I just setup a minecraft server on an old laptop, but to make it acessible i needed to open up a port. Currently, these are the ufw rules i have. when my friends want to connect, i will have them find their public ip and ill whilelist only them. is this secure enough? thanks

`Status: active

To Action From


22/tcp ALLOW Anywhere Anywhere ALLOW my.pcs.local.ip`

also, minecraft is installed under a separate user, without root privlege

  • @[email protected]
    link
    fedilink
    English
    723 months ago

    A port is not secure or insecure. The thing that can lead to security risks is the service that answers that port.

    Use strong authentication and encryption on those services and keep them up to date.

    • @[email protected]
      link
      fedilink
      English
      13 months ago

      You can add IPS to port to add some security checking, but yes, in general port is never secure or unsecure.

  • @[email protected]
    link
    fedilink
    English
    303 months ago

    I would use something like wireguard, or another VPN service you can host yourself if your router supports it natively.

    From the looks of it Minecraft servers seem to have dogshit authentication, so using some form of private network setup is going to be your best move.

    • @[email protected]
      link
      fedilink
      English
      53 months ago

      You don’t have to host the VPN on the router. You can also host it on a separate machine or the same one that’s running the Minecraft server.

      • @[email protected]
        link
        fedilink
        English
        33 months ago

        Oh for sure. What I meant was “check router for a built in VPN and use it if it has one, otherwise use wireguard because it’s the easiest”.

        The specific VPN doesn’t really matter so much. The built-in one would be the easiest, so checking for a solution that took a few clicks is worth it. :)

        • @[email protected]
          link
          fedilink
          English
          13 months ago

          Fair enough.

          But personally I would recommend trying to setup wireguard if your router doesn’t have it integrated. It’s just so much faster than OpenVPN (usually the only built in option).

          • @[email protected]
            link
            fedilink
            English
            23 months ago

            Yeah, it’s definitely faster, but I’m not sure it’s going to make too much of a difference for a Minecraft server.

            With setting it up being a bit annoying by hand, I’d still rank the router option higher even if it’s a worse VPN. Otherwise you risk ending up in that yak shaving situation where you’re fighting with routing tables and DNS when you wanted a Minecraft server.

            • @[email protected]
              link
              fedilink
              English
              23 months ago

              Yeah, that’s also fair. I have a tendency to overcomplicate things like this when all I wanted was a simple service.

  • @[email protected]
    link
    fedilink
    English
    263 months ago

    Why is port 22 open? Is this on your router as well or just the server?

    This is SSH, which you should pretty much never have open (to the internet! Local is fine) MC is by default 25565. You will have every bot on the internet probing that port.

    • @[email protected]
      link
      fedilink
      English
      283 months ago

      Having SSH open to the internet is normal. Don’t use password authentication with weak passwords.

      • @[email protected]
        link
        fedilink
        English
        103 months ago

        Normal for who? I wouldn’t expose SSH on 22 to the internet unless you have someone whose full time job is monitoring it for security and keeping it up to date. There are a whole lotta downsides and virtually no upsides given that more secure alternatives have almost zero overhead.

        • @[email protected]
          link
          fedilink
          English
          113 months ago

          Shodan reports that 35,780,216 hosts have SSH exposed to the internet.

          Moving SSH to ports other than 22 is not security. The bots trying port 22 on random addresses with random passwords don’t have a chance of getting in unless you’re using password authentication with weak passwords or your SSH is very old.

          SSH security updates are very infrequent and it takes practically no effort to keep SSH up to date. If you’re using a stable distribution, just enable automatic security updates.

          • @[email protected]
            link
            fedilink
            English
            53 months ago

            Moving to another port isn’t a bad idea though. It gives you cleaner logs which is nice.

          • JustEnoughDucks
            link
            fedilink
            English
            33 months ago

            To be fair, if something is open by default or very easy to enable without informing about the risks, tons of people will have it exposed without thinking.

            It isn’t that “tons of people do it so it is normal and perfectly fine” but more “people don’t realize.” It also uses some nontrivial amount of resources to process and block those attempts, even if they never have a chance of getting in.

