Best way to protect Rcon but still use it?

paradox7
New to forums
Posts: 3
https://www.youtube.com/channel/UC40BgXanDqOYoVCYFDSTfHA
Joined: Sun Dec 29, 2013 5:28 am

Best way to protect Rcon but still use it?

Post by paradox7 »

I posted a support ticket on this and they suggested I post the question here. I have many GMod servers with NFO and I absolutely must have rcon access to manage them all. I can get 200 players on at a time. My issue is, though I had sv_allowcslua and sv_allowupload both set to 0, and a random 16-digit rcon pw with characters and symbols, 2 of my servers were still hacked. I did check all the Lua files to determine if a backdoor was included in any of my addons and could find nothing. I tried turning off rcon for a couple of days (as I know this is safest), but I simply can't effectively administrate all my servers with it off. The folks at NFO tried putting +rcon_password in the startup line but every time the server restarted, rcon_password reset to "".

Can you offer any suggestions other than just getting rid of half my servers?
soja
This is my homepage
Posts: 2389
Joined: Fri May 18, 2012 3:20 pm

Re: Best way to protect Rcon but still use it?

Post by soja »

If you use a VDS or a managed dedi, you can use the firewall tab to whitelist your IP, and block all others from rcon.

Make these rules (in order):
1.) Accept all incoming packets from IPs:
In the list of IPs, put your home IP, as well as any other administration tools (SourceBans, etc.).

2.) Block TCP packets from any IP on any port, to your server IP on port 27015


If you did this properly, you should be able to access RCON, and everyone else's packets will be blocked at the firewall (before they even reach the game server). In theory, even with your rcon password, people won't be able to issue rcon commands on your server.
Not a NFO employee
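
Added example, not part of either post and not NFO's firewall code: a small Python model of the two rules above that checks what they do to admin RCON, outside RCON attempts and ordinary player traffic, and what happens if the order is swapped. It assumes first-match rule evaluation with a default of accept; the IP addresses are constructed documentation-range values, and `Rule`, `decide` and `audit` are hypothetical names.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                  # "accept" or "block"
    sources: tuple               # CIDR strings; "0.0.0.0/0" means any source
    proto: str = "any"           # "tcp", "udp" or "any"
    dport: Optional[int] = None  # None means any destination port

    def matches(self, src, proto, dport):
        ip = ipaddress.ip_address(src)
        return (any(ip in ipaddress.ip_network(n) for n in self.sources)
                and self.proto in ("any", proto)
                and self.dport in (None, dport))

def decide(rules, src, proto, dport, default="accept"):
    """First matching rule wins (assumption); unmatched packets get the default."""
    for rule in rules:
        if rule.matches(src, proto, dport):
            return rule.action
    return default

# Constructed values: home IP and a SourceBans host, from a documentation range.
ADMIN_IPS = ("203.0.113.10/32", "203.0.113.20/32")
RCON_PORT = 27015  # Source RCON is TCP on the game port; gameplay itself is UDP

RULES = [
    Rule("accept", ADMIN_IPS),                        # rule 1: whitelist admins
    Rule("block", ("0.0.0.0/0",), "tcp", RCON_PORT),  # rule 2: drop all other TCP
]

def audit(rules):
    """Run three probe packets through the rule list and report each verdict."""
    probes = {
        "admin_rcon":    ("203.0.113.10", "tcp", RCON_PORT),
        "stranger_rcon": ("198.51.100.7", "tcp", RCON_PORT),
        "player_game":   ("198.51.100.7", "udp", RCON_PORT),
    }
    return {name: decide(rules, *pkt) for name, pkt in probes.items()}

if __name__ == "__main__":
    print("as posted:", audit(RULES))
    print("reversed :", audit(list(reversed(RULES))))
```

With the rules in the posted order, only the whitelisted addresses reach RCON while UDP game traffic is untouched; with the order reversed, the block rule matches first and the admin is locked out as well.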