx for it i m gonna use it
Reply
#3

Nice job man
Reply
#4

Very good!
Reply
#5

nice (:
Reply
#6

nice!!
Reply
#7

really nice!
Reply
#8

Epic Release , Thanks Mauzen
Reply
#9

nice
Reply
#10

Pretty much nice - but for the white list, I don't think it's recommended for anyone who has a dynamic IP address.
Reply
#11

There\'s already like 3 scripts that do this.
Reply
#12

Quote:
Originally Posted by __
View Post
There\'s already like 3 scripts that do this.
/care? But this is the most professional one and securest one.
Reply
#13

Quote:
Originally Posted by ••• ĤБĶБM •••
View Post
/care? But this is the most professional one and securest one.
Hehe thanks. There might be others, but whenever i get an idea for a script, I just create it, and dont search if it already exists
Reply
#14

Very nice Good job
Reply
#15

Quote:
Originally Posted by ••• ĤБĶБM •••
View Post
/care? But this is the most professional one and securest one.
If you don\'t care, then don\'t post. You clearly care, because you posted.

Quote:
Originally Posted by Mauzen
View Post
Hehe thanks. There might be others, but whenever i get an idea for a script, I just create it, and dont search if it already exists
The whitelist idea was okay though, congratulations on that.
Reply
#16

Quote:
Originally Posted by ••• ĤБĶБM •••
View Post
Pretty much nice - but for the white list, I don\'t think it\'s recommended for anyone who has a dynamic IP address.
Quote:
pawn Code:
#define USE_IP_WHITELIST            (false) // Only people with a listed IP can login to the RCON
So, you can disable that. No, it\'s standard disabled (It\'s set to FALSE)
Reply
#17

Really nice, but I\'d suggest you to add a wildcard to the ip,
so that all LAN PCs can access the RCON(for example 192.168.*.*)
Reply
#18

Quote:
Originally Posted by leong124
View Post
Really nice, but I\'d suggest you to add a wildcard to the ip,

so that all LAN PCs can access the RCON(for example 192.168.*.*)
Nice idea, thanks. I should do that, should just be some strfind and strcmp I think.
Reply
#19

Even better, don\'t use wildcards :\')
Just let people add \'192.168\' (instead of \'192.168.*.*\') and use strfind, or use strcmp and stop searching at *end of string*. Or something similar. Maybe I\'m wrong, but I have a headache and I haven\'t sleep good for 3 weeks, but I guess it could work :P
Reply
#20

Never seen a protection system like this!! With this system you could protect a bank!!!
Reply


Forum Jump:


Users browsing this thread: 3 Guest(s)