Make the RCON password empty in your server.cfg file. You could have googled this easily by the way.

had alot of conflicting issues with people from facepunch related to the topic, lot of arguing and bickering about it. the srcds is for garrys mod

You could also block tcp traffic for the port your server is running on as RCON uses tcp whereas the game traffic is using udp.

Sepp eredeti hozzászólása:

You could also block tcp traffic for the port your server is running on as RCON uses tcp whereas the game traffic is using udp.

This is better..
Theres a lot of exploits usable on rcon protocol, its better to just block it all, or only allow to certain ip..

does anybody know how to setup an iptable rule for that? currently I have it set to blank atm but better security and control over network activity always sounds good to me. I am on ubuntu 16.04 atm.

Usually its something like this to completely block
iptables -A INPUT -p tcp --destination-port {PORT-NUMBER-HERE} -j DROP

You will need further research to allow some ip.

iptables -A INPUT -p tcp --destination-port 27125,27225,27325 -j DROP

so if I have 3 instances of srcds_linux open with thier own ports specifically for them this is how I'd block rcon completly correct?

(btw a slight bit of background is important here) I've done some stuff with iptables already just getting things exactly right isn't always my strong suit. I'm currently running 3 servers on gmod aswell as a teamspeak3 server. These are all running on the same machine btw with their resources devided out as they need them so they don't interfere with each other. will I run into any sort of issues with this sort of setup in the iptables? I want to ensure all 4 are fully up and running while also being secure aswell. as for rcon I won't need to worry about whitelisting an ip or anything. I have a seperate admin module currently in testing which removes the need for a rcon. and even if I need rcon I can easily log into my vps and do things to the server console from there. makes things pretty secure and easy aswell.

a side follow up question that I hadn't thought about. is there a way to target specifically which processes have access and such for ports/connections?

like for example srcds_A can have connections for players only thought port 27125, and srcds_B is using 27225? so if anybody tries to for example send data in through a port which normally accepts connections to srcds but is non-player info it drops that (I noticed that there is also 27005 for some reason but not sure what that port is used for)

if anybody has any other security tips btw for ports/iptables its greatly appreciated. alot of new things keep getting brought to my attention with network stuff and its alot for 1 guy to figure out all of it and ensure the best possible enviornment for players.

I've more or less an identical setup and my approach to iptables is that I only allow what I need and drop any other traffic. The rulebase is built like this:

- Allow ssh to the server (only for a limited amount of networks my provider is using)
- Allow udp to the ports the srcds servers are running on (from any ip)
- Allow udp 9987 to the teamspeak3 server (from any ip)
- Drop any other traffic

An anonymized example:

seems kinda similar to what I already have setup(I think)

what are these 2 lines however? I'm not familiar with what they do. the others are pretty straight forward.
iptables -I INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

Rapadant NetworksVaasKahnGrim eredeti hozzászólása:

seems kinda similar to what I already have setup(I think)

what are these 2 lines however? I'm not familiar with what they do. the others are pretty straight forward.
iptables -I INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

The first one is loopback, just like windows 127.0.0.1
No ideia what the second one is..

Since we are talking about, its good ideia to put some protection on it..
my iptables rules:

#!/bin/bash --
LANG=C; LC_ALL=C; export LANG LC_ALL
iptables -F; iptables -X

# List policies first
iptables -P INPUT DROP; iptables -P FORWARD DROP; iptables -P OUTPUT ACCEPT

# Always allow loopback
iptables -A INPUT -i lo -j ACCEPT

# Performance-wise let this back in early:
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT

# Allow public services (SSH & game server, needs more ports if you require Sour ce TV). If you require a range do something like --dport 27015:27100.
iptables -A INPUT -m state --state NEW -m udp -p udp --dport 25594 -j ACCEPT

# L4D2 anti DoS attack (Block incorrect length UDP packages which are never used for the game).

iptables -I INPUT -p udp --dport 25594 -m length --length 0:32 -j DROP
iptables -I INPUT -p udp --dport 25594 -m length --length 2521:65535 -j DROP
iptables -A INPUT -p udp -j DROP

# No traffic should reach this line (And log every traffic that's not allowed in the rules above).
iptables -A INPUT -j LOG --log-prefix "IN_LEFTOVERS "
iptables -A OUTPUT -j ACCEPT

exit 0

I took it from the srcds forums or alliedmodders forums, modified by my needs.
My gameport is 25994.

Rapadant NetworksVaasKahnGrim eredeti hozzászólása:

seems kinda similar to what I already have setup(I think)

what are these 2 lines however? I'm not familiar with what they do. the others are pretty straight forward.
iptables -I INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

The first one was already explained by Blaquicat.
The second one is to allow answer packets for sessions which your server has initiated (for example OS updates, srcds updates, etc.)