Secure your server

The anticheat resource is not the only resource responsible of spawning entities on the server from external sources. As the anticheat resource is a standalone resource, it is important to design your server resources carefully in order to ensure security for your server. In order to protect your server, you can practice the following security measures.

Handle entity creation on your server

In order to protect your server from spawning entities from external sources, it is recommended to shift the entity spawn from client side to server side directly from your server resources by creating a server side function in your framework that spawns the entity and use it instead the client side natives or directly use server side native for spawning entities and add to your server.cfg one of the lines below at your choice

sv_entityLockdown relaxed #Blocks only client-created entities that are not owned by scripts.

sv_entityLockdown strict #Prevents clients from creating any entities.

It is recommended to make tests before launching this shift.

Create Vehicle (https://docs.fivem.net/natives/?_0xDD75460A)

Example of wrong usage

Client side
local vehicle = CreateVehicle(GetHashKey("adder"), coords[1], coords[2], coords[3], 200.0, true, false)
TaskWarpPedIntoVehicle(PlayerPedId(), vehicle, -1)

Example of right usage

Server side
function tvRP.CreateVehicle(hash, x, y, z, heading, isNetwork, netMissionEntity)
    local source = source
    local user_id = vRP.getUserId(source)
    if source and user_id then
        local vehicle = CreateVehicle(hash, x, y, z, heading, isNetwork, netMissionEntity)
        Wait(100)
        if DoesEntityExist(vehicle) then
            SetPedIntoVehicle(GetPlayerPed(source), vehicle, -1)
            return NetworkGetNetworkIdFromEntity(vehicle)
        end
    end
    return nil
end
Client side

If you do not use any native on the spawned vehicle you can use:

local vehicle = vRPserver.CreateVehicle({GetHashKey("adder"), coords[1], coords[2], coords[3], 200.0, true, false})

If you use any native on the spawned vehicle you can use:

vRPserver.CreateVehicle({GetHashKey("adder"), coords[1], coords[2], coords[3], 200.0, true, false}, function(nveh)
    vehicle = NetToVeh(nveh)
    -- rest of code
end)

Only if you are using CreateVehicle client native in a thread to spawn a vehicle on the server it may spawn a vehicle for each player on the server, so you should use only server side vehicle creation with CreateVehicle server native in order to create only one vehicle.

Create Ped (https://docs.fivem.net/natives/?_0x389EF71)

Example of wrong usage

Client side
local ped = CreatePed(4, "s_m_y_construct_01", coords[1], coords[2], coords[3], 200.0, false, true)

Example of right usage

Server side
function tvRP.CreatePed(pedType, hash, x, y, z, heading, isNetwork, bScriptHostPed)
    local source = source
    local user_id = vRP.getUserId(source)
    if source and user_id then
        local ped = CreatePed(pedType, hash, x, y, z, heading, isNetwork, bScriptHostPed)
        Wait(100)
        if DoesEntityExist(ped) then
            return NetworkGetNetworkIdFromEntity(ped)
        end
    end
    return nil
end
Client side

If you do not use any native on the spawned ped you can use:

local ped = vRPserver.CreatePed({4, "s_m_y_construct_01", coords[1], coords[2], coords[3], 200.0, false, true})

If you use any native on the spawned ped you can use:

vRPserver.CreatePed({4, "s_m_y_construct_01", coords[1], coords[2], coords[3], 200.0, false, true}, function(nped)
    ped = NetToPed(nped)
    -- rest of code
end)

Only if you are using CreatePed client native in a thread to spawn a ped on the server it may spawn a ped for each player on the server, so you should use only server side ped creation with CreatePed server native in order to create only one ped.

Create Object (https://docs.fivem.net/natives/?_0x2F7AA05C)

Example of wrong usage

Client side
local object = CreateObject(GetHashKey("prop_roadcone02a"), coords[1], coords[2], coords[3], true, true, true)

Example of right usage

Server side
function tvRP.CreateObject(hash, x, y, z, isNetwork, netMissionEntity, doorFlag)
    local source = source
    local user_id = vRP.getUserId(source)
    if source and user_id then
        local object = CreateObject(hash, x, y, z, isNetwork, netMissionEntity, doorFlag)
        Wait(100)
        if DoesEntityExist(object) then
            return NetworkGetNetworkIdFromEntity(object)
        end
    end
    return nil
end
Client side

If you do not use any native on the spawned object you can use:

local object = vRPserver.CreateObject({GetHashKey("prop_roadcone02a"), coords[1], coords[2], coords[3], true, true, true})

If you use any native on the spawned object you can use:

vRPserver.CreateObject({GetHashKey("prop_roadcone02a"), coords[1], coords[2], coords[3], true, true, true}, function(nobj)
    object = NetToObj(nobj)
    -- rest of code
end)

Only if you are using CreateObject client native in a thread to spawn an object on the server it may spawn an object for each player on the server, so you should use only server side object creation with CreateObject server native in order to create only one object.

The server side functions for spawning entities have been provided as an example for the vRP framework. To use these functions within a resource, you also need to include the following tunnel in client side:

vRPserver = Tunnel.getInterface("vRP", "resourcename")

Our recommendation is to use server natives CreateVehicle, CreatePed or CreateObject instead of above functions, but in order to make a faster tranistion you can also use the functions showed as an example above.

Handle weapons on your server

In order to protect your server from spawning weapons from external sources there are two ways that can prevent such functions, more than anticheat resource can already do

  1. Weapons from weapon wheel

    If you are using the weapon wheel on your server you can set Config.antiSpawnWeapon to true, if it is set to false as it is by default and ensure that you do not have any script in your server that spawns weapon in your players' hand or not using the weapon wheel. More than this feature you can create in your server a script that will allow getting and using weapons only if you have a specific group, faction or number of hours played on the server in order access weapons from gunshops. Unless the player does not have a specific group, faction or number of hours played on the server in order to access weapons from gunshops and the player owns weapons, the player can be banned

  2. Weapons from server inventory

    If you are using an inventory script that allow using weapons only from inventory, you have to ensure that weapon wheel is disabled completely, even if the player is in the vehicle. In this case Config.antiSpawnWeapon has to be set to false. In order to check if the player has a valid weapon in his inventory, you can create a script that checks if the player has the weapon in inventory. Beside this check you can also use the same check as above, if the player does not have a specific group, faction or number of hours played on the server in order to access weapons from gunshops and the player owns weapons, the player can be banned. In this scenario you have to take in consideration that trading weapon items can impact this check.

Handle functions and events

In order to protect your server from re-running functions or events, it is recommended to create the functions or events as much as possible on server side and contain various checks such as requiring permission (group, faction, level, played hours), requiring items, checking the number of items, location, cooldowns, duty (active task), number of attempts in a specific time. If you do not know how to make this kind of checks, you can use the event protection provided by the anticheat for the events you want to protect.

PreviousServer crash preventionNextAnti aimbot

Last updated