[cod] COD2 server kick for CD key in use

Andrej Parovel aparovel at gmail.com
Wed Jun 26 04:06:56 EDT 2013


I get the following output. It may be a problem with the firewall script that 
I am using (protectgame.sh), I have attached the iptables script that I use.

sending getIpAuthorize for 84.255.226.77:28960
sending getIpAuthorize for 84.255.226.77:28960
sending getIpAuthorize for 84.255.226.77:28960
sending getIpAuthorize for 84.255.226.77:28960
sending getIpAuthorize for 84.255.226.77:28960
sending getIpAuthorize for 84.255.226.77:28960
sending getIpAuthorize for 84.255.226.77:28960
sending getIpAuthorize for 84.255.226.77:28960
sending getIpAuthorize for 84.255.226.77:28960
sending getIpAuthorize for 84.255.226.77:28960
PunkBuster Server: Running PB Scheduled Task (slot #22) pb_sv_cvarsrch "recoil"
sending getIpAuthorize for 84.255.226.77:28960
sending getIpAuthorize for 84.255.226.77:28960
sending getIpAuthorize for 84.255.226.77:28960
sending getIpAuthorize for 84.255.226.77:28960
sending getIpAuthorize for 84.255.226.77:28960
sending getIpAuthorize for 84.255.226.77:28960
sending getIpAuthorize for 84.255.226.77:28960
sending getIpAuthorize for 84.255.226.77:28960
sending getIpAuthorize for 84.255.226.77:28960
sending getIpAuthorize for 84.255.226.77:28960
PunkBuster Server: Running PB Scheduled Task (slot #24) say ^7This server runs ^2GV Checks^1, ^2Generated: ^215 December 2010
sending getIpAuthorize for 84.255.226.77:28960
sending getIpAuthorize for 84.255.226.77:28960
sending getIpAuthorize for 84.255.226.77:28960
sending getIpAuthorize for 84.255.226.77:28960



Andrej

+386 31 247 707
aparovel at gmail.com

On 25.6.2013 15:39, escapedturkey wrote:
> Please see what information you can gather from the console log file:
> console_mp.log
>
> This should make it generate better:
>
> seta logfile "2" // 0-no logging 1-buffer log 2-flush after each print
> // - 1 should be fine in most cases
> // Log filename
> seta g_log games.log
> // enable synchronous output for server log (some stat programs require
> // this) This causes output to be unbuffered (immediately written to the
> // logfile).
> seta g_logSync 1
>
> In rcon try developer 1 or developer 2 and it should provide more
> extensive log output.
>
> If you need to set it from the command line: +set developer 1 or +set
> developer 2
>
>
>
> On Tue, Jun 25, 2013 at 4:07 AM, Andrej Parovel <aparovel at gmail.com> wrote:
>> Hello,
>>
>> Thank you for these tips, these saved our problem, but now we have a new one.
>> We can't connect on the server. Just Awaiting connections 1,2,3....
>> Any suggestion what could be wrong?
>>
>>
>> Andrej
>>
>> +386 31 247 707
>> aparovel at gmail.com
>>
>> On 23.6.2013 19:11, escapedturkey wrote:
>>> Are you using PunkBuster?
>>>
>>> pb_sv_guidRelax [0-7]
>>> Defaults to 0; Controls PunkBuster's kicking behavior related to
>>> GUIDS; A Value of 1 means PB will not kick for UNKN (Unknown) GUIDs; A
>>> Value of 2 means PB will not kick for WRONGIP GUIDs (these are GUIDS
>>> which are valid but not from the IP Address the player is connecting
>>> from); A Value of 4 means PB will not kick for DUPLICATE GUIDs; These
>>> values (1, 2 and 4) can be combined to achieve the desired behavior
>>>
>>> 0 = Will kick for ALL
>>> 1 = Will not kick UNKNown GUIDS
>>> 2 = Will not kick for wrong IP addresses
>>> 3 = Will not kick for UNKNown GUIDS and wrong IP addresses
>>> 4 = Will not kick for DUPlicate GUIDS
>>> 5 = Will not kick for UNKNown GUIDS and DUPlicate GUIDS
>>> 6 = Will not kick for wrong IP addresses and DUPlicate GUIDS
>>> 7 = Will not kick for UNKNown GUIDS, wrong IP addresses, and DUPlicate
>>> GUIDS
>>>
>>> http://cod22.evenbalance.com/publications/cod2-ad/index.htm
>>>
>>> On Sun, Jun 23, 2013 at 10:03 AM, MikeTNT <MikeTNT at gmx.de> wrote:
>>>> Oops, old link..
>>>>
>>>> This thread is newer.
>>>>
>>>>
>>>> http://killtube.org/showthread.php?1438-CoD2-Masterserver/page2&s=8a121acd49c7384f91c39c626acef861
>>>>
>>>>
>>>>
>>>> From: MikeTNT
>>>> Sent: Sunday, June 23, 2013 3:39 PM
>>>> To: Call of Duty server admin list.
>>>> Subject: Re: [cod] COD2 server kick for CD key in use
>>>>
>>>> Is the cod2 master server online at the moment?
>>>>
>>>> Look here:
>>>> https://www.facebook.com/ActivisionAssist/posts/10151239431404311
>>>>
>>>> Some people reported the same problem with COD/CODUO.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> From: Andrej Parovel
>>>> Sent: Sunday, June 23, 2013 11:38 AM
>>>> To: Call of Duty server admin list.
>>>> Subject: Re: [cod] COD2 server kick for CD key in use
>>>>
>>>> Hello,
>>>>
>>>> No, the server is original and also the key code is original and we have
>>>> different CD keys, but still the server is kicking.
>>>> It might be some sort of connection-firewall problem?
>>>>
>>>> Andrej
>>>>
>>>> +386 31 247 707
>>>> aparovel at gmail.com
>>>>
>>>> On 22.6.2013 16:36, Geoff Goas wrote:
>>>>
>>>> Sounds like you might be playing with a cracked version and enabling PB
>>>> at
>>>> the same time.
>>>>
>>>> On Jun 22, 2013 10:31 AM, "Steven Hartland" <killing at multiplay.co.uk>
>>>> wrote:
>>>>> Buy the game?
>>>>> ----- Original Message ----- From: "Andrej Parovel" <aparovel at gmail.com>
>>>>> To: "Call of Duty server admin list." <cod at icculus.org>
>>>>> Sent: Saturday, June 22, 2013 12:17 PM
>>>>> Subject: [cod] COD2 server kick for CD key in use
>>>>>
>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> I need your help with my Call of Duty 2 server. We get kicked for CD Key
>>>>>> in Use even though we have different and original CD keys.
>>>>>> Is this a known bug? What can we do?
>>>>>>
>>>>>> Thank you
>>>>>>
>>>>>> --
>>>>>> Andrej
>>>>>>
>>>>>> +386 31 247 707
>>>>>> aparovel at gmail.com
>>>>>>
>>>>>> _______________________________________________
>>>>>> cod mailing list
>>>>>> cod at icculus.org
>>>>>> http://icculus.org/mailman/listinfo/cod
>>>>>>

-------------- next part --------------
#!/bin/bash

# This shell script takes an IP address and a port in the form of:
#
# sudo ./protectgame.sh IP PORT
#
# to create a custom set of Q3-protocol iptables rules to mitigate the effects
# of a game server packet UDP flood attack.  Please note that the goal here
# is to allow the game to still be playable without noticeable lag, even
# under very heavy attacks.  In testing these rules have been so effective
# that DOSers have had to resort to renting a botnet in order to generate
# enough traffic to effectively take out the data center's upstream
# switch for a short period of time.
#
# Please also note that by limiting the number of players that can connect
# per second, and limiting the number of requests of game server information
# per second, the following effects are evident:
#
# 1) During a random IP 'getstatus' or 'getinfo' UDP flood attack, the game
#    server will most likely not show up in the in-game master list, but
#    the players currently in game should experience clean gameplay.
#
# 2) During a random IP 'getchallenge' UDP flood attack, while the players
#    currently in game should experience clean gameplay, it will be harder
#    for a new player to join the server.
#
# If not using these rules and you are under a flood attack of the above
# packets, it will be harder to join the server and harder to see the
# server in the master list anyway, as the server can't keep up with
# responding to the flood of packets.  At least by rate limiting the
# flood at the kernel level, we prevent the game server from having to
# deal with the vast majority of the attack, keeping the server responsive
# for the players currently in game.
#
# When no attack is ongoing, then the server will operate normally, as if
# no rules were in place at all, as no packets will be pitched due to
# normal rates of packet ingestion.
#
# 3/20/2012
# Fixed the $hexip variable when the IP address is 128.x.x.x and above.
#
# 3/21/2012
# Added some additional logic on "connect" packets, using the recent module
# to keep the IP address and timestamp of each player IP that has connected,
# and then to pre-check all other packets against that list, even before rate
# limiting the packets to 100/sec.  This means that someone pushing reflection
# packets off another server to flood you will have all of those reflection
# packets ignored, as there was never an initial player connect packet
# from those addresses.
#
# This new development on the rules creates a "dynamic whitelist" mode of
# protection, all done with iptables!
#
# The current recent module has a default limit of 100 IP addresses that
# it will store.  Since most Q3-protocol servers only allow 32 players, this
# is plenty.  If desired however, it can be changed to 500 by making the
# following file writable and then echoing a new value to it.
#
# sudo chmod a+w /sys/module/xt_recent/parameters/ip_list_tot
# sudo echo 500 > /sys/module/xt_recent/parameters/ip_list_tot
#
# The file in the /proc/net/xt_recent directory contains the IPs of all
# players who have connected to the game server.  Once a player disconnects
# from the game server he will live in this list only an additional 10 minutes.
# If nobody is currently playing, then the list will contain the players who
# were playing last.
#
# 3/22/2012
# Added a rule to allow external rcon from any address.
#
# 4/10/2012
# Added a new "getvalid" packet type that can be used to force a whitelist
# on the player address.  Since this type of packet is not part of the Q3
# protocol, the packet is just used to add to the whitelist and then the
# packet is dropped.  This new feature allows a player to break into a server
# that is under a massive "getchallenge" attack.
#
# 4/11/2012
# Added an exception for "getstatus<LF>" and "getinfo<LF>" commands, which
# are typical of qstat requests. Other types of "getstatus" and "getinfo"
# packets are still rate limited.
#
# 4/25/2012
# Added a few lines for COD 1.3 servers that do IP validation with a
# validation server before allowing a client to connect.  The lines are
# currently commented out, but may be included if desired.  Be sure that
# the IP's in these rules match the IP validation addresses in your COD
# server config file.  If any other "exception" IP addresses are needed,
# just copy one of the lines and change the address.
#
# Also added the dropping of packets not in the range of 32-800 bytes,
# to prevent large or small packet flooding.  All Q3 protocol packets
# to the game server should be inside this range.  This is performed
# before the whitelist rate limiting rules, just in case a DOSer finds
# the IP of someone currently playing and tries to flood the server
# with small or large packets with that address.
#
# 5/2/2012
# Added a custom "getstatus xXx" and "getinfo xXx" command that is always
# passed through to the server.  Use these commands for querying the
# server from any web site PHP page instead of the standard ones.  This
# allows a server even under these attacks to be responsive to a web
# server request that knows about these custom commands.
#
# 5/5/2012
# Modified the original generic Q3-protocol protection script to take into
# account communication with the COD4 master server at
# cod4master.activision.com (63.146.124.21) and the COD2 master server at
# cod2master.activision.com (63.146.124.40) by allowing communication with
# all 63.146.124.x addresses.
#
# Added a new section (currently commented out) for any other IP addresses
# that should be allowed 2-way communication with the server.
#
# 5/16/2012
# Added some IP addresses for common COD, COD2 and COD4 servers, as well
# as punkbuster IPs.

if [ -z "$1" ]
then
   echo "Please pass an IP address and port to protect!"
   echo "For example:"
   echo "sudo ./protectcod.sh 10.1.2.3 28960"
   echo ""
else
  if [ -z "$2" ]
  then
    echo "Please pass the port as well as the IP address to protect!"
    echo "For example:"
    echo "sudo ./protectcod.sh 10.1.2.3 28960"
    echo ""
  else
    rulelines=`/sbin/iptables -L PLRS-$1-$2 -v -n 2> /dev/null | wc -l`
    if [ "$rulelines" -gt 0 ]
    then
      echo "The iptables rules for $1 on $2 were already added"
    else
      echo -n "Now adding COD iptables rules for $1 on port $2...";

      # We must make a unique name for the hashlimit file in both directories
      # /proc/net/ipt_hashlimit and /proc/net/xt_recent.
      # This is an 8-digit hex representation of the IP address followed by
      # a 5-digit decimal port number.
      hexip=`echo "$1" | awk -F '.' '{printf "%02x%02x%02x%02x\n", $1, $2, $3, $4}'`$2

      # First do the getstatus protect chain ----------------------------------
      # Notice we allow anyone already whitelisted to get the server status
      # before we apply the rate limiter.
      # Also allow "getstatus0x0a" for typical qstat requests, and "getstatus xXx"
      # for custom requests from PHP pages that know about the exception.
      # (If you are ever DoSed with these special commands, comment out the
      # appropriate line for them to prevent the server from lagging)
      /sbin/iptables -N STAT-$1-$2
      /sbin/iptables -A STAT-$1-$2 -p udp -m recent --name $hexip --rcheck -j ACCEPT
      /sbin/iptables -A STAT-$1-$2 -p udp -m string --string "getstatus xXx" --algo bm --from 30 --to 36 -j ACCEPT
      # /sbin/iptables -A STAT-$1-$2 -p udp -m string --hex-string "|67 65 74 73 74 61 74 75 73 0a|" --algo bm --from 30 --to 36 -j ACCEPT
      /sbin/iptables -A STAT-$1-$2 -p udp -m limit --limit 10/sec --limit-burst 10 -j ACCEPT
      /sbin/iptables -A STAT-$1-$2 -p udp -j DROP

      # Next do the getinfo protect chain -------------------------------------
      # Notice we allow anyone already whitelisted to get the server info
      # before we apply the rate limiter.
      # Also allow "getinfo0x0a" for typical qstat requests, and "getinfo xXx"
      # for custom requests from PHP pages that know about the exception.
      # (If you are ever DoSed with these special commands, comment out the
      # appropriate line for them to prevent the server from lagging)
      /sbin/iptables -N INFO-$1-$2
      /sbin/iptables -A INFO-$1-$2 -p udp -m recent --name $hexip --rcheck -j ACCEPT
      /sbin/iptables -A INFO-$1-$2 -p udp -m string --string "getinfo xXx" --algo bm --from 30 --to 36 -j ACCEPT
      # /sbin/iptables -A INFO-$1-$2 -p udp -m string --hex-string "|67 65 74 69 6e 66 6f 0a|" --algo bm --from 30 --to 36 -j ACCEPT
      /sbin/iptables -A INFO-$1-$2 -p udp -m limit --limit 10/sec --limit-burst 10 -j ACCEPT
      /sbin/iptables -A INFO-$1-$2 -p udp -j DROP

      # Next do the getchallenge protect chain --------------------------------
      # Notice we allow anyone already whitelisted to issue the "getchallenge"
      # before we apply the rate limiter.
      /sbin/iptables -N CHLG-$1-$2
      /sbin/iptables -A CHLG-$1-$2 -p udp -m recent --name $hexip --rcheck -j ACCEPT
      /sbin/iptables -A CHLG-$1-$2 -p udp -m limit --limit 2/sec --limit-burst 2 -j ACCEPT
      /sbin/iptables -A CHLG-$1-$2 -p udp -j DROP

      # Next do the connect protect chain -------------------------------------
      # Notice a "connect" packet will set the player's address in the recent
      # list, effectively whitelisting the player.
      /sbin/iptables -N CONN-$1-$2
      /sbin/iptables -A CONN-$1-$2 -p udp -m recent --name $hexip --set
      /sbin/iptables -A CONN-$1-$2 -p udp -m limit --limit 2/sec --limit-burst 2 -j ACCEPT
      /sbin/iptables -A CONN-$1-$2 -p udp -j DROP

      # Now we add the chain that handles player packets ----------------------
      /sbin/iptables -N PLRS-$1-$2

      # These are some addresses needed for punkbuster and a few others as well.
      # If after a long period of time you don't see any accepted packets from one of
      # these rules, you can safely drop the appropriate line.
      /sbin/iptables -A PLRS-$1-$2 -p udp -s 89.163.171.218 -d $1 --dport $2 -j ACCEPT
      /sbin/iptables -A PLRS-$1-$2 -p udp -s 89.163.171.219 -d $1 --dport $2 -j ACCEPT
      /sbin/iptables -A PLRS-$1-$2 -p udp -s 89.163.171.220 -d $1 --dport $2 -j ACCEPT
      /sbin/iptables -A PLRS-$1-$2 -p udp -s 69.10.30.248 -d $1 --dport $2 -j ACCEPT
      /sbin/iptables -A PLRS-$1-$2 -p udp -s 72.51.47.18 -d $1 --dport $2 -j ACCEPT
      /sbin/iptables -A PLRS-$1-$2 -p udp -s 66.36.231.175 -d $1 --dport $2 -j ACCEPT
      /sbin/iptables -A PLRS-$1-$2 -p udp -s 204.15.228.214 -d $1 --dport $2 -j ACCEPT
      /sbin/iptables -A PLRS-$1-$2 -p udp -s 216.240.146.139 -d $1 --dport $2 -j ACCEPT
      /sbin/iptables -A PLRS-$1-$2 -p udp -s 66.180.170.20 -d $1 --dport $2 -j ACCEPT
      /sbin/iptables -A PLRS-$1-$2 -p udp -s 69.10.30.248 -d $1 --dport $2 -j ACCEPT

      # Allow communication to cod2master.activision.com, as well as ----------
      # cod4master.activision.com and any other 63.146.124.x address.
      /sbin/iptables -A PLRS-$1-$2 -p udp -s 63.146.124.0/24 -d $1 --dport $2 -j ACCEPT

      # If you have any other server that does IP validation, make sure to copy the
      # commented line below, change the "#.#.#.#" to the ip, and uncomment it.
      # /sbin/iptables -A PLRS-$1-$2 -p udp -s #.#.#.# -d $1 --dport $2 -j ACCEPT

      # Now for the rules that send the various common flood packets to the limit chains.
      # Here you can see the new "getvalid" packet that adds to the whitelisted players,
      # and then the packet is dropped since it is not a valid Q3-protocol packet.
      # Note that even though "getservers" is for master list requests, we drop it too.
      /sbin/iptables -A PLRS-$1-$2 -p udp -m string --string "getvalid" --algo bm --from 30 --to 36 -m recent --name $hexip --set -j DROP
      /sbin/iptables -A PLRS-$1-$2 -p udp -m string --string "getservers" --algo bm --from 30 --to 36 -j DROP
      /sbin/iptables -A PLRS-$1-$2 -p udp -m string --string "getstatus" --algo bm --from 30 --to 36 -j STAT-$1-$2
      /sbin/iptables -A PLRS-$1-$2 -p udp -m string --string "getinfo" --algo bm --from 30 --to 36 -j INFO-$1-$2
      /sbin/iptables -A PLRS-$1-$2 -p udp -m string --string "getchallenge" --algo bm --from 30 --to 36 -j CHLG-$1-$2
      /sbin/iptables -A PLRS-$1-$2 -p udp -m string --string "connect" --algo bm --from 30 --to 36 -j CONN-$1-$2
      /sbin/iptables -A PLRS-$1-$2 -p udp -m string --string "rcon " --algo bm --from 30 --to 36 -j ACCEPT

      # Special whitelisting rules --------------------------------------------
      # Now to drop packets from anyone who is not a whitelisted player.
      # Then we update the timestamp, and expire any players who have not sent a
      # normal game update packet for 600 seconds (10 minutes).
      # Please note that your version of iptables must support the --reap
      # option of the recent module, in order to do the auto expiration.
      /sbin/iptables -A PLRS-$1-$2 -p udp -m recent --name $hexip ! --rcheck -j DROP
      /sbin/iptables -A PLRS-$1-$2 -p udp -m recent --name $hexip --update --seconds 600 --reap

      # Before we do rate limiting on the player, drop any packets that are
      # too big or too small.  Sometimes the DOSer will be able to steal a
      # valid player's IP address and spam it with big packets.  We just drop
      # those. Typically no incoming player packet for Q3-protocol servers
      # should ever be smaller than 32 or bigger than 800 bytes.
      #/sbin/iptables -A PLRS-$1-$2 -p udp -m length --length 0:32 -j DROP
      #/sbin/iptables -A PLRS-$1-$2 -p udp -m length --length 800:16384 -j DROP

      # Ok, it's a packet from a player IP, now rate limit to 100/sec just in case
      # someone is flooding with a valid player IP address they stole.
      # If you have an older version of hashlimit (that doesn't support --hashlimit-above)
      # then uncomment the following two lines and comment out the two after that.
      # /sbin/iptables -A PLRS-$1-$2 -p udp -m hashlimit --hashlimit-name $hexip --hashlimit 100/sec --hashlimit-burst 100 --hashlimit-mode srcip,srcport --hashlimit-htable-size 128 --hashlimit-htable-max 128 --hashlimit-htable-gcinterval 1000 --hashlimit-htable-expire 10000 -j ACCEPT
      # /sbin/iptables -A PLRS-$1-$2 -p udp -j DROP
      /sbin/iptables -A PLRS-$1-$2 -p udp -m hashlimit --hashlimit-name $hexip --hashlimit-above 100/sec --hashlimit-burst 100 --hashlimit-mode srcip,srcport --hashlimit-htable-size 128 --hashlimit-htable-max 128 --hashlimit-htable-gcinterval 1000 --hashlimit-htable-expire 10000 -j DROP
      /sbin/iptables -A PLRS-$1-$2 -p udp -j ACCEPT

      # Now for the rule that sends the IP:PORT UDP frames to PLRS ------------
      # This is the only rule that goes into the normal INPUT chain.
      /sbin/iptables -A INPUT -p udp -d $1 --dport $2 -j PLRS-$1-$2

      echo "complete!"
    fi
  fi
fi
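
Added example (not part of the original message or of protectgame.sh): the script's comments suggest pruning allow-list lines that never accept packets, and the thread asks whether the firewall is interfering with CD key authorization. This sketch reads the per-rule counters from `iptables -L <chain> -v -n -x` to show which source-pinned ACCEPT rules were ever hit and how many packets the DROP rules discarded; the sample listing, its counter values and the function names are constructed for illustration.

```shell
#!/bin/bash
# Added example: summarise per-rule counters of a PLRS chain built by a
# script like the one above. Function names are illustrative.

# Constructed sample of `iptables -L PLRS-10.1.2.3-28960 -v -n -x` output.
# Counter values are invented; the match text iptables prints after the
# destination column is trimmed because only the first columns are parsed.
sample_listing() {
cat <<'EOF'
Chain PLRS-10.1.2.3-28960 (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     udp  --  *      *       89.163.171.218       10.1.2.3             udp dpt:28960
     412    31724 ACCEPT     udp  --  *      *       63.146.124.0/24      10.1.2.3             udp dpt:28960
       0        0 ACCEPT     udp  --  *      *       72.51.47.18          10.1.2.3             udp dpt:28960
      37     1702 CONN-10.1.2.3-28960  udp  --  *      *       0.0.0.0/0            0.0.0.0/0
    9051   416346 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0
   88210  6351120            udp  --  *      *       0.0.0.0/0            0.0.0.0/0
       3      144 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0
   88207  6350976 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0
EOF
}

# Normalise each rule line to "pkts target source". -x is needed so the
# counters are exact integers rather than rounded values such as 88K.
# A rule without a -j target (the --update rule) leaves the target column
# empty, shifting the fields left by one; the position of the "--" in the
# opt column tells the two layouts apart.
parse_rules() {
  awk '
    $1 ~ /^[0-9]+$/ {
      if ($4 == "--") { target = "-"; src = $7 }
      else            { target = $3;  src = $8 }
      print $1, target, src
    }'
}

# Source-pinned ACCEPT rules that never matched a packet: candidates for
# removal, or a hint that the expected peer now uses a different address.
idle_allow_rules() {
  parse_rules | awk '$2 == "ACCEPT" && $3 != "0.0.0.0/0" && $1 == 0 { print $3 }'
}

# Source-pinned ACCEPT rules that did match, as "source=packets".
hit_allow_rules() {
  parse_rules | awk '$2 == "ACCEPT" && $3 != "0.0.0.0/0" && $1 > 0 { print $3 "=" $1 }'
}

# Total packets discarded by the DROP rules of this chain.
drop_total() {
  parse_rules | awk '$2 == "DROP" { n += $1 } END { print n + 0 }'
}

# Print a short report for a listing supplied on stdin.
report() {
  listing=$(cat)
  echo "Allow-list sources never hit:"
  printf '%s\n' "$listing" | idle_allow_rules
  echo "Allow-list sources with traffic:"
  printf '%s\n' "$listing" | hit_allow_rules
  echo "Packets dropped in this chain: $(printf '%s\n' "$listing" | drop_total)"
}

sample_listing | report
```

On a live host, pipe the output of `sudo /sbin/iptables -L PLRS-<ip>-<port> -v -n -x` into `report` instead of the sample, and compare two runs taken a few minutes apart while a client is trying to connect.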

