Dwarden 1125 Posted June 28, 2011 (edited)

This thread is intended for advice, tips, security questions and answers related to servers ... irrelevant posters receive an infraction, so don't post unless You are on subject

0. it's now fully recommended to use BattlEye even on closed community / passworded servers (due to additional layers of protection)

1. ATTENTION! Warning to All Admins! Emergency Responder to Event OMFGBBQFAIL#65535: http://dev-heaven.net/issues/20994

Immediately rename Your server -config= files to unique filenames!
http://community.bistudio.com/wiki/Arma2:_Startup_Parameters#Server_Options
http://community.bistudio.com/wiki/server.cfg
do NOT share these filenames with anyone who is not trustable! (ideally only Yourself)

Start using custom -BEpath= immediately
http://community.bistudio.com/wiki/BattlEye#The_-BEpath_location

More countermeasures for beserver.cfg soon!
beserver.cfg is now automatically renamed to beserver_active_[randomtext].cfg while the server is running to prevent this exploit.

Summary: move Your -profiles= , -config= and -BEpath= outside Your game/server directory and use unique filenames (yet rename of file not possible for beserver.cfg)

2. use verifySignatures=2; and v2 signatures on your server
v2 signatures are supported also in ARMA 2 version 1.10+ and ARMA 2:OA 1.59+!
http://community.bistudio.com/wiki/ArmA:_Addon_Signatures#Controlling_addon_signature_verification_on_the_server

3. Use RCON from BattlEye and its BEGUID to ban players, forget about in-game UID (they are easily spoofable and deprecated)

4. remove the regularCheck line from your config (or comment it out by ; in front of it), incorrect value negates the default setting now

255. if all fails then password the server up, remove reportIP from gamespy master line in config and play only with Your trustable friends, but that sort of prevents the public from reaching it ...

note: this is a WIP topic, so any text is subject to change w/o warning :D

Edited August 2, 2011 by Dwarden

.kju 3245 Posted June 28, 2011

A few notes:

1) -profile= => -profiles=
2) Add the link to the server.cfg for verifySignatures
3) Example of a parameter configuration:

Arma server location: c:\arma2server
Profiles location: c:\arma2profiles

    "-config=c:\arma2profiles\serverOA.cfg"
    "-cfg=c:\arma2profiles\basicOA.cfg"
    -name=OA
    "-profiles=c:\arma2profiles"
    "-BEpath=c:\arma2profiles"

(use as one line definition - multiline only for easier viewing)

GeeBee 0 Posted June 28, 2011

> Summary: move Your -profiles= , -config= and -BEpath= outside Your game/server directory and use unique filenames (yet rename of file not possible for beserver.cfg)

Very alarmed by this BTW!

I have a problem with this solution as I rent a dedicated box (GSP) and do not have access to the C drive, only the game directory. If I understand the fix, you are saying we need to place the above files out of the root and place them elsewhere. Not too clear for a noob!

.kju 3245 Posted June 28, 2011

You can also move it into a custom subfolder with custom names like

Arma server location: c:\arma2server
Profiles location: c:\arma2server\arma2profiles4711
BE location: c:\arma2server\BEpath4711
server4711.cfg
basic4711.cfg

GeeBee 0 Posted June 28, 2011 (edited)

Problem with GSP’s is you can’t override the Services Command Line but you do have a command line builder in CP with the options below. So the original command line is set to battleye default which would have to be done in the services menu within CP (which I don’t have access to).

Only options that I have are these

    -mod "Specify a mod"
    -config "enter server.cfg if default is needed"
    -world "Changes Default Starting World"
    -netlog "enable logging"
    -name "sets profile name"

The above use a tick box system and then you fill in the parameters like @xxxx;@yyyy or serverAAAA.cfg etc

I have managed to alter the server.cfg by changing its name and then running that in the command line changer but that’s all so far. Hope this makes some sort of sense as I am no expert in this field.

Edited June 28, 2011 by GeeBee

focher 15 Posted June 28, 2011

The bug on Dev Heaven is flagged as affecting the Linux server. Can you confirm it actually affects both Linux and Windows? The code shown in the bug doesn't have any apparent OS specific aspect, so just think it's good to confirm.

xeno 234 Posted June 28, 2011

It does affect both, Linux and Windows.

Xeno

hellfire257 3 Posted June 28, 2011

Thanks for this Dwarden. Will forward...

Xjiks 10 Posted June 28, 2011

> Immediately rename Your server -config= files to unique filenames!

what about windows "read-only" option for the file instead of renaming ?

Dwarden 1125 Posted June 28, 2011

> It does affect both, Linux and Windows.
> Xeno

just remember the script command can read files only inside the game dir, so please avoid placing game ROOT into ROOT of your system drive ! (i hope no one is dumb enough to actually do that ever)

---------- Post added at 18:16 ---------- Previous post was at 18:14 ----------

> what about windows "read-only" option for the file instead of renaming ?

i don't get how this would do anything
how will flagging file as read-only prevent engine to read the file? :)

did you read the original issue explained ? the problem is in-engine script command capable of reading any file within game own directory and subdirectories ...

so the simple way out of it is
1. rename the files from default/usual names
2. move them outside the game dir

---------- Post added at 18:34 ---------- Previous post was at 18:16 ----------

> > Summary: move Your -profiles= , -config= and -BEpath= outside Your game/server directory and use unique filenames (yet rename of file not possible for beserver.cfg)
>
> Very alarmed by this BTW!
>
> I have a problem with this solution as I rent a dedicated box (GSP) and do not have access to the C drive only the game directory. If I understand the fix you saying we need to place the above files out of the root and place else ware. Not too clear for a noob!

if you can't place files outside the game dir, then as i said in the workaround use unique filename no-one can figure out ...

i'm fully aware not everyone can move files outside the game dir, hence why i mentioned both approaches

yet i suggest use custom -bepath= to move the BE to uniquely named directory inside the game directory

i suggest to talk to Your host to add support for all newly introduced command-line options into the control panel

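Dwarden's point above is a containment rule: the script command reads only inside the game directory and its subdirectories. The following is an added example, not part of the thread or of any BI/BattlEye tool, that checks a launch line against that rule; the status labels, the `GUESSABLE` name list and the assumption that relative paths resolve against the game directory are illustrative choices, not engine facts.

```python
import ntpath
import re

# Options the thread says to relocate (matched case-insensitively).
WATCHED = ("config", "profiles", "bepath")
# Assumption: names treated as "default/usual" and therefore guessable.
GUESSABLE = {"server.cfg", "basic.cfg", "serveroa.cfg", "basicoa.cfg",
             "profiles", "battleye", "be"}

def parse_options(cmdline):
    """Split a Windows-style launch line into {option: value}, honouring quotes."""
    opts = {}
    for token in re.findall(r'(?:[^\s"]+|"[^"]*")+', cmdline):
        token = token.replace('"', "")
        if token.startswith("-") and "=" in token:
            name, value = token[1:].split("=", 1)
            opts[name.lower()] = value
    return opts

def is_inside(game_dir, path):
    """True if path resolves to game_dir or below ('..' collapsed, case ignored)."""
    root = ntpath.normcase(ntpath.normpath(game_dir))
    # Assumption: relative values are resolved against the game directory.
    full = ntpath.normcase(ntpath.normpath(ntpath.join(game_dir, path)))
    # Compare with a trailing separator so c:\arma2server_cfg is not "inside"
    # c:\arma2server; a game dir of c:\ makes the whole drive readable.
    return full == root or full.startswith(root.rstrip("\\") + "\\")

def audit_launch(game_dir, cmdline):
    """Classify each watched option: MISSING, OK_OUTSIDE, EXPOSED, OBSCURED_ONLY."""
    opts = parse_options(cmdline)
    report = {}
    for name in WATCHED:
        value = opts.get(name)
        if value is None:
            report[name] = "MISSING"          # advice not applied for this option
        elif not is_inside(game_dir, value):
            report[name] = "OK_OUTSIDE"       # out of the script command's reach
        elif ntpath.basename(ntpath.normpath(value)).lower() in GUESSABLE:
            report[name] = "EXPOSED"          # readable and guessable
        else:
            report[name] = "OBSCURED_ONLY"    # readable, protected only by its name
    return report

if __name__ == "__main__":
    # Constructed launch lines built from the paths quoted in this thread.
    game = r"c:\arma2server"
    print(audit_launch(game, r'"-config=c:\arma2profiles\serverOA.cfg" '
                             r'"-profiles=c:\arma2profiles" "-BEpath=c:\arma2profiles"'))
    print(audit_launch(game, r"-config=server.cfg -name=OA"))
```

`OBSCURED_ONLY` corresponds to the fallback suggested for hosts that cannot place files outside the game directory: the file is still within reach of the script command, and only the secrecy of its name protects it.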
bearbison 10 Posted June 29, 2011

> 2. use verifySignatures=2; and v2 signatures on your server
> v2 signatures are supported also in ARMA 2 version 1.10+ and ARMA 2:OA 1.59+!
> http://community.bistudio.com/wiki/ArmA:_Addon_Signatures#Controlling_addon_signature_verification_on_the_server

Not much good if your dedi doesn't have BAF or PMC installed as only those that don't have them can play as if players have them they get kicked.

Anyone have a fix for this without buying a copy specifically for the server to allow those that have them the ability to join?

xeno 234 Posted June 30, 2011

? BAF and PMC have version 2 signatures too. bi2 signatures. And that's the key you should have on your server if you've updated it correctly.

Xeno

Dwarden 1125 Posted June 30, 2011

You never install BAF or PMC data on dedicated server! for that exist Lite content ...

bearbison 10 Posted June 30, 2011

The server doesn't have BAF or PMC installed as it's never needed them and it has the v2 bikey but as soon as we run v2 signature checks anyone that has BAF and/or PMC installed gets kicked for wrong signatures.

If we remove BAF/PMC from our local installs we can connect and play properly, therefore unless I am missing something it looks like that since the server can't check the full BAF/PMC files against anything it kicks the players.

Some examples of the log (never kicks for the same file for the same person):

    20:22:59 Player [RIP]joina412: Wrong signature for file baf\addons\tracked_w_baf.pbo
    20:25:12 Player [RIP]Tyson: Wrong signature for file baf\addons\shapur_baf.pbo
    20:29:15 Player [RIP]welshterrorist: Wrong signature for file baf\addons\wheeled_w_baf.pbo
    20:44:31 Player [RIP]BearBison: Wrong signature for file baf\addons\sounds_baf.pbo
    20:45:43 Player [RIP]Tyson: Wrong signature for file ca\characters_d_baf\baf_soldier_2_baf.p3d
    20:48:02 Player [RIP]welshterrorist: Wrong signature for file pmc\addons\missions_pmc.pbo
    20:49:14 Player [RIP]AacAac: Wrong signature for file pmc\addons\modules_pmc.pbo
    20:50:42 Player [RIP]joina412: Wrong signature for file ca\characters_d_baf\baf_soldier_2_baf.p3d
    20:51:56 Player [RIP] BabylonCome: Wrong signature for file ca\characters_d_baf\baf_soldier_2_baf.p3d

The server files have been checked against my local files and are a complete match (less the BAF and PMC folders as not on server) so how do we fix?

.kju 3245 Posted June 30, 2011

tell these players to update their DLC to 1.02 BAF

focher 15 Posted July 1, 2011 (edited)

I have exactly the same problem as BearBison. I get kicked off my dedicated server with v2 enabled for various wrong signatures on BAF/PMC files. I'm using Steam, so pretty sure I have the latest version of both BAF and PMC.

Just to be sure, I completely deleted the BAF and PMC folders in the OA root directory. This forced the reinstallation of both when I launched OA. Still get the kick/ban for a wrong signature. It's a different file each time.

Edited July 3, 2011 by Focher

bearbison 10 Posted July 1, 2011

> tell these players to update their DLC to 1.02 BAF

All players are fully updated, one is a clean install who even tried using the separate patch for the DLC's after the v1.59 patch just in case there was an issue with the combined patch.

Dwarden 1125 Posted July 1, 2011

do you have \Keys\ (this one should not be needed but depends where you have actual profile root) and \Expansion\Keys\ with latest bi2.bikey bi.bikey files?

focher 15 Posted July 1, 2011

My profile root is the default. I don't use the -profiles command line when starting the server.

I checked the MD5 hashes across all 3 computers for both bi.sgn and bi2.sgn located under the OA root "keys" folder and the "expansion/keys". It's the same for all of them.

bi.bikey - f40916be05b3bfd8bdb860275ce922e3
bi2.bikey - 5b5c9a1e7033150e8ffe7307ce385b25

On both the server and the client, I have both Arma 2 and OA installed through Steam. Have done a Verify Cache multiple times to ensure everything is fine. I then issued the following commands for both client and server to make OA into a CO configuration. Client is launching from Steam.

    mklink /j ".\Addons" "..\ARMA 2\Addons"
    mklink /j ".\Dta" "..\ARMA 2\Dta"
    mklink /j ".\Keys" "..\ARMA 2\Keys"
    mklink /j ".\userconfig" "..\ARMA 2\userconfig"

Server Start Command File

    cd "d:\Steam\steamapps\common\arma 2 operation arrowhead\"
    arma2oaserver -config=d:\Server-Cfg\server.cfg -cfg=d:\Server-Cfg\serverbasic.cfg -BEpath=d:\Server-Cfg\BE -netlog

server.cfg

    hostname="Server Name";
    password="";
    passwordAdmin="XXXXXXXXXXXXXXXXXXXXX";
    reportingIP="arma2oapc.master.gamespy.com";
    logFile="server_console.log";
    motd[]=
    {
        "Welcome",
    };
    motdInterval=2;
    checkfiles[]={};
    maxPlayers=64;
    kickDuplicate=1;
    verifySignatures=2;
    equalModRequired=0;
    voteThreshold = 5;
    voteMissionPlayers=5;
    disableVoN=0;
    vonCodecQuality=10;
    persistent=1;
    onUserConnected="";
    onUserDisconnected="";
    doubleIdDetected="";
    onUnsignedData="kick (_this select 0)";
    onHackedData="ban (_this select 0)";
    onDifferentData="Vanilla Only!";
    BattlEye=1;
    class Missions
    {
        class Domination_AI
        {
            template="co30_Domination_2_60c_West_OA.Takistan";
            difficulty="Expert";
        };
    };
    Windowed=0;

serverbasic.cfg

    MaxMsgSend=2048;
    MaxSizeGuaranteed=1024;
    MaxSizeNonguaranteed=64;
    MinBandwidth=20480000;
    MaxBandwidth=40960000;
    MinErrorToSend=0.0099999998;
    MaxCustomFileSize=131720;
    adapter=-1;
    3D_Performance=1;
    Resolution_W=0;
    Resolution_H=0;
    Resolution_Bpp=32;
    Windowed=0;

If I switch back to version 1 signatures, I don't get the error / kick / ban.

Dwarden 1125 Posted July 2, 2011

so i have no idea what's wrong, can You get me list of all files these players have
\PMC
\BAF

same goes i need list of the server files (ideally MD5 hashes included)

also what's your server IP ?

focher 15 Posted July 3, 2011

> so i have no idea what's wrong, can You get me list of all files these players have
> \PMC
> \BAF
>
> same goes i need list of the server files (ideally MD5 hashes included)
>
> also what's your server IP ?

Hi, I kind of feel like I hijacked this thread so I'll put that information in the other thread I created at Wrong Signature - v1 / v2.

$able 2 Posted July 6, 2011

> ATTENTION! Warning to All Admins!
> Emergency Responder to Event OMFGBBQFAIL#65535: http://dev-heaven.net/issues/20994
> [...]
> More countermeasures for beserver.cfg soon!

beserver.cfg is now automatically renamed to beserver_active_[randomtext].cfg while the server is running to prevent this exploit.

nomad_man 10 Posted July 7, 2011 (edited)

Sable, we have an issue with our linux box. The server reports only 500MB ram usage. Which is normal for us. However, it is actually eating up all 4Gigs of RAM. Furthermore, BE fails to start with -bepath full or relative. And the beserver.so gets automatically deleted.

And question #2: if we run multiple servers off the same config, will that "autorename" interfere with each other?

FYI: the file gets renamed to beserver_ac<random>.cfg and not the format you posted.

Edited July 7, 2011 by nomad_man

eddieck 10 Posted July 7, 2011

Yeah, we're having the same issue. RCon stops working randomly (when the file gets renamed) and beserver.so gets removed.

nomad_man 10 Posted July 7, 2011

do you get increased ram usage too?