How to Set Up Remote RCON on SA-MP Server: Secure Admin Access
Configure SA-MP RCON to administer your server remotely via client or external tools — strong password, port, firewall, commands, and audit logging.
RCON (Remote Console) is the native admin channel of the SA-MP server — authorizes commands like kick, ban, mapname, reload, and exit through a password. Unlike in-game admin systems written into the gamemode, RCON works at the server core level: responds even without a gamemode loaded, authenticates via password in server.cfg, and accepts external connections over UDP on the same port as the game.
This guide is for SA-MP owners who want to administer the server remotely — whether through the SA-MP client itself via /rcon login, or through external tools like samp-rcon in Python for automation. It covers configuration in server.cfg, secure password generation, firewall rules, IP restriction, and practical command usage.
Estimated time: 15 to 25 minutes, including strong password generation, firewall adjustments, and connectivity tests.
Prerequisites
SA-MP server already installed and running (Windows Server or Linux), access to the server.cfg file (typically at /samp/server.cfg on Linux or C:\samp\server.cfg on Windows), permission to restart the server process, and admin access to the operating system firewall. If you’ll use an external tool, Python 3.8+ installed on your local machine.
7777 (UDP) server.cfg Unencrypted UDP rcon_login_attempts (default 3) Confirm beforehand that the server responds on the expected IP. On a VPS or dedicated, ensure UDP port 7777 (or the one defined in port) is open at the edge. If the server is behind NAT, port forwarding needs to cover UDP — RCON never uses TCP.
Enable RCON in server.cfg
RCON is controlled by two directives in server.cfg: rcon (on/off) and rcon_password (sets the password). Without rcon 1, any login attempt is silently rejected — the client receives “Bad RCON password” even when passing the correct string.
Open server.cfg in a text editor and locate or add the RCON lines:
rcon 1
rcon_password YOUR_PASSWORD_HERE
rcon_login_attempts 3rcon 1 enables the admin channel. rcon_password sets the string used for authentication. rcon_login_attempts limits in-game failures before banning the player’s IP (doesn’t affect external RCON, but it’s good practice).
Generate a strong random password — don’t reuse a panel or database password. On Linux:
openssl rand -base64 32 | tr -d '/+=' | head -c 32On Windows PowerShell:
-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 32 | % {[char]$_})Paste the result into rcon_password. Avoid $, ", ', and spaces — the SA-MP client parser breaks on these.
The RCON password travels over UDP without encryption. Short passwords (8-12 chars) are crackable in hours via brute force on the network. Use at least 24 random characters. If you suspect compromise, rotate the password and restart the server immediately.
Save the file and restart the SA-MP server to load the changes. RCON doesn’t reload via command — requires a full process restart.
On Linux with screen/tmux:
killall samp03svr && cd /samp && ./samp03svr &On Windows, stop the samp-server.exe process in Task Manager and start it again via the executable or service.
Restrict RCON in the firewall
By default, any IP that reaches the game port can attempt RCON login. Restricting the admin channel to admin team IPs drastically reduces the attack surface — brute force only works if the packet reaches the server.
On Linux with iptables, allow the general game port but add a specific log/drop rule for suspicious attempts:
sudo iptables -A INPUT -p udp --dport 7777 -m recent --name RCONFLOOD --update --seconds 60 --hitcount 20 -j DROP
sudo iptables -A INPUT -p udp --dport 7777 -m recent --name RCONFLOOD --set
sudo iptables -A INPUT -p udp --dport 7777 -j ACCEPTThis blocks IPs sending more than 20 UDP packets in 60 seconds to the server’s port — a generic mitigation that catches RCON brute force without harming legitimate players (who send ~10-15 packets/sec under normal conditions).
If you want to restrict RCON strictly to known admin IPs, create a more aggressive rule and allow game traffic separately. This requires separating RCON packets from game packets in the payload — non-trivial without deep packet inspection.
The practical solution: keep the server on a private network and expose port 7777 via a UDP reverse proxy that filters by source IP at an upper layer. On a Hostini VPS, the edge protection already filters anomalous UDP patterns before reaching the server.
If you block all IPs except yours and your home IP is dynamic, you’ll lose admin access on the next router reset. Use a static IP on the admin network or a dedicated VPN with a fixed IP. Keep an alternate access route (KVM console or SSH on the host) to restore rules in emergencies.
Log in via RCON through the SA-MP client
The most direct way to test is to connect to the server using the SA-MP client itself and authenticate via command.
Join the server normally (Servers → Add → IP:port) and, with your character spawned, open chat and type:
/rcon login YOUR_PASSWORD_HEREThe server responds with SERVER: You are logged in as admin. in chat. From there, any RCON command works prefixed by /rcon.
Test basic commands to validate:
/rcon cmdlist
/rcon players
/rcon hostname New Server Name
/rcon weather 15
/rcon gravity 0.005cmdlist lists all available RCON commands. players shows connected players with ID. hostname, weather, and gravity change server properties at runtime — useful for events.
Use an external tool for automation
To schedule restarts, filterscript reloads, or broadcasts via cron, the path is an external tool that sends RCON packets without needing a connected SA-MP client.
