Unauthorized users have rcon to my server! What's the fix?

CoD, CoD2, CoD4, and CoD:WaW

Post by Edge100x » Thu Jul 01, 2010 10:49 am

Quake-engine servers have a bug that allows for the server.cfg (and any other configuration file) to be sent to any client that asks for it. In doing this, the client can easily learn your rcon password.

The good news is that a workaround is very simple. We can set your server's command line up so that it executes a configuration file like serverADKJAGHYU1213215.cfg -- with random letters and numbers making it into a sort of password of its own, and which clients won't be able to guess and download.

This workaround is made possible by the fact that clients can't get a list of files on the server; they can just request specific files by name. Using an unguessable configuration file name ensures that your file can't readily be snooped.
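One way to apply the workaround described above, as an added example that is not part of the original post: it renames `server.cfg` to a name with 128 random bits and lists config files that still have guessable names. The function names, the list of common file names, and the `+exec` launch argument in the comments are assumptions; adapt them to your own install.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): give the server config an
# unguessable file name and check for leftover copies with guessable names.

# Print a name like server<32 hex chars>.cfg. 16 bytes from /dev/urandom is
# 128 bits, so a client cannot find the file by requesting candidate names.
random_cfg_name() {
    local suffix
    suffix="$(head -c 16 /dev/urandom | od -An -tx1 | tr -dc '0-9a-f')"
    printf 'server%s.cfg\n' "$suffix"
}

# Rename <dir>/server.cfg to a random name and print the new name.
# Fails without touching anything if there is no server.cfg to rename.
rotate_cfg() {
    local dir="$1" new
    [ -f "$dir/server.cfg" ] || { echo "no server.cfg in $dir" >&2; return 1; }
    new="$(random_cfg_name)"
    mv -- "$dir/server.cfg" "$dir/$new"
    printf '%s\n' "$new"
}

# List files in <dir> that a client could still request by name.
# The candidate names are a constructed sample of common defaults and
# editor/backup leftovers; extend the list for your own setup.
guessable_cfgs() {
    local dir="$1" f
    for f in server.cfg server.cfg.bak server.cfg.old server.cfg~ config.cfg; do
        [ -e "$dir/$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# Typical use (the directory is a placeholder, +exec is assumed to be how
# your server's command line runs a config file):
#   new="$(rotate_cfg /path/to/server/main)"
#   guessable_cfgs /path/to/server/main     # should print nothing
#   ...start the server with:  +exec "$new"
```

Because the old file may already have been downloaded, set a new rcon password in the renamed file as well.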
