Skip to content

server: add RCON lockout after repeated failed attempts #831

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
Crimewavez wants to merge 4 commits into
base: main
Choose a base branch
from
Open

server: add RCON lockout after repeated failed attempts #831

Crimewavez wants to merge 4 commits into from

Conversation

@Crimewavez
Copy link

@Crimewavez Crimewavez commented Nov 11, 2025

This change adds a simple per-IP RCON authentication lockout on top of the existing rate-limiting logic.

  • After 3 consecutive bad RCON passwords from a given IP, that IP is locked out from RCON for 60 seconds.
  • While locked, all RCON packets from that IP are dropped early including ones with the correct password.
  • Once the lock duration expires, RCON from that IP is accepted again as normal.
  • Existing SVC_RateLimitAddress and SVC_RateLimit behavior is unchanged.

The goal is to make brute-forcing the RCON password significantly harder without changing behavior for other connectionless traffic (getstatus, getinfo, etc).

Current engine behavior uses a leaky bucket via SVC_RateLimitAddress (per-address) and SVC_RateLimit (global) to:

  • throttle connectionless packets (DoS protection),
  • throttle RCON traffic.

This prevents a single IP from spamming RCON indefinitely, but it does not strictly limit how many password guesses an attacker can make over time, as long as they stay under the burst/period thresholds.

A lockout after a small number of failures is a standard way to make brute-force/dictionary attacks impractical, even when the attacker stays within the pure packet rate limits.

Locally verified with:

  • Server and client on the same host.
  • rconpassword set and developer 1 enabled.

From a single IP:
3 incorrect RCON attempts equal in lock message for that IP and 60 seconds of RCON being ignored.

During lock:
Additional incorrect RCON attempts produce “rcon locked …” debug messages and do not reach the password handling. Correct RCON attempts are also ignored until the lock expires.

After ~60 seconds:
Correct RCON requests are accepted again; command output appears as usual.

With multiple IPs on loopback:

Adding a second local IP (e.g. 10.0.0.2) and connecting from it:

  • Lock on 127.0.0.1 does not affect RCON usage from 10.0.0.2.
  • Each IP’s lockout state behaves independently.

llbraughler
llbraughler reviewed Nov 16, 2025
View reviewed changes
code/server/server.h
long hash;

leakyBucket_t *prev, *next;

Copy link

@llbraughler llbraughler Nov 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Per style guide, leave out username tags in commits

Copy link
Author

@Crimewavez Crimewavez Nov 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Removed the user tag from the code as requested.

@Crimewavez
Merge branch 'ioquake:main' into feat/rcon-lockout
25cee57
@Crimewavez
Remove unnecessary comments for Rcon lockout
40052be 
Removed the user tag from the code as requested.
@Crimewavez
Update comment for RCON lockout guard
17f0a81 
Removed the user tag from the code as requested.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@llbraughler llbraughler llbraughler left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Crimewavez @llbraughler