Server Security (Stopping the random kicks)

[Super Jerome 370]

We have all been on a server just minding our business and been randomly kicked.  And unless you were actually hacking, this is due to the server having too strict security parameters.  We all hate hackers and no one wants to make their lives any easier by reducing our server security.  However, where is the balance how does one prevent hackers and also allow normal players the option to play kick free.  Usually, not always, a player is kicked due to a signature mismatch.  I will go over several things regarding signatures and how to ensure your players aren't being randomly kicked.

First, let's talk about Keys and BISIGN files.  I am not going to go over the exact details with either of these and how they function.  What I will go over is how to keep your server up to date.  What most owners do when they update a mod for a server is they forget to update the key or BISIGN files.  Ensure that if one of your server mods are updated you don't forget to update the key as well. BISIGN files are in the same folder as the pbo for that mod.  Most mods are signed and if they have a BISIGN then they also have a key.  

Second, and more why I wrote this, is your server.cfg settings.  In most cases server owners take the standard server.cfg that came with the server and simply add their own lines to it.  There is nothing wrong with doing this, however, some settings may need to be adjusted specifically the "verifySignatures" settings. I will list a link below to Bohemia's server.cfg page that explains all the variables.  Below are security settings that I recommend:

Spoiler

verifySignatures      = 2;  // Verifies .pbos against .bisign files. Valid values 0 (disabled), 1 (prefer v2 sigs but accept v1 too) and 2 (only v2 sigs are allowed). 

equalModRequired = 0;                // Outdated. If set to 1, player has to use exactly the same -mod= startup parameter as the server.

BattlEye = 1;                    // Server to use BattlEye system

allowedLoadFileExtensions[] = {"hpp","sqs","sqf","fsm","cpp","paa","txt","xml","inc","ext","sqm","ods","fxy","lip","csv","kb","bik","bikb","html","htm","biedi"}; //only allow files with those extensions to be loaded via loadFile command (since Arma 3 build 1.19.124216)

allowedPreprocessFileExtensions[] = {"hpp","sqs","sqf","fsm","cpp","paa","txt","xml","inc","ext","sqm","ods","fxy","lip","csv","kb","bik","bikb","html","htm","biedi"}; //only allow files with those extensions to be loaded via preprocessFile/preprocessFileLineNumber commands (since Arma 3 build 1.19.124323)

allowedHTMLLoadExtensions[] = {"htm","html","xml","txt"}; //only allow files with those extensions to be loaded via HTMLLoad command (since Arma 3 build 1.27.126715)

onUnsignedData = "kick (_this select 0)";    // unsigned data detected
onHackedData = "kick (_this select 0)";        // tampering of the signature detected
onDifferentData = "";                // data with a valid signature, but different version than the one present on server detected

allowedFilePatching = 0;

The key command in this list is the "onDifferentData" most servers come this this listed as "onDifferentData = kick (_select 0)";.  This will more often than not kick players that have not done anything to their files.  Check the "onDifferentData" link below for an explanation.  

onDifferentData

Server.cfg (Bohemia)

 

Edited December 20, 2016 by Super Jerome

[MGTDB 956]

verifySignatures = 2; is better, faster and more secure

[par4na 2]

3 hours ago, MGTDB said:

verifySignatures = 2; is better, faster and more secure

Will not have FPS drop?

[C][G GhostTown™ 190]

37 minutes ago, par4na said:

Will not have FPS drop?

no

[Super Jerome 370]

4 hours ago, MGTDB said:

verifySignatures = 2; is better, faster and more secure

My fault I did mean to put =2 as =1 is outdated.  I was soo busy working on the other lines I missed it.  Thanks I will adjust it.

[Rebellion 6]

Seems a bit strange to reply to a thread thats been dorment for some time but thought it necessary. For a good while I've been wondering WHY players were connecting then almost after connecting to my server why they were disconnecting. Think I finally worked out why now, now that i came across this post. In the last week even one of my friends has been getting kicks for what seemed to be "Wrong signature file" checks against PBO's in his A3\Addons folder and sometimes even against PBO's in some of the mods enabled on the server (note: current mod versions). I assisted in trying to find out what was causing this and went through numerous fault finding tests to see what the cause was such as verifying game files in steam...deleting the corresponding PBO and Bisign file in his a3\addons folder THEN verifying files so that those files were redownloaded with a definite valid file. Nothing worked. Until now, or at least what I am going to assume, I noticed the security setting regarding "OnDifferentData" >> mine was set to kick. I can only but assume that this was the reason why kicks were occurring even though there was no unvalid reason it was happening. Now ive set that line to "" instead "kick" hopefully all should be good. Glad I came across this post!

[Chernaruski 54]

Isn't disabling kicks OnDifferentData is making your server vulnerable to altered pbo versions and therefore possible hacks ?

[Super Jerome 370]

On 2/26/2018 at 6:23 AM, Chernaruski said:

Isn't disabling kicks OnDifferentData is making your server vulnerable to altered pbo versions and therefore possible hacks ?

No, Bohemia themselves have stated that this is a harsh check and buggy at times.

Edited February 27, 2018 by Super Jerome