hdzbot being compromised...
  • #16
    Touché.

    • #17
      Originally posted by Avalanche
      This has been a good experience I suppose, as it finally got me to take the time to do what I should have done a long time ago. This took me a few days; the server is now Fort Knox. I only regret that it took so much time away from my other obligations this week.

      These are the steps that I've taken:
      • The server now has a firewall.
      • All traffic is denied except for what I explicitly enable.
      • All ICMP and other traffic is dropped except for a very select few, limited, secret IP ranges, thus allowing both myself and the datacenter to continue to do remote server monitoring. (Revealing what the ranges are, would in itself, open up the server to spoofed-packet DDoS attacks.)
      • A rule was created that tells the firewall to drop all traffic to any service that suddenly experiences abnormally high traffic, thus allowing the server and all other services to continue to function normally.
      • The datacenter has what is approaching 1 Tbps of total bandwidth. (FYI, 1 Tbps is approaching the bandwidth that entire continents are connected at.) If a DDoS attack does occur, traffic is further blocked at the datacenter's core distribution layer before it even gets close to the server's 1 Gbps connection.
      • I've had constant problems with Microsoft RDP and RPC vulnerabilities, which is how I suspect that this one may have occurred, but haven't yet verified it. This isn't the first. I've learned my lesson about laziness now. Because of this, access to the machine must now be done through the server's backend network, using PPTP VPN tunneling, and encrypted using a VeriSign SSL authentication certificate.
      • I updated the server with all the related above critical security patches.
      • Furthermore, since I'm now able to access the server perfectly fine from the private backend, I can still login and make any necessary rule changes, were a DDoS attack to occur.
      • The Quake servers now run in their own self-contained virtual machine "bubble"--any code that might be run by a malicious modder will now be limited, at best. This is an overt security hole that I've been well aware of for a long time (since day one). I obviously wasn't going to advertise this and point it out until I fixed it. I relied only on my trust in the community, given that I'm providing these services for free. I still do place this trust in everyone. But I'm taking reasonable precautions now. Writing a backdoor into Quake1, given that it is open source, is about as easy and straightforward as it gets to any moderately experienced programmer. Exploiting these types of things rarely requires any skill or detailed knowledge, but rather only one to be an asshole and the inability to look at oneself in the mirror with any degree of self-respect/worth/esteem. (See above: Publicly known RDP/RPC vulnerabilities.)
      • Even if this were to still be done, the Quake servers are now on an auto-scheduled backup to a location outside of the "bubble" on a completely different server, thus making any attempts of this nature somewhat pointless.


      So how do you like that? With that said, the Quake servers are now back up! Enjoy! Take care everyone.

      Cheers,
      Jonathan

      Why not just upgrade to FreeBSD and forget the worries?

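      The hardening list above describes three firewall behaviours: default deny with an explicit allow-list of services, ICMP accepted only from a few monitoring ranges, and a rule that sheds all traffic to any single service whose packet rate suddenly spikes so the rest of the server keeps working. The following is an added example that models exactly that policy as a small packet evaluator; it is not the hdzbot server's ruleset or anything Jonathan posted. The monitoring ranges, allowed ports and rate threshold are constructed placeholders (the real ranges are deliberately secret in the post), and the sample packets are constructed too.

```python
"""Toy firewall policy evaluator: default deny, ICMP allow-list, per-service
rate shedding. Constructed example; not the hdzbot server's actual ruleset."""
from collections import defaultdict, deque
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed policy values (placeholders from the TEST-NET documentation ranges).
MONITOR_RANGES = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/24")]
ALLOWED_SERVICES = {("udp", 26000), ("tcp", 443)}  # Quake and HTTPS; assumed
RATE_LIMIT = 20          # packets per service per window before it is shed
WINDOW_SECONDS = 1.0     # sliding window used for the rate count


@dataclass(frozen=True)
class Packet:
    ts: float     # arrival time in seconds
    src: str      # source IPv4/IPv6 address
    proto: str    # "tcp", "udp" or "icmp"
    dport: int    # destination port; 0 for icmp


class Firewall:
    def __init__(self):
        self._recent = defaultdict(deque)  # service -> recent arrival times
        self.shed = set()                  # services currently being dropped

    def verdict(self, pkt):
        """Return "accept" or "drop" for one packet, updating rate state."""
        # ICMP is only accepted from the secret monitoring ranges.
        if pkt.proto == "icmp":
            src = ip_address(pkt.src)
            return "accept" if any(src in n for n in MONITOR_RANGES) else "drop"
        svc = (pkt.proto, pkt.dport)
        # Default deny: anything not explicitly enabled is dropped (RDP included).
        if svc not in ALLOWED_SERVICES or svc in self.shed:
            return "drop"
        # Sliding-window rate count per service.
        q = self._recent[svc]
        q.append(pkt.ts)
        while q and pkt.ts - q[0] > WINDOW_SECONDS:
            q.popleft()
        if len(q) > RATE_LIMIT:
            # Abnormally high traffic: shed this service only, leave the rest up.
            self.shed.add(svc)
            return "drop"
        return "accept"

    def release(self, svc):
        """Admin action (over the private backend) to re-enable a shed service."""
        self.shed.discard(svc)
        self._recent.pop(svc, None)


def simulate():
    """Run constructed traffic through the policy and return key outcomes."""
    fw = Firewall()
    out = {}
    out["icmp_monitor"] = fw.verdict(Packet(0.0, "192.0.2.5", "icmp", 0))
    out["icmp_other"] = fw.verdict(Packet(0.0, "203.0.113.9", "icmp", 0))
    out["rdp"] = fw.verdict(Packet(0.0, "203.0.113.9", "tcp", 3389))
    # 25 Quake packets inside one second: the first 20 pass, the rest are shed.
    flood = [Packet(i * 0.01, "203.0.113.9", "udp", 26000) for i in range(25)]
    verdicts = [fw.verdict(p) for p in flood]
    out["quake_accepted"] = verdicts.count("accept")
    out["quake_dropped"] = verdicts.count("drop")
    # Another service keeps working while the Quake port is shed.
    out["https_during_shed"] = fw.verdict(Packet(0.3, "198.51.100.7", "tcp", 443))
    out["shed"] = sorted(fw.shed)
    fw.release(("udp", 26000))
    out["quake_after_release"] = fw.verdict(Packet(5.0, "203.0.113.9", "udp", 26000))
    return out


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k}: {v}")
```

      The shedding rule is deliberately per-service, so a flood on the Quake port leaves HTTPS and the backend path untouched, matching the post's point that other services "continue to function normally"; the shed state persists until an administrator releases it, which in the post is done from the private backend network.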


      • #18
        I can't connect to the CTF server.
        Cbuf_AddText (va("say ZeroQuake GL version 1.10\n"));



        • #19
          Vis, I and others cannot connect to any port on the hdz box? I see the connection accepted but then it just hangs. Reset the server? Also, could you PM me my FTP info; I had to reinstall and lost my FTP settings.

          Oops, just read Ava's message; I'll just refresh my connection, maybe it will accept.
          www.quakeone.com/qrack | www.quakeone.com/cax| http://en.twitch.tv/sputnikutah
