AntiMomentum

  1. I haven't tried this, but if your Windows machine doesn't have Hyper-V I don't think it can work. If it does have Hyper-V you should be able to enable Linux in Windows Programs and Features (the features). If you have Hyper-V but don't see any Linux features, try updating Windows and checking the features again after you reboot and finish the updates. If you are able to enable Linux in Features, open PowerShell and try this command:

     iptables -L

     Also, if it's already a virtual Windows machine (like a Windows cloud server that isn't "bare metal") then it won't work, since you can't do a virtual machine inside another virtual machine.
  2. I have halopc.org linked to my GitHub, which has a link to my DDoS post here, which is probably bringing in both spiders/bots and actual people. A frequented domain/website with a link here will do it for both bots and people. Also, backend traffic reports will often label "Google" as the referrer when people didn't actually literally use a Google search, but an actual person found the site/page in some way; not sure why that is.
  3. No, thank you for getting me to fix this. I will be extensively testing my server without Docker now for a while. I've been having issues with server list loading delay after some uptime, and without Docker it was immediately fixed. Assuming there are no longer issues with this, and the winewall performs well, this might actually end up being the main solution.

     And yes, I'd really appreciate reports! On the Analytics tab for the server you'll see a Network graph and CPU graph among other things. For attacks the max public INBOUND traffic, rough duration of the attack(s), and max CPU usage are important for reports, along with the CPU usage when your server has 16 players. IPv6 and DISK IO stuff aren't needed. And of course whether all the players leave/quit/lag out during an attack, or if player count remains "normal". For attack duration the graph only updates everything in intervals of 5 minutes, so a close approximation is fine, and less important than the max inbound/max CPU usage info anyways.

     Example:
     Number of CPUs: 2
     16 player CPU usage was about 20%
     Max CPU was 60%
     Max inbound traffic was 600Mb/s
     Attack lasted about 20 mins
     Player count was normal during the attack

     (If winewall doesn't effectively stop the attack you'd see incoming/outgoing traffic from players, the incoming attack network traffic, and then little to no OUTGOING traffic at all after the attack knocks them out.) (You can toggle options in the Network graph to only show inbound, outbound, etc.)

     Side tip: CPU usage shown in that graph is just a total number. So a 2 CPU server can have a max 200% CPU usage. (Shared CPUs are virtually capped at 80%, or 160% total for 2.)
  4. A Lua script behind SAPP outputting whatever string to a file when the player count hits 16, and a shell script watching that file for the string and running "docker run", might work. The Lua script would need to remove/replace the string when player count drops below 16 or whatever. Idk how to do the Lua part though, or how to scale it off the top of my head past a 2nd server in the shell script; I'm not advanced with shell or anything. Suppose it would have to get the player count from a container it spawned too, or somehow otherwise limit itself.
  5. No problem! Glad you brought it up, it's likely others will run into this issue since it had to do with my firewall rules for a non-Docker Halo server. So totally my fault! But I have rules that should work, just keep in mind I just wrote them today so they are untested against attacks. It should be fine though since it's mostly what my tested firewall already is.

     So basically rather than firewall.sh you would use winewall.sh. However you need to make a change first! https://github.com/antimomentum/haloce/blob/master/winewall.sh

     If you go ahead and look at winewall you'll see three commented out lines:

     # ipset add MDNS 50.116.53.5
     # ipset add MDNS 66.228.42.5
     # ipset add MDNS 50.116.58.5

     These are the DNS servers that were automatically configured for the Linode (via Linode's Network Helper feature; this can be turned off for static configs tho). The DNS servers your server uses can be found by doing:

     cat /etc/resolv.conf

     There you will see some lines like:

     nameserver 66.228.42.5
     nameserver 50.116.58.5
     nameserver 50.116.53.5

     Those IPs are what you want to add into the MDNS table for winewall (take out the comments of course). These nameservers can change every time the system reboots. At some point soon I'll provide instructions to make them static, but for now this will have to do. Just keep that in mind anytime you reboot or spin up a new Linode server.

     Also don't forget to add in your SSH lines, they go right above the same lines as before. ./tc.sh executed from the admin user should work too after the Halo server loads. Please let me know if it works or not for you!

     **EDIT** Just realized I didn't have:

     apt install ipset -y

     in the winewall/firewall scripts, the GitHub is updated now.
  6. Try it without ./tc.sh, see if it shows in the list, and if it does then do ./tc.sh. If that doesn't work let me know and I'll recreate the issue to work it out.
  7. First thing I do is:

     service ssh stop

     or outright disable it. Plus, given there is a CLI for Linode, DO, AWS and others respectively to spin up servers in your account's name, it's better to have 2FA enabled rather than not anyways (not to mention regular web UI login). It's not a CLI specific to just a server either, but your entire account. It's a CLI for automation purposes, but most cloud services tend to have some form of this. Cloud services like AWS and Google Cloud tend to require some SSH configuration though if you're trying to get it working behind a firewall, and SSH keys are certainly better than passwords no doubt.
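The post above has you read nameserver lines out of /etc/resolv.conf by hand and copy them into the MDNS set in winewall.sh. The script below is an added example (not from the post or the haloce repository) that does that step mechanically: it pulls the IPv4 nameservers from a resolv.conf-style file and prints the matching "ipset add MDNS ..." lines so they can be reviewed before being pasted into the firewall script. The set name MDNS comes from the post; the sample resolv.conf content is constructed here for the demo.

```shell
#!/bin/sh
# Added example, not part of the original post or of the haloce scripts.
# Turns "nameserver" entries from a resolv.conf-style file into the
# "ipset add MDNS <ip>" lines that winewall.sh expects (MDNS is the set
# name used in the post). Lines are printed, not executed, so they can be
# checked before they go into the firewall script.

# Print one IPv4 nameserver per line from the resolv.conf-style file in $1.
# IPv6 entries and comments are skipped; the MDNS set in the post holds IPv4.
nameservers_from_resolv() {
    awk '$1 == "nameserver" && $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $2 }' "$1"
}

# Emit the ipset commands for every nameserver found in $1.
ipset_lines_for() {
    nameservers_from_resolv "$1" | while read -r ip; do
        printf 'ipset add MDNS %s\n' "$ip"
    done
}

# Constructed sample resolv.conf (addresses match the post's example).
SAMPLE_RESOLV=$(mktemp)
cat > "$SAMPLE_RESOLV" <<'EOF'
# constructed sample, as Linode's Network Helper might write it
nameserver 66.228.42.5
nameserver 50.116.58.5
nameserver 50.116.53.5
nameserver 2600:3c00::1
options rotate
EOF

ipset_lines_for "$SAMPLE_RESOLV"
```

Because the post notes the nameservers can change after a reboot, the generated lines are the part of winewall.sh to re-check each time; ipset itself accepts `ipset add -exist ...` to tolerate an address that is already in the set.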
  8. No problem! Also, just in case you weren't aware, on Linode and DigitalOcean you don't actually need SSH enabled to access your server: https://cloud.linode.com/linodes To the right of "Reboot" click on the three dots and click "Launch LISH Console". This will actually give you 2 separate terminal screens, WebLish and Glish. Also if you need more terminals, the screen command works in the Glish window/terminal quite well. Not so much in the Lish terminal, but you only need one for screen anyways.

     Also the "Imagize" option will let you save the whole server as long as it's under 6144MB in space. Just make sure it's powered down before you image it. If you're security concerned about that Lish/Glish web UI you can enable 2 factor authentication on your account as well. But yeah, I usually launch firewall.sh + my Halo server from the WebLish screen and then click on Glish to do everything else like ./tc.sh (and the screen command if needed).

     Oh, and some good news is Linode has a Firewall beta in the works that will be in the Atlanta region in about a month. I've tested it at the Toronto region and with my firewall I was *easily* filtering attacks using just 1 cheap shared CPU. (Their firewall is also really easy to use unlike mine, still in beta tho so you have to sign up for it.) Also for whatever reason the New Jersey region seems to just get less traffic from attacks, I have no idea why. But it might already be possible to filter the DDoS attacks using only 1 shared CPU in that region with my firewall. And one last tip for now, when you go to create a server the Linode Marketplace has "Docker" which uses Debian 9 as the OS anyways. But regular Debian 9 is just fine too.
  9. Hey, thanks for the report! This line drops SSH:

     iptables -t raw -A PREROUTING ! -p udp -j DROP

     and this does as well:

     iptables -A INPUT -j DROP

     So put a line above each of those to allow yourself, example:

     iptables -t raw -A PREROUTING -s 192.168.254.254 -j ACCEPT
     iptables -t raw -A PREROUTING ! -p udp -j DROP

     and

     iptables -A INPUT -s 192.168.254.254 -j ACCEPT
     iptables -A INPUT -j DROP

     with 192.168.254.254 replaced with the IP you want to SSH from. If it does or doesn't work please let me know! Also I apologize, I did delete the sshfirewall on my GitHub recently (I was clearing up clutter and it wasn't up to date anyways). I'll have an SSH version soon, but that's pretty much what it'll be anyways unless it doesn't work.

     *EDIT* Also yeah, the commands you have aren't up to date. Check the top of my original post to see current firewall install instructions! For example these are no longer used:

     sudo apt install iptables-persistent netfilter-persistent
     sudo modprobe ip_conntrack

     Running with sudo should be fine though, more secure anyways. So for the firewall from the top:

     apt install ipset
     apt install git   <--- if needed
     git clone https://github.com/antimomentum/haloce.git
     cd haloce
     chmod +x firewall.sh
     chmod +x tc.sh

     Edit the firewall.sh to allow your SSH IP:

     nano firewall.sh

     Then execute it:

     ./firewall.sh

     Start the Halo server, and once it's running execute:

     ./tc.sh

     That will install the firewall, and it can still be flushed with a reboot.
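The lockout in the post above comes from rule order: iptables -A appends, so an ACCEPT for your SSH address only helps if it is appended before the catch-all DROP in the same chain. The script below is an added example (not from the post or the haloce repository) that prints the two allow-before-drop pairs the post gives and then checks a firewall script's ordering before it is ever run, so a misplaced allow line is caught in review rather than by losing the session. SSH_IP defaults to the post's placeholder address and the "bad" script is constructed here to show the failing case.

```shell
#!/bin/sh
# Added example, not part of the original post or of the haloce scripts.
# Emits the SSH allow/drop rule pairs from the post and checks that, in a
# firewall script, the ACCEPT for the SSH source address comes before the
# catch-all DROP in both chains the post names. Nothing here calls iptables.

SSH_IP="${SSH_IP:-192.168.254.254}"   # placeholder from the post; use the address you SSH from

# Print the rule pairs in the order the post gives them (printed, not applied).
ssh_allow_rules() {
    printf 'iptables -t raw -A PREROUTING -s %s -j ACCEPT\n' "$1"
    printf 'iptables -t raw -A PREROUTING ! -p udp -j DROP\n'
    printf 'iptables -A INPUT -s %s -j ACCEPT\n' "$1"
    printf 'iptables -A INPUT -j DROP\n'
}

# Return 0 when, in script $1, an ACCEPT for source $2 appears before the
# first DROP in each of the raw PREROUTING and filter INPUT chains.
# Line numbers are compared because -A appends rules in script order.
accept_precedes_drop() {
    script="$1"; ip="$2"
    for chain in "-t raw -A PREROUTING" "-A INPUT"; do
        allow=$(grep -n -F -- "iptables $chain -s $ip -j ACCEPT" "$script" | head -n 1 | cut -d: -f1)
        drop=$(grep -n -F -- "iptables $chain" "$script" | grep -F -- '-j DROP' | head -n 1 | cut -d: -f1)
        [ -n "$drop" ] || continue            # this chain has no DROP to get stuck behind
        [ -n "$allow" ] || return 1           # DROP with no allow at all: lockout
        [ "$allow" -lt "$drop" ] || return 1  # allow appended after DROP: never reached
    done
    return 0
}

# Constructed sample scripts: one ordered as the post recommends, one with
# the allow lines appended after the drops (the mistake the post fixes).
GOOD=$(mktemp); BAD=$(mktemp)
ssh_allow_rules "$SSH_IP" > "$GOOD"
cat > "$BAD" <<EOF
iptables -t raw -A PREROUTING ! -p udp -j DROP
iptables -t raw -A PREROUTING -s $SSH_IP -j ACCEPT
iptables -A INPUT -j DROP
iptables -A INPUT -s $SSH_IP -j ACCEPT
EOF

check_script() {
    if accept_precedes_drop "$1" "$SSH_IP"; then
        echo "ok: SSH allow precedes DROP in $1"
    else
        echo "LOCKOUT RISK: SSH allow missing or after DROP in $1"
    fi
}
check_script "$GOOD"
check_script "$BAD"
```

Run it as `SSH_IP=203.0.113.7 sh check.sh` (address constructed) and point `accept_precedes_drop` at your edited firewall.sh before executing that script; since the post notes the firewall is flushed by a reboot, a LISH console as described elsewhere in this thread is the fallback if a rule set still locks you out.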
  10. Latest SAPP no-UPX should let you use this to disable sightjacker:

      sj_level 5

      Can confirm it works: in Ubuntu 18.04 using winehq-stable, and in Debian 9 using Wine 5.0.3.
  11. xD This is why I have rcon disabled lmao
  12. Yeah, a timeout on login attempts, and rcon pass + IP combo would help lock it down. Do you know of any Lua scripts that might increase the rcon character limit for SAPP?