sicilian

Recommendation to server admins


To all OFP server admins:

We recommend setting up strong admin passwords on your ofp servers!

We do not mean the server pw but the admin pw!

Actual events made us apprehensive of possible hacked admin pws on OFP servers.

To set up a strong pw, remember the following point:

Min. 7 characters including numbers, letters and special signs, in upper and lower case! (e.g. Ci]9nK&)

Regards

The ALSR Team


Actually there are some people out there who can get your admin pws using brute force methods. So plz take it seriously!


It would take several months to brute force attack even a 6 letter password.


Not if it's like "hustler" or any other easy word!

Sure it takes some time, but they've even done it!


Hmm even a dictionary attack on a 6 letter password would take hours upon hours. I think a key logger and/or ftp hack is most likely the culprit if people are stealing admin passwords.

IMO Password crackers are only useful on 1-4 letter passwords, even a P4 3ghz could cycle 3 combinations a second. When you put this into perspective, a 4 letter password (using only upper and lower case Latin characters, not even including digits or regional variant characters!) could produce 7,454,980 possible passwords. This would take some 108h:01m and 32secs to crack.

Put this to use on a password with 6 characters and you're wasting several months, if not years of your life. I could do the math, but quite frankly I can't be arsed.

But still, I can't deny that a small threat is there from brute force/dictionary attacks, but the threat is very small. To be on the safe side include at least one digit and/or "special" character in your password. i.e. 0Fp1sÜberCööl


Gadger, i can say from experience that bad pws can be cracked in less than a second using a dictionary attack. I ran a pw cracker over a pw file with several hundred pws and the bad pws were found in less than a second. On a slow machine. All found PWs had 7 or more characters.

I am not sure if they use dictionary attacks or brute force and you are totally right about the time it takes for brute force attacks, but you are wrong about the times for dictionary attacks. And i think it is better to be safe than sorry.

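The brute-force and dictionary arguments in the posts above, worked through as an added example (not part of any post in this thread): it checks a password against the recommended rule (at least 7 characters with lower case, upper case, digits and special signs), flags passwords built on a dictionary word, and counts the candidates an exhaustive search has to cover. The word list and the guess rate are constructed assumptions.

```python
import string

# Constructed sample word list; a real audit would load a large dictionary file.
WORDLIST = {"password", "admin", "ofp", "cat", "dog", "hustler"}

CLASSES = {
    "lower case": string.ascii_lowercase,
    "upper case": string.ascii_uppercase,
    "digit": string.digits,
    "special": string.punctuation,
}


def keyspace(pool, max_len):
    """Candidates an exhaustive search must cover for lengths 1..max_len."""
    return sum(pool ** k for k in range(1, max_len + 1))


def audit(pw, guesses_per_sec, min_len=7):
    """Check pw against the 7-character, four-class rule and size the search."""
    used = [n for n, chars in CLASSES.items() if any(c in chars for c in pw)]
    pool = sum(len(CLASSES[n]) for n in used)
    problems = []
    if len(pw) < min_len:
        problems.append("shorter than %d characters" % min_len)
    problems += ["no %s character" % n for n in CLASSES if n not in used]
    # Dictionary test: ignore case and digits/symbols stuck on either end.
    # A password that fails it falls within a pass over a word list (plus a
    # few such variations), however large its brute-force keyspace is.
    core = pw.lower().strip(string.digits + string.punctuation)
    word = core if core in WORDLIST else None
    if word:
        problems.append("built on dictionary word '%s'" % word)
    guesses = keyspace(pool, len(pw))
    return {
        "ok": not problems,
        "problems": problems,
        "dictionary_word": word,
        "brute_force_guesses": guesses,
        "brute_force_seconds": guesses / guesses_per_sec,
    }


if __name__ == "__main__":
    # guesses_per_sec=1000 is an assumed rate, not a measured one.
    for candidate in ["hustler", "Hustler1", "Ci]9nK&"]:
        print(candidate, audit(candidate, guesses_per_sec=1000))
```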

On a related note, it might also be a good idea to set up a traffic shaper or similar to limit the number of connections per second to the ofp server. Something like this for linux servers:

Code Sample:

# Accept NEW connections to the game port at no more than 2 per second (burst of 4)
iptables -I INPUT -i eth0 -p udp -d $SRV_ADDRESS --dport 2302 -m state --state NEW -m limit --limit 2/second --limit-burst 4 -j ACCEPT

# Drop any NEW connection that exceeded the limit above
iptables -I INPUT 2 -i eth0 -p udp -d $SRV_ADDRESS --dport 2302 -m state --state NEW -j DROP

It seems there are tools out there to crash ofp servers by the way of opening many connections at once.

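What the two rules in the post above do to a burst of new connections, as an added simulation (not part of the original post and not netfilter's own code): a credit bucket assumed to behave like `-m limit --limit 2/second --limit-burst 4`, where an accepted packet spends credit and anything left over reaches the DROP rule. The traffic, source names and timings are constructed.

```python
def simulate_limit(packets, rate_per_sec=2, burst=4):
    """packets: list of (time_ms, source) for NEW connections, sorted by time.

    Returns a list of (time_ms, source, verdict)."""
    cost = 1000 // rate_per_sec   # ms of refill one accepted packet consumes
    cap = cost * burst            # a full bucket holds `burst` packets
    credit, last = cap, None
    out = []
    for t, src in packets:
        if last is not None:
            # Credit refills with elapsed time, whether or not packets matched.
            credit = min(cap, credit + (t - last))
        last = t
        if credit >= cost:
            credit -= cost
            out.append((t, src, "ACCEPT"))   # first rule matches
        else:
            out.append((t, src, "DROP"))     # falls through to the second rule
    return out


# Constructed traffic: one source opens 10 connections within 90 ms,
# then a regular player tries to join at 100 ms and again at 700 ms.
FLOOD = [(t, "flooder") for t in range(0, 100, 10)]
PLAYER = [(100, "player"), (700, "player")]


def verdicts_for(source, results):
    """Verdicts, in arrival order, for one source."""
    return [v for _, s, v in results if s == source]


if __name__ == "__main__":
    for t, src, verdict in simulate_limit(FLOOD + PLAYER):
        print("%4d ms  %-8s %s" % (t, src, verdict))
```

The bucket is shared by every source, so while it is empty a regular player's first packet is dropped too; iptables' `hashlimit` match keeps a separate bucket per source address.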

Ah, good tip there, benu. God I love iptables - quick and efficient. No fuss, no muss. Linux - when you need to just get the job done.


in three years of OFP servers not one time have i seen someone hack an admin PW

we have had simple rotating words with prefixes for years, and i think this whole thread is more paranoia than helpful

and a dictionary hack would have to be built for OFP to run while in game, anyone who could make that could take over your server never mind your OFP server

and running prefixes is the way to go

cat = hackable

ntcat = unhackable

ntdog = unhackable


This is not about paranoia but about existing tools. The ofp supercheat exists, the pw cracker for ofp servers exists too. As does the ofp crashing tool.

You never know what pws other admins use, so it's better to inform them. Who knows how many people use "ofp" or something similar as admin pw...

Quote: in three years of OFP servers not one time have i seen blablabla

It's always nice reading your post hanging back in OFP's children times... but time goes on and never stops! Get it in your mind! THERE ARE PPL OUT WHO CAN ACTUALLY DO THIS!

Otherwise I wouldn't post such things!

One question. Do you watch black and white TV or don't you believe it could be possible to make it colored?

and as benu said before it takes less time than any theoretical math would think. There is always a difference between theory and practical things! Remember it!

I wouldn't post if I'm not 100% sure of it!

Quote: The ofp supercheat exists, the pw cracker for ofp servers exists too. As does the ofp crashing tool.

yea yea, and cows fly

Quote: THERE ARE PPL OUT WHO CAN ACTUALLY DO THIS!

yes, we know, and none of them have heard of OFP and if anyone can bring down a winOS OFP server it's me

no one is going to waste their time on a game, it has not been done in three years and won't be done tomorrow or next week so stop ringing the fking bell


well Malboeuf it's up to you what are u doing to protect your server, but stop making false comments.

these things are sadly fact. ignoring it doesn't change anything and telling ppl that u do know things best, is even worse for the common good.

just that u don't know about the things, doesn't make them being not used already!


there are no false comments other than you guys crying wolf and the shit i hear here is bordering on witch hunts

and no one is ignoring it, it's just not in any way an issue in OFP, it's been three years and it's never happened, and it won't happen any time soon

i'm just tired of hearing shit that has about a 1% chance of happening and has never happened and you guys go and make this post

there is a wolf, but he's sure not spending his time on hacking OFP servers

sheesh what is this? the CS forums?

Quote (Aug. 15 2004, 08:11): well Malboeuf it's up to you what are u doing to protect your server

and to clue you in about security you need 1 of three static IPs to rdp to any of our servers

So unless i lose control of my system no one will touch our servers

Quote: THERE ARE PPL OUT WHO CAN ACTUALLY DO THIS!

Quote: yes, we know, and none of them have heard of OFP and if anyone can bring down a winOS OFP server it's me

It's not about crashing the os, it's about crashing the ofp service. I guess i assumed too much when i thought you actually READ posts before making your bullshit replies.

Quote: no one is going to waste their time on a game, it has not been done in three years and won't be done tomorrow or next week so stop ringing the fking bell

Yeah, a totally good argument. "It's never been done before so it will never be done in the future". LOL. so nothing could ever be done for the first time, and nothing ever has, following your "logic".

Man, we waste our time in these cheater forums to create countermeasures quickly, and those hacks are really new, it's no surprise that YOU never encountered them before. Check for when the supercheat came out and compare it to the increasing posts about cheaters in this forum. Now the admin pw cracker and the server crasher are out. Let's wait and see.

Quote: in three years of OFP servers not one time have i seen someone hack an admin PW

Blablabla, in all my life i have not seen japan, so it can not exist. And the rest of the world also.

And if canada gets "static" dhcp ip ranges, then all of the world does too. This is true by malboeuf decree, and it does not matter if people from other parts of the world say that it isn't so, cause malboeuf is the only one to judge about truth and reality. And everything that is too big for his little brain simply does not exist, can not exist.

Quote: there is a wolf, but he's sure not spending his time on hacking OFP servers

Actually, there are at least two sites with the declared purpose of destroying ofp and those are the same sites that distribute those tools and all other ofp cheats. But, oh, i forgot, you've never seen those sites, so they don't exist.

Quote: It's not about crashing the os, it's about crashing the ofp service.

no shit sherlock so like why has my server never been shut down? like why has any of the 10 servers i managed been HALTED lol

Quote: Yeah, a totally good argument. "It's never been done before so it will never be done in the future". LOL. so nothing could ever be done for the first time, and nothing ever has, following your "logic".

just as the fact that it has not been done but yet it's a "BIG DANGER" now there's Logic - This is OFP dude, not Web Porn, no one wants in here

Quote: Actually, there are at least two sites with the declared purpose of destroying ofp and those are the same sites that distribute

yea yea, bla bla bla, and they have personally attacked our site with ZERO results because I gave all their information to Suma and Placebo (very interested on how they knew it was us heh) and to date with all their threats to RN they have yet to shut us down (web or game server) or any other squad or servers we maintain or help with

you are losing on the information front and resorting to flames - how lame

you have bupkis


People if you're going to discuss a topic then discuss it in a calm, rational, mature manner. Please drop the aggressive posturing and flaming/flame baiting. It would be extremely sad if people got WL+ and/or PR's by allowing good intentions to be ruined by bad behaviour.

Quote: Yeah, a totally good argument. "It's never been done before so it will never be done in the future". LOL. so nothing could ever be done for the first time, and nothing ever has, following your "logic".

Quote: just as the fact that it has not been done but yet it's a "BIG DANGER" now there's Logic - This is OFP dude, not Web Porn, no one wants in here

It has already been done. On several servers last week. Not on your server though. Not on mine either ;)

So your "nobody is doing this" rants are really counterproductive, as the tools are out, the people doing this exist and the danger exists. It is not really a high percentage of danger as most of those "script kiddies" do not seem to want to go as far as crashing servers all the time, but it can be done and it already has been done.

People waste their time trying to inform themselves about cheaters and their tools and trying to counter it. And when those people post warnings here you could just be civil and ignore them if you think they don't apply to your server. But don't post stuff that discredits them as liars or idiots.


Plz close this topic!

It is a recommendation as you can read and no place to discuss!

You can think over it and do something or nothing so plz close!

Can't see it anymore!

Quote: as the tools are out, the people doing this exist and the danger exists. It is not really a high percentage of danger as most of those "script kiddies" do not seem to want to go as far as crashing servers all the time, but it can be done and it already has been done.

Quote: People waste their time trying to inform themselves about cheaters and their tools and trying to counter it. And when those people post warnings here you could just be civil and ignore them if you think they don't apply to your server. But don't post stuff that discredits them as liars or idiots.

not a single mainstream server was taken down, unless it was from an outcast admin that already had the passwords (devgru's three way split last week)

posts like this should be deleted because of the falseness of their whole meaning

A post like this suggests that this is an ongoing problem when it has never BEEN a problem

nowhere has anyone even once posted "HELP MY OFP SERVER HAS BEEN HACKED"

you're going off of 3rd party and 2nd hand accounts where meanings of subjects have been altered due to GOSSIP


Malboeuf I won't enter the discussion as it's totally pointless to discuss with you. Us weak mortals will never even grasp the magnitude and splendor of your thoughts. Plus you and your servers are so sexy that it hurts. Can I kiss your feet?

Anyhow: You have no idea what is going on. There are groups that are dedicated to bringing down OFP public gaming believe it or not. I'm not saying they're gonna succeed. I'm not saying it's a widespread problem...yet.

But ffs if you're not concerned why do you keep commenting? Reading your big headed bragging is starting to make me sick.

If your server is untouchable, fine. Good for you.

But please bugger off and let people discuss in peace.

Another option would be to participate in a polite tone and with hard facts but I'm not seeing this happen anytime soon....


I keep commenting because regardless of what three ppl think there is no evidence to support these claims

NONE

just because some 12 year old pissed you off and you guys kicked him because he said he will shut down your server or take control of your OFP server does not mean it's a threat to the community

regardless of such this is nothing but a witch hunt with a shit load of cry of wolf

like please, the guys that created the cheats have threatened RN for giving Info to BIS. Our servers run fine

Our Web Sites run fine

Our main servers run fine

so if those guys can't break a PW on a server or shut us down that means this whole post is full of shit

and you guys scaring the shit out of the community is pointless and counterproductive to the OFP Experience

No one at any point has had their server stolen in three years and then this post claims falsely that it has

I also know you guys did read a post a few weeks back about a hacked server

Maybe you should find it and see what had really happened, there was no hack attempt, and I was 100% involved

I love gossip, you guys are great lol


Whether the app to crack passwords is effective or not, the simple fact is that there is zero harm in the message being broadcast for admins to make sure they use decent alphanumeric passwords. I learned that lesson some time ago when my 6 digit ICQ number was "hijacked" because I used an English 4 letter word as the password, got it back and switched to an alphanumeric password and no problems since.

This topic is now closed to further replies.