Arma 3: Server Security

From Bohemia Interactive Community

Server Security

Several of these settings directly contribute to the security of the server and have been highlighted as important, particularly for running Public (no password) servers.

The most current settings that give good protection (and are the de facto standard for public servers) are:
battlEye = 1;
verifySignatures = 2;
allowedFilePatching = 0;
allowedLoadFileExtensions[] = {"hpp","sqs","sqf","fsm","cpp","paa","txt","xml","inc","ext","sqm","ods","fxy","lip","csv","kb","bik","bikb","html","htm","biedi"};
allowedPreprocessFileExtensions[] = {"hpp","sqs","sqf","fsm","cpp","paa","txt","xml","inc","ext","sqm","ods","fxy","lip","csv","kb","bik","bikb","html","htm","biedi"};
allowedHTMLLoadExtensions[] = {"htm","html","xml","txt"};
//allowedHTMLLoadURIs[] = {};
passwordAdmin = "xyzxyz123";
serverCommandPassword = "xyzxyz456";

Note: allowedLoad*/allowedPreprocess*/allowedHTML* are server.cfg settings that each take an array of file extensions; they are for server-side use only.
The examples listed above are for basic-game MP modes. A server admin may attempt to make them stricter for their own servers (if they are too strict, the server's log file will contain warning entries about being unable to read files).
With the exception of allowedHTMLLoadURIs, those arrays cover files both inside and outside PBOs, so don't change the above defaults without testing first, as there's a chance you'll break the game.
Warning: Not listing any extension means everything is allowed. Defining a setting as an empty array means nothing is allowed.
See loadFile, preprocessFile and preprocessFileLineNumbers, and remember that those commands work only on files within the Arma 3 server directory and its sub-directories!
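
An added example, not part of the original page and not a Bohemia Interactive tool: a small Python check that reads a server.cfg and reports where it departs from the settings listed above, including the two array cases from the warning (setting absent versus empty array). It assumes setting names are case-insensitive and reads "not listing any extension" as the setting being absent; the function names and the sample config are constructed for illustration.

```python
import re

# Scalar values the page lists as the de facto standard for public servers.
REQUIRED = {"battleye": "1", "verifysignatures": "2", "allowedfilepatching": "0"}
ARRAYS = ("allowedLoadFileExtensions", "allowedPreprocessFileExtensions",
          "allowedHTMLLoadExtensions")
SAMPLE_PASSWORDS = {"", "xyzxyz123", "xyzxyz456"}  # page placeholders, or unset

def parse_cfg(text):
    """Map lowercased setting name -> string, or list of strings for arrays."""
    # Drop // and /* */ comments but keep quoted strings (they may contain //).
    text = re.sub(r'("[^"\n]*")|//[^\n]*|/\*.*?\*/',
                  lambda m: m.group(1) or "", text, flags=re.S)
    cfg = {}
    for name, arr, val in re.findall(
            r'(\w+)\s*(\[\])?\s*=\s*(\{.*?\}|"[^"]*"|[^;{"]+)\s*;', text, flags=re.S):
        cfg[name.lower()] = re.findall(r'"([^"]*)"', val) if arr else val.strip().strip('"')
    return cfg

def audit(text):
    """Return findings for a server.cfg; an empty list means every check passed."""
    cfg, findings = parse_cfg(text), []
    for key, want in REQUIRED.items():
        if cfg.get(key) != want:
            findings.append(f"{key}: expected {want}, found {cfg.get(key, 'unset')}")
    for name in ARRAYS:
        exts = cfg.get(name.lower())
        if exts is None:      # assumption: "not listing" means the setting is absent
            findings.append(f"{name}: not defined, everything is allowed")
        elif not exts:
            findings.append(f"{name}: empty array, nothing is allowed")
    for key in ("passwordadmin", "servercommandpassword"):
        if cfg.get(key, "") in SAMPLE_PASSWORDS:
            findings.append(f"{key}: unset or still the page's sample value")
    return findings

# Constructed sample input, not a real server's configuration.
WEAK_CFG = '''
hostname = "Public server // EU";   // comment after a quoted //
battlEye = 1;
verifySignatures = 0;
//allowedFilePatching = 0;
allowedLoadFileExtensions[] = {"sqf","hpp"};
allowedHTMLLoadExtensions[] = {};
passwordAdmin = "xyzxyz123";
'''

if __name__ == "__main__":
    print("\n".join(audit(WEAK_CFG)))
```

An empty array is reported as well as a missing one, because the first blocks every load and the second allows every extension; neither matches the lists above.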

Refer to ArmA: Addon Signatures for current best practices in server mod signing and the use of key signature files.

To further increase the security of your servers, remember that BattlEye can use server-side script check filters (including ones that prevent remote execution) as well as client-side script check filters.

Note: these BattlEye filters need to be written specifically for each mission and mod, as the scripting differs in each of them.

To understand: the engine supports absolute (full) paths outside the Arma 3 server folder for the command-line parameters -servermod= and -mod=, and likewise for profile directories and config locations.
This puts those locations out of reach of the various script load commands, which are limited to the Arma 3 folder and its sub-directories (for security reasons).
Thus, for example, a safe folder structure looks like:
\arma3server\
\arma3server\@publicmods\
\arma3server_servermods_secrethash\
\arma3server_profiles_and_configs_secrethash\
Note, however, that extensions for callExtension are loaded only from the Arma 3 server root and its subfolders.

See Also