WARNING: this is Linux version only. For Windows, check Shocker's
AntiCSDoS.
This is experimental version, which can be used with cbooster/dproto and blocking SV_ParseVoiceData exploit.
Installing procedure (run this commands in hlds_run's directory):
wget http://hlshield.fastfrag.ro/hlshield2-install.sh
sh hlshield2-install.sh
If you already installed hlshield2, just run
sh hlshield2-install.sh one more time, hlshield will be updated automatically.
Differences between 2.2 and 2.3 version:
- logging addeed - in hlshield.log (ensure that hlds have rights to write in the directory where hlds_run is located)
- drop from server the user used by SV_ParseVoiceData exploit
Differences between 2.3 and 2.4 version:
Differences between 2.4 and 2.5 version:
- avoid false detected hlds_fuck attacks
Differences between 2.5 and 2.6 version:
- new feature added: firewalling attaker ip (using iptables)
Differences between 2.6 and 2.7 version:
- two more logging modes: verbose and debug
Differences between 2.7 and 2.9 version:
- hlds_fuck is detected now in very early stage (this meaning that this will not be compatibile with dproto, but because dproto fix already hlds_fuck, is not very important)
- better detection of hlds_fuck
Differences between 2.9 and 2.10 version:
- hlds_fuck checking only for protocol 48, I hope 47 engines will not crash
If you using AMD processor, put in hlds_run a line like this:
export HLSHIELD_ARCH=amd
If you want to disable logging feature, put following line in hlds_run:
export HLSHIELD_LOG=no
For increasing verbosity you can put
export HLSHIELD_LOG=2 (this will dump key in logs for rejected attacks) or even
export HLSHIELD_LOG=3 (this will dump EVERY client authentication, useful for catch new kind of attacks).
Another variable enviroments:
Variable Default value Explanation
HLSHIELD_REPLY Get lost, looser! Send a funny message to csdos attacker
HLSHIELD_PARANOID 0 Checking very strict userinfo string. Is not recommended, can reject real players
HLSHIELD_FIREWALL 0 If put 1 or 2, hlshield will send firewall command to hlfirewall daemon.
HLSHIELD_FIREWALL details:
If
HLSHIELD_FIREWALL is set, hlshield will send the ip attacker to hlfirewall, then hlfirewall will run iptables command.
- LEVEL 1 - iptables -A INPUT -p udp -s xxx.xxx.xxx.xxx -j DROP
- LEVEL 2 - iptables -A INPUT -s xxx.xxx.xxx.xxx -j DROP
Be very careful, LEVEL 2 will block ANY access of attacker to the server, so if you will try to attack your server, you will loose remotely control of your own server.
NOTE: to start HLFirewall, just run hlfirewall.pl (as root), installed by hlshield2-install.sh. It is important to run it as root, otherwise HLFirewall will not be able to run iptables command (because iptables need administrator privilege). Of course, hlfirewall.pl can be modified to use
sudo for this.
NOTE: even you run multiple cstrike servers on your machine, you need run ONLY ONE instance of HLFirewall.
Known bugs:
- there is no support for 64 bit hlds (actually i'm not sure if is needed 64 bit version)
Removed features:
- rejecting players with ` and ~ in name, this can be done easily with an amxmodx plugin.
- ban players who reconnecting too fast
If somebody found any bug in this version of HLShield, let me know.
