Server Security
For Linux Users
Never run your server as root because this can make your whole system vulnerable!
- CS2D crashes (or stops processing net requests) when it receives empty UDP packets. Use this iptables rule to block empty packets:
iptables -A INPUT -p udp -m length --length 0:28 -j DROP
--length 0:28 selects packets with a length of 0 to 28 bytes. 28 bytes is the UDP header size. Packets with a size of 28 bytes consist of header only and have no payload. CS2D does not use empty UDP packets, but other applications might. In that case, limit the rule to the port(s) you are using for CS2D servers.
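The port-limited form of the rule above, as an added example that is not part of the original CS2D documentation. The port 36963 is a sample value, and the dry-run default and the APPLY switch are assumptions of this script, not CS2D or iptables features.

```shell
#!/bin/sh
# Added example, not part of the CS2D documentation.
# Scopes the empty-UDP DROP rule to the given CS2D server ports.
# Assumptions: ports come in as arguments (36963 in the usage line is a
# sample value); APPLY=1 is this script's own switch, default is dry run.
# Usage: sh cs2d-empty-udp.sh 36963            (print the commands)
#        APPLY=1 sh cs2d-empty-udp.sh 36963    (as root: install the rules)

# valid_port PORT: succeeds only for an integer in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*|??????*) return 1 ;;   # empty, non-digit, or too long
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# rule_spec PORT: prints the rule without the -A/-C action.
rule_spec() {
    printf 'INPUT -p udp --dport %s -m length --length 0:28 -j DROP' "$1"
}

# apply_rules PORT...: one rule per valid port; invalid ports are skipped.
apply_rules() {
    for port in "$@"; do
        if ! valid_port "$port"; then
            echo "skipping invalid port: $port" >&2
            continue
        fi
        spec=$(rule_spec "$port")
        if [ "${APPLY:-0}" = 1 ]; then
            # $spec is split into words on purpose.
            # -C tests whether the rule already exists, so reruns add nothing.
            iptables -C $spec 2>/dev/null || iptables -A $spec
        else
            echo "iptables -A $spec"
        fi
    done
}

apply_rules "$@"
```

Because -A appends, an earlier INPUT rule that already accepts UDP on the port takes precedence and the DROP is never reached; check the order with iptables -L INPUT -n --line-numbers.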
Important Settings
The most important settings for server security:
- sv_usgnonly: Allow only U.S.G.N. users to join your server (1) or everyone (0, default). Use this if you have problems with cheaters, and use banusgn to ban them.
- sv_password: The password of your server. You should choose a long password with letters and numbers if you don't want random people to join. Otherwise keep it empty.
- sv_rcon: RCon stands for remote control. Remote control can be a security risk and you should only use it if necessary. Choose a long password with letters and numbers if you want to use RCon. Also consider using sv_rconusers to restrict RCon access to certain U.S.G.N. users (much safer and highly recommended!). Another important RCon-related command is mp_maxrconfails. It sets how many failed login attempts are allowed. Further attempts will be ignored. The default is 5 attempts, which should be okay for most servers.
- mp_kickpercent: Controls how many votes are required to votekick players. Default is 0.66 = 66% of all players in the same team.
- mp_maxclientsip: How many players with the same IP are allowed on your server? Default is 5. You have to increase this value if many people from within the same network want to join. Set it to 1 if you have problems with join-flooders and fake players that have the same IP.
- mp_floodprot: This is a primitive attack protection against DoS (denial of service) attacks from one single source. Your server will cease to respond to UDP packet flooders automatically when this setting is enabled. Make sure that it is set to 1 (activated). You normally never have to disable this protection!
- mp_reservations: A list of U.S.G.N. IDs of users that are always allowed to join. The server will automatically kick players if there is no free player slot for joining. Consider adding your admins to this list, especially if you are using RCon and sv_rconusers!
- sv_checkusgnlogin: You should set this setting to 1 (default) if you are using sv_usgnonly or sv_rconusers or mp_reservations or Lua scripts that use the U.S.G.N. ID. It will make sure that the U.S.G.N. ID of players is correct before it allows them to join.
- There is more: Full list of all security related CS2D settings
External Remote Control (RCon)
External RCon is allowed as soon as you set an RCon password. It lets you control your server without joining it. This can be done through a serverlist context menu or 3rd party tools. External RCon can be a risk because it sends your RCon password unencrypted. It is recommended to always use sv_rconusers, which restricts RCon access and automatically disables external RCon as well.
Check your Logs
Strange things happen on your server? Check the log files! You can find all your log files in sys/logs/ in your CS2D folder.