Trance

Global Moderator
Everything posted by Trance

  1. I have refreshed the GitHub repositories referenced in the main topic to enhance the coherence between the guides.
  2. I've added Webmin Installation Guide - a web-based system administration tool.
  3. @ZOUMHS Please follow the rules: 10) Prices must be displayed (and visible) in public on the main topic.
  4. Topic renamed from L2Gold Classic to L2Gold Essence.
      We are excited to announce the expansion of our team for the remastered Essence chronicle. Our goal is to adopt a classic, long-lasting playstyle while still maintaining the legacy of the gold-style. With that in mind, we are thrilled to introduce the following members who will help us achieve this vision:
      Electronica: Our new Community Manager, Electronica brings a wealth of experience in community management to our team. He will represent the community and ensure that player needs and concerns are addressed to the Developer and other staff members. Electronica will also assist with communication and other aspects of the server.
      Psy: A Game Master with experience in various custom private servers, Psy will help ensure fair gameplay and assist with dispute resolution. He has a deep understanding of the server and its customizations.
      Techno: Another Game Master with experience in Interlude and all the latest chronicles, Techno brings a passion for gaming to our team. He will work alongside Psy and House to monitor gameplay and help maintain a fair and enjoyable game environment for all players.
      House: Another Game Master, our seasoned veteran, House, has been part of the World of Lineage community since the official release of Chronicle C3 in 2005. As a project manager in real life, he brings his organizational skills and attention to detail to our team. He will work closely with the Game Masters to ensure that everything runs smoothly.
      AskForMore: Our Community Helper, AskForMore, is a familiar face to many players. He knows the server inside out and is always ready to assist with any questions or concerns. He will continue to be an essential part of our team.
      We are still looking for one more Game Master and two GM Helpers to join our team. Game Masters will be responsible for monitoring gameplay, resolving disputes, and ensuring a fair and enjoyable game environment. GM Helpers will assist the Game Masters with their duties and help monitor game activity. We are confident that our team of experienced and dedicated individuals will help us achieve our goal of providing a classic and enjoyable gaming experience. We look forward to working together and hope that you'll join us on this journey.
      Discord: https://discord.gg/zA5KWH8cMc
  5. Please follow the rules: 10) Prices must be displayed (and visible) in public on the main topic.
  6. Please follow the rules: 10) Prices must be displayed (and visible) in public on the main topic.
  7. Please follow the rules: 10) Prices must be displayed (and visible) in public on the main topic.
  8. Thanks for pointing out that I forgot to add the installation of conntrack in my GitHub repository, as it is already integrated into this repository. To install conntrack, you can use the following command:
      sudo apt-get install conntrack -y
      It's possible that your system has some restrictions on the maximum allowed values for net.ipv4.tcp_rmem and net.ipv4.tcp_wmem; try to lower the values. It's basically min, default, max - receive buffer space for TCP connections. Which configuration did you try to apply?
      P.S. I've updated the GitHub repo.
  9. It's time to focus on the most popular Linux distro. I've shared the following repositories on GitHub:

      Installing IPTables, Ipset, Conntrack and netfilter-persistent on Ubuntu Server 22.04
      This guide will walk you through the process of installing IPTables, Ipset, Conntrack and netfilter-persistent on Ubuntu Server 22.04. netfilter-persistent allows you to save and load your IPSET and IPTABLES rules automatically on boot. This ensures that your firewall settings are always loaded, even after a reboot.

      Optimizing Ubuntu 22.04 for Low Latency and High Performance
      This guide will walk you through the steps for optimizing your Ubuntu 22.04 system for low latency and high performance. The optimizations aim to improve the performance of a Linux-based system by modifying various network settings. Some of the changes include increasing the maximum number of open file descriptors, increasing the maximum number of processes, enabling TCP time-wait reuse, adjusting TCP keepalive time, setting the local port range for TCP connections, and increasing the maximum number of allowed concurrent network connections. Additionally, the values for the system's network buffer sizes are also increased to improve network performance. The optimizations aim to improve the system's overall stability and responsiveness in handling high network traffic.

      MariaDB installation and optimization on Ubuntu
      This guide explains how to install and optimize MariaDB on Ubuntu:
      - Checking if the script is run as root
      - Checking if the script has been run before
      - Updating package lists and upgrading packages
      - Installing MariaDB if it's not already installed
      - Prompting the user to select an optimization level (either to use up to 50% of total RAM and CPU, or up to 100% if MariaDB is the sole service on the server)
      - Backing up the original MariaDB configuration file
      - Calculating hardware-based settings (based on total memory and CPU cores)
      - Configuring MariaDB performance settings based on the chosen optimization level and hardware
      - Restarting the MariaDB service if the user agrees

      MariaDB Management Script for Ubuntu
      This shell script provides a simple way to manage MariaDB on Ubuntu 22.04 or newer:
      - Creating, deleting, and flushing MariaDB users.
      - Creating, deleting, and updating databases.
      - Importing and exporting SQL files.

      Webmin Installation Guide for Ubuntu Server 22.04
      Webmin is a web-based system administration tool for Unix/Linux systems that allows users to manage their system resources and services through a web interface. It provides a graphical user interface (GUI) for many common administrative tasks and simplifies the management of a Linux system for both novice and experienced users.
      - System configuration: Webmin provides a GUI for configuring many aspects of your system, including network settings, user accounts, system services, and hardware settings.
      - Package management: Webmin makes it easy to manage software packages on your system. You can view and install available packages, update installed packages, and configure package repositories.
      - Server management: Webmin supports a variety of server applications, including Apache, MySQL, and PostgreSQL. You can configure server settings, manage virtual hosts and databases, and view server logs.
      - File management: Webmin includes a file manager that allows you to browse and manage files on your system, including copying, moving, and deleting files.
      - Monitoring: Webmin provides real-time monitoring of system resources such as CPU usage, memory usage, and disk space. You can also set up alerts to be notified when resource usage exceeds specified thresholds.
      - Security: Webmin includes a variety of security features, including SSL/TLS encryption for web traffic, authentication and authorization for user accounts, and firewall configuration.
      Your feedback is welcome.
  10. Is this classic client adapted to Interlude's protocol or what?
  11. Use computeIfAbsent() to avoid creating empty effect maps for players with no effects. Use Entry in the forEach() loop instead of two parameters.
  12. My reply is strictly referring to server side.
  13. These old features remind me of childhood memories.
  14. Hi, I think it's a huge advantage if you run the L2OFF server on a VM on a Linux machine - Ubuntu Server 22.04. Let me know if you have any suggestions that can improve this guide. For the past few weeks I've been creating all sorts of sh or python scripts at work for Linux, so I thought I'd make this guide.

      INSTALL VIRTUALBOX
      sudo apt-get update
      sudo apt-get install virtualbox

      Download the Windows ISO file for the version of Windows you want to install on your virtual machine. We'll use Windows 10 as an example here.

      Create a new virtual machine using the following command:
      VBoxManage createvm --name "VM name" --ostype Windows10 --register
      Replace "VM name" with the name you want to give your virtual machine.

      Configure the virtual machine using the following commands:
      VBoxManage modifyvm "VM name" --memory 2048 --vram 128
      VBoxManage modifyvm "VM name" --boot1 dvd --boot2 disk --boot3 none --boot4 none
      VBoxManage modifyvm "VM name" --nic1 nat
      # Every NAT port-forwarding rule needs its own name; VirtualBox rejects a second rule named "guestssh".
      VBoxManage modifyvm "VM name" --natpf1 "l2login,tcp,,2106,,2106"
      VBoxManage modifyvm "VM name" --natpf1 "l2game,tcp,,7777,,7777"
      Replace "VM name" with the name of your virtual machine.

      Create a virtual hard disk for your virtual machine using the following command:
      VBoxManage createhd --filename "/path/to/harddisk.vdi" --size 20480
      Replace "/path/to/harddisk.vdi" with the path where you want to store the virtual hard disk.

      Attach the Windows ISO file to the virtual machine using the following commands:
      # A freshly created VM has no storage controllers, so add them and attach the virtual hard disk first.
      VBoxManage storagectl "VM name" --name SATA --add sata
      VBoxManage storageattach "VM name" --storagectl SATA --port 0 --device 0 --type hdd --medium "/path/to/harddisk.vdi"
      VBoxManage storagectl "VM name" --name IDE --add ide
      VBoxManage storageattach "VM name" --storagectl IDE --port 0 --device 0 --type dvddrive --medium "/path/to/windows.iso"
      Replace "VM name" with the name of your virtual machine, as specified, and replace "/path/to/windows.iso" with the path to the Windows ISO file you downloaded.

      Start the virtual machine using the following command:
      VBoxHeadless --startvm "VM name"
      Replace "VM name" with the name of your virtual machine. Windows will now boot from the ISO file you selected. Follow the on-screen instructions to install Windows.

      Once Windows is installed, you can install VirtualBox Guest Additions to improve performance and add features like shared folders. In the virtual machine, navigate to the "Devices" menu and select "Insert Guest Additions CD image". In Windows, open "This PC" and navigate to the CD drive. Run the "VBoxWindowsAdditions.exe" file to install Guest Additions.

      TRAFFIC FORWARDING
      To forward incoming TCP connections on ports 2106 and 7777 to your Windows virtual machine on Ubuntu Server, you can use NAT and port forwarding.
      Make sure your Windows virtual machine is shut down. Open a terminal window on your Ubuntu Server. Use the following command to list the network interfaces on your server:
      ip addr
      Identify the IP address of the network interface you want to use for the port forwarding. It will be listed under the "inet" section.
      Use the following command to forward port 2106 to your Windows virtual machine:
      # Skip this if you already added the rule while configuring the VM above; a rule name can only be added once.
      VBoxManage modifyvm "VM name" --natpf1 "l2login,tcp,,2106,,2106"
      Replace "VM name" with the name of your Windows virtual machine, as specified in VirtualBox.
      Use the following command to forward port 7777 to your Windows virtual machine:
      VBoxManage modifyvm "VM name" --natpf1 "l2game,tcp,,7777,,7777"
      Replace "VM name" with the name of your Windows virtual machine, as specified in VirtualBox.
      Start your Windows virtual machine. In Windows, configure your applications to listen on ports 2106 and 7777, and they will now receive incoming connections that are forwarded from your Ubuntu Server.

      USE MORE RESOURCES
      You can configure your Windows virtual machine in VirtualBox to use all available CPU cores and all available RAM on your Ubuntu Server.
      Make sure your Windows virtual machine is shut down. Open a terminal window on your Ubuntu Server.
      Use the following command to set the number of CPU cores that your virtual machine will use:
      VBoxManage modifyvm "VM name" --cpus $(nproc)
      Replace "VM name" with the name of your Windows virtual machine, as specified in VirtualBox.
      Use the following command to set the amount of RAM that your virtual machine will use:
      VBoxManage modifyvm "VM name" --memory $(free -m | awk '/^Mem:/{print $2}')
      Replace "VM name" with the name of your Windows virtual machine, as specified in VirtualBox.
      Start the virtual machine.
      That's all, I think. You can make the virtual machine have a different IP if you buy additional IPs from OVH.
  15. To detect players using Adrenaline, you can implement a system that monitors game activity and identifies patterns of behavior that are indicative of botting. To detect these patterns, you can implement algorithms that analyze player behavior and flag any instances that deviate significantly from what is considered normal. Additionally, you can also gather data on known botting software and their behavior patterns, and use this information to develop more sophisticated detection algorithms. I'm not judging your share, just thinking out loud.
  16. P.S. I will have to remake all these guides at one point; I'm not very happy with them, but it should be enough for now.
  17. Hi @MetaMan, even though some people may be familiar with the files and/or the story, please provide more information about the share.
  18. Description This topic is part of a multi-part series. We'll try to get everything straight to the point in this guide, without unnecessary over-explanation. PART 1 [CLICK HERE] Work faster with a better terminal emulator. Use a better editor. Basic L2J server setup. Manage and secure your MySQL server. [!] PART 2 [CLICK HERE] Secure your Linux server. Tuning system profiles. [!] Network performance tuning. [!] How to build and manage a firewall using iptables and conntrack - simplified version. [!] PART 3 [THIS GUIDE] Understanding and managing the OVH Firewall. [!] How to build and manage a firewall using iptables, conntrack, ipset and synproxy - advanced version. [!] Mitigating most of the DDoS attacks. [!] Understanding and managing the firewall at OVH Please read carefully as I am sharing the intellectual property with you right now. OVH will NOT vacuum any traffic unless it is detected by them that you are being attacked. In fact, the firewall is disabled by default and OVH will force it to enable once they have detected that you are being attacked. This can take anywhere from a few seconds to a few minutes, no VAC in the world will be triggered instantly. I think some of the strongest VACs in the world fire in about 12 seconds. If your machine is vulnerable, it may fill its resources before OVH's VAC can help you. That is why it is very important to have a machine on Linux that is well configured. I will say one more thing that will probably blow your mind. OVH's VAC is not perfect, in fact it has very few vulnerabilities, one of the vulnerabilities is that it cannot block malformed ACK connections - which we'll handle it on our Linux server. Create a Firewall In the OVHcloud Control Panel, click on the Bare Metal Cloud menu and open IP. You can use the drop-down menu underneath “My public IP addresses and associated services” to filter your services according to category. 
Configuring the Network Firewall A priority (from 0 to 19, 0 being the first rule to be applied, followed by the others). 0. Same networking rule applies to the OVH Firewall, like we did with the IPTables firewall. Allow all ESTABLISHED. If the connection is already ESTABLISHED with the server, it will ignore all of the below. 1, 2. Allowing my VPN networks for any TCP/IPV4 protocol - ICMP (ping-ing), TCP, etc; for any port. You can do the same for your webhost if you have anything that needs to connect to your MySQL server; you could limit it to TCP and 3306 port though instead of accessing it all. 3, 4, 5. Allowing any TCP connection on the specific ports our server needs. It's very important to have the option SYN checked. So the attacker can't use our ports if a connection is not ESTABLISHED. When a new player is connecting to the server, it will go to Rule 3 and 4 and then any other communication further will be handled by Rule 0 because it's already ESTABLISHED, meaning any other rule after that point won't apply. The OVH Firewall won't deny connections by default, so we have to add a rule at the end - Rule 19. To deny it all. From the same drop-menu where we've enabled and configured the Firewall, we can activate Mitigation: permanent mode. So we have it triggered at all times for a faster response. How To Build And Manage A Firewall with IPTables, Conntrack, IPSet and SYNPROXY We will get more serious now. Keep in mind that we'll be working with the IPTables rules we've created in the previous topic, so do NOT jump that part! We will still use IPTables and Conntrack, and on top of that we'll use IPSet and SYNPROXY. IPSet We'll use it to create sets of addresses to allow or block with our IPTables rules. We will manually add the IPs we want to allow them access to certain ports for management purposes. We'll also use it to automatically keep IPs that iptables will block for a certain amount of time that we set with IPSet. P.S. 
They're part of the installation packages in one of the previous parts of my Linux Series. We'll create several sets: ipset_allowed_ports will be used to keep the trusted IPs we need to access SSH, MySQL, etc. ipset create ipset_allowed_ports hash:net ipset_whitelist will be used to manually whitelist ourselves to ignore every single IPTables rule; for extra precaution. This will the first rule in every singe table/chain. ipset create ipset_whitelist hash:net ipset_players_whitelist will be used to manually whitelist Players that somehow are blocked by our rules. This would only happen if they're traffic is suspiciously triggering our Anti-DDoS rules. It usually happens if they're infected with a malware or something like that. It happened to about 5 players on my previous servers in the past. Hey! We care about all our players. ipset create ipset_players_whitelist hash:net ipset_blacklist will be used to manually ban whoever we want. ipset create ipset_blacklist hash:net The next 3 sets will be used by the iptables' rules to add banned IPs for 300 seconds. Preferably to increase it to several hours once it has been tested. ipset create banned_limit_conn hash:net timeout 300 ipset create banned_limit_synproxy_ack hash:net timeout 300 ipset create banned_limit_syn hash:net timeout 300 Tips and tricks: See all ipsets: ipset list Flush all IPs in a set: ipset flush banned_limit_conn ipset flush banned_limit_synproxy_ack ipset flush banned_limit_syn Manually add an IP to our sets example: ipset add ipset_allowed_ports 188.0.0.193 # My VPN #2 ipset add ipset_players_whitelist 94.71.4.115 # Player "ANU" ipset add ipset_whitelist 188.0.0.193 # My VPN #2 SAVE IPSET ipset save > /etc/ipset.conf Clean the config so you can save it all again - assuming you did some changes. sudo echo -n "" > /etc/ipset.conf IPSET SERVICE By default, CentOS won't store those sets to be used at startup. We'll have to create a service dedicated for it instead. 
Let's create the service file by suing our favorite editor nano. sudo nano /etc/systemd/system/ipset-persistent.service ipset-persistent.service: [Unit] Description=ipset persistent configuration Before=network.target # ipset sets should be loaded before iptables # Because creating iptables rules with names of non-existent sets is not possible Before=netfilter-persistent.service Before=ufw.service ConditionFileNotEmpty=/etc/ipset.conf [Service] Type=oneshot RemainAfterExit=yes ExecStart=/sbin/ipset restore -exist -file /etc/ipset.conf # Uncomment to save changed sets on reboot # ExecStop=/sbin/ipset save -file /etc/iptables/ipset ExecStop=/sbin/ipset flush ExecStopPost=/sbin/ipset destroy [Install] WantedBy=multi-user.target RequiredBy=netfilter-persistent.service RequiredBy=ufw.service And save it by using CTRL+X, Y, ENTER. Now we need to run the following commands to reload daemon, restart the service we've created, check the status and enable it at startup. systemctl daemon-reload systemctl stop ipset-persistent.service systemctl start ipset-persistent.service systemctl status ipset-persistent.service systemctl enable ipset-persistent.service SYNPROXY Linux Kernel is vulnerable to simple SYN attacks. The basic TCP scalability problem for the Linux kernel is related to how many new connections can be created per second. This directly relates to a lock per socket when in the "listen" state. For "established" state connections, it can scale very well. The "listen" state lock is encountered not only with SYN packets, but also other initial connection state packets like SYN-ACK and ACK packets (the last three-way handshake (3WHS) packet). In the flooding attack scenario, the attacker is sending fake packets aimed at hitting the "listen" state locking problem. As such, we need a mechanism to filter out these fake initial connection attempts before the socket enters the "listen" state lock and blocks new incoming connections. 
With SYNPROXY, the result is a 20x increase in deflecting SYN-ACK and ACK based attacks. We'll have to use IPSet alongside SYNPROXY. Let's get started by creating the needed logs. Basically, when a packet needs to be dropped by iptables' rules, it will instead log them and add them into the ipsets. This way we have full control, and thanks to IPSet we don't have to add a rule for each IP we want to filter. iptables -t mangle -N log_limit_conn iptables -t mangle -A log_limit_conn -m limit --limit 1/second --limit-burst 5 -j LOG --log-prefix "banned_limit_conn:drop: " --log-level 4 iptables -t mangle -A log_limit_conn -j SET --add-set banned_limit_conn src iptables -t mangle -N log_limit_synproxy_ack iptables -t mangle -A log_limit_synproxy_ack -m limit --limit 1/second --limit-burst 5 -j LOG --log-prefix "banned_limit_synproxy_ack:drop: " --log-level 4 iptables -t mangle -A log_limit_synproxy_ack -j SET --add-set banned_limit_synproxy_ack src iptables -t mangle -N log_limit_syn iptables -t mangle -A log_limit_syn -m limit --limit 1/second --limit-burst 5 -j LOG --log-prefix "banned_limit_syn:drop: " --log-level 4 iptables -t mangle -A log_limit_syn -j SET --add-set banned_limit_syn src Now we can use either the MANGLE or RAW table to block the unwanted connections before reaching other chains. We'll use the RAW table. 
iptables -t raw -A PREROUTING -m set --match-set ipset_whitelist src -j ACCEPT # Whitelist iptables -A INPUT -m set --match-set ipset_whitelist src -j ACCEPT # Whitelist iptables -A OUTPUT -m set --match-set ipset_whitelist src -j ACCEPT # Whitelist iptables -t raw -A PREROUTING -m set --match-set ipset_blacklist src -j DROP # Blacklist iptables -t raw -A PREROUTING -m set --match-set banned_limit_conn src -j DROP # Limit concurrent conn per IP iptables -t raw -A PREROUTING -m set --match-set banned_limit_synproxy_ack src -j DROP # # Ratelimit the ACK from 3WHS handled by SYNPROXY iptables -t raw -A PREROUTING -m set --match-set banned_limit_syn src -j DROP # Limit SYN Adding ipset_players_whitelist into the MANGLE table before our banned ipsets. So it will avoid those rules but not the rest due to security risks. iptables -t mangle -I PREROUTING -m set --match-set ipset_players_whitelist src -j ACCEPT Adding then we add the following rule AFTER the rules FROM THE PREVIOUS PART OF THE SERIES. iptables -t mangle -I PREROUTING -m set --match-set ipset_players_whitelist src -j ACCEPT Here we start the implementation of the SYNPROXY in the RAW table. 1. SYNPROXY works on untracked conntracks, it will create the appropriate conntrack proxied TCP connections. Also, we want it to only be used on the enp3s0f0 interface which is my NIC with the public IP. Yours may be named eth0 or eth1. iptables -t raw -A PREROUTING -i enp3s0f0 -p tcp -m tcp --syn -m multiport --dports 2106,7777 -j CT --notrack P.S. 
You can check your work interfaces via ifconfig example: enp3s0f0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 51.10.10.10 netmask 255.255.255.255 broadcast 51.10.10.10 inet6 fe80::f816:3eff:fe4e:b469 prefixlen 64 scopeid 0x20<link> ether fa:16:3e:4e:b4:69 txqueuelen 1000 (Ethernet) RX packets 15063483 bytes 3025357817 (2.8 GiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 14028825 bytes 2853497188 (2.6 GiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536 inet 127.0.0.1 netmask 255.0.0.0 inet6 ::1 prefixlen 128 scopeid 0x10<host> loop txqueuelen 1000 (Local Loopback) RX packets 5872280 bytes 674391486 (643.1 MiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 5872280 bytes 674391486 (643.1 MiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 2. Now we add some extra rules to help our SYNPROXY even more - to use the 3 ipsets banned we added above. This is getting extra clever about it where you won't find anything similar in a mix with SYNPROXY on the internet. iptables -t mangle -A PREROUTING -i enp3s0f0 -p tcp -m tcp --syn -m multiport --dports 2106 -m connlimit --connlimit-above 5 --connlimit-mask 32 --connlimit-saddr -j log_limit_conn iptables -t mangle -A PREROUTING -i enp3s0f0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK ACK -m multiport --dports 2106,7777 -m conntrack --ctstate INVALID -m hashlimit --hashlimit-above 5/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-srcmask 24 --hashlimit-name limit_synproxy_ack -j log_limit_synproxy_ack iptables -t mangle -A PREROUTING -i enp3s0f0 -p tcp -m tcp --syn -m multiport --dports 2106,7777 -m hashlimit --hashlimit-above 5/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name limit_syn --hashlimit-srcmask 24 -j log_limit_syn 1st rule will limit concurrent connections per IP, currently only set on the Login Server 2106, so you still let Internet Cafes and multiple game boxes. 
2nd rule will ratelimit the ACK from 3WHS handled by SYNPROXY. 3rd rule will limit the SYN, which we discussed above why that is important with SYNPROXY. 3. Now going to the FILTER table, we finish the implementation of the SYNPROXY. iptables -A FORWARD -i enp3s0f0 -p tcp -m tcp -m multiport --dports 2106,7777 -m state --state INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460 iptables -A FORWARD -i enp3s0f0 -p tcp -m tcp -m multiport --dports 2106,7777 -m state --state INVALID -j DROP 1st rule is catching state: UNTRACKED == SYN packets, INVALID == ACK from 3WHS. 2nd rule will drop rest of state INVALID, this will e.g. catch SYN-ACK packet attacks. This will protect from 99% of the DDoS attacks if your resources can handle it. A recap with all rules put together in the proper order: ### [IPSET] ### ipset create ipset_allowed_ports hash:net ipset create ipset_whitelist hash:net ipset create ipset_players_whitelist hash:net ipset create ipset_blacklist hash:net ipset create banned_limit_conn hash:net timeout 300 ipset create banned_limit_synproxy_ack hash:net timeout 300 ipset create banned_limit_syn hash:net timeout 300 ### [LOGS] ### iptables -t mangle -N log_limit_conn iptables -t mangle -A log_limit_conn -m limit --limit 1/second --limit-burst 5 -j LOG --log-prefix "banned_limit_conn:drop: " --log-level 4 iptables -t mangle -A log_limit_conn -j SET --add-set banned_limit_conn src iptables -t mangle -N log_limit_synproxy_ack iptables -t mangle -A log_limit_synproxy_ack -m limit --limit 1/second --limit-burst 5 -j LOG --log-prefix "banned_limit_synproxy_ack:drop: " --log-level 4 iptables -t mangle -A log_limit_synproxy_ack -j SET --add-set banned_limit_synproxy_ack src iptables -t mangle -N log_limit_syn iptables -t mangle -A log_limit_syn -m limit --limit 1/second --limit-burst 5 -j LOG --log-prefix "banned_limit_syn:drop: " --log-level 4 iptables -t mangle -A log_limit_syn -j SET --add-set banned_limit_syn src ### [RAW] ### iptables -t 
raw -A PREROUTING -m set --match-set ipset_whitelist src -j ACCEPT # Whitelist iptables -t raw -A PREROUTING -m set --match-set ipset_blacklist src -j DROP # Blacklist iptables -t raw -A PREROUTING -m set --match-set banned_limit_conn src -j DROP # Limit concurrent conn per IP iptables -t raw -A PREROUTING -m set --match-set banned_limit_synproxy_ack src -j DROP # # Ratelimit the ACK from 3WHS handled by SYNPROXY iptables -t raw -A PREROUTING -m set --match-set banned_limit_syn src -j DROP # Limit SYN iptables -t raw -A PREROUTING -i enp3s0f0 -p tcp -m tcp --syn -m multiport --dports 2106,7777 -j CT --notrack # SYNPROXY works on untracked conntracks, it will create the appropiate conntrack proxied TCP conn ### [MANGLE] ### iptables -t mangle -A PREROUTING -m set --match-set ipset_whitelist src -j ACCEPT # Whitelist iptables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP # Drop TCP packets that are new and are not SYN iptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! 
    --mss 536:65535 -j DROP # Drop SYN packets with suspicious MSS value
    # Block packets with bogus TCP flags
    iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP
    iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP
    iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP
    iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
    iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
    iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP
    iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
    iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
    iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
    iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
    # Block spoofed packets
    iptables -t mangle -A PREROUTING -s 224.0.0.0/3 -j DROP
    iptables -t mangle -A PREROUTING -s 169.254.0.0/16 -j DROP
    iptables -t mangle -A PREROUTING -s 172.16.0.0/12 -j DROP
    iptables -t mangle -A PREROUTING -s 192.0.2.0/24 -j DROP
    iptables -t mangle -A PREROUTING -s 192.168.0.0/16 -j DROP
    iptables -t mangle -A PREROUTING -s 10.0.0.0/8 -j DROP
    iptables -t mangle -A PREROUTING -s 0.0.0.0/8 -j DROP
    iptables -t mangle -A PREROUTING -s 240.0.0.0/5 -j DROP
    iptables -t mangle -A PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP
    # Players whitelist (inserted at the top of the chain)
    iptables -t mangle -I PREROUTING -m set --match-set ipset_players_whitelist src -j ACCEPT
    # Limit concurrent connections per IP
    iptables -t mangle -A PREROUTING -i enp3s0f0 -p tcp -m tcp --syn -m multiport --dports 2106 -m connlimit --connlimit-above 5 --connlimit-mask 32 --connlimit-saddr -j log_limit_conn
    # Rate-limit the ACK from the 3WHS handled by SYNPROXY
    iptables -t mangle -A PREROUTING -i enp3s0f0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK ACK -m multiport --dports 2106,7777 -m conntrack --ctstate INVALID -m hashlimit --hashlimit-above 5/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-srcmask 24 --hashlimit-name limit_synproxy_ack -j log_limit_synproxy_ack
    # Limit SYN
    iptables -t mangle -A PREROUTING -i enp3s0f0 -p tcp -m tcp --syn -m multiport --dports 2106,7777 -m hashlimit --hashlimit-above 5/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name limit_syn --hashlimit-srcmask 24 -j log_limit_syn

    ### [INPUT] ###
    iptables -A INPUT -i lo -j ACCEPT # Unlimited traffic on loopback
    iptables -A INPUT -m set --match-set ipset_whitelist src -j ACCEPT # Whitelist
    iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT # Established connections
    iptables -A INPUT -p icmp -m set --match-set ipset_allowed_ports src -m conntrack --ctstate NEW -j ACCEPT # Allowed ICMP
    iptables -A INPUT -p tcp -m tcp -m multiport --dports 22,3306 -m set --match-set ipset_allowed_ports src -m conntrack --ctstate NEW -j ACCEPT # Allowed ports
    # Catching state: UNTRACKED == SYN packets, INVALID == ACK from 3WHS
    # (INPUT chain: 2106/7777 are served by this host, so FORWARD would never see them)
    iptables -A INPUT -i enp3s0f0 -p tcp -m tcp -m multiport --dports 2106,7777 -m state --state INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
    # Drop the rest of state INVALID; this will e.g. catch SYN-ACK packet attacks
    iptables -A INPUT -i enp3s0f0 -p tcp -m tcp -m multiport --dports 2106,7777 -m state --state INVALID -j DROP

    ### [OUTPUT] ###
    iptables -A OUTPUT -o lo -j ACCEPT # Unlimited traffic on loopback
    iptables -A OUTPUT -m set --match-set ipset_whitelist src -j ACCEPT # Whitelist
    iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT # Established connections
    iptables -A OUTPUT -p tcp -m tcp --tcp-flags ALL ACK,SYN -j ACCEPT # Allow the response to the SYN for the 3WHS before the connection is marked as established
    iptables -A OUTPUT -p tcp -m tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT # OS updates and vote reward
    #iptables -A OUTPUT -m limit --limit 1/second --limit-burst 5 -j LOG --log-prefix "output:drop: " --log-level 4 # Log output dropped packets

Set default chain policies:
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT DROP

Save All
    sudo sh -c 'echo -n "" > /etc/ipset.conf' # empty the ipset config (the redirect has to run as root too)
    sudo sh -c 'ipset save > /etc/ipset.conf' # save the ipset
    sudo service iptables save

We'll get more into how to capture, monitor and handle all types of attacks in the next part, and into always having a Plan B.

Tips and Tricks
See conntrack used:
    cat /proc/sys/net/netfilter/nf_conntrack_count
See conntrack max:
    cat /proc/sys/net/netfilter/nf_conntrack_max
See SYNPROXY; if the values are being updated, then it works:
    watch -n1 cat /proc/net/stat/synproxy

Credits
Give me credits if you share it anywhere else, including my Discord and the MxC topic's URL.
Discord: Trance#0694
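The watch loop above only shows raw hex columns, one row per CPU. The following is an added example (not code from the original post) that sums those columns and compares two samples, so you can tell whether SYNPROXY is intercepting handshakes and how many cookie checks fail; both samples are constructed, not captured from a live server.

```python
"""Sum the per-CPU counters in /proc/net/stat/synproxy and compare two samples.

Added example for this guide, not code from the original post. Both samples
below are constructed, not captured from a live server.
"""

# Constructed dumps: one header line, then one row per CPU, each column a
# 32-bit hexadecimal counter (the layout of the kernel's synproxy stat file).
SAMPLE_T0 = """\
entries\t\tsyn_received\t\tcookie_invalid\t\tcookie_valid\t\tcookie_retrans\t\tconn_reopened
00000000 00001a2b 00000003 000019f0 00000010 00000000
00000000 00000f10 00000001 00000ee4 00000009 00000000
"""

SAMPLE_T1 = """\
entries\t\tsyn_received\t\tcookie_invalid\t\tcookie_valid\t\tcookie_retrans\t\tconn_reopened
00000000 00001b00 00000005 00001aa0 00000012 00000000
00000000 00000f80 00000002 00000f40 0000000a 00000000
"""


def parse_synproxy_stat(text):
    """Return {counter_name: total across all CPUs} for one dump of the stat file."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty synproxy stat dump")
    names = lines[0].split()
    totals = dict.fromkeys(names, 0)
    for row in lines[1:]:
        fields = row.split()
        if len(fields) != len(names):
            raise ValueError("row does not match header: %r" % row)
        for name, hexval in zip(names, fields):
            totals[name] += int(hexval, 16)
    return totals


def synproxy_delta(before, after):
    """Per-counter increase between two parsed samples (counter wrap-around ignored)."""
    return {name: after[name] - before[name] for name in before}


def synproxy_report(before_text, after_text):
    """Decide from two consecutive dumps whether SYNPROXY is working and how clean the traffic is.

    active        - at least one SYN was intercepted between the samples
    invalid_ratio - share of cookie checks that failed; a high value means many
                    ACKs arrived without a matching SYN cookie (spoofed or junk)
    """
    delta = synproxy_delta(parse_synproxy_stat(before_text),
                           parse_synproxy_stat(after_text))
    checks = delta["cookie_valid"] + delta["cookie_invalid"]
    return {
        "active": delta["syn_received"] > 0,
        "delta": delta,
        "invalid_ratio": delta["cookie_invalid"] / checks if checks else 0.0,
    }


if __name__ == "__main__":
    # On a live box, read /proc/net/stat/synproxy twice with a pause in between
    # and pass the two strings instead of the constructed samples.
    report = synproxy_report(SAMPLE_T0, SAMPLE_T1)
    print("SYNPROXY active:", report["active"])
    for name, value in report["delta"].items():
        print("  %-15s +%d" % (name, value))
    print("cookie_invalid ratio: %.3f" % report["invalid_ratio"])
```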
  19. Description
This topic is part of a multi-part series. We'll try to get everything straight to the point in this guide, without unnecessary over-explanation.

PART 1 [CLICK HERE]
Work faster with a better terminal emulator.
Use a better editor.
Basic L2J server setup.
Manage and secure your MySQL server. [!]

PART 2 [THIS GUIDE]
Secure your Linux server.
Tuning system profiles. [!]
Network performance tuning. [!]
How to build and manage a firewall using iptables and conntrack - simplified version. [!]

PART 3 [CLICK HERE]
Understanding and managing the OVH Firewall. [!]
How to build and manage a firewall using iptables, conntrack, ipset and synproxy - advanced version. [!]
Mitigating most of the DDoS attacks. [!]

Secure Your Linux Server
Create a new user account. We should never log into our server as root:
    adduser trance
Give your new user account sudo rights:
    usermod -a -G wheel trance # wheel is the sudo group on CentOS/RHEL

Secure SSH Connection
We could use an SSH key instead of SSH password authentication. The keys are usually stored in the user's directory, in ~/.ssh/authorized_keys. You can google how to generate an SSH key, or you can simply use MobaXterm's own key generator.
Upload the SSH key:
    ssh-copy-id trance@<ip_address>
WARNING - First double-check that you can successfully log in via the SSH key before disabling SSH password authentication.
Now, since we all have the same favorite editor, nano, let's use it to disable SSH password authentication.
    nano /etc/ssh/sshd_config
Change the following options to:
    PasswordAuthentication no
    PermitRootLogin no

Tuning System Profiles
Optimize the performance of a system by adjusting various device settings based on a variety of use-case workloads.
Install and enable:
    yum install tuned
    systemctl enable --now tuned
You can see all available profiles with the following:
    tuned-adm list
Available profiles:
    balanced - Ideal for systems that require a compromise between power saving and performance.
    desktop - Derived from the balanced profile. Provides faster response of interactive applications.
    throughput-performance - Tunes the system for maximum throughput.
    latency-performance - Ideal for server systems that require low latency at the expense of power consumption.
    network-latency - Derived from the latency-performance profile. It enables additional network tuning parameters to provide low network latency.
    network-throughput - Derived from the throughput-performance profile. Additional network tuning parameters are applied for maximum network throughput.
    powersave - Tunes the system for maximum power saving.
    oracle - Optimized for Oracle database loads based on the throughput-performance profile.
    virtual-guest - Tunes the system for maximum performance if it runs on a virtual machine.
    virtual-host - Tunes the system for maximum performance if it acts as a host for virtual machines.
See the currently running profile:
    tuned-adm active
I recommend latency-performance or network-latency. You can choose a profile just like this:
    tuned-adm profile network-latency
Turn off tuned tuning activity with tuned-adm off:
    tuned-adm off

Network Performance Tuning
We'll have to touch the HOT spot, the kernel. If you think an OS can handle it all by default, you're wrong!
We can view all our current kernel settings via:
    sysctl -a
We can add our custom settings to be saved in the following config:
    nano /etc/sysctl.conf
I've put all this together myself. You can google everything one by one if you'd like to know what it is for. I've added some useful comments. These values are well calculated, not randomly added.
    # General
    kernel.randomize_va_space = 0
    net.core.netdev_max_backlog = 25000
    net.core.rmem_max = 4136960
    net.core.wmem_max = 4136960
    net.ipv4.tcp_congestion_control = cubic
    net.ipv4.tcp_fin_timeout = 1
    net.ipv4.tcp_limit_output_bytes = 131072
    net.ipv4.tcp_low_latency = 0
    net.ipv4.tcp_max_tw_buckets = 45000
    net.ipv4.tcp_rmem = 4096 87380 4136960
    net.ipv4.tcp_tw_reuse = 1
    net.ipv4.tcp_wmem = 4096 16384 4136960
    # Deactivate the automatic conntrack helper assignment.
    net.netfilter.nf_conntrack_helper = 0
    # Enable the use of syncookies when the syn backlog queue is full.
    net.ipv4.tcp_syncookies = 1
    # SYNPROXY - This is necessary to have ACK packets (from 3WHS) marked as INVALID state.
    # Disable picking up already established connections.
    net.netfilter.nf_conntrack_tcp_loose = 0
    # SYNPROXY - TCP timestamps as SYN cookies utilize this TCP option field.
    # Tells the kernel to use timestamps as defined in RFC 1323.
    net.ipv4.tcp_timestamps = 1
    # Default size is calculated by dividing total memory
    # by 16384 to determine the number of buckets but the hash table will
    # never have fewer than 32 and limited to 16384 buckets. For systems
    # with more than 4GB of memory it will be 65536 buckets.
    net.netfilter.nf_conntrack_buckets = 500000
    # SYNPROXY - it's recommended to do some conntrack entry tuning to increase the default 64K conn limit.
    # nf_conntrack_buckets * 4
    net.netfilter.nf_conntrack_max = 2000000
    # nf_conntrack_max / 4
    # as reference only: echo 500000 > /sys/module/nf_conntrack/parameters/hashsize
    net.netfilter.nf_conntrack_tcp_timeout_established = 1800 # default 432000 (5 days); 1800 = 30 minutes
    net.netfilter.nf_conntrack_tcp_timeout_close = 10 # default: 10
    net.netfilter.nf_conntrack_tcp_timeout_close_wait = 20 # default: 60
    net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 30 # default: 120
    net.netfilter.nf_conntrack_tcp_timeout_last_ack = 30 # default: 30
    net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 30 # default: 60
    net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 30 # default: 120
    net.netfilter.nf_conntrack_tcp_timeout_time_wait = 20 # default: 120
And then... applying all of the above:
    sysctl -p
Running the following as well will have it all set:
    echo 2000000 > /sys/module/nf_conntrack/parameters/hashsize
    echo 0 > /proc/sys/net/netfilter/nf_conntrack_helper
Our conntrack can handle so many connections now!

IPTables and Conntrack
Conntrack allows us to use the NEW, ESTABLISHED and RELATED states in iptables for incoming connections. So we need to store all that info!
We need to disable and replace firewalld with iptables:
    sudo yum remove firewalld -y
    sudo yum install iptables-services -y
    sudo yum install conntrack-tools -y
    sudo yum install ipset -y
    sudo yum install ipset-service -y
    sudo systemctl start iptables
    sudo systemctl start ip6tables
    sudo systemctl enable iptables
    sudo systemctl enable ip6tables
The following commands will be used to flush the entire iptables every time we f*ck it up.
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -t nat -F
    iptables -t nat -X
    iptables -t mangle -F
    iptables -t mangle -X
    iptables -t raw -F
    iptables -t raw -X
    iptables -F
    iptables -X
    iptables -t filter -P INPUT ACCEPT
    iptables -t filter -P FORWARD ACCEPT
    iptables -t filter -P OUTPUT ACCEPT
    iptables -t filter -F
    iptables -t filter -X
    service iptables save

IPTables' Chains
Chains - A chain is a string of rules. When a packet is received, iptables finds the appropriate table, then runs it through the chain of rules until it finds a match.
Rules - A rule is a statement that tells the system what to do with a packet. Rules can block one type of packet, or forward another type of packet.
To make it easier for us to understand how the chains in iptables work:
You'll find that most, if not all, guides on how to block DDoS attacks using iptables use the filter table and the INPUT chain for anti-DDoS rules. The issue with this approach is that the INPUT chain is only processed after the PREROUTING and FORWARD chains and therefore only applies if the packet doesn't match any of these two chains. This causes a delay in the filtering of the packet, which consumes resources. In conclusion, to make our rules as effective as possible, we need to move our anti-DDoS rules as far up the chains as possible. The first chain that can apply to a packet is the PREROUTING chain, so ideally we'll want to filter the bad packets in this chain already.

The Actual Basic Rules
We can use the following command to see all rules in a particular table:
    iptables -t <table_name> -L
Like iptables -t mangle -L, or simply iptables -L for the default table, a.k.a. the FILTER table.

MANGLE Table
PREROUTING
Like it was described above, we need to save resources. So we'll have the following basic rules up in the mangle table.
1. Drop INVALID packets, which means the incoming connection is neither NEW, RELATED, nor ESTABLISHED. Not needed in Part 3 when SYNPROXY is being used.
    iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP
2. Drop the TCP packet if it's NEW and NOT a SYN. A TCP 3-way handshake should always start with a SYN. So the attacker can't exploit that.
    iptables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
3. Drop SYN packets with a weird MSS value.
    iptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
4. Block packets with bogus TCP flags - basically different sets of unusual flags.
    iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP
    iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP
    iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP
    iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
    iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
    iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP
    iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
    iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
    iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
    iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
5. Block spoofed packets - no explanation is needed, I guess.
    iptables -t mangle -A PREROUTING -s 224.0.0.0/3 -j DROP
    iptables -t mangle -A PREROUTING -s 169.254.0.0/16 -j DROP
    iptables -t mangle -A PREROUTING -s 172.16.0.0/12 -j DROP
    iptables -t mangle -A PREROUTING -s 192.0.2.0/24 -j DROP
    iptables -t mangle -A PREROUTING -s 192.168.0.0/16 -j DROP
    iptables -t mangle -A PREROUTING -s 10.0.0.0/8 -j DROP
    iptables -t mangle -A PREROUTING -s 0.0.0.0/8 -j DROP
    iptables -t mangle -A PREROUTING -s 240.0.0.0/5 -j DROP
    iptables -t mangle -A PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP

FILTER Table
The next table we'll use is the one most people use. Like its name says, we filter stuff in here.
INPUT - incoming connections
1. Unlimited traffic on (local) loopback.
    iptables -A INPUT -i lo -j ACCEPT
2. We no longer need to filter connections that are already ESTABLISHED.
    iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
3. Allowing OVH's Gateway, DNS and NTP servers, so we avoid clock sync issues and such.
    iptables -A INPUT -s 198.244.200.254 -j ACCEPT
    iptables -A INPUT -s cdns.ovh.net -j ACCEPT
    iptables -A INPUT -s ntp0.ovh.net -j ACCEPT
4A. Next, we need to allow access to ourselves via SSH. Assuming my IP is 51.10.10.10:
    iptables -A INPUT -p tcp -m tcp -s 51.10.10.10 --dport 22 -m conntrack --ctstate NEW -j ACCEPT
4B. If my home IP is changing dynamically, most of the time it stays in the same CIDR - 51.10.10.0/24 (from 51.10.10.0 to 51.10.10.255) or 51.10.0.0/16 (from 51.10.0.0 to 51.10.255.255).
    iptables -A INPUT -p tcp -m tcp -s 51.10.10.0/24 --dport 22 -m conntrack --ctstate NEW -j ACCEPT
4C. The best option is to have a VPN with a dedicated IP (or a static IP at home) and to allow that IP to access it all.
    iptables -A INPUT -p tcp -m tcp -s 51.10.10.10/32 -m conntrack --ctstate NEW -j ACCEPT
5A. Allow everyone to access the Login and Game servers on their specific ports.
    iptables -A INPUT -p tcp -m tcp --dport 2106 -m conntrack --ctstate NEW -j ACCEPT
    iptables -A INPUT -p tcp -m tcp --dport 7777 -m conntrack --ctstate NEW -j ACCEPT
5B. We can add multiple ports in one rule, though.
    iptables -A INPUT -p tcp -m tcp -m multiport --dports 2106,7777 -m conntrack --ctstate NEW -j ACCEPT
OUTPUT - from the machine to the outside
1. Unlimited traffic on (local) loopback.
    iptables -A OUTPUT -o lo -j ACCEPT
2. We no longer need to filter connections that are already ESTABLISHED.
    iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
3. Allow the response to the SYN for the 3-way handshake before the connection is marked as ESTABLISHED.
    iptables -A OUTPUT -p tcp -m tcp --tcp-flags ALL ACK,SYN -j ACCEPT
4. Allowing OVH's Gateway, DNS and NTP servers, so we avoid clock sync issues and such.
    iptables -A OUTPUT -d 198.244.200.254 -j ACCEPT
    iptables -A OUTPUT -d cdns.ovh.net -j ACCEPT
    iptables -A OUTPUT -d ntp0.ovh.net -j ACCEPT
5. Allow OS updates and vote reward.
    iptables -A OUTPUT -p tcp -m tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
6. Log output dropped packets; it's good for debugging, to see why our server can't access something. You'll see it in the kernel logs. You can do the same for INPUT if you'd like to see what you do wrong - be aware of the spam!
    iptables -A OUTPUT -m limit --limit 1/second --limit-burst 5 -j LOG --log-prefix "output:drop: " --log-level 4
You can see kernel logs the same way you'd watch the Game Server console.
    tail -f /var/log/messages
Set default chain policies:
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT DROP

Tips and Tricks
See the rules and their numbers on the mangle table:
    iptables -t mangle -L --line-numbers
See the rules and their numbers on the filter table:
    iptables -L --line-numbers
Delete a rule using the line number on the mangle table:
    iptables -t mangle -D PREROUTING 69
Delete a rule using the line number on the filter table:
    iptables -D INPUT 69
We'll get into more advanced and complicated firewall practices in the next part!

Save All
I'm pretty sure this is different on other distros. You may even create a list and always store all your rules in there, and then add that to the startup.
    service iptables save

Credits
Give me credits if you share it anywhere else, including my Discord and the MxC topic's URL.
Discord: Trance#0694
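The conntrack and SYNPROXY sysctl values in the network tuning section only work together if several of them agree: SYN cookies on, TCP timestamps on (the SYNPROXY rule uses --timestamp), nf_conntrack_tcp_loose off, and nf_conntrack_max equal to four times nf_conntrack_buckets. The following is an added example, not code from the original post, that parses a sysctl.conf fragment and reports what disagrees; it also flags kernel.randomize_va_space, which the post sets to 0 and which disables ASLR for every process on the host. Both fragments are constructed: WEAK_CONF carries deliberate mistakes, FIXED_CONF is the corrected version.

```python
"""Check a sysctl.conf fragment against the relationships the conntrack/SYNPROXY tuning relies on.

Added example, not from the original post. WEAK_CONF and FIXED_CONF below are
constructed fragments, not copied from a server.
"""

# Constructed fragment with three problems: timestamps off (breaks SYN cookies
# with --timestamp), nf_conntrack_max left at the 64K default, ASLR disabled.
WEAK_CONF = """\
# General
kernel.randomize_va_space = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_timestamps = 0
net.netfilter.nf_conntrack_tcp_loose = 0
net.netfilter.nf_conntrack_buckets = 500000
net.netfilter.nf_conntrack_max = 65536
"""

FIXED_CONF = """\
kernel.randomize_va_space = 2       # full ASLR
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_timestamps = 1
net.netfilter.nf_conntrack_tcp_loose = 0
net.netfilter.nf_conntrack_buckets = 500000
net.netfilter.nf_conntrack_max = 2000000   # nf_conntrack_buckets * 4
"""


def parse_sysctl(text):
    """Parse 'key = value' lines into a dict; '#' and ';' start comments, blank lines are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("not a key = value line: %r" % raw)
        settings[key.strip()] = value.strip()
    return settings


def check_synproxy_prereqs(settings):
    """Return a list of findings; an empty list means the values are consistent."""
    findings = []

    def expect(key, wanted, why):
        got = settings.get(key)
        if got != wanted:
            findings.append("%s is %s, expected %s: %s" % (key, got, wanted, why))

    expect("net.ipv4.tcp_syncookies", "1",
           "SYNPROXY answers SYNs with SYN cookies")
    expect("net.ipv4.tcp_timestamps", "1",
           "--timestamp in the SYNPROXY rule stores options in the TCP timestamp")
    expect("net.netfilter.nf_conntrack_tcp_loose", "0",
           "the 3WHS ACK must be INVALID so the SYNPROXY rule sees it")
    # Hardening check beyond the post: ASLR off removes a standard exploit
    # mitigation for every process on the host and gains the game server nothing.
    expect("kernel.randomize_va_space", "2",
           "keep full ASLR; the server does not need it off")

    buckets = int(settings.get("net.netfilter.nf_conntrack_buckets", "0"))
    cmax = int(settings.get("net.netfilter.nf_conntrack_max", "0"))
    if buckets and cmax != 4 * buckets:
        findings.append("net.netfilter.nf_conntrack_max is %d, expected %d (nf_conntrack_buckets * 4)"
                        % (cmax, 4 * buckets))
    return findings


if __name__ == "__main__":
    # On the server itself: check_synproxy_prereqs(parse_sysctl(open("/etc/sysctl.conf").read()))
    for label, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        problems = check_synproxy_prereqs(parse_sysctl(conf))
        print("%s config: %s" % (label, "OK" if not problems else "%d finding(s)" % len(problems)))
        for p in problems:
            print("  -", p)
```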
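The OUTPUT LOG rule in step 6 tells you that the server could not reach something, but reading raw kernel lines under load is slow. The following is an added example, not code from the original post, that groups those "output:drop: " lines by protocol, destination and port and prints the narrowest OUTPUT rule in this guide's style that would allow each flow, for a human to review before adding; the log lines are constructed, with documentation-range addresses.

```python
"""Summarise iptables LOG lines with the "output:drop: " prefix by destination flow.

Added example, not from the original post. SAMPLE_LOG below is constructed
(documentation-range addresses), in the layout netfilter's LOG target writes.
"""
import re
from collections import Counter

LOG_PREFIX = "output:drop: "
# KEY=VALUE tokens as the LOG target writes them (IN= OUT= SRC= DST= PROTO= SPT= DPT= ...)
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

SAMPLE_LOG = """\
Mar 10 12:00:01 l2srv kernel: output:drop: IN= OUT=enp3s0f0 SRC=198.51.100.10 DST=203.0.113.53 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=4711 DF PROTO=UDP SPT=51842 DPT=53 LEN=56
Mar 10 12:00:01 l2srv kernel: output:drop: IN= OUT=enp3s0f0 SRC=198.51.100.10 DST=203.0.113.53 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=4712 DF PROTO=UDP SPT=51843 DPT=53 LEN=56
Mar 10 12:00:02 l2srv kernel: output:drop: IN= OUT=enp3s0f0 SRC=198.51.100.10 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4713 DF PROTO=TCP SPT=40122 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Mar 10 12:00:03 l2srv kernel: enp3s0f0: NIC Link is Up 1000 Mbps Full Duplex
Mar 10 12:00:04 l2srv kernel: output:drop: IN= OUT=enp3s0f0 SRC=198.51.100.10 DST=203.0.113.200 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=4714 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
"""


def parse_log_line(line):
    """Return the KEY=VALUE fields (plus 'FLAGS') of one LOG line, or None if it is not ours."""
    idx = line.find(LOG_PREFIX)
    if idx < 0:
        return None
    body = line[idx + len(LOG_PREFIX):]
    fields = dict(KV_RE.findall(body))   # a repeated key (UDP LEN, ICMP ID) keeps the later value
    fields["FLAGS"] = ",".join(tok for tok in body.split() if tok in TCP_FLAGS)
    return fields


def summarize_drops(log_text):
    """Count dropped outbound flows by (PROTO, DST, DPT); DPT is '-' for protocols without ports."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_log_line(line)
        if fields is None:
            continue
        counts[(fields["PROTO"], fields["DST"], fields.get("DPT", "-"))] += 1
    return counts


def suggest_allow_rule(proto, dst, dport):
    """Build the narrowest OUTPUT ACCEPT rule, in this guide's style, for one observed flow."""
    rule = ["iptables -A OUTPUT -p", proto.lower(), "-d", dst]
    if dport != "-":
        rule += ["--dport", dport]
    rule.append("-m conntrack --ctstate NEW -j ACCEPT")
    return " ".join(rule)


if __name__ == "__main__":
    # On the server itself: summarize_drops(open("/var/log/messages").read())
    for (proto, dst, dport), n in summarize_drops(SAMPLE_LOG).most_common():
        print("%4d  %-4s %-15s dpt=%-5s  %s"
              % (n, proto, dst, dport, suggest_allow_rule(proto, dst, dport)))
```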
  20. We'll cover more in the next parts of this series.
Stability/Uptime - Linux is more reliable. Windows becomes slow over time; it needs to be rebooted more often than Linux.
Drivers - Windows drivers are mediocre. Your NIC (Network Interface) will even be taken down if some weird thing happens that it doesn't like.
Resources - how resources can be used and modified through the kernel is at a high level.
Security - it can be much safer.
Networking/Firewall - you can block unwanted traffic, allow desired traffic, redirect packets to alternate TCP/UDP ports, redirect packets to alternate IP addresses, protect against Denial of Service attacks. You can't do most of this on Windows.
  21. Description
This topic is part of a multi-part series. We'll try to get everything straight to the point in this guide, without unnecessary over-explanation.

PART 1 [THIS GUIDE]
Work faster with a better terminal emulator.
Use a better editor.
Basic L2J server setup.
Manage and secure your MySQL server. [!]

PART 2 [CLICK HERE]
Secure your Linux server.
Tuning system profiles. [!]
Network performance tuning. [!]
How to build and manage a firewall using iptables and conntrack - simplified version. [!]

PART 3 [CLICK HERE]
Understanding and managing the OVH Firewall. [!]
How to build and manage a firewall using iptables, conntrack, ipset and synproxy - advanced version. [!]
Mitigating most of the DDoS attacks. [!]

Linux Distro
In this guide, we will choose the Red Hat distribution, CentOS 8 more precisely. There shouldn't be too much difference between the versions for our purpose.

Terminal Emulator
F@$% Putty. It is not making your life easier! We should instead use a client with more features, such as password saving and macros. I strongly recommend MobaXterm; you can record, edit and run macros (among other awesome features). The free version has some minor limitations, but the pro version doesn't, and the license is lifetime - this is the one I got. I own a portable version with a master password for security.

Pre-Installation
In all our commands we will use -y with our CLI commands, so we skip the yes/no confirmation. We'll use the package managers yum and dnf. Most of our commands will include sudo (running with the highest privilege). We could use sudo su to log in as super-user instead.
It is very important to get all the updates first:
    sudo yum update -y

Installation
Starting with the following packages:
epel-release is Extra Packages for Enterprise Linux;
screen is only useful if you run AAC in screen mode;
nano is my favorite editor;
tcpdump is a data network packet analyzer - we will use it to capture network packets for analysis - very useful if you are under attack and want to know what and how.
    sudo yum install epel-release -y
    sudo yum install screen -y
    sudo yum install nano -y
    sudo yum install tcpdump -y

Use A Better Editor
Nano is easier and quicker! You can open a file like in any other editor:
    nano <directory and filename>
Saving is quite simple, which is why I like it:
    CTRL+X -> Y -> ENTER to save
    CTRL+X -> N -> ENTER not to save

Java
We'll use wget to get Java from the web:
    sudo dnf install wget -y
    wget https://download.oracle.com/java/19/latest/jdk-19_linux-x64_bin.rpm
    sudo rpm -i jdk-19_linux-x64_bin.rpm

MariaDB
Installation:
    sudo yum install mariadb-server -y
    sudo systemctl start mariadb
    sudo systemctl enable mariadb
Start the configuration:
    sudo mysql_secure_installation

Configuring MariaDB
Important Rules
Do NOT use root for remote access. [!]
Create a db user for every purpose. [!]
Never allow a user from all IPs. [!]
In addition to the MySQL IP permission, do the same on the firewall side. [!]
MariaDB's config file on CentOS 8, so you can allow remote access:
    nano /etc/my.cnf.d/mariadb-server.cnf
Enter MySQL as root:
    mysql -u root -p
Database creation:
    CREATE DATABASE login;
    CREATE DATABASE game;
User creation:
1. We can start by creating the local user for the login and game servers; only accessed by the machine itself on localhost.
Db username: localuser
Db password: localpassword
    CREATE USER 'localuser'@'localhost' IDENTIFIED BY 'localpassword';
    GRANT ALL ON *.* TO 'localuser'@'localhost' IDENTIFIED BY 'localpassword' WITH GRANT OPTION;
    FLUSH PRIVILEGES;
2. We create a remote user, so you can access it from your own computer.
Db username: trance
Db password: changemelater123
Trance's VPN or HOME IP (if static): 51.10.10.10
    -- the user's host must be the remote IP, the same one the GRANT uses
    CREATE USER 'trance'@'51.10.10.10' IDENTIFIED BY 'changemelater123';
    GRANT ALL ON *.* TO 'trance'@'51.10.10.10' IDENTIFIED BY 'changemelater123' WITH GRANT OPTION;
    FLUSH PRIVILEGES;
3. We create a web user for your Account Panel.
Db username: ucp
Db password: changemelater456
Webhost's IP: 51.11.11.11
    CREATE USER 'ucp'@'51.11.11.11' IDENTIFIED BY 'changemelater456';
    GRANT ALL ON login.* TO 'ucp'@'51.11.11.11' IDENTIFIED BY 'changemelater456' WITH GRANT OPTION;
    FLUSH PRIVILEGES;
Tips and tricks:
*.* goes like <database name>.<tables access>
IP allowance: we can allow a whole network like: 'trance'@'51.10.%.%'
Db user limit example:
Enter MySQL as root:
    mysql -u root -p
And then:
    GRANT ALL ON login.* TO 'ucp'@'51.11.11.11' WITH MAX_QUERIES_PER_HOUR 500 MAX_UPDATES_PER_HOUR 50 MAX_CONNECTIONS_PER_HOUR 50 MAX_USER_CONNECTIONS 5;
    FLUSH PRIVILEGES;
See db users and delete any if needed:
Enter MySQL as root:
    mysql -u root -p
See all db users:
    SELECT User,Host FROM mysql.user;
Delete a user example:
    DROP USER 'ucp'@'51.11.11.11';
    FLUSH PRIVILEGES;

Login and Game Servers
Login and Game Servers privilege to run the .sh files:
Hypothetically we have the Login and Game servers directories as follows:
    server/login
    server/game
We only need to do this once, if the files are not going to be replaced:
    cd server/login/
    chmod +x LoginServer.sh LoginServerTask.sh
    cd ~
    cd server/game/
    chmod +x GameServer.sh GameServerTask.sh
Run the Login and Game servers and then see the Game server console:
    cd server/login/
    ./LoginServer.sh
    cd ~
    cd server/game/
    ./GameServer.sh -f log/stdout.log
Reboot the OS:
    reboot

Credits
Give me credits if you share it anywhere else, including my Discord and the MxC topic's URL.
Discord: Trance#0694
  22. Description
This is not something new; this tool has been used for several years, and yet when I ask for a JFR file, many people do not know what it is. The purpose of this topic is to guide you on the correct way for L2J server administrators or developers to find server performance issues through the JMC software. You can improve stability and performance by finding and fixing memory leaks, CPU overloads, deadlocks; garbage collection performance, synchronization performance, I/O performance, and code execution performance. For example, you can record the Game Server when your players are at Baium, mass PvP-ing.

Requirements
Oracle JDK 11 and later.
JDK Mission Control (JMC)

JDK Mission Control (JMC) is a production-time profiling and diagnostics tool. It includes tools to monitor and manage your Java application with very small performance overhead.
Java Management console (JMX) connects to a running JVM and collects and displays key characteristics in real time. It is a tool for monitoring and managing a running JVM instance. The tool presents live data about memory and CPU usage, garbage collections, thread activity, and so on. It also includes a fully featured JMX MBean browser that you can use to monitor and manage MBeans in the JVM and in your Java application.
Flight Recorder (JFR) is a profiling and event collection framework built into the JDK. Flight Recorder allows Java administrators and developers to gather detailed low-level information about how a JVM and Java applications are behaving. You can use JMC, with a plug-in, to visualize the data collected by JFR. Flight Recorder and JMC together create a complete toolchain to continuously collect low-level and detailed runtime information, enabling after-the-fact incident analysis.

How-To Do A Flight Record
Windows
If your server is running on Windows, you can use JDK Mission Control (JMC) directly on your VPS/dedicated server for real-time monitoring or recording.

Linux
The best way is to capture a Java process (like the Game Server) using its ID:
    jcmd 21089 JFR.start duration=1800s filename=baium_fight.jfr
21089 is the process ID. You can list your processes by filtering them with the keyword "java".
    ps aux | grep java
Output example:
    centos 21089 1.7 31.4 9032320 2454828 ? Sl 03:48 16:36 java -server -Dfile.encoding=UTF-8 -Xmx16G -cp config:./* gold.lineage2.GameServer
    centos 26017 0.0 0.0 112812 980 pts/2 S+ 19:28 0:00 grep --color=auto java
    root 29448 0.5 1.9 3024556 155820 ? Sl 2022 239:19 java -server -Dfile.encoding=UTF-8 -Xmx256m -cp config:./* gold.lineage2.LoginServer
Then open the JFR file via the JDK Mission Control (JMC) software on your Windows machine, or send it to your developer.

Download
https://www.oracle.com/java/technologies/javase/products-jmc8-downloads.html

Bottom Line
I don't think it's necessary to tell you how to navigate through this software. It is very simple. It can even generate a summary with suggestions.

Resources: JDK Mission Control User Guide
  23. @AlisaCodeDragon, please share the price to the public. Good luck.