Server vs Client and Security

[SpaydCBR 11]

I was just wondering, is it any "safer" (from hackers) to run code on server rather than on clients? Like is it any less exploitable to create a vehicle on the server rather than on the client even though its effects are global and would work either way? Maybe that's a bad example but I think you get the idea of what I'm trying to ask. I have absolutely no idea how hackers manage to inject their own code into a game.

[dr death jm 117]

i think steps are to compile code but don't recompile.

and I've seen scripts with black listed or white listed vehicles/weapons and what not.

I can't say server side is or not safer but make sure your server.cfg is correct,

I'm not using anything other than BE and server.cfg and have over 300 bans within a few months.

So something is working "if it's set up correctly". 

 

hope this helps, 

[Guest]

They can't exec shit on the server if you use a properly configured cfgRemoteExec.

Anyway, nowadays having only Battleye enabled takes cares of 99% scripts kiddies and all the bullshit since you need to write a complex cheat to bypass battleye (driver based)

[MrCopyright 107]

It is definitely more secure to have the server execute code. It is far less likely to be injected into or interfered with when compared to client-side code. However, if the code is not optimised, the server's performance can decrease significantly. This ultimately leads to vast amounts of desync and slower response times. As harmdhast mentioned, correctly configuring CfgRemoteExec in addition to the BE filters will render cheating almost null. It is impossible to completely stop cheating, but you can make it extremely difficult.

[SpaydCBR 11]

Thanks for the info guys. So basically I want to make sure any commands a client sends to the server is properly configured in CfgRemoteExec?

 

What about something like MP event handlers, are they safe to use, as opposed to managing regular event handlers? Like "Killed" vs "MPKilled" to run code upon someone's death. Or is BE really just good enough that I don't have to worry too much about this?

[MrCopyright 107]

A cheater could set a global event handler with their own code inside it. To avoid this, you can simply block the use of the command with BE filters. 

[fn_Quiksilver 1633]

BE filters apply to compiled/executed client code.

 

By handling most things on server machine, you can more easily filter out noise in your BE filters.

 

For instance, if all land/ship/air vehicles are created on server, you know that if you're seeing land/air/ship vehicles created in your createvehicle.log are either admins or malicious injections.

 

same with the other BE files.

 

rremoteexec.log are good for detections, as is publicvariable.log. most hackers I've caught via BE has been in publicvariable.log and scripts.log.

 

these days most of the hackers left can get around battleye with memory editors, you'll have to detect issues with those further downstream.