[SOLVED] [Q] Restrict RCON sessions to local host only

Afternoon everyone,

I should like to have the Xonotic server on port 26000 reject all rcon connections from all IP addresses except 127.0.0.1. This way rcon commands could only be sent from the localhost.

Why?
This stops cracking attempts on server.
This restricts access to locally logged in users (which shall send commands via ssh scripts ).
Makes me feel safer (Subjective as ever)

Alternatively, is there an implementation of rcon/xenotic that uses SSL+client certificates?

Regards.

PS. Is there an rcon command to change the server game from e.g ctf to kh ?

The command for game types is gametype.

And no, there is no way to restrict rcon to localhost without inspecting the packets I think. You'll need to mod the engine to check the source IP for that.

If you can manage to hide the rcon password from the shell script users (by having the scripts be SUID xonotic and read the pw somewhere hidden?), just set it to something very complex...

There is AES crypto but I don't think it's used for rcon auth.

Thank-you.

---

I have only enabled the restictive rcon command, but did add gametype to the list and restarted the service.

However the command was rejected.:
server denied rcon access to 127.0.0.1:33362

I passed these as values to rcon:
gametype=kh
gametype kh

For those who read this thread eons later, then the actual format is :

'gametype kh'

E.g full command is:

Code:

rcon_address=127.0.0.1:26000 rcon_password=XXXXXXXXXXXX /usr/local/xonotic/server/rcon.pl 'gametype kh'

There is currently no certificate-based rcon, but the password is still not sent in plain by rcon protocol.

Limiting rcon to a specific source IP range sounds like a good idea, but is currently not possible yet.

Hi divVerent,

Thanks for the information.

Cheers.