
[Question] About 'Anti-Cheat's


#Kz


Hello again Dears!

I really want to thank you all very much for the answers on the last topic; that was very helpful! I have a new question about anti-cheats. I know that MTA clients by default have an anti-cheat, like detecting CLEO mods and others, but some people are still using a server anti-cheat for their servers. Is it really required or not? If the answer is yes, why?

[Thanks for watching this topic].

Link to comment
  • Moderators

If a cheater is able to set elementdata clientside, a lot of servers will be breached. So the answer to that is yes/no.

90% of the cheating I have seen at scripting level (we are in the scripting section) is done by corrupted staff. The resource runcode and even admin (execute command) itself do have scripting-based inputs, which can easily manipulate elementData.

So, preventing cheating is a better way of doing it than writing a complex anti-cheat.

  • Use tables instead of elementdata for important data (like money / stats).
  • Always check if players are logged in as admin when executing an action that should be available for admins only.
  • Never give strange players admin / other ranks if you haven't edited your ACL properly. They will be able to do everything they want if they are smart enough (even stealing your resources).
  • Do not upload runcode on your public server (remove it).

Other cheats (flying/aimbot/etc.)? You noticed cheating while your MTA server is up to date? You might consider an anti-cheat, if you are 100% sure it isn't the result of a corrupted staff member.

  • Like 2
Link to comment
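
The first two points in the list above (server-side tables for important data, and an admin check on every admin-only action), as an added example that is not part of the original post. The event name `example:giveMoney`, the `MAX_GRANT` limit and the use of an ACL group called `Admin` are assumptions made for illustration.

```lua
-- Server-side script of a resource. Added example: the event name, the
-- amount limit and the "Admin" ACL group name are assumptions.
local MAX_GRANT = 100000
local money = {} -- [player] = balance; lives only in server memory

addEventHandler("onPlayerQuit", root, function()
    money[source] = nil
end)

-- True only if the player is logged in to an account in the Admin ACL group.
local function isAdmin(player)
    local account = getPlayerAccount(player)
    if not account or isGuestAccount(account) then return false end
    local group = aclGetGroup("Admin")
    if not group then return false end
    return isObjectInACLGroup("user." .. getAccountName(account), group)
end

addEvent("example:giveMoney", true) -- hypothetical admin-panel event
addEventHandler("example:giveMoney", root, function(target, amount)
    -- `client` is filled in by the server with the real sender; the event
    -- arguments and `source` come from the client and can be forged.
    if not client then return end
    if not isAdmin(client) then
        outputServerLog(("[security] %s (%s) sent example:giveMoney without admin rights")
            :format(getPlayerName(client), getPlayerSerial(client)))
        return
    end
    if not isElement(target) or getElementType(target) ~= "player" then return end
    if type(amount) ~= "number" or amount ~= amount then return end -- rejects NaN
    amount = math.floor(amount)
    if amount < 1 or amount > MAX_GRANT then return end

    money[target] = (money[target] or 0) + amount
    setPlayerMoney(target, money[target]) -- HUD display only; the table is the source of truth
    outputServerLog(("[admin] %s gave $%d to %s"):format(
        getPlayerName(client), amount, getPlayerName(target)))
end)
```

Because the balance is never stored in element data, a client that manages to write element data has nothing to overwrite, and the rejected calls leave a log line to review.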
2 hours ago, IIYAMA said:

If a cheater is able to set elementdata clientside, a lot of servers will be breached. So the answer to that is yes/no.

90% of the cheating I have seen at scripting level (we are in the scripting section) is done by corrupted staff. The resource runcode and even admin (execute command) itself do have scripting-based inputs, which can easily manipulate elementData.

So, preventing cheating is a better way of doing it than writing a complex anti-cheat.

  • Use tables instead of elementdata for important data (like money / stats).
  • Always check if players are logged in as admin when executing an action that should be available for admins only.
  • Never give strange players admin / other ranks if you haven't edited your ACL properly. They will be able to do everything they want if they are smart enough (even stealing your resources).
  • Do not upload runcode on your public server (remove it).

Other cheats (flying/aimbot/etc.)? You noticed cheating while your MTA server is up to date? You might consider an anti-cheat, if you are 100% sure it isn't the result of a corrupted staff member.

Hey @IIYAMA.

Thank you a lot for your answer! Helpful.

Link to comment

I don't see what's wrong in at least a simple anti cheat, also depending on what you understand under "anti-cheat" the answer should definitely be yes.

I think you should take actions against code injections or memory alteration like AHK or Cheat Engine can perform. Also you should consider the Script Security article on the wiki.
Oh and yes, I do consider this "anti-cheat"...
One could also consider to take some basic actions against things like speed hacks, maybe bots (aim, minigane, etc.) and the like. Just some very basic stuff as well as logging any breaches/anomalies. This may also help to find bugs in your code...

Last but not least as said before security is probably a good anti-cheat too.
Don't even have resources like runcode on your server, log all admin actions and also make sure you can trust your staff.

  • Like 1
Link to comment
  • MTA Anti-Cheat Team

MTA has a very strong built in anti-cheat, you can read more about that (and how so) here and here.

But still though, take a good look at this: https://wiki.multitheftauto.com/wiki/Script_security

.. Because, despite the strength of MTA anti-cheat, and it including many security patches to make someone writing or having a working Lua injector extremely unlikely, please always keep script security ("never trust the client") in mind, as nothing is impossible. Most servers have insufficient checking and script security in most if not all of their resources, so in the event someone has a "hacked client" (working Lua injector) they can do a lot of damage to the server, and/or gain cheating advantage for themselves or others. No matter how fast MTA is patching it, the damage would have already been dealt.

I know that quite a few of the serious servers on MTA have scripters that are skilled enough to keep script security in mind, and they made it a priority. So that aspect is taken care of. But again, on most servers it's piss poor.. so I hope scripters that are reading this will understand and do something.

* Note: I rewrote this post in 2020, due to high traffic and the ability to educate some people on script security.

Edited by Dutchman101
  • Like 2
Link to comment
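
A server-side guard in the spirit of "never trust the client", combined with the anomaly logging suggested earlier in the thread; this is an added example, not code from the thread or from the MTA wiki. The key names in `serverOnlyKeys` are constructed, and the script assumes a server version in which the `client` variable is available inside `onElementDataChange`.

```lua
-- Server-side script. Added example: the key names are constructed.
local serverOnlyKeys = { money = true, adminLevel = true, kills = true }
local reverting = false -- guards against re-entering the handler while undoing

-- Policy: clients may never write protected keys, and may never write any
-- element data onto a player other than themselves.
local function isClientWriteAllowed(sender, element, key)
    if serverOnlyKeys[key] then return false end
    if getElementType(element) == "player" and element ~= sender then return false end
    return true
end

addEventHandler("onElementDataChange", root, function(key, oldValue, newValue)
    -- `client` is nil when a server script made the change
    if reverting or not client then return end
    if isClientWriteAllowed(client, source, key) then return end

    outputServerLog(("[security] %s (%s) changed '%s' on a %s from %s to %s; reverted")
        :format(getPlayerName(client), getPlayerSerial(client), tostring(key),
                getElementType(source), tostring(oldValue), tostring(newValue)))

    -- Undo the write so other scripts and other clients see the old value.
    reverting = true
    if oldValue == nil then
        removeElementData(source, key)
    else
        setElementData(source, key, oldValue)
    end
    reverting = false
end)
```

Keys that clients legitimately sync, such as the speed or nitro values mentioned for a race server, stay writable under this policy; only the listed keys and writes onto other players are reverted and logged.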
15 hours ago, koragg said:

Is this really necessary on a race server? I just use element data to sync the vehicle's speed, gears, nitro level, etc with all players (while spectating a player it will show his values instead of yours or 0s).

I imagine that a race server is as vulnerable as any other server, however if you never had any problems with cheaters the first answer that comes to mind may very well be no.

You should keep in mind however, once someone wrote a cheat/hack of some sort for your server it is too late. Especially a highly competitive server like race can be destroyed by a hacker within hours. Imagine someone writes a code injection that completely overwrites his vehicle's handling to something way over the top (high speed, acceleration, grip and control), how fun will it be for the other players? Yup, sucks.

On a freeroam server one might say people can do pretty much anything anyway but the server might want to block the minigun, hydra and hunter. I've seen that or similar on a bunch of freeroam servers, for obvious reasons. Cheats could still give those things to players, etc.

So all that being said the obvious answer is yes, an anti cheat makes total sense.

However I just also thought of another side, if you have a private server for instance and you are absolutely sure only trusted people have access you could probably omit anti cheat. Same if you have an absolutely reliable team, good overall security and there is always someone who can take a look at the server and ban/kick any cheaters.

Edited by 3aGl3
  • Like 1
Link to comment
3 hours ago, 3aGl3 said:

However I just also thought of another side, if you have a private server for instance and you are absolutely sure only trusted people have access you could probably omit anti cheat. Same if you have an absolutely reliable team, good overall security and there is always someone who can take a look at the server and ban/kick any cheaters.

Well it's not private (anymore) but I got just 3 admins, out of which 2 helped me with fixing bugs (they needed /debugscript 3) and aren't active at all and another is a friend of mine who just wanted to be able to set maps and a bit more. I've given moderator access to a bunch of people but my ACL allows mods to only /redo, /random and /votemap so I guess I shouldn't really worry for now. Thanks for the info though, as if there come more players maybe I'd need to secure it further.

 

Note: When I say 'admins' above I mean SuperModerators with all access an admin has except that to the Server and Resources tabs in the admin panel.

Edited by koragg
Link to comment
