| View previous topic :: View next topic |
| Author |
Message |
farmorg
Tux's lil' helper
Joined: 14 Jun 2003
Posts: 76
Location: Leicester (UK)
|
 Posted: Sat Jun 05, 2004 9:16 pm Post subject: Quake 3 server - Hardened? |
 |
|
Hi all
I want to set up a dedicated quake 3 server that will be accesable to all from the internet. The server will be behind my firewall in my DMZ however, my question is - should I do an install of hardened Gentoo? Is this nesesary or am I being paranoid?
farmorg
_________________
Master farmorg
May the source be with you |
|
| Back to top |
|
 |
ygreen
n00b
Joined: 30 Apr 2004
Posts: 20
Location: Pacifica, CA
|
| Posted: Sun Jun 06, 2004 6:07 am Post subject: Its not the OS, its your service... |
|
|
Its not the OS you should worry about, its how secure your service is. Quake1 was filled with stack overflow bugs that could let a determined intruder get access to your box. You can have the most expensive Cisco firewall and have the tightest most secure kernel but if just one service running on an open port allows someone to push a command onto the execution stack everything else is useless.
I'd go check out some boards where others post about running and maintaining Q3 servers. Chances are the community will already know if there are any serious holes in the game code that will allow someone to compromise the server thats running it. |
|
| Back to top |
|
|
R-Type
n00b
Joined: 22 Sep 2002
Posts: 62
|
| Posted: Sun Jun 06, 2004 7:02 am Post subject: |
|
|
this is what I do
useradd quake3
mkdir /opt/quake3
chown quake3:root /opt/quake3
copy/install your quake3 tree to this dir
chown quake3:root /opt/quake3/* -R
(obviously make sure rwx permissions are sane after doing this)
to start the server, I use a script like this:
${mod}=${1}
screen -A -m -d -S q3${mod} su - quake3 -c "/opt/quake3/q3ded +set fs_basepath "/opt/quake3" +set fs_homepath"/opt/quake3/${mod}-homedir" +set net_port 27960 +set fs_game ${mod} +set othervars"
usage: startded <moddir>
root@outworld quake3#./startded cpma
This would start a cpma server running under the quake3 user rather than root. The screen command runs the server in a floating terminal session you can connect and disconnect from at will, keeping all of your VTs available. This is of course entirely optional. The critical part is the 'su - quake3 -c "q3ded cmdline"
screen -ls will list running screen sessions. CTRL A-D will detatch, and screen -r <q3${mod}> will bring you back again.
The fs_homepath and basepath dirs tell quake3 to NOT try and use the standard homedir layouts for saving configs and logs (/home/quake3/.q3a/root/.q3a).
I know gentoo has an /etc/init.d server setup for some of the available mods, but a few are broken and run under different/conflicting users/groups, so I don't use them.
Unfortunately, su will refuse to function unless a valid shell is listed for user quake3 in /etc/passwd :\. However, as long as there's no password defined, it should be impossible to get a remote shell via the standard login, If quake3 itself is cracked, the attacker only gets a shell under 'quake3' which is all but useless. You cannot really chroot quake3 as some of the dll mods have system library dependencies. You could try creating a minimalist environment inside /opt/quake3 by copying the req'd system libs and /bins over. I have not tried this. |
|
| Back to top |
|
|
Tharkun
Tux's lil' helper
Joined: 02 May 2002
Posts: 106
|
| Posted: Sun Jun 06, 2004 1:15 pm Post subject: |
|
|
| Quote: | | If quake3 itself is cracked, the attacker only gets a shell under 'quake3' which is all but useless. |
Wrong! Unless your system has _no_ local vulnerabilities there is still a chance to get root. Most people don't bother to patch local vulnerabilities. That said, running a gameserver as root is really not a good idea and a separate user is at least an obstacle.
Also you don't need to have a shell defined in /etc/passwd to make a process spawn a shell :) |
|
| Back to top |
|
|
R-Type
n00b
Joined: 22 Sep 2002
Posts: 62
|
| Posted: Wed Jun 09, 2004 6:06 pm Post subject: |
|
|
| Tharkun wrote: | | Quote: | | If quake3 itself is cracked, the attacker only gets a shell under 'quake3' which is all but useless. |
Wrong! Unless your system has _no_ local vulnerabilities there is still a chance to get root. Most people don't bother to patch local vulnerabilities. That said, running a gameserver as root is really not a good idea and a separate user is at least an obstacle.
Also you don't need to have a shell defined in /etc/passwd to make a process spawn a shell :) |
Yes that is true, especially possible with quake due to its long history of overflow exploits. I guess I should have made this clear as well. To answer farmorg's question: Yes, I think a hardened system is overkill for a game server in most instances. However, if your server is popular with the gamer-script-kiddie crowd, maybe it would be a good idea :). |
|
| Back to top |
|
|
wolf31o2
Retired Dev
Joined: 31 Jan 2003
Posts: 628
Location: Mountain View, CA
|
| Posted: Thu Jun 10, 2004 12:54 pm Post subject: |
|
|
The problems that you would run into using Hardened would far outweigh the benefits. For one, you might not be able to execute Quake *at all* from a hardened box without loosening many of the same controls which make the box secure. All in all, you end up having to disable enough that it is hardly worth it.
If you designed the box properly, you could use gentoo-sources (or grsec-sources) and a *sane* set of grsecurity options, along with a chrooted environment for your Quake server. This would greatly reduce the impact of any possible exploits, while still allowing for Quake to run properly. I would also suggest turning on the sysctl interface for grsecurity, so you can enable the options while running, to figure out a set of options that provides the most security while still not interfering with the game's functionality. At tha time, I would hard code those options as "on" in the kernel configuration, turn off the sysctl interface for grsecurity, and recompile your kernel to reduce the possibility of anyone turning off your nice security features.
_________________
Ex-Gentoo Developer
Catalyst/Genkernel Development Lead
http://wolf31o2.org |
|
| Back to top |
|
|
farmorg
Tux's lil' helper
Joined: 14 Jun 2003
Posts: 76
Location: Leicester (UK)
|
| Posted: Sat Jun 12, 2004 11:58 am Post subject: |
|
|
R-Type - Which kernel sources are you using on your server?
I'm new to the game server/security world so i'll have a go with your instructions for a start. I'm quite interested in kernel stuff, I had to patch 2.6.3 & 2.6.5 with a driver for my it8212 raid controller so that I can run Gentoo on a raid 0 array which taught me a few things so game server security might be a good natural progression.
farmorg
_________________
Master farmorg
May the source be with you |
|
| Back to top |
|
|
|
Gamers & Players
