Indeed, if you know the IPs you're going to be rconning from, it's easier to just use whitelisting and not hashlimits at all. You can also raise the hashlimit-burst setting from 1 to like 5, which will make rcon a lot more responsive from non-whitelisted IPs.
On Tue, Apr 29, 2008 at 1:41 PM, Andrew DeMerse <[EMAIL PROTECTED]> wrote:
> As a note, the iptables "fix" seems to be screwing with anyone running
> HLStatsx that runs on a machine that isn't local. Run the following command
> to whitelist your hlstatsx server. Of course, replace 123.456.789.0 with your
> hlstatsx IP.
>
> sudo iptables -I INPUT 1 -p tcp --dport 27015 --source 123.456.789.0 -j ACCEPT
>
> You can also use the same command to whitelist your own IP (in case HLSW or
> other RCON tools seem slow or unresponsive).
>
>
> > Date: Tue, 29 Apr 2008 13:18:05 -0700
> > From: [EMAIL PROTECTED]
> > To: [email protected]
> > Subject: Re: [hlds] Nuke Exploit Info and Prevention
> >
> > Only RCON uses TCP, it looks like it chews too much CPU throwing away
> > the garbage data, we are fixing that up.
> >
> > - Alfred
> >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:hlds-[EMAIL PROTECTED] On Behalf Of Nephyrin Zey
> > > Sent: Monday, April 28, 2008 10:26 PM
> > > To: Half-Life dedicated Win32 server mailing list; Half-Life dedicated
> > > Linux server mailing list
> > > Subject: [hlds] Nuke Exploit Info and Prevention
> > >
> > > The nuke exploit works as follows:
> > >
> > > Connect to a server via TCP (rcon, does anything else use TCP? I have
> > > no idea.) on its port.
> > > Send a million garbage packets
> > > ???
> > > Profit
> > >
> > > The server goes insane handling them.
> > > Solution:
> > > Limit incoming TCP packets to ~1/second from any given IP on that
> > > port,
> > > *OR*
> > > Block TCP access to the server's port except from trusted people.
> > >
> > > Linux IPtables rules:
> > > iptables -A INPUT -p tcp --dport 27015 -m hashlimit --hashlimit-mode srcip,dstip,dstport --hashlimit 1/sec --hashlimit-burst 1 --hashlimit-name TF_PACKET_LIMIT -j ACCEPT
> > > iptables -A INPUT -p tcp --dport 27015 -j DROP
> > >
> > > /etc/init.d/iptables save
> > > /etc/init.d/iptables start
> > >
> > > (Note: you probably shouldn't enable iptables blindly if you don't
> > > know what you're doing)
> > >
> > > Windows:
> > > Block TCP to 27015 except for trusted people. Or something. Someone
> > > who admins Windows servers will need to guide you!
> > >
> > > - Neph
> > > (sv_benchmark_force_start fix coming in a few minutes)
> > >
> > > _______________________________________________
> > > To unsubscribe, edit your list preferences, or view the list archives,
> > > please visit:
> > > http://list.valvesoftware.com/mailman/listinfo/hlds
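The thread's mitigation has three parts that only work in one order: trusted-source ACCEPT rules first (what Andrew's `-I INPUT 1` achieves when the limit rule is already in place), then the hashlimit ACCEPT, then the catch-all DROP for the rcon port. The script below is an added example, not code from the thread or from Valve; it emits those rules for review rather than applying them, so it can be run unprivileged. The addresses 192.0.2.10 and 192.0.2.11 are constructed placeholders (TEST-NET-1), and `--hashlimit-upto` is the current spelling of the `--hashlimit` flag the thread uses. The burst default is 5, following the reply above.

```shell
#!/bin/sh
# Added example (not from the hlds thread): print the iptables rules that
# implement whitelist -> hashlimit -> DROP for the rcon TCP port.
# Nothing is applied; pipe the output into `sudo sh` only after reviewing it.

PORT=27015            # Source engine rcon/game port from the thread
RATE="1/sec"          # per-source rate the thread suggests
BURST=5               # raised from 1 per the reply above; 1 makes rcon sluggish
LIMIT_NAME="TF_PACKET_LIMIT"

# rcon_rules [TRUSTED_IP ...]
# Prints, in order:
#   1. an unconditional ACCEPT for every trusted source (stats box, your own IP)
#   2. the per-source hashlimit ACCEPT
#   3. the DROP that catches everything the limiter did not admit
# Appending in this order gives the same result as the thread's
# "-I INPUT 1" trick, which inserts the whitelist ahead of an existing limiter.
rcon_rules() {
    for ip in "$@"; do
        printf 'iptables -A INPUT -p tcp --dport %s -s %s -j ACCEPT\n' "$PORT" "$ip"
    done
    printf 'iptables -A INPUT -p tcp --dport %s -m hashlimit --hashlimit-mode srcip,dstip,dstport --hashlimit-upto %s --hashlimit-burst %s --hashlimit-name %s -j ACCEPT\n' \
        "$PORT" "$RATE" "$BURST" "$LIMIT_NAME"
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$PORT"
}

# count_rules [TRUSTED_IP ...] -> number of rule lines that would be emitted
count_rules() {
    rcon_rules "$@" | wc -l | tr -d ' '
}

# last_rule_is_drop [TRUSTED_IP ...] -> exit 0 if the final rule is the DROP,
# i.e. the whitelist and limiter both sit above it where they are reachable.
last_rule_is_drop() {
    rcon_rules "$@" | tail -n 1 | grep -q -- '-j DROP$'
}

# Running the script directly prints the rule set for the IPs given as arguments,
# e.g.: sh rcon_rules.sh 192.0.2.10 192.0.2.11   (constructed placeholder IPs)
rcon_rules "$@"
```

Two practitioner notes on the generated rules. First, the hashlimit match counts every TCP packet to the port, including the packets of an already-established rcon session, which is why a burst of 1 makes legitimate rcon feel unresponsive and why the thread's advice is to raise the burst or whitelist your own address; an option the thread does not use is to add `--syn` to the limiter and DROP rules so only connection setup is rate-limited. Second, `/etc/init.d/iptables save` as shown in the thread is specific to distributions that ship that init script; on others, persist the rules with whatever that distribution provides.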

