
Unauthorized users have rcon to my server! What's the fix?

Posted: Thu Jul 01, 2010 10:49 am
by Edge100x
Quake-engine servers have a bug that allows for the server.cfg (and any other configuration file) to be sent to any client that asks for it. In doing this, the client can easily learn your rcon password.

The good news is that a workaround is very simple. We can set your server's command line up so that it executes a configuration file like serverADKJAGHYU1213215.cfg -- with random letters and numbers making it into a sort of password of its own, and which clients won't be able to guess and download.

This workaround is made possible by the fact that clients can't get a list of files on the server; they can just request specific files by name. Using an unguessable configuration file name ensures that your file can't readily be snooped.
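
The rename described above can be scripted. This is an added example, not part of the original post or the host's tooling. The function names, the 24-hex-character suffix and the demo directory are assumptions, and the sample files are constructed. It also lists any other .cfg files that still have guessable names, since the post notes that any configuration file can be requested.

```shell
#!/bin/sh
# Added example: move server.cfg to an unguessable name and audit the rest.
# Function names and the suffix length are assumptions, not from the post.

# 12 bytes from the kernel CSPRNG, printed as 24 hex characters (96 bits).
random_suffix() {
    head -c 12 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# harden_cfg DIR: rename DIR/server.cfg to DIR/server<random>.cfg
# and print the new file name on stdout.
harden_cfg() {
    dir=$1
    old="$dir/server.cfg"
    [ -f "$old" ] || { echo "no server.cfg in $dir" >&2; return 1; }
    new="server$(random_suffix).cfg"
    mv -- "$old" "$dir/$new" || return 1
    printf '%s\n' "$new"
}

# guessable_cfgs DIR: list .cfg files whose names carry no 24-hex token,
# i.e. files a client could still request by guessing the name.
guessable_cfgs() {
    for f in "$1"/*.cfg; do
        [ -e "$f" ] || continue
        name=${f##*/}
        printf '%s\n' "$name" | grep -Eq '[0-9a-f]{24}' || printf '%s\n' "$name"
    done
}

# Demo on constructed files in a throwaway directory.
demo() {
    d=$(mktemp -d)
    printf '// constructed sample config\n' > "$d/server.cfg"
    printf '// constructed sample config\n' > "$d/maprotation.cfg"
    renamed=$(harden_cfg "$d") || return 1
    echo "server command line should now use: +exec $renamed"
    echo "config files still under guessable names:"
    guessable_cfgs "$d"
    rm -rf "$d"
}
demo
```

Any file the audit lists would need the same treatment, along with updating whatever exec line refers to it.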