It is an issue of security. Improper coding practices and implementations lead to security issues; they are directly related.
--Chris

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cc2iscooL
Sent: Thursday, October 16, 2008 9:23 AM
To: Half-Life dedicated Linux server mailing list
Subject: Re: [hlds_linux] Proposal: Change rcon_password so it cannot be changed while server is running

That may be, but that's an issue of improper coding or malicious coding, not an issue of server security.

Mattie wrote:
> I wish it were that easy!
>
> Over the years, griefers have discovered all sorts of little holes in
> Source, plugins, and scripts that allow them to change rcon_password without
> knowing it beforehand. These get fixed on an ongoing basis, but this
> suggestion is to get at the root of protecting your servers from people
> taking them over.
>
> You definitely should keep your rcon_password a secret, but that doesn't
> keep your server safe.
> -Mattie
>
> On Thu, Oct 16, 2008 at 7:54 AM, Cc2iscooL <[EMAIL PROTECTED]> wrote:
>
>> If you never give out your rcon password (or don't make it a really easy
>> one) you'll never have to worry about this anyway.
>>
>> Mattie wrote:
>>
>>> Hey guys,
>>>
>>> I wanted to run this by the community. Your feedback is very much
>>> appreciated.
>>>
>>> How much would it annoy you if it was impossible to change rcon_password
>>> once any map had been loaded? In other words, the only way to change
>>> rcon_password would be in autoexec.cfg or server.cfg (and then the server
>>> would need to restart for it to take effect).
>>>
>>> Would this be incredibly painful?
>>>
>>> This single, simple change could dramatically decrease the amount of
>>> server-control exploits in the wild. The majority of these exploits
>>> require changing the password to something you don't know.
>>>
>>> I was thinking about this recently and I was debating either:
>>> (a) Working with you guys to ask Valve to make rcon_password unchangeable
>>> while the server is running, and/or
>>> (b) Making the EventScripts plugin enforce this by default (with an
>>> option to disable it if you're adventurous).
>>>
>>> What cases can you think of where it was important to be able to change
>>> rcon_password without taking the server down?
>>>
>>> The biggest argument I've heard so far is that if someone learns your
>>> rcon_password, you can't change it easily to prevent them. Unfortunately,
>>> though, most hackers change the rcon_password immediately so you're
>>> locked out of your own console. As such, this doesn't really work, anyway.
>>>
>>> Thoughts? Opinions? Thanks in advance,
>>> -Mattie
>>> _______________________________________________
>>> To unsubscribe, edit your list preferences, or view the list archives,
>>> please visit:
>>> http://list.valvesoftware.com/mailman/listinfo/hlds_linux

