As people mentioned, Steam won't work because of remote rcon (like HLSW, web consoles, etc). An IP whitelist could be better, but it's more complicated to implement and people use HLSW from multiple locations.
Still, what I'm looking for is the simplest, least impactful change to improve security. Rcon behavior is surely over a decade old by now and people use it in different ways -- the idea is to minimally impact the day-to-day for admins while preventing their servers from being taken over when they're not around because of some Source or plugin exploit.

Is this sacrifice too big to spare newbie and experienced admins some of the current grief they have from getting banned from their own servers, etc? That's really the question I'm asking here.

Thanks for all the great feedback so far, guys!

-Mattie

On Thu, Oct 16, 2008 at 1:55 AM, kama <[EMAIL PROTECTED]> wrote:

> On Wed, 15 Oct 2008, Mattie wrote:
>
> > Hey guys,
> >
> > I wanted to run this by the community. Your feedback is very much
> > appreciated.
> >
> > How much would it annoy you if it was impossible to change rcon_password
> > once any map had been loaded? In other words, the only way to change
> > rcon_password would be in autoexec.cfg or server.cfg (and then the server
> > would need to restart for it to take effect).
> >
> > Would this be incredibly painful?
> >
> > This single, simple change could dramatically decrease the amount of
> > server-control exploits in the wild. The majority of these exploits require
> > changing the password to something you don't know.
> >
> > I was thinking about this recently and I was debating either:
> > (a) Working with you guys to ask Valve to make rcon_password unchangeable
> > while the server is running, and/or
> > (b) Making the EventScripts plugin enforce this by default (with an option
> > to disable it if you're adventurous).
> >
> > What cases can you think of where it was important to be able to change
> > rcon_password without taking the server down?
> >
> > The biggest argument I've heard so far is that if someone learns your
> > rcon_password, you can't change it easily to prevent them. Unfortunately,
> > though, most hackers change the rcon_password immediately so you're locked
> > out of your own console. As such, this doesn't really work, anyway.
> >
> > Thoughts? Opinions? Thanks in advance,
>
> Wouldn't it be better to be able to switch on so only some STEAMIDs could
> use rcon? Something similar to banid, removeid and writeid?
>
> Something like:
> rcon_user_add "STEAM_0:0:0"
> rcon_user_add "STEAM_1:2:3"
> rcon_user_del "STEAM_0:1:2"
> rcon_user_write
>
> At least one thing this solves is the password sniffing on LANs.
>
> /Bjorn
>
> _______________________________________________
> To unsubscribe, edit your list preferences, or view the list archives,
> please visit:
> http://list.valvesoftware.com/mailman/listinfo/hlds_linux

