Security, Firewalls and Ports

Firewalls

Let's understand firewalls. They prevent access to a “port”, which is like a door in your house that lets traffic in and out. If the door is locked, nobody can enter through it. What if that door stands alone in your yard with nothing behind it, so it doesn't actually go anywhere? Is there any point in locking it? That is what happens when you block ports that have no service running behind them: the door is locked, but it doesn't matter because there is nothing inside.
So you WANT to restrict access to ports that have services running behind them that can be insecure, which is just a few: SSH, RDP, VNC.
Some services are pointless if they are not publicly available, like FTP and your game server ports.

With that in mind, let's develop a logical security policy.

Security Policy

So first, let's handle the ports and services that are common issues.

  • SSH
    The most secure method of SSH access to your Linux machines is to use a key pair. I prefer to just use a secure password and change the port from 22 to something else .. not 122, not 222 .. something RANDOM.
    Also, in your sshd_config make sure you set
    PermitRootLogin no
    and restart the service. This will prevent the vast majority of SSH issues while still allowing access for yourself.
  • RDP
    Your Windows machines you will access with RDP, and the same thing applies: you can disable the Administrator account from logging in remotely and only allow your CYGServer account to log in. Change the default RDP port.
  • Firewalls
    You need to allow access to all your game server ports, so in your firewall I would allow ports in broad ranges rather than many small, hard-to-manage ones:
    2300-12000 all the Arma, DayZ, Ark etc.
    12679 for the OGP Agent
    25000-32000 Minecraft, GTAV and ALL the Valve games
    21 for FTP
    22 for SSH (but it's not REALLY port 22, you changed it)
    3306 MySQL
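The policy above, turned into two checkable shell functions. This is an added example and not code from the OGP wiki or project: harden_sshd sets PermitRootLogin no and a non-default Port in an sshd_config-style file (rejecting anything below 1024, so 22, 122 and 222 all fail), and build_rules emits an iptables-restore ruleset that opens exactly the ranges listed, with the real SSH port substituted. The port 48217, the panel address 203.0.113.10 and the file paths are constructed values. Restricting 3306 to the panel host's address is my addition to the list: only the panel needs to reach MySQL, so there is no reason for it to be open to the whole internet.

```shell
#!/bin/sh
# Added example, not part of the OGP wiki. Applies the security policy above to
# an sshd_config-style file and emits a matching iptables-restore ruleset.
# The port 48217, the address 203.0.113.10 and the paths in the usage lines are
# constructed values.

# Set "key value" in an sshd_config-style file: rewrite every existing line for
# the key (commented or not) and append if none exists. Portable sed (no -i).
set_sshd_option() {
    file="$1"; key="$2"; value="$3"
    if grep -Eq '^[[:space:]]*#?[[:space:]]*'"$key"'([[:space:]]|$)' "$file"; then
        sed -E 's/^[[:space:]]*#?[[:space:]]*'"$key"'([[:space:]].*)?$/'"$key $value"'/' \
            "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# Print the effective value of a key; like sshd, the first match wins.
sshd_option_value() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Deny root logins and move SSH off port 22 onto an unprivileged port.
# Fails on anything below 1024 (so 22, 122 and 222 are rejected) or above 65535.
harden_sshd() {
    file="$1"; port="$2"
    case "$port" in ''|*[!0-9]*) echo "SSH port must be numeric" >&2; return 1 ;; esac
    if [ "$port" -lt 1024 ] || [ "$port" -gt 65535 ]; then
        echo "SSH port must be in 1024-65535" >&2; return 1
    fi
    set_sshd_option "$file" Port "$port"
    set_sshd_option "$file" PermitRootLogin no
    # On the live host, test before restarting:  sshd -t && service ssh restart
}

# Emit an iptables-restore ruleset: broad game ranges open, SSH on its real port,
# MySQL reachable only from the panel host, everything else logged and rejected.
build_rules() {
    ssh_port="$1"; panel_ip="$2"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type 8 -j ACCEPT
-A INPUT -p tcp --dport $ssh_port -j ACCEPT
-A INPUT -p tcp --dport 21 -j ACCEPT
-A INPUT -p tcp --dport 12679 -j ACCEPT
-A INPUT -p tcp -s $panel_ip --dport 3306 -j ACCEPT
-A INPUT -p tcp --dport 2300:12000 -j ACCEPT
-A INPUT -p udp --dport 2300:12000 -j ACCEPT
-A INPUT -p tcp --dport 25000:32000 -j ACCEPT
-A INPUT -p udp --dport 25000:32000 -j ACCEPT
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "iptables_INPUT_denied: " --log-level 7
-A INPUT -j REJECT
COMMIT
EOF
}

# Usage (constructed values; rules.v4 is where iptables-persistent reloads from):
#   harden_sshd /etc/ssh/sshd_config 48217
#   build_rules 48217 203.0.113.10 > /etc/iptables/rules.v4
#   iptables-restore < /etc/iptables/rules.v4
```

Keep an SSH session open while you restart sshd on the new port, and only close it after a second session on that port succeeds; the firewall rule for the new port must be loaded first or you lock yourself out.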

Rsync Install and Use

We did use an rsync server, and it worked well. We removed it in favor of using a “fake steam install” method because it removes a layer of complexity for an identical end result.

If you don't know, an rsync server keeps files and will ‘sync’ them to another machine. So you would download, say, Minecraft to the rsync server, and on the game panel the user would use ‘rsync install’ to copy the files into their game server. It is easier to set the game config XML file to install using steamcmd (even if not supported) and then, in the postinstall tag, just copy the files with wget. The advantage is that there is no rsync to set up, and the user simply presses the install button and doesn't need to select an rsync server to install from. You could use rsync to make an image of your panel for a backup (or of any game servers), as it only syncs changed files .. but that is outside this post.

Rsync Install

Agent Install

Install Linux Agent

Upgrade the server to the latest Ubuntu 64-bit.
There can be issues with libc6 on 16.04, and we need newer versions of Java etc., so Ubuntu 18 is best.

 
apt-get update  
dpkg --add-architecture i386
apt-get install gcc libxml-parser-perl libpath-class-perl perl-modules screen rsync sudo openjdk-8-jre-headless e2fsprogs unzip subversion libarchive-extract-perl pure-ftpd libarchive-zip-perl libc6 libgcc1 git curl libc6-i386 libgcc1:i386 lib32gcc1 libhttp-daemon-perl php php-cgi python apache2 nano libstdc++6:i386 libcurl3-gnutls:i386 libtinfo5:i386 libncurses5:i386 libc6 lib32gcc1 lib32stdc++6 libc6:i386 libtbb2:i386 python-mysqldb iptables iptables-persistent



If you enable REMOTE QUERY in the panel, then php-cgi MUST be installed on the agent server (it is included in the package list above).

Manual install Linux agent to use custom name and locations

wget -N "https://github.com/OpenGamePanel/Easy-Installers/raw/master/Linux/Debian-Ubuntu/ogp-agent-latest.deb" -O "ogp-agent-latest.deb"
sudo dpkg -i "ogp-agent-latest.deb"


  • Immediately add the new server to the game panel using the IP (ifconfig) and the encoding key
  • adduser “user”, then usermod -aG sudo “user”
  • Edit /etc/ssh/sshd_config to deny root login with SSH, then service ssh restart

If running iptables to stop intrusions, you will have to add all the ports for each game. The ruleset below is the one for the Source games.

*filter

# Allow all loopback (lo0) traffic and reject traffic
# to localhost that does not originate from lo0.
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -s 127.0.0.0/8 -j REJECT

# Allow ping.
-A INPUT -p icmp -m state --state NEW --icmp-type 8 -j ACCEPT

# Allow SSH connections.
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

# Allow the Steam client.
-A INPUT -p udp -m udp --sport 27000:27030 --dport 1025:65355 -j ACCEPT
-A INPUT -p udp -m udp --sport 4380 --dport 1025:65355 -j ACCEPT

# Allow inbound traffic from established connections.
# This includes ICMP error returns.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Log what was incoming but denied (optional but useful).
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "iptables_INPUT_denied: " --log-level 7
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "iptables_FORWARD_denied: " --log-level 7

# Reject all other inbound.
-A INPUT -j REJECT
-A FORWARD -j REJECT

COMMIT
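The LOG rules above write one kernel log line per denied packet (rate-limited to 3 per minute), which only helps if somebody reads them. As an added example that is not from the wiki or the OGP project, this shell function summarises those lines by source address, protocol and destination port, so you can see which doors are being tried. The five lines in SAMPLE_LOG are constructed in the standard netfilter LOG layout (SRC=, DST=, PROTO=, SPT=, DPT=); the addresses and hostname are documentation values.

```shell
#!/bin/sh
# Added example, not part of the OGP wiki: summarise the "iptables_INPUT_denied:"
# lines produced by the LOG rule above. SAMPLE_LOG is constructed in the standard
# netfilter LOG layout; the addresses are documentation ranges, not real hosts.

SAMPLE_LOG='Jun  1 10:00:01 agent1 kernel: [1001.1] iptables_INPUT_denied: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=44123 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jun  1 10:00:07 agent1 kernel: [1007.4] iptables_INPUT_denied: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=44124 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jun  1 10:00:09 agent1 kernel: [1009.0] iptables_INPUT_denied: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.9 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=0 DF PROTO=UDP SPT=51000 DPT=27015 LEN=40
Jun  1 10:00:15 agent1 kernel: [1015.2] iptables_INPUT_denied: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=44125 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jun  1 10:00:16 agent1 kernel: [1016.0] unrelated kernel message, ignored'

# Read log lines on stdin; print "count src proto dpt", most frequent first.
# Lines without the LOG prefix are dropped by grep; fields are located by their
# KEY= tag so the order of fields in the line does not matter.
summarize_denied() {
    grep 'iptables_INPUT_denied:' | awk '{
        src = ""; proto = ""; dpt = "";
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)        src   = substr($i, 5);
            else if ($i ~ /^PROTO=/) proto = substr($i, 7);
            else if ($i ~ /^DPT=/)   dpt   = substr($i, 5);
        }
        if (src != "") count[src " " proto " " dpt]++;
    } END { for (k in count) print count[k], k }' | sort -rn
}

# Top offender from the constructed sample: the line a nightly cron job would mail you.
top_denied() {
    printf '%s\n' "$SAMPLE_LOG" | summarize_denied | head -n 1
}

# Usage on a real host (the kernel log is /var/log/kern.log on Ubuntu):
#   summarize_denied < /var/log/kern.log
```

Because the LOG rule sits just before the final REJECT, anything it records was already refused; a source that keeps appearing against your real SSH port is the signal that the port change alone is not enough and a key pair or an allow-list is worth the effort.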




Service

#!/bin/bash
#
### BEGIN INIT INFO
# Provides:          ogp_agent
# Required-Start:    $all
# Required-Stop:     $all
# Should-Start:      $all
# Should-Stop:       $all
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Start and stop the OGP Agent
# Description:       Start and stop the OGP Agent
### END INIT INFO
#

agent_dir=/home/gameserver/OGP
agent_user=gameserver

#
# main()
#

if [ "X`whoami`" != "Xroot" ]
then
        exit 1
fi

start() {
        if [ -e "$agent_dir/ogp_agent_run.pid" ]
        then
                pid=$(cat $agent_dir/ogp_agent_run.pid)
                out=$(kill -0 $pid > /dev/null 2>&1)
                if [ $? == 0 ]
                then
                        exit 1
                fi
        fi

        # Lets the agent user to use sudo to enable FTP accounts and use renice and taskset.
        if [ "$( groups $agent_user | grep "\bsudo\b" )" == "" ]
        then
                if [ "$( egrep -i "^sudo" /etc/group )" == "" ]
                then
                        groupadd sudo >/dev/null 2>&1
                fi
                usermod -aG sudo $agent_user >/dev/null 2>&1
        fi

        user_id=$(id -u $agent_user)
        group_id=$(id -g $agent_user)
        out=$(chown -Rf $user_id:$group_id $agent_dir >/dev/null 2>&1)

        # Lets the agent user to attach screens.
        if [ "$(groups $agent_user|grep -o "\stty\s")" == "" ]
        then
                usermod -aG tty $agent_user >/dev/null 2>&1
        fi

        out=$(chmod g+rw /dev/pts/* >/dev/null 2>&1)
        out=$(chmod g+rw /dev/tty* >/dev/null 2>&1)

        # Check the FTP status
        if [ -f "/etc/init.d/pure-ftpd" ] && [ -d "/etc/pure-ftpd/conf" ]
        then
                echo no > /etc/pure-ftpd/conf/PAMAuthentication
                echo no > /etc/pure-ftpd/conf/UnixAuthentication
                echo yes > /etc/pure-ftpd/conf/CreateHomeDir

                if [ ! -f /etc/pure-ftpd/pureftpd.passwd ]
                then
                        touch /etc/pure-ftpd/pureftpd.passwd
                fi

                if [ ! -f /etc/pureftpd.passwd ]
                then
                        ln -s /etc/pure-ftpd/pureftpd.passwd /etc/pureftpd.passwd
                fi

                if [ ! -f /etc/pure-ftpd/auth/50pure ]
                then
                        ln -s /etc/pure-ftpd/conf/PureDB /etc/pure-ftpd/auth/50pure
                fi

                if [ ! -f /etc/pureftpd.pdb ]
                then
                        ln -s /etc/pure-ftpd/pureftpd.pdb /etc/pureftpd.pdb
                fi
                out=$(pure-pw mkdb >/dev/null 2>&1)
                out=$(service pure-ftpd force-reload >/dev/null 2>&1)
        fi

        cd $agent_dir
        out=$(su -c "screen -d -m -t ogp_agent -c ogp_screenrc -S ogp_agent ./ogp_agent_run -pidfile ogp_agent_run.pid" $agent_user >/dev/null 2>&1)
        exit 0
}

stop() {
        if [ -e "$agent_dir/ogp_agent_run.pid" ]
        then
                pid=$(cat $agent_dir/ogp_agent_run.pid)
                kill -0 $pid > /dev/null 2>&1
                if [ $? == 0 ]
                then
                        kill $pid >/dev/null 2>&1
                        exit $?
                fi
        else
                exit 1
        fi
        exit 0
}

case "${1:-''}" in
        'start')
        start
        ;;
        'stop')
        stop
        ;;
        'restart')
        stop
        sleep 1
        start
        ;;
        *)
        echo "Usage: service ogp_agent start|stop|restart"
        exit 1
        ;;
esac




Install Windows Agent

Filezilla issues:
Right-click the Filezilla Server service and choose “Properties”, find the section called “Logon”, and change the password there to the password you use to log in with cygwin.
When installing the agent, select the same custom options as on Linux.

Remove the Agent

First stop the agent:
sudo service ogp_agent stop (or sudo /etc/init.d/ogp_agent stop)
You’ll need to remove the ‘lock’ on protected files:
sudo chattr -iR /home/ogp_agent/OGP_User_Files/*
Next you can delete the OGP user (which will also remove all the game-server files):
sudo userdel -rf ogp_agent

As for the agent files: sudo rm -rf /usr/share/ogp_agent

You’ll need to remove the start up scripts also.

sudo update-rc.d -f ogp_agent remove
sudo rm /etc/init.d/ogp_agent

After that, you can try ‘sudo locate ogp_’ (after sudo updatedb, and if the locate package is installed) to see if everything is removed.

Some helpful pages on installing game servers: https://www.linode.com/docs/game-servers/

OGP Panel

sudo apt-get install apache2 curl subversion php5 php5-gd php5-xmlrpc php5-curl php5-mysql php-pear phpmyadmin mysql-server libapache2-mod-php5 git libncurses.so.5 libtinfo5:i386 libncurses5:i386 libcurl3-gnutls:i386


Billing Module

Our Billing Module is NOT compatible with Diefems simple-billing. We started with simple-billing, but it has been extended to the point where they are not interchangeable. We have used ‘billing’ as the name for our module, and they can be installed side-by-side.

There are many small differences and we have edited other modules (mainly gamemonitor and dashboard) to integrate with our billing module. The benefits of using our module:

  • Select from multiple locations to install a gameserver
  • Coupons are implemented including a page to create/edit coupons.
  • New paypal IPN. We had issues and rebuilt the IPN from scratch.
  • Notification of invoice displayed on dashboard.
  • Time remaining until expiration displayed on game monitor.

To install, download and place the billing folder into your modules folder. Go to the Administration->Modules menu and install. You should also paste our gamemanager and dashboard modules into your existing modules.