Fix: 'Bad rcon_password' / RCON Not Authenticating

July 2, 2025 Daemon666 7 min read 13 vues

You type rcon commands and the server answers Bad rcon_password. or simply ignores you. RCON on the Half-Life engine is a challenge/response protocol over the same UDP port as the game, and there are only a handful of things that break it: the password the server actually loaded is not the one you think, you are locked out by too many failures, or your client never sent the right password at all. Work through them in order.

1. Confirm the password the server actually loaded

rcon_password is set in server.cfg, but it can be silently overridden by autoexec.cfg, by a per-map config, or by an amxx admin config. On the server console (local, no RCON needed) run:

rcon_password

It prints the current value. If it is empty, RCON is disabled entirely — the engine refuses all RCON when the password is blank, and that is the single most common cause. Set it and it must be non-empty:

rcon_password "a-long-random-string-no-spaces"

2. Kill the quoting and whitespace traps

A password with a space in it, or a stray character from a copy-paste, is a frequent culprit. In a .cfg file the value must be quoted if it contains anything unusual, and it must not have a trailing space before the newline. A password saved from Windows Notepad can also carry a hidden carriage return. Prefer a plain alphanumeric password with no spaces, quotes, or shell metacharacters while you are debugging — you can harden it later.

3. Set the password on the client the right way

From a CS 1.6 client console you must set rcon_password locally and be pointed at the server:

rcon_password "a-long-random-string-no-spaces"
rcon status

If you are not connected to the server, also set the address:

rcon_address YOUR_SERVER_IP:27015

A mismatch between rcon_address and the server you are actually on will send the RCON packet into the void and you will see Bad rcon_password or a timeout even though the password is correct.

4. Check you are not locked out (ReHLDS)

On ReHLDS there are anti-bruteforce cvars, and a few wrong attempts will lock your IP for a window. Look at them on the server:

sv_rcon_maxfailures
sv_rcon_minfailures
sv_rcon_minfailuretime
sv_rcon_banpenalty

The default behaviour bans an IP after sv_rcon_maxfailures bad attempts within sv_rcon_minfailuretime seconds, for sv_rcon_banpenalty minutes. While you are locked out, even the correct password is rejected. Wait out the penalty, or on the server console temporarily raise the limits:

sv_rcon_maxfailures 10
sv_rcon_minfailuretime 5

Set them back to something strict once you are in — RCON brute-forcing is a real attack, not a hypothetical.

5. Make sure RCON traffic reaches the server

Classic HLDS RCON rides UDP on the game port. Some hosts and firewalls treat RCON differently, and some panels expose a separate TCP RCON. If the game connects but RCON never answers, confirm the port is open both ways:

ss -lunp | grep 27015

If you administer through a web panel or a remote tool, that tool has its own address/password fields — a stale entry there produces the same Bad rcon_password while your in-game console works fine.

6. Did server.cfg even execute?

If several settings besides RCON are also not applying, the whole server.cfg may not be running. It executes automatically only for the default map load; a custom map-start sequence, a mapcycle that skips it, or a bad filename (server.cfg.txt from Windows Explorer hiding the real extension) all leave it un-executed. Force it once and re-check:

exec server.cfg
rcon_password

If rcon_password is now correct after a manual exec but was empty before it, the file exists and is right — it simply was not being run at startup, and that is the real bug to chase.

Common errors

  • Bad rcon_password. with a correct password — you are inside a ReHLDS failure lockout, or rcon_address points at the wrong server.
  • Bad rcon server response — the challenge step failed, usually a firewall dropping the return packet or a NAT that rewrites the source port. Open UDP 27015 both directions.
  • RCON silently does nothingrcon_password is empty on the server, which disables RCON completely.
  • Works locally, fails remotely — the value differs because a per-map or autoexec.cfg reset it after server.cfg ran. Grep your configs for a second rcon_password line.

Verification

From a client that is connected to the server, set the password and run a harmless privileged command:

rcon_password "a-long-random-string-no-spaces"
rcon stats

If rcon stats returns the server's CPU/in/out table, RCON authenticated. As a habit, do not administer day-to-day through raw RCON at all — put real admins in users.ini with AMXX and use an admin menu instead, so the RCON password stays a break-glass secret you rarely type.

Contributeurs: Daemon666 ✦
Partager :