            There is yet a reason I can find to have it forwarded for home use. Need to ssh into a machine to fix it? VPN.

            There are plenty of secure web-based tools to manage your server without a VPN also.

            • @[email protected]
              link
              fedilink
              English
              63 months ago

              A large percentage of those hosts with SSH enabled are cloud machines because it’s standard for cloud machines to be only accessible by SSH by default. I’ve never seen a serious security guide that says to set up a VPN and move SSH behind the VPN, although some cloud instances are inherently like this because they’re on a virtual private network managed by the hosting provider for other reasons.

              SSH is much simpler and more universal than a VPN. You can often use SSH port forwarding to access services without configuring a VPN. Recommending everyone to set up a VPN for everything makes networking and remote access much more complicated for new users.

              • JustEnoughDucks
                link
                fedilink
                English
                53 months ago

                OK that is fair, though that is not self hosted…

                VPS machines are a completely different beast than self hosting. But I guess I only said home use, not specifically self-hosting though we are in a self-hosted community. There are 1000 guides for setting up a VPN on your home network.

        • @[email protected]
          link
          fedilink
          English
          33 months ago

          I had it open for a web server for 2.5 years because I was lazy and my IP changed a lot and I traveled and didn’t have a VPN setup and never had any issues as far as I could tell. Disabled password and root auth but was also fine with wiping that server if there were issues. It’s certainly not recommended but isn’t immediately always going to be an issue

          • @[email protected]
            link
            fedilink
            English
            43 months ago

            ssh is one of the most secure servers you can run. The tailscale propaganda is crazy in this community.

      • @[email protected]
        link
        fedilink
        English
        33 months ago

        For public facing only use key based authentication. Passwords have too much risk associated for public facing ssh

      • @[email protected]
        link
        fedilink
        English
        33 months ago

        If you have ssh open to the world then it’s better to disable root logins entirely and also disable passwords, relying on ssh keys instead.

      • strawberryOP
        link
        fedilink
        13 months ago

        yeah no I should have considered that. didn’t lick the most secure password. will change when I get home

        • 2xsaiko
          link
          fedilink
          English
          163 months ago

          Don’t use passwords for public SSH in the first place. Disable password authentication and use pubkeys.

    • strawberryOP
      link
      fedilink
      33 months ago

      ssh is local only. so I should change all ports from default then huh

      • @[email protected]
        link
        fedilink
        English
        33 months ago

        Your ssh rule says it’s from anywhere. You want to change port 22 to 25565, and run /op username on your Minecraft server to whitelist your friends. Make sure your whitelist flag is turned on with your server config.

        Instead of allowing traffic over your port from anywhere, you can specify your friend’s external IP.

        • @[email protected]
          link
          fedilink
          English
          33 months ago

          You can test it out by running ‘telnet <ip> <port>’ to check if the port is open. This is best done from another network.

  • @[email protected]
    link
    fedilink
    English
    26
    edit-2
    3 months ago

    as long you are only forwarding Minecraft’s 25565 port from your router to your server machine, it should be fine. Just make sure to keep Online mode on, use the whitelist, and get your plugins from trusted sources. Otherwise I wouldn’t worry too much.

    I see others recommending VPN solutions like zerotier for your friends to connect to; I don’t personally feel like this is necessary, and (in my experience), making your friends do more technical setup than just connecting to the server is often a big turn-off.

    Bonus: If you ever take a peek at your server logs while it’s running (and exposed to the Internet, if you avoid said VPN solutions), you might notice a lot of weird connections from IPs and usernames you don’t recognize. These are server scanners and threat scanners that look for vulnerable servers to connect to and exploit. This is normal and you’ll be fine as long as you keep that whitelist and stay up-to-date on developments in the server admin space.

  • Lettuce eat lettuce
    link
    fedilink
    English
    123 months ago

    IP white lists and firewall exceptions will help, but exposing ports on your home router is almost always a bad idea, especially for something as trivial as a game server.

    I would highly recommend Tailscale. It’s free for up to 3 users, and if you have more friends than that, I would have them all sign up with free accounts and then share your laptop device with their tailