[Securing FiveM a bit more] FIM - File Integrity Monitoring

Hey yall!

Looking at some of the posts in discussion, it’s clear that some fivem servers are getting pwned. Whether this is due to negligence inside fivem as a server owner or outside remains to be seen, but there is a way this can be prevented (or at least spotted immediately) - File integrity monitoring. Aka hash verification.

This will ensure that if any of the files are changed for whatever reason, x happens. What is x? X could be notifying the server team, x could be stopping the server from starting, whatever the case may be. Without it, however, we run the risk of server owners' machines getting popped for hosting FiveM servers. And even worse yet, zap-hosting server clusters getting popped…

Just a suggestion, but one made with a sense of urgency in mind. Hope this gets read by the right eyes…

It’s also clear that without active “assistance” from server owners this would never be possible. You can add as much “file integrity” logic as you want, however it won’t help – people won’t read any warnings (see how “large assets” warnings in the server console are basically ignored by most server owners and then FiveM gets blamed for “bad streaming”). Such a solution will also not help with protection at all, because malicious actors can infect not only your resources, but also the whole operating system. The severity of the consequences depends on the security measures taken, such as Docker, proper fs permissions, etc.

The ONLY solution to this issue would be to NEVER DOWNLOAD RESOURCES FROM ANYWHERE EXCEPT TEBEX AND THIS FORUM. That’s it, period. 99.9999% of such infections happen when server owners are blindly downloading “leaked”/“free”/“cheaper than tebex” resources from weird sources. Which are, “oh wow”, usually obfuscated so you can’t even analyze them properly (this is also why FiveM blocked some obfuscators before). You can add as many warnings as possible, but people will press that “wipe the whole OS” button if there were a “100% free resource” next to it.

We should raise awareness, not make some weird workaround that wouldn’t ever work as intended. Not even talking about the fact that any warnings like that would confuse even more people who are just updating their resources.


Sorry, but I blatantly disagree with this entire post man.

First of all, the idea that “people just won’t read warnings” is a false statement and a discredit to the serious server owners in this community. Sure, yes, we have a lot of noobs (myself included, no doubt), however, this ecosystem consists of a spectrum of all types of users. Sure, there are people who never even touched a computer and are using this community to host and/or manage a server, HOWEVER, there are also some people that we don’t really hear from that are killing it (server-management-sided, as well as code- and app-security-practice-sided). To assume that more security implementations ‘would get ignored by most server owners’ seems more like a cheap shot to avoid more work than an actual reason.

If anything, it’s an education point about the effects of making bad decisions instead of just coming on the forum and being told to wipe your machine.

Secondly, as per your ‘only solution’, I will say that in security there’s no silver bullet…and I mean EVER. Sure, there are implementations in place to prevent malware / dirty lua from reaching the public’s eyes on tebex and here, but what about zero days? What about new methods of reverse shells that our guys just don’t know about yet? Security is evolution, and what this statement creates is a false sense of security, in my honest opinion.

In my opinion, one of the BEST ways to stay secure is as you mentioned taking proper security measures, education, and tools and utilities that will help you understand your system better.

I mean think about this entire community. How many people here are actual sysadmins? How many people here are actual developers (of ANY language let alone lua)? Yet we give them this and that and tell em ‘good luck, go learn docker?’

Sorry chief, but that just ain’t it for me…

First of all the idea that “people just won’t read warnings” is a false statement and a discredit to the serious server owners in this community

“Serious server owners” won’t ever fall for such bait. And it’s not a false statement; unfortunately it’s how it works in the real world when you have millions of users. The world would be so much better and safer if people actually paid attention to warnings and notifications properly.

To assume that more security implementations ‘would get ignored by most server owners’ seems more like a cheap shot to avoid more work than an actual reason.

First of all, what you suggested isn’t about “security” at all. Any content creator would end up disabling it, as it will flood the console every single time you update your resource. Secondly, it won’t protect from anything: if a user downloaded a resource from the usual places for resources with built-in malicious code (e.g. “free leaks”, etc.), this user won’t even be notified, because nothing was changed (it’s a fresh resource!), but the OS infection process has begun and it’s too late. The solution is easy, as I said: use Tebex and this forum, that’s it. Don’t download anything weird from third-party services, you 100% will be scammed in any of many ways.

If anything, it’s an education point about the effects of making bad decisions instead of just coming on the forum and being told to wipe your machine.

In case of getting your server machine infected, wiping the whole machine and manually checking every single resource is the only way to be sure that you’re safe. Unfortunately, this is how computers work, antiviruses can’t help you with that.

In my opinion, one of the BEST ways to stay secure is as you mentioned taking proper security measures, education, and tools and utilities that will help you understand your system better.

Yeah, FiveM should teach people how to use PCs, how to install Windows, how to enable their antivirus, how to speak, walk, eat and blah-blah-blah. There are way more viable sources for getting aware about various aspects of being a PC user or generally a server owner. There are indeed various tutorials about how to protect yourself as a FiveM/RedM server owner, but we can’t teach people to do everything.

I mean think about this entire community. How many people here are actual sysadmins? How many people here are actual developers (of ANY language let alone lua)? Yet we give them this and that and tell em ‘good luck, go learn docker?’

We do think about the entire community, and the only thing we can do in reality is raise awareness and ask people to be safe. There’s literally NO WAY to fight against such abuse when people are literally installing malware and infecting their own server machine themselves. See how it works in operating systems: no matter what security measures you implement, people will find a way to bypass them.

And please consider this as my personal opinion, I’m not talking for the whole project’s team (I forgot that I have the Cfx.re badge).

I agree, they wouldn’t fall for the low hanging fruit, however, a utility that notifies them with timestamps could stand to BENEFIT them for a large plethora of attacks.

Also, I agree regarding the world being better off… - Many more people should know how to handle alerts. For this community specifically, a large portion of the gap between uneducated and knowing how to handle these types of alerts is education. Since we already have a platform, I don’t see why we don’t use it to foster more educated users (the ones that WANT to be better…);

True, resources do get changed very, very frequently, and new resources will never produce notifications, but the option to view / suppress this on a resource level would be nice, but that’s not even the point.
Not sure if you saw the resource discussion board, but they were modifying default / base FiveM files in order to establish persistence…post exploitation. Yes, this does point to being smarter about where you get your resources, but I’ll get to that soon. My point is, for base files that are only changed during updates to the FiveM server, I think it’s good if server owners (new / experienced) had a timeline of – “oh here’s when this changed, this isn’t good → I can attribute it to the following resources…”

Also, the goal of something like this isn’t to protect, but rather to help players take more immediate action faster, and understand the weight of their actions.
It also stands to help us ALL for if a particular new attack vector slips ALL of our current standing cracks and help us help you guys get to the bottom of it sooner.

Sure, but the idea behind what I mentioned here was the concept of value. Having more informed users would produce more quality data even if the result is the same…at least giving them the option to be more informed helps.

Yeah, this is a great point. Where “IS” the line between what FiveM is responsible for and what they SHOULD be responsible for?
I don’t think we should be teaching them a compsci degree, however, I do think that we (all of us) can do more in terms of preventing at least the low hanging fruit.
E.g. Teaching about the concept of secure coding and building with security in mind FIRST, and responsible server ownership, how to publicly host a server, and point them to resources for network segmentation practices, and docker tutorials IF they’re interested. There are people here who want to do more, but are either too ignorant, too embarrassed, or too overwhelmed to know where to start - This is where we can make the difference…
…(of course, in my opinion)
A good point and great question

Your last point is where we connect. I’m not suggesting giving someone a gun and trying to prevent all of the ways they can shoot someone or themselves. And I agree, no one security solution will EVER stop everything - and that’s my point.

Besides going to the wrong website and downloading malicious resources, I’m sure there are other ways a person could get root on a FiveM server. Like some vulnerability in the FiveM server itself (I’m sure there have been plenty of security-related patches - and I thank you and the team for your work so far). Having a more intimate understanding of the backend of FiveM will help us be better as a collective (in my opinion), if even just by a percentage.

And no problem, we’re just having a chat - no harm, no foul. Thanks for sticking with me through this discussion! :wink:

If you use version control, you already have a file integrity monitor.

I don’t think this is an issue cfx needs to resolve.

Hmm - in what way? I’m clearly missing something then…

If the files are not the same as your last commit, they will be marked as modified. Use an IDE like VSC and just open the folder for the repo, and you’ll see any modified files awaiting commit.

Makes sense I guess, but that’s assuming the person’s using version control and something intuitive like vscode…I don’t know, I disagree, but if that gets nowhere, or if it’s a resource constraint problem (both in hours or actual server resources), there’s no point in me fighting that battle.

If you don’t use some form of version control that’s a bigger problem. And VSC will also tell you exactly what lines have been modified. The only downside would be that it doesn’t notify you if there is a change and you’d have to check manually, but you could write a python script to check for changes and have it send an email to notify of said changes. But if people aren’t using something like git and a half decent IDE then I highly doubt they go to the lengths I just described as a solution.

Yes but that’s under the assumption they’re leveraging git or some version of an IDE that supports that specific kind of workflow. I use git (a lesson almost learned the hard way), and a customized vim environment. There’s nothing wrong with that, but it doesn’t come natively with vc unless I choose to implement it.

But I’m a specific edge-case. My argument is that this can benefit those experienced AND new alike, but once again, if it’s not in the best interests of FiveM, I’ll just call it quits…

You can lead a horse to a river but you can’t force them to drink.

The server owners are liable for anything that happens to their server via resources; the only thing the Project should care about is that the client is sandboxed off and can’t run any potentially malicious software, same as Gmod, Roblox, and every other kind of sandbox(ish) game.

Worrying about how many ways a server owner can shoot themselves in the foot because they download potentially malicious software/resources shouldn’t fall on the Project.

Also, regarding how to deal with low hanging fruit: everyone can make modding tutorials or make a PR for the docs, but bombarding users with information will usually just lead to them ignoring it. You can try to emphasize things as much as you want and put in as many warnings as you like; people will just ignore it.

I guess you can’t, but for the record, I don’t see any of our documentation or best practices as bombardment, especially since it’s not brickwalling anyone from setting up a server or performing tasks…

Similar to how I see such a system being implemented, it’s more of a “there for when you’re ready to learn” approach. Which is good for me…

But that’s okay…I myself will leverage git / figure something out alternatively…

How would you envision this working if a malicious party will just modify the list of valid hashes, or modify the code that checks for these, or so on?

This would be a lot of effort for yet again no practical benefit as attackers will just do whatever to evade detection.

Lol I thought this conversation was over…

Whether or not you guys and I foresee any value of something like this will just have to be a disagreement between us.

And to answer your question, we’d simply make sure it’s validated off server. Any time a server starts, when the server does its check-ins or whatever mechanism it uses to let the server browser know it’s available, it can perform checks using a hash provided from the server…or maybe the hash can be hosted somewhere with instructions on how to validate it…

iirc steam does something like this but it’s purely a passive / manual implementation. You’d have to run it yourself and it’s less security focused, but still provides a similar benefit…sorta…

P.S. For the record, the original post’s intention wasn’t for resources, but was instead for core FiveM;

But once again, I understand there’s no interest from the team in doing something like this, so I already let it go.
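The opening post describes hash verification of the server tree, a later reply suggests a Python script that checks for changes, and the last exchange objects that an attacker can simply rewrite the list of valid hashes. The script below is an added example, not code from this thread or from Cfx.re/FiveM, showing all three pieces together: it hashes every file under a directory into a baseline manifest, authenticates the manifest with an HMAC, and reports modified, added and removed files on a later run. It assumes the key is kept somewhere the game host cannot overwrite (the off-server validator the thread talks about, or the machine that runs the check); with the key on the compromised box, the tag protects nothing. The directory layout and file contents in `demo()` are constructed for the example.

```python
"""Baseline-and-verify file integrity check with an authenticated manifest.

Added example, not code from the forum thread or from Cfx.re/FiveM. It assumes:
  * the monitored directory is a local path you choose, and
  * the HMAC key lives off the monitored host (an off-server validator or the
    operator's own machine), otherwise an attacker can re-sign a forged manifest.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

HASH_ALGO = "sha256"


def hash_file(path: Path) -> str:
    """Stream a file through SHA-256 so large assets do not need to fit in memory."""
    h = hashlib.new(HASH_ALGO)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map each regular file under root (as a POSIX relative path) to its digest."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            baseline[p.relative_to(root).as_posix()] = hash_file(p)
    return baseline


def sign_manifest(baseline: dict[str, str], key: bytes) -> dict:
    """Serialise the baseline canonically and attach an HMAC tag.

    The tag is what answers "what if they just edit the hash list": a rewritten
    file list no longer matches the tag unless the attacker also holds the key.
    """
    body = json.dumps(baseline, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), HASH_ALGO).hexdigest()
    return {"algo": HASH_ALGO, "files": baseline, "hmac": tag}


def load_manifest(manifest: dict, key: bytes) -> dict[str, str]:
    """Return the trusted file list, refusing a manifest whose tag does not verify."""
    body = json.dumps(manifest["files"], sort_keys=True, separators=(",", ":"))
    expected = hmac.new(key, body.encode(), HASH_ALGO).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        raise ValueError("manifest HMAC mismatch: manifest was altered or wrong key")
    return manifest["files"]


def verify(root: Path, manifest: dict, key: bytes) -> dict[str, list[str]]:
    """Compare the current tree against the trusted manifest."""
    trusted = load_manifest(manifest, key)
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in trusted if p in current and current[p] != trusted[p]),
        "added": sorted(p for p in current if p not in trusted),
        "removed": sorted(p for p in trusted if p not in current),
    }


def demo() -> dict:
    """Constructed scenario: baseline a tiny server tree, then change it."""
    key = b"constructed-demo-key-a-real-key-stays-off-the-game-host"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        core = root / "resources" / "core"
        core.mkdir(parents=True)
        (root / "server.cfg").write_text('sv_hostname "demo"\n')
        (core / "fxmanifest.lua").write_text("fx_version 'cerulean'\n")
        (core / "server.lua").write_text("print('hello')\n")

        manifest = sign_manifest(build_baseline(root), key)  # taken at a known-good time

        # Later: one base file edited, one file added, one file removed.
        (core / "server.lua").write_text("print('hello')\n-- changed\n")
        (core / "extra.lua").write_text("-- new file\n")
        (root / "server.cfg").unlink()
        report = verify(root, manifest, key)

        # Someone rewrites the file list to match the altered tree but cannot
        # recompute the tag without the key, so the forged manifest is rejected.
        forged = dict(manifest, files=build_baseline(root))
        try:
            verify(root, forged, key)
            report["forged_manifest_detected"] = False
        except ValueError:
            report["forged_manifest_detected"] = True
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the baseline is taken right after a clean install or update (the moment the thread says base files legitimately change), the signed manifest and key are stored away from the server, and `verify()` runs at start-up or on a timer so that the "x happens" from the opening post can be an alert with a timestamp and the list of affected paths.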