SpaydCBR

Server vs Client and Security


I was just wondering, is it any "safer" (from hackers) to run code on server rather than on clients? Like is it any less exploitable to create a vehicle on the server rather than on the client even though its effects are global and would work either way? Maybe that's a bad example but I think you get the idea of what I'm trying to ask. I have absolutely no idea how hackers manage to inject their own code into a game.


I think steps are to compile code but don't recompile.

And I've seen scripts with blacklisted or whitelisted vehicles/weapons and whatnot.

I can't say whether server side is safer or not, but make sure your server.cfg is correct.

I'm not using anything other than BE and server.cfg and have over 300 bans within a few months.

So something is working "if it's set up correctly".

Hope this helps.

Guest

They can't exec shit on the server if you use a properly configured cfgRemoteExec.

Anyway, nowadays having only BattlEye enabled takes care of 99% of script kiddies and all the bullshit, since you need to write a complex cheat to bypass BattlEye (driver based).


It is definitely more secure to have the server execute code. It is far less likely to be injected into or interfered with when compared to client-side code. However, if the code is not optimised, the server's performance can decrease significantly. This ultimately leads to vast amounts of desync and slower response times. As harmdhast mentioned, correctly configuring CfgRemoteExec in addition to the BE filters will render cheating almost null. It is impossible to completely stop cheating, but you can make it extremely difficult.


Thanks for the info, guys. So basically I want to make sure any commands a client sends to the server are properly configured in CfgRemoteExec?

What about something like MP event handlers, are they safe to use, as opposed to managing regular event handlers? Like "Killed" vs "MPKilled" to run code upon someone's death. Or is BE really just good enough that I don't have to worry too much about this?


A cheater could set a global event handler with their own code inside it. To avoid this, you can simply block the use of the command with BE filters. 


BE filters apply to compiled/executed client code.

By handling most things on the server machine, you can more easily filter out noise in your BE filters.

For instance, if all land/ship/air vehicles are created on the server, you know that any land/air/ship vehicles you're seeing created in your createvehicle.log are either admins or malicious injections.

Same with the other BE files.

remoteexec.log is good for detections, as is publicvariable.log. Most hackers I've caught via BE have been in publicvariable.log and scripts.log.

These days most of the hackers left can get around BattlEye with memory editors; you'll have to detect issues with those further downstream.

  • Like 2
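The triage described in the post above (when vehicles are only ever created on the server, any client entry in createvehicle.log is either an admin or an injection), as an added example that is not part of the thread. The log line layout, the admin GUID, the class-name prefixes and the sample lines are all assumptions constructed for illustration; adjust the pattern to what your server actually writes.

```python
import re
from collections import Counter

# Assumed layout of a createvehicle.log line (not given in the thread):
#   DD.MM.YYYY HH:MM:SS: Name (IP:port) GUID - #filter "ClassName" ...
LINE_RE = re.compile(
    r'^(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}): '
    r'(?P<name>.+) \((?P<addr>[\d.]+:\d+)\) (?P<guid>[0-9a-f]{32}) - '
    r'#(?P<filter>\d+) "(?P<cls>[^"]+)"'
)

# Hypothetical values: known admin GUIDs, and class-name prefixes that this
# mission only ever spawns from the server.
ADMIN_GUIDS = {"00112233445566778899aabbccddeeff"}
SERVER_ONLY_PREFIXES = ("B_MRAP_", "B_Heli_", "B_Boat_")

# Constructed sample input, not real log data.
SAMPLE_LOG = """\
01.02.2020 18:00:01: AdminAl (192.0.2.10:2304) 00112233445566778899aabbccddeeff - #0 "B_MRAP_01_F" 2:15 [1200,3400,0]
01.02.2020 18:03:44: Guest42 (192.0.2.77:2304) 0123456789abcdef0123456789abcdef - #0 "B_Heli_Light_01_F" 5:9 [1500,3100,50]
01.02.2020 18:03:45: Guest42 (192.0.2.77:2304) 0123456789abcdef0123456789abcdef - #0 "B_MRAP_01_F" 5:10 [1500,3100,0]
01.02.2020 18:05:12: Rifleman (192.0.2.80:2304) fedcba9876543210fedcba9876543210 - #0 "GrenadeHand" 7:3 [900,2000,1]
garbled line that does not parse
"""

def triage(log_text):
    """Return (suspects, unparsed): a count of server-only vehicle creations
    per non-admin (guid, name), and the lines the pattern could not read."""
    suspects = Counter()
    unparsed = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            # Keep unreadable lines for manual review instead of dropping them.
            unparsed.append(line)
            continue
        if not m["cls"].startswith(SERVER_ONLY_PREFIXES):
            continue  # client-side creation is expected for this class
        if m["guid"] in ADMIN_GUIDS:
            continue  # admins may spawn vehicles
        suspects[(m["guid"], m["name"])] += 1
    return suspects, unparsed

if __name__ == "__main__":
    hits, skipped = triage(SAMPLE_LOG)
    for (guid, name), n in hits.most_common():
        print(f"{n} server-only vehicle creations by {name} ({guid})")
    print(f"{len(skipped)} unparsed line(s) kept for review")
```
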