jakeplissken

Windows DS server compromised. Need help with security.


I need help with securing my server configuration. I had a public server configured on a Windows DS and running ZGM Master Altis. I logged on today and I played for a bit and then I was banned from my own server. I then found two bans in the bans.txt. But I had a strong password on the admin and voting was disabled. I am including my server configuration below, and I need someone to look this over and give me some help with securing my DS. I have stopped and restarted the server, but I have made it private from now on. I guess I need to learn from this experience.

//
// server.cfg
//
// STEAM
steamport=2440;
steamqueryport=2441;

// GLOBAL SETTINGS
hostname = "Tactical gaming Arma 3 server. | Wombat Servers";			// The name of the server that shall be displayed in the public server list
password = ""; 						// Password for joining, eg connecting to the server
passwordAdmin = "*************"; 					// Password to become server admin. When you're in Arma MP and connected to the server, type '#login xyz'
//reportingIP = "armedass.master.gamespy.com"; 		// For ArmA1 publicly list your server on GameSpy. Leave empty for private servers
//reportingIP = "arma2pc.master.gamespy.com"; 		// For ArmA2 publicly list your server on GameSpy. Leave empty for private servers
//reportingIP = "arma2oapc.master.gamespy.com"; 		// For Arma2: Operation Arrowhead
reportingIP = "arma3pc.master.gamespy.com";
logFile = "server_console.log";				// Tells ArmA-server where the logfile should go and what it should be called

// WELCOME MESSAGE ("message of the day")
// It can be several lines, separated by comma
// Empty messages "" will not be displayed at all but are only for increasing the interval
motd[] = {
	"", "",  
	"ARMA 3 by Wombat Servers",
	"", "",  
	"Like us on Facebook",
	"http://www.facebook.com/WombatServers",
	""
};
motdInterval = 5;					// Time interval (in seconds) between each message


// JOINING RULES
checkfiles[] = {};					// Outdated.
maxPlayers = 8;					// Maximum amount of players. Civilians and watchers, beholder, bystanders and so on also count as player.
kickDuplicate = 1;					// Each ArmA version has its own ID. If kickDuplicate is set to 1, a player will be kicked when he joins a server where another player with the same ID is playing.
verifySignatures = 2;					// Verifies .pbos against .bisign files. Valid values 0 (disabled), 1 (prefer v2 sigs but accept v1 too) and 2 (only v2 sigs are allowed). 
equalModRequired = 0;					// Outdated. If set to 1, player has to use exactly the same -mod= startup parameter as the server.
//requiredBuild = 12345					// Require clients joining to have at least build 12345 of game, preventing obsolete clients to connect


// VOTING
voteMissionPlayers = 1;					// Tells the server how many people must connect so that it displays the mission selection screen.
voteThreshold = 2;					// 33% or more players need to vote for something, for example an admin or a new map, to become effective


// INGAME SETTINGS
disableVoN = 0;						// If set to 1, Voice over Net will not be available
vonCodecQuality = 0;					// since 1.62.95417 supports range 1-20 //since 1.63.x will supports range 1-30 //8kHz is 0-10, 16kHz is 11-20, 32kHz is 21-30
persistent = 1;						// If 1, missions still run on even after the last player disconnected.
timeStampFormat = "short";				// Set the timestamp format used on each report line in server-side RPT file. Possible values are "none" (default),"short","full".
BattlEye = 1;                                           // Server to use BattlEye system


// SCRIPTING ISSUES
onUserConnected = "";					//
onUserDisconnected = "";				//
doubleIdDetected = "";					//
//regularCheck = "{}";                                  //  Server checks files from time to time by hashing them and comparing the hash to the hash values of the clients. Causes heavy I/O, uncomment to disable feature - READ WARNING ABOVE - makes cheating possible!


// SIGNATURE VERIFICATION
onUnsignedData = "kick (_this select 0)";		// unsigned data detected
onHackedData = "ban (_this select 0)";			// tampering of the signature detected
onDifferentData = "";					// data with a valid signature, but different version than the one present on server detected

class Missions {};

Thank you. I hope someone more experienced with public servers can help me out.


Bans text is the Battleye banning system. This can only be added by either

Battleye via your filters (If you have any)

or

Someone with an RCON connection

 

You either

1) Violated your own BE filters

2) Banned yourself by accident

3) You don't have an RCon password set in your BE Server.cfg and someone connected to the server (Not even sure if this can be done even without a password being set, you can test this yourself)

example  

RConPassword ABC123XYZ

I very much doubt you've been "hacked"

The "Hackers" would have to specifically know your BE ID and want to target you. 

Most likely you banned yourself

 

There are a few minor issues with your config file.

1) You don't need these anymore, they are defined automatically based on the game port:

steamport=2440;
steamqueryport=2441;

The reporting IP is also redundant, Steam deals with this now and it shouldn't be defined

reportingIP = "arma3pc.master.gamespy.com";

You should also define the following

 

serverCommandPassword = "ABC123XYZ";
allowedLoadFileExtensions[] = {"h","hpp","sqs","sqf",etc etc etc etc};
allowedPreprocessFileExtensions[] = {"h","hpp","sqs","sqf",etc etc etc etc};
allowedHTMLLoadExtensions[] = {"htm","html","xml","txt" etc etc etc etc};


Thanks. I will implement these changes right away. I was not playing on the server when this happened, I went to bed and the next day I loaded up the server and my Zeus mission was deleted and there was just a single OPFIA unit on the map. So someone was playing on my server when I was absent and this happened. I did not add the bans.txt myself, and I could not find anything in logs that indicated what happened. Anyway, this is a learning experience and I will implement greater security before putting my server public again.

 

Thanks for your help. Could someone have used bis_fnc_MP to attack the server?


Thanks for your help. Could someone have used bis_fnc_MP to attack the server?

 

bis_fnc_MP does not have the ability to issue a BattlEye Ban, this ban was most likely caused by the following code in your cfg

onHackedData = "ban (_this select 0)";			// tampering of the signature detected

I have had this happen to me on multiple occasions, it's an odd occurrence but once I modified this value to kick, it only kicks instead of issuing a server side BattlEye ban.

 

So TLDR; No one hacked into your server, BattlEye most likely flagged your game client as using hacked data (odd but does happen) issuing a BattlEye Ban.
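
The checks suggested in the replies above, gathered into a small server.cfg linter as an added example (it is not part of any post in this thread and is not Bohemia or BattlEye code). The names `parse_cfg`, `audit` and the finding labels are hypothetical, the sample is an abridged copy of the posted server.cfg, and comparing setting names case-insensitively is an assumption.

```python
import re

# Settings the replies say to define, and ones they call redundant.
RECOMMENDED = ("serverCommandPassword", "allowedLoadFileExtensions",
               "allowedPreprocessFileExtensions", "allowedHTMLLoadExtensions")
REDUNDANT = ("steamport", "steamqueryport", "reportingIP")
HOOKS = ("onUnsignedData", "onHackedData", "onDifferentData")

# Constructed sample: an abridged copy of the server.cfg posted in the thread.
SAMPLE = '''
steamport=2440;
steamqueryport=2441;
passwordAdmin = "*************";   // Password to become server admin
reportingIP = "arma3pc.master.gamespy.com";
motd[] = {
    "http://www.facebook.com/WombatServers",
    ""
};
onUnsignedData = "kick (_this select 0)";   // unsigned data detected
onHackedData = "ban (_this select 0)";      // tampering of the signature detected
class Missions {};
'''

def parse_cfg(text):
    """Return {name: raw value} for 'name = value;' and 'name[] = {...};' entries."""
    # Drop // comments, but keep '//' inside quoted strings (e.g. the motd URL).
    text = re.sub(r'("(?:[^"\n]|"")*")|//[^\n]*', lambda m: m.group(1) or "", text)
    entry = re.compile(
        r'^\s*(\w+)\s*(?:\[\])?\s*=\s*("(?:[^"\n]|"")*"|\{.*?\}|[^;\n]*)\s*;',
        re.M | re.S)
    return {m.group(1): m.group(2) for m in entry.finditer(text)}

def audit(text):
    # Setting names are compared case-insensitively (assumption of this sketch).
    cfg = {k.lower(): v for k, v in parse_cfg(text).items()}
    findings = []
    for name in RECOMMENDED:          # undefined or empty counts as missing
        if cfg.get(name.lower(), '""') in ('""', "{}"):
            findings.append(f"missing: {name}")
    for name in REDUNDANT:
        if name.lower() in cfg:
            findings.append(f"redundant: {name}")
    for hook in HOOKS:                # a hook that bans rather than kicks
        if re.search(r"\bban\b", cfg.get(hook.lower(), ""), re.I):
            findings.append(f"bans: {hook}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

The RConPassword setting mentioned in the first reply lives in the separate BattlEye server config, so this linter does not cover it.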