Install the samp-rcon Python package on the machine that will automate:
pip install samp-rconAnd run direct commands:
samp-rcon 192.0.2.10 7777 YOUR_PASSWORD "gmx"
samp-rcon 192.0.2.10 7777 YOUR_PASSWORD "reloadfs anticheat"
samp-rcon 192.0.2.10 7777 YOUR_PASSWORD "say Scheduled restart in 5 minutes"gmx does a full gamemode reload. reloadfs reloads a specific filterscript. say sends a broadcast message to in-game chat.
When RCON is used in automated scripts, log every command executed (timestamp + command + result). This makes troubleshooting easier when something fires off-schedule and leaves an audit trail for security review. Stdout from samp-rcon returns the server response — just redirect to a file.
Verification
Confirm RCON is functional and protected:
# Test valid login
samp-rcon YOUR_IP 7777 YOUR_PASSWORD "players"
# Test wrong password (should return Bad RCON)
samp-rcon YOUR_IP 7777 wrong "players"Expected output for valid login: list of players. For wrong password: failure message. Check the SA-MP server log — each RCON attempt generates a line like RCON: Connection from 1.2.3.4:54321 - Login attempt.
Troubleshooting
Login returns “Bad RCON password” even with the correct password
Confirm rcon 1 (not rcon 0) in server.cfg and that the file was saved before the restart. If the password has special characters, test with an alphanumeric-only password to isolate — the SA-MP client parser has known bugs with $, quotes, and dollar signs.
RCON works locally but not from the internet
Check the operating system firewall and the edge firewall (provider/datacenter). UDP packets need bidirectional routing. Use nc -u -v YOUR_IP 7777 from the external machine to confirm UDP connectivity — if it hangs without response, it’s the firewall.
Brute force attempts appear in the log
Rotate the password immediately, enable the iptables recent rule (Step 04), and consider moving the server to a network with edge DDoS protection. Logs in server_log.txt show the source IP of each attempt — block individual reincident IPs via iptables -A INPUT -s IP -j DROP.
Next steps
With RCON configured, consider the following next moves:
- Implement a tiered in-game admin system (levels 1-5) to reduce raw RCON usage
- Set up centralized logging of RCON commands for auditing
- Evaluate anticheat plugins (sampac, NEX-AC) that run separately from RCON
- Document an incident runbook so the admin team knows when to rotate passwords and restart
If you’re putting the SA-MP server into production for a large community, a Hostini VPS comes with edge DDoS protection and IP-configurable firewall — isolating the admin channel becomes much simpler when the underlying infrastructure filters anomalous patterns before the server. See the options at /jogos.
Frequently asked questions
What's the difference between RCON and in-game admin in SA-MP?
RCON is the native SA-MP server protocol — authenticates via the password defined in `rcon_password` in server.cfg and grants access to core commands (kick, ban, mapname, reload, exit). In-game admin is any level system implemented in the gamemode/filterscript (e.g., /makeadmin in pawn). RCON works even without a gamemode loaded and responds over UDP on the server's port; in-game admin depends on the script running and the player being connected.
Why does my /rcon login always fail with the correct password?
Three common causes: (1) `rcon` is set to `0` in server.cfg — needs `rcon 1` to enable; (2) special characters in the password conflict with the client parser (avoid spaces, quotes, and dollar signs); (3) the player isn't logged in or the server has `rcon_login_attempts` set and you exceeded the limit. Check the server logs: each attempt prints `RCON (In-Game): Player ... <NAME> failed login attempt`.
Is it safe to expose RCON to the internet?
Not without precautions. SA-MP RCON transmits the password over UDP without encryption — any sniffer along the path captures it. Practical mitigations: (1) 32+ random character password, never the same as the panel; (2) firewall allowing RCON only from admin IPs; (3) failed attempt logs via plugin (Streamer/sscanf don't cover this, use a custom logger); (4) rotate the password on any suspicion. There's no RCON over TLS in SA-MP — it's a protocol limitation.
How do I change the RCON port to be different from the game port?
You can't. SA-MP RCON shares the same UDP port as the game server (default 7777). There's no separate config — `port 7777` in server.cfg covers both channels. To isolate admin traffic, the only option is firewall: allow the game port to `0.0.0.0/0` (players) and restrict RCON packets via upper-layer rules. In practice, source IP control is the real mitigation.
Which external tool works for sending bulk RCON commands?
SAMP RCON Tool (classic Windows GUI), samp-rcon (Python, maintained on GitHub, cross-platform), and queries via `socat`/`netcat` with manual payload. The most used for automation is the Python package — `pip install samp-rcon` and run `samp-rcon <ip> <port> <password> 'cmdlist'`. Useful for scheduling `gmx`, filterscript reloads, or broadcasts via cron without going in-game.
Does RCON have rate limiting or brute force protection?
The SA-MP server has no native rate limit on RCON — each valid attempt processes the login regardless of frequency. The only built-in protection is `rcon_login_attempts` (default 3) which bans the IP of the in-game authenticated player after N failures. For external RCON (no player object), there's no throttle. Real solution: rate limit at the firewall (iptables `recent` module) or at the network edge limiting UDP packets per IP.