linuxkrn

Banned from my own server?

Ok,

So I had my server running for two days. Then today some asshat decides to hack me.

8:20:31 Player [MFB] Viper connecting.

8:20:35 Player [MFB] Viper connected (id=20242693).

8:20:56 Admin [MFB] Viper logged in.

8:21:16 Game restarted

I have a password set, but he somehow bypassed it and banned me from my own server. How the heck do I protect against this? And furthermore, how do I ban this prick?

I don't see an IP or log for him.

---

verifySignatures=1; // check signatures

onHackedData = "ban (_this select 0)"; //auto ban hacked addons

onDifferentData = "kick (_this select 0)"; //auto kick modified files

Shouldn't that fix things like hacks? I don't think he had an addon, but who knows. All I know is he logged in as admin and reset it, then later when I login I found out I was banned. Had to remove my ID from ban.txt.

---

The only way he can hack the game to get your password is to confuse the server somehow by modifying the ArmA exe, and even then I think everything is done server-side.

I'm afraid to say this, but the only way he did this is by finding out your password, by finding your server.cfg or via a friend of a friend of a friend...

---

Well, if it was only you and him on the server and you were not logged in as admin, he only needs to type #vote admin Viper, and if votethreshold is set at 0.5 or below he becomes admin.

He shouldn't be able to ban you as voted admin since 1.05 though.

---

Well, I've noticed more and more people getting banned. But I also see a lot of these logs:

23:12:18 Player xxxxx: Signature check timed out

After that, they get banned. Not sure what the heck he did, but maybe the server is incorrectly banning people?

Again, using:

verifySignatures=1; // check signatures

onHackedData = "ban (_this select 0)"; //auto ban hacked addons

onDifferentData = "kick (_this select 0)"; //auto kick modified files

Is there a way to disable #vote admin? I don't want anyone to change the level/etc.
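
The server log quoted in the first post does contain something usable against this guy: the player ID (id=20242693) on the "connected" line, which is the same name the "Admin ... logged in" line refers to. What follows is an added example, not code from the thread or from BI: a small Python script that parses log lines in the format quoted above, resolves each admin login back to the player ID from the matching "connected" line, flags admin logins by IDs not on an allow-list, and collects the "Signature check timed out" events separately so they can be reviewed rather than trusted as proof of cheating. Assumptions: the line formats are exactly as quoted in this thread, ban.txt takes one player ID per line (as the earlier post about removing an ID from ban.txt suggests), and every sample line except Viper's and the signature-timeout line is made up.

```python
import re

# Constructed sample, modelled on the server log lines quoted in this thread.
# Viper's connect/admin lines and the "Signature check timed out" line follow
# the quoted format; the linuxkrn lines and the ID 11111111 are made up.
SAMPLE_LOG = """\
8:20:31 Player [MFB] Viper connecting.
8:20:35 Player [MFB] Viper connected (id=20242693).
8:20:56 Admin [MFB] Viper logged in.
8:21:16 Game restarted
9:02:10 Player linuxkrn connecting.
9:02:12 Player linuxkrn connected (id=11111111).
9:02:30 Admin linuxkrn logged in.
23:12:18 Player SomeGuy: Signature check timed out
"""

# Player names may contain spaces and brackets (e.g. "[MFB] Viper"), so the
# name group is greedy and the patterns anchor on the fixed text around it.
TIME = r"(?P<t>\d{1,2}:\d{2}:\d{2})"
CONNECTED_RE = re.compile(TIME + r" Player (?P<name>.+) connected \(id=(?P<id>\d+)\)\.$")
ADMIN_RE = re.compile(TIME + r" Admin (?P<name>.+) logged in\.$")
SIGCHECK_RE = re.compile(TIME + r" Player (?P<name>.+): Signature check timed out$")


def parse_server_log(text):
    """Return (admin_logins, sig_timeouts).

    admin_logins: list of (time, name, player_id or None); the ID comes from the
    most recent "connected (id=...)" line seen for that exact name.
    sig_timeouts: list of (time, name) for signature-check timeouts.
    """
    name_to_id = {}
    admin_logins = []
    sig_timeouts = []
    for line in text.splitlines():
        m = CONNECTED_RE.match(line)
        if m:
            name_to_id[m["name"]] = m["id"]
            continue
        m = ADMIN_RE.match(line)
        if m:
            admin_logins.append((m["t"], m["name"], name_to_id.get(m["name"])))
            continue
        m = SIGCHECK_RE.match(line)
        if m:
            sig_timeouts.append((m["t"], m["name"]))
    return admin_logins, sig_timeouts


def unexpected_admin_logins(text, allowed_ids):
    """Admin logins by anyone whose player ID is not in the allow-list
    (an unresolved ID counts as unexpected, since we cannot vouch for it)."""
    admin_logins, _ = parse_server_log(text)
    return [ev for ev in admin_logins if ev[2] not in allowed_ids]


def ban_list_entries(text, allowed_ids):
    """Player IDs to append to ban.txt, one ID per line (assumed format)."""
    return sorted({ev[2] for ev in unexpected_admin_logins(text, allowed_ids) if ev[2]})


if __name__ == "__main__":
    my_ids = {"11111111"}  # the server owner's own player ID (made up)
    for t, name, pid in unexpected_admin_logins(SAMPLE_LOG, my_ids):
        print(f"{t} unexpected admin login: {name} (id={pid})")
    print("ban.txt additions:", ban_list_entries(SAMPLE_LOG, my_ids))
    print("signature timeouts (review, do not auto-ban):", parse_server_log(SAMPLE_LOG)[1])
```

Run it against the real log with the owner's own ID(s) in the allow-list; anything it prints as an unexpected admin login is either a voted admin or someone who has the password, which is exactly the question this thread is trying to answer. The signature timeouts are kept separate on purpose: the later posts in this thread say the timeout fires for innocent players, so it should drive a review, not a ban.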

---

Quote:

Is there a way to disable #vote admin? I don't want anyone to change the level/etc.

Yes. I'm not sure of the exact name of the entry, but it's something like voteThreshold. Set it to something above 1.

---

Voted admins can ban people?

I thought they could only KICK if they're only voted admins.

Anyway, thanks for the ID, I will keep an eye out for this guy.

---

Only way to disable voted admin is to disable voting completely (by setting votethreshold to 1.1).

Signature check timeout happens to everyone; you can't enable signature checking until a new patch comes out. If you keep it enabled, people will keep getting kicked when they don't deserve it.

And if voted admins can still ban, it's a serious bug that was meant to be fixed in 1.05.

---

There is a program that someone seems to have where they use brute force to get the server admin password. I have seen this happen in the past, and when it did the inbound network traffic went through the roof. If anything, it is just a program that uses the game and sends keys to it repeatedly until it gets an OK packet from the server or something. Wouldn't be hard, I suspect.

---

I remember this in OFP, I think I tried it on a server I temporarily setup on my home network at some stage. Basically you can have a program that'll auto type /#login and then start from a and work its way through the alphabet, upper and lower case and also numbers, etc until it gets a match and the user is logged in. This could be how the password was found.

---

Brute force password cracking can take a rather long time.

An 8 character password has billions of possible character combinations, which would take days of constant brute force from a desktop computer.

Of course, that's presuming you have a good password that isn't a word. If you picked a simple word for your password like "Dog", then a dictionary attack (brute forcing using every word in the dictionary) will crack your password much more quickly (minutes instead of days).

Are Arma admin passwords case sensitive? I've never checked.

---

Wow, that's just going too far. These losers will do anything just to make other people mad to compensate for their pathetic lives.

---

Quote:

Brute force password cracking can take a rather long time.

An 8 character password has billions of possible character combinations, which would take days of constant brute force from a desktop computer.

Of course, that's presuming you have a good password that isn't a word. If you picked a simple word for your password like "Dog", then a dictionary attack (brute forcing using every word in the dictionary) will crack your password much more quickly (minutes instead of days).

Are Arma admin passwords case sensitive? I've never checked.

They are case sensitive. I use >10-character alphanumeric passwords on my servers. Heh, it still would suck to have them sitting there eating up server resources. They do on my FTP site all day long. Stupid failed login logs are 80+ MB each day.

---

Seriously? If so, there's a bug report/enhancement request to file. No server side program should allow unlimited attempts to log in. It should time out after 3-5 attempts and not allow another attempt for, say 10-30 minutes. (Possibly settable by the admin?)

On another topic in this thread: Admin voting should absolutely be a separate instance to disable/enable. If the only way to disallow admin voting is to disable voting, no server that I own or manage will have voting. Another bug report/enhancement request to be filed. Man, BI does have a bit to learn about security, eh?

Unfortunately, I'm not running a server at the moment, so I don't have the logs to attach to a bug report. I'm still waiting for the Linux server to come out. Sigh. Could someone else who does have a server up please file the necessary bug report(s)?

TIA

---

Setting a time limit will do nothing except prolong the time it takes for the program to uncover your password. I believe that flat out banning the IP from attempting to log in would be much more effective. As a bonus, the real admin should have the option to ban the IP from playing on that server all together.

---

Hi all

If someone is brute-force hacking your server, then your hosts need to be informed; they in turn will inform CERT, who will bring in the relevant police forces (in the US it is the FBI).

A brute force hack by its very nature is also a DNS, so the criminal case is open and shut.

Like I say, inform your server host provider; they will want to catch them as they are using bandwidth. Also it is common for such people to hack servers to turn them into cracker bots or to sell on for kudos or money as sites to store the very extreme end of porno, pedos and the like.

Their IPs will be in your host's logs even if they are not in yours.

If you are hosting it yourself, you're supposed to know to inform CERT anyway.

In the meantime use a proper password for your server: at least 10 characters, a mix of alphanumeric and other ASCII characters. Don't use a word; dictionary crackers will spot it in as little as minutes.

Kind Regards walker

---

Quote:

Hi all

If someone is brute-force hacking your server, then your hosts need to be informed; they in turn will inform CERT, who will bring in the relevant police forces (in the US it is the FBI).

A brute force hack by its very nature is also a DNS, so the criminal case is open and shut.

Like I say, inform your server host provider; they will want to catch them as they are using bandwidth. Also it is common for such people to hack servers to turn them into cracker bots or to sell on for kudos or money as sites to store the very extreme end of porno, pedos and the like.

Their IPs will be in your host's logs even if they are not in yours.

If you are hosting it yourself, you're supposed to know to inform CERT anyway.

In the meantime use a proper password for your server: at least 10 characters, a mix of alphanumeric and other ASCII characters. Don't use a word; dictionary crackers will spot it in as little as minutes.

Kind Regards walker

lol

You really think they'll send in the feds to a game-server hosting company?

---

Quote:

Setting a time limit will do nothing except prolong the time it takes for the program to uncover your password. I believe that flat out banning the IP from attempting to log in would be much more effective. As a bonus, the real admin should have the option to ban the IP from playing on that server all together.

Sigh. Look, this is going to sound like a personal attack and I apologize in advance for that. It's most definitely not how I mean it. However, I realize from your statements that you've never had to manage a server in a mission critical environment. What I suggested is just Network Security 101. It's what nearly every application with a network login interface uses for a username/password authentication scheme. It's certainly what every network app uses if it's been around for any length of time.

Let me tackle your suggestions in reverse order and start with IP banning. I must admit that the thought of banning an IP address does have some appeal. However, banning login attempts permanently from a single IP suffers from a problem: Many ISPs do not offer static IP addresses to customers any more. Those who do offer static IPs still use dynamically assigned IP addresses by default. Customers have to ask for a static address and frequently pay an extra charge for it.

Heck, a lot of the bigger ISPs go beyond just dynamic assignment and force a periodic change to customers' IP addresses. For example, someone I know once figured out that their IP address was being changed once a day by Comcast. ISPs do that so their customers can't run servers at home effectively.

Therefore, at best if you permanently ban an IP address you only create a temporary solution. Your attacker will be back as soon as he can get another IP address assigned by his ISP. In the worst case, you may end up preventing someone else from accessing your server. IMO any ban based upon IP address should not exceed a week at the most. 24 hours is probably sufficient.

Now back to your first comment about my suggestion not being effective because it just prolongs the time necessary to successfully break in. You're not thinking it through far enough. Limited login doesn't just prolong the time required to uncover a password. What it does is help prolong the time to the point that a brute force login attempt is no longer feasible.

What you may not know is that there are entire automated toolkits available for crackers. It's gotten so bad that security weenies have coined a name for those characters who just download the tools and use them with no understanding of how they work. They call them script kiddies. The toolkits make it easy for the script kiddies to do all sorts of things automatically. Naturally, brute force login was one of the first things to be automated.

If you assume that a server is set up so login attempts are not limited and further that an attacker is using one of those toolkits, we can easily see that it is trivial for a cracker to easily generate tens of login attempts per minute. Several hundred login attempts per minute wouldn't be out of the question on a fast server with a fat pipe.

You may be thinking, "Ah ha! There's no way that any script kiddy will be able to generate hundreds of requests per minute because no single PC would be able to generate that many!" Unfortunately, many of the toolkits that I mentioned above also allow a script kiddy to attack other client workstations, upload his toolkit to them, and build up his very own army of bots to do his bidding. This makes getting lots of clients aimed at a single target a relatively trivial exercise for these jerks. (That's another reason why perma-banning IP addresses is a mistaken technique, btw. You won't necessarily be banning where the brute force attack is actually originating from.)

Let's be conservative and assume that a cracker can only generate one login attempt per second. That's still 86,400 login attempts per day on a server with unlimited logins allowed. Now assume that we use some sensible limits for a public server: Say, 3 login attempts before there's a 15 minute lockout. Now our attacker is limited to only 288 attempts per day, which means that on average it'll take him 300 times as long to crack a password.

(Note: Keep in mind that generally speaking, effective security models for server software are very tweakable. They allow for lock out of a either single user account, a client IP address, or both. They also allow for setting all kinds of default parameters ahead of time; password strength, number of login attempts allowed before lock out, lock out timer, whether or not it's limited to a single user account, IP address, etc.)

Now add in the technique of using hard to guess passwords. Password generators are easily available, after all. For example, I use a FOSS (Free or Open Source Software) password generator called apg (Automated Password Generator) to generate mine. apg lets me use all kinds of options before generating passwords; number of passwords to be generated, password length, whether or not characters can be duplicated and by how much, whether or not the password should be alphabetic only, alphanumeric, or alphanumeric plus punctuation, whether or not the passwords should be case sensitive, etc. Getting a tough to guess password generated using tools like apg is easy.

Combine the two defenses and the time necessary to crack one password becomes so long that brute force login attempts simply aren't a feasible means of breaking in. It would literally take thousands of years to find an alphanumeric, randomly generated six or eight character password. A cracker will be forced to find another avenue of attack.

There's another benefit to using such a basic tactic as limited login attempts that Nutty_101 highlighted when he mentioned that login attempts alone are generating 80 MB of logs a day on his server. It's an issue that I regard as critical to BI's longterm, overall success if they stay in the MP market. Unlimited login attempts steal CPU cycles, network bandwidth, and RAM from the people actually playing on a server. If a cracker can generate enough attempts in quick succession the server can bog down. If it gets bad enough, the legitimate players will suffer and eventually quit playing. (Side note: I wonder if that might be the root cause of some of the reported problems with laggy servers?)

If the problem gets widespread it won't just be a handful of targeted servers. If that happens and BI doesn't address it, legitimate players would have to give up playing ArmA online.

As I've shown, the tools to generate that much traffic and burn those CPU cycles are easily available to crackers. IMO, the possibility that the problem could get that widespread has to be considered as significant enough that BI should be worried about it right this second. It's definitely in BI's best interest to implement limited logins by default ASAP so their customer base can continue to enjoy their product.

So, let me repeat my appeal to server owners: Will someone who has the logs necessary to show just how bad the problem is already, please open the two bug reports/enhancement requests that I suggested? If you think it would help demonstrate the urgency and scope of the problem, please feel free to either link my posts or copy the text from them into your reports.

TIA
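
The arithmetic in the two posts above (an 8-character keyspace, one guess per second, 3 failures then a 15-minute lockout giving 288 tries a day and a 300x slowdown) is easy to check by actually running it. The following is an added example written for this page, not code from the thread and not anything ArmA's server implements: a hypothetical LoginThrottle class with the "3 failures, 15-minute lockout" policy, a simulated attacker making one wrong guess per second for a day, and the keyspace/time calculations the posts reason with. The lockout is keyed per client (a name or an IP) rather than global, so one attacker locking out a key does not lock out the real admin; the secret, client names and the 10,000-word dictionary size are made-up inputs.

```python
import hmac

SECONDS_PER_DAY = 86400


def keyspace(charset_size, length):
    """Number of candidate passwords of exactly `length` over a charset,
    e.g. keyspace(62, 8) for 8 alphanumeric characters."""
    return charset_size ** length


def days_to_exhaust(space, attempts_per_day):
    """Worst-case days to try every candidate at a sustained guess rate."""
    return space / attempts_per_day


class LoginThrottle:
    """After `max_failures` consecutive failures from one client key, refuse
    every attempt from that key for `lockout_seconds` without checking the
    password. Hypothetical illustration of the policy proposed in the thread."""

    def __init__(self, secret, max_failures=3, lockout_seconds=900):
        self.secret = secret
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._state = {}  # client key -> {"fails": int, "locked_until": float}

    def attempt(self, client, password, now):
        """Return "locked", "ok" or "fail" for an attempt at time `now` (seconds)."""
        st = self._state.setdefault(client, {"fails": 0, "locked_until": 0.0})
        if now < st["locked_until"]:
            return "locked"  # rejected before the password is even compared
        # Constant-time comparison so the throttle itself leaks nothing.
        if hmac.compare_digest(password, self.secret):
            st["fails"] = 0
            return "ok"
        st["fails"] += 1
        if st["fails"] >= self.max_failures:
            st["fails"] = 0
            st["locked_until"] = now + self.lockout_seconds
        return "fail"


def guesses_checked_per_day(throttle, attempts_per_second=1):
    """Simulate one client guessing wrong once per tick for a day and count how
    many guesses actually reach the password comparison."""
    checked = 0
    for n in range(SECONDS_PER_DAY * attempts_per_second):
        now = n / attempts_per_second
        if throttle is None or throttle.attempt("attacker", "wrong-guess", now) != "locked":
            checked += 1
    return checked


if __name__ == "__main__":
    unlimited = guesses_checked_per_day(None)
    limited = guesses_checked_per_day(LoginThrottle("made-up-secret"))
    print(f"guesses/day: unlimited={unlimited}, 3-per-15min lockout={limited}, "
          f"slowdown={unlimited // limited}x")
    for label, space in [("8 alphanumeric chars", keyspace(62, 8)),
                         ("6 alphanumeric chars", keyspace(62, 6)),
                         ("10,000-word dictionary", 10_000)]:
        print(f"{label}: {days_to_exhaust(space, unlimited):,.1f} days unlimited, "
              f"{days_to_exhaust(space, limited):,.1f} days with lockout")
```

The simulation reproduces the post's figures exactly (86,400 checked guesses a day without a lockout, 288 with it, a factor of 300), and the keyspace lines show why the two defences are argued together: a lockout alone turns a 10,000-word dictionary from an afternoon's work into roughly a month, while a random 8-character alphanumeric password is already out of reach over the network at one guess per second and the lockout just pushes it further out. Two caveats from the same post carry over: a per-IP key is only as good as the attacker's supply of IP addresses, so a botnet walks around it, and any time-based ban should expire (the post suggests 24 hours) so a reassigned dynamic address does not lock out a legitimate player.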

---

Quote:

lol

You really think they'll send in the feds to a game-server hosting company?

Hi Espectro

Err yes

First hit from a 10 second Google search

Quote:

...According to reports, two people were arrested earlier this year amid claims that they had hacked into an online game server and awarded themselves huge amounts of cybercurrency, which they had then managed to exchange for 1.5 billion South Korean won (almost £800,000).
follow link for the full story

http://news.zdnet.co.uk/security/0,1000000189,39115585,00.htm

And of course the real crime is attempting to gain control of someone else's computer, even if it is the computer on their desktop. It is a good job the ambulance personnel in London outside Tiger Tiger did not have your attitude. Makes no difference to the police: crime is crime. A crime once reported to the police must be investigated by them, but if no one reports it, nothing will happen.

Most server hosts take it very seriously as it means their server security is breached and the computer next to the one that is hacked, with peoples credit card on it, is also vulnerable. Their business would be dead if it became known they did not report such crimes. In the UK it comes under the Data Protection Act. Every other country in Europe has a similar set of laws as does America.

Your server host is going to tell you that you should be doing what =JpS=SgtRock says and frankly you should be but if your server has any personal data from anyone else on it, such as forum, under the Data Protection Act it is your duty to protect that data. If you are not doing so you are breaking the law and I am sure all the persons, whose emails you keep on the server, are going to be a bit pissed at the increase in spam they suffer, as a result of your failing to look after their data.

Kind Regards walker

---

walker;

Unfortunately, the FBI has had a standing policy for years that they will not involve themselves in any cybercrime where there is no documentation that (a) the crime committed crossed state lines and (b) caused damages that exceeded $50,000US.

The stipulation for (a) arises because the FBI is limited to crimes that fall under Federal (but not international) statutes. However, they will get involved if a crime crosses national boundaries as long as the national police force in any other involved countries are willing to collaborate and laws in the other involved countries were broken.

The stipulation for (b) arises because the FBI has no interest in involving itself in petty crimes. Those kinds of crimes just aren't part of what they see as their official charter. Translation: It doesn't get a field agent props or a promotion.

The case that you cite shows that actual damages above $50,000US were demonstrated, so the FBI could get involved. Make sense?

