This playbook / role configures a Linux machine with an instance of the Unreal Tournament 2004 dedicated server. It will take the following steps (roughly):
- prepare the system with common settings;
- configure firewall rules via UFW;
- install required dependencies;
- download and install the UT2004 server via LinuxGSM;
- copy a custom `ut2k4server.ini` configuration file;
- install cron jobs to start the game at boot and to monitor/restart it on crash;
- copy some extra custom game data;
- configure the No-IP dynamic DNS service;
- install and configure Nginx as reverse proxy for the UT2004 web admin interface;
- install fail2ban and have it monitor Nginx logs for brute-force attempts;
- enable some SSH hardening options;
- start the game server process.
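As an added illustration of the firewall step (this is not the role's own task file, and the role may do it differently), a UFW task set written for the `community.general.ufw` module. The variable names `ssh_port` and `ut2004_game_port`, the 7777/udp game port and the ordering relative to the SSH step are assumptions made for the example. Two points matter in practice: the rule for the custom SSH port must exist before sshd is moved to that port, or the next connection is locked out; and the web admin port 8075 is left closed, so it is reachable only through the Nginx proxy on port 80.

```yaml
# Added example, not the playbook's own tasks. Assumed variables: ssh_port,
# ut2004_game_port (7777/udp is the usual UT2004 game port).
- name: Set default policies (deny in, allow out)
  community.general.ufw:
    direction: "{{ item.direction }}"
    default: "{{ item.policy }}"
  loop:
    - { direction: incoming, policy: deny }
    - { direction: outgoing, policy: allow }

# "limit" denies a source that opens 6 or more connections within 30 seconds.
# Run this before the task that changes the OpenSSH listen port.
- name: Rate-limit SSH on the custom port
  community.general.ufw:
    rule: limit
    port: "{{ ssh_port }}"
    proto: tcp

- name: Allow the UT2004 game port (further UT2004 ports follow the same pattern)
  community.general.ufw:
    rule: allow
    port: "{{ ut2004_game_port }}"
    proto: udp

# The web admin is only exposed via the Nginx reverse proxy; 8075 stays closed.
- name: Allow HTTP to the Nginx reverse proxy
  community.general.ufw:
    rule: allow
    port: "80"
    proto: tcp

- name: Enable UFW
  community.general.ufw:
    state: enabled
```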
Prerequisites:
- Create the virtual machine with your cloud provider. Note down the public IP and access credentials.
- An SSH key is required.
- The default username for Ubuntu Server 24.04 is `ubuntu`.
- If you want a dynamic domain name, create an account on www.noip.com, then create a DNS record and a DDNS key.
  - Otherwise, use `--skip-tags=dyn_dns` later.
Usage:
- Modify `hosts.yml` with the parameters of your target host.
- Modify `secrets.yml` with your desired configuration.
- Run `ansible-playbook ut2004.yml`. Some useful options: `-vv` for verbose output; `--tags=...` or `--skip-tags=...` to select or exclude steps; `--list-tasks` to list every task that will be run.
Notes:
- The playbook will change the OpenSSH listen port to a custom one (see `secrets.yml`). This is not a sufficient security measure on its own, but it reduces bruteforce attempts and log spam. Use `ssh -p <port>` or `scp -P <port>` to connect to the machine after this playbook has run.
- To manually update the dynamic DNS: `~/noip/noip-duc -g <domain> -u <username> -p <password> -v --once` (note that a password passed on the command line is visible in the shell history and in the process list).
- unrealwiki.org has a lot of useful documentation, including a wiki and a reference for `ut2k4server.ini`.
- Digital Ocean has an Ansible cheat sheet.
- See below for some useful operative commands.
The game server will start at boot. To start/stop manually:

```sh
sudo su - ut2004
./ut2k4server start
./ut2k4server stop
./ut2k4server details
./ut2k4server console
# The console is a tmux session: to quit, press "CTRL+b" then "d", NOT "CTRL-C"!
```

System monitoring tools:

```sh
bashtop
s-tui
```
Most settings are stored in `~ut2004/serverfiles/System/ut2k4server.ini`. Some settings are passed via command-line arguments, which are stored in `~ut2004/lgsm/config-lgsm/common.cfg`. Files in this folder also contain settings for LinuxGSM, such as monitor settings.
LinuxGSM cron jobs:

```sh
sudo cat ~ut2004/cron.log
sudo tail -f ~ut2004/cron.log
sudo less [-R|-r] ~ut2004/cron.log
```
Fail2ban:

```sh
sudo systemctl status fail2ban
sudo fail2ban-client status
sudo fail2ban-client status ut2004-webadmin
grep "Ban" /var/log/fail2ban.log
```
Nginx:

```sh
less /var/log/nginx/access.log
egrep -v "ServerAdmin" /var/log/nginx/access.log
```
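The two log checks above can be turned into a small summary: who is hammering the proxied web admin, and which jails have banned whom. The script below is an added example, not part of the playbook or of fail2ban; it counts 401 responses per source IP on the web admin path, which is the same idea the `ut2004-webadmin` jail applies, so the numbers can be compared against `fail2ban-client status ut2004-webadmin`. It assumes (none of this is stated on the page) that Nginx writes the default "combined" log format, that the web admin answers 401 to bad Basic-auth credentials, and that its URLs live under `/ServerAdmin`. The log lines are constructed for the example, not captured traffic.

```shell
#!/bin/sh
# Added example, not the playbook's own code. Assumptions: Nginx "combined"
# log format, 401 on failed web admin login, web admin URLs under /ServerAdmin.

# Print "count ip" for each client with at least $2 (default 5) 401 responses
# on /ServerAdmin* in access log $1, busiest first.
webadmin_bruteforcers() {
    awk -v thr="${2:-5}" '
        # combined format: $1 = client IP, $7 = request path, $9 = status
        $7 ~ /^\/ServerAdmin/ && $9 == "401" { n[$1]++ }
        END { for (ip in n) if (n[ip] >= thr) print n[ip], ip }
    ' "$1" | sort -rn
}

# Print "count jail" for every jail that has banned someone, from fail2ban log $1.
# Only "Ban" lines count; "Found" and "Unban" lines are ignored.
fail2ban_bans() {
    awk '
        # e.g. "... NOTICE  [ut2004-webadmin] Ban 203.0.113.7"
        /\] Ban / { jail = $(NF-2); gsub(/[][]/, "", jail); n[jail]++ }
        END { for (j in n) print n[j], j }
    ' "$1" | sort -rn
}

# Constructed sample logs (not captured traffic) so the script runs offline.
access_log="$(mktemp)"
f2b_log="$(mktemp)"
trap 'rm -f "$access_log" "$f2b_log"' EXIT

cat > "$access_log" <<'EOF'
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /ServerAdmin/ HTTP/1.1" 401 188 "-" "curl/8.5.0"
203.0.113.7 - admin [01/Jan/2024:10:00:02 +0000] "GET /ServerAdmin/ HTTP/1.1" 401 188 "-" "curl/8.5.0"
203.0.113.7 - admin [01/Jan/2024:10:00:03 +0000] "GET /ServerAdmin/ HTTP/1.1" 401 188 "-" "curl/8.5.0"
203.0.113.7 - root [01/Jan/2024:10:00:04 +0000] "GET /ServerAdmin/ HTTP/1.1" 401 188 "-" "curl/8.5.0"
198.51.100.9 - admin [01/Jan/2024:10:05:00 +0000] "GET /ServerAdmin/ HTTP/1.1" 401 188 "-" "Mozilla/5.0"
198.51.100.9 - admin [01/Jan/2024:10:05:10 +0000] "GET /ServerAdmin/ HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
198.51.100.9 - admin [01/Jan/2024:10:05:12 +0000] "GET /ServerAdmin/current_players HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
192.0.2.55 - - [01/Jan/2024:10:07:00 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "python-requests/2.31"
192.0.2.55 - - [01/Jan/2024:10:07:01 +0000] "GET /.env HTTP/1.1" 404 153 "-" "python-requests/2.31"
EOF

cat > "$f2b_log" <<'EOF'
2024-01-01 10:00:05,118 fail2ban.filter         [812]: INFO    [ut2004-webadmin] Found 203.0.113.7 - 2024-01-01 10:00:04
2024-01-01 10:00:05,401 fail2ban.actions        [812]: NOTICE  [ut2004-webadmin] Ban 203.0.113.7
2024-01-01 11:30:00,017 fail2ban.actions        [812]: NOTICE  [sshd] Ban 198.51.100.200
2024-01-01 12:00:00,233 fail2ban.actions        [812]: NOTICE  [ut2004-webadmin] Ban 203.0.113.99
2024-01-01 12:10:05,402 fail2ban.actions        [812]: NOTICE  [ut2004-webadmin] Unban 203.0.113.7
EOF

echo "Clients with >= 3 failed web admin logins:"
webadmin_bruteforcers "$access_log" 3
echo "Bans per jail:"
fail2ban_bans "$f2b_log"
```

On the real host, run `webadmin_bruteforcers /var/log/nginx/access.log` and `fail2ban_bans /var/log/fail2ban.log`. The scanner at 192.0.2.55 produces 404s, not 401s, so it does not show up here; the admin who mistyped a password once at 198.51.100.9 stays below the threshold, which is the point of counting rather than banning on the first failure.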
SSH server (note that it uses socket-based activation):

```sh
journalctl -t sshd -f
journalctl -u ssh
```
To back up all logs:

```sh
mkdir logs
cd logs
cp /var/log/nginx/access.log* .
cp /var/log/fail2ban.log* .
journalctl -u ssh > journalctl-ssh.log
journalctl -t sshd > journalctl-sshd.log
sudo cp -r ~ut2004/log lgsm-logs
sudo cp ~ut2004/cron.log .
# the files copied with sudo are root-owned; hand them back to the login user
sudo chown -R ubuntu:ubuntu .
```
TODO:
- skip the download and install of UT2004 and LinuxGSM if they are already installed
- why does the fwupd service always show as changed?
- have a cron job to install security updates daily, but also pin sensitive packages to a specific version.
- have a task dedicated to upgrading system packages, and modify the ubuntu role to only upgrade packages when requested explicitly. Also upgrade LinuxGSM and noip-duc.
- fail2ban + ssh jail = block ssh spam
- enable AWS EC2 Instance Connect (in case SSH breaks)
- monitor, summarize and alert on unauthorized access attempts
- close port 8075 on UFW (we already proxy it on port 80), but only if nginx is configured.