HTM|Sanctuary Server Issue Found (I think)


  • HTM|Sanctuary Server Issue Found (I think)

    I spent the majority of last night monitoring the server box (colo4) and found what I believe is the issue with the box.

    While watching the CPU usage I noticed (as before) multiple CSRSS.exe and Winlogon.exe processes running. As these processes increased the CPU usage would rise and at one point the box had 8 CSRSS.exe and associated Winlogon.exe processes running using at times 100% of the CPU.

    I opened Terminal Services Manager and found what appeared to be an attack on the RDP-tcp connection (Remote Desktop Connection). While monitoring the terminal for about 10 minutes there were over 2000 hits on the port.

    As a temporary solution I have enabled the windows firewall with only colo admin's current IP addresses to have access. This has brought CPU usage down to a flat 2-4% usage. I know this is not a long term fix so I'm asking all you network junkies out there to help me with a long term solution. I have heard that a common method to combat this is to run Remote Desktop Connection on the server through a VPN, but I'm unsure how this will affect the other connections on the server.

    Right now Teamspeak works fine as well as the game server and redirection. I am having an issue however on allowing FTP connections to the servers through the current firewall. No FTP connectivity is available until this is resolved.

    If you have any ideas (It's Windows Server 2003) please let me know.

    I'd also like if you guys could pile in the server sometime in the near future and test out if the issue is resolved.
  • #2

    Cool, will check it out. When I talk to Khan, I'll ask him if he has any ideas.
    In Memory of Anna Dixon
    Aug. 31,1964 - Dec. 6,2012

    Life is just an illusion,so,enjoy the ride while you can.

    Depression sux.......but the drugs are good.


    • #3

      That sucks Minion, sadly they probably find your IP because the UT2004 server is being advertised then they try to attack the common ports.

      Windows Firewall will allow you to allow an entire network so if you're on an ISP that changes your IP constantly you can allow the range by typing your current IP and subnet MASK into a subnet calculator.

      Windows Server 2008 will take CIDR notation and 2003 Firewall takes an IP Range.

      This is my fav http://www.subnet-calculator.com/

      Then find out the IP block your HOST/COLO provider uses and calculate that one too. I work at a hosting company and we have to deal with this crap all the time.


      • #4

        Almost missed the FTP part. The most common problem is that Microsoft IIS FTP Server uses port 20 and port 21 but may respond to the client on a random "ephemeral" port during the handshake. So that's a bitch to secure as well.

        I assume you're using FTP for the maps but aren't there free mirrors for the popular maps out there?


        • #5

          Attacks such as this are not unheard of, but generally cease after a very short period of time. Did you check the logs? Is it always from the same IP? If it is always from the same IP they can be blocked easily. Most probes such as this are from multiple IPs, rather than one. I'll look in my little book of tricks, if I can find it...


          • #6

            Originally posted by HTM|Assraker
            Attacks such as this are not unheard of, but generally cease after a very short period of time. Did you check the logs? Is it always from the same IP? If it is always from the same IP they can be blocked easily. Most probes such as this are from multiple IPs, rather than one. I'll look in my little book of tricks, if I can find it...
            Yeah they were from multiple IPs. I was going through the logs and blocking them, but the list was becoming quite long.

            As a side note Sanctuary was running at 4-6% CPU all night with as many as 10 players on it so I think this is definitely part if not all of the issue.


            • #7

              Well, as u know tonight we had a number of players...

              Not a full box, but I didn't see the normal hang ups at all. So imo I think you're definitely on to something here.
              B.O.L.O.G.N.A.


              • #8

                Originally posted by HTM|Minion
                Yeah they were from multiple IPs. I was going through the logs and blocking them, but the list was becoming quite long.

                As a side note Sanctuary was running at 4-6% CPU all night with as many as 10 players on it so I think this is definitely part if not all of the issue.
                If the subnets are from a specific area, we can range block them if we have to.

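Added example, not part of any post in this thread: a Python sketch of the subnet arithmetic from post #3 (IP plus mask to CIDR and to a start-end range) and the range-block idea from post #8, which skips any range that would overlap the admin allowlist. The sample addresses are constructed from documentation ranges, and the function names are hypothetical.

```python
import ipaddress
from collections import Counter

# Constructed sample: source addresses as they might be pulled from the
# connection logs (documentation ranges, not real hosts).
SAMPLE_SOURCES = [
    "198.51.100.7", "198.51.100.23", "198.51.100.200",
    "203.0.113.5", "203.0.113.77",
    "192.0.2.14",
]

def scope_for(ip, mask):
    """Return (CIDR, 'start-end') for the network that contains ip.

    CIDR is for firewalls that accept it; the start-end form is for
    firewalls that want an IP range instead.
    """
    net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    return str(net), f"{net[0]}-{net[-1]}"

def candidate_range_blocks(sources, allow=(), prefix=24, min_hosts=2):
    """Group distinct source IPs by /prefix and propose range blocks.

    A network is proposed only if at least min_hosts distinct sources fall
    in it and it does not overlap any allowlisted (admin) network.
    """
    allowed = [ipaddress.ip_network(a, strict=False) for a in allow]
    counts = Counter(
        ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        for ip in set(sources)
    )
    blocks = []
    # Busiest networks first; ties broken by network address.
    for net, n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
        if n < min_hosts or any(net.overlaps(a) for a in allowed):
            continue
        blocks.append((str(net), f"{net[0]}-{net[-1]}", n))
    return blocks

if __name__ == "__main__":
    # Assumed admin address and mask, for illustration only.
    admin_cidr, admin_range = scope_for("203.0.113.77", "255.255.255.240")
    print("allow:", admin_cidr, admin_range)
    for cidr, rng, n in candidate_range_blocks(SAMPLE_SOURCES, allow=[admin_cidr]):
        print("block:", cidr, rng, f"({n} distinct sources)")
```
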

                • #9

                  My ping is back in the 30's and no more skippy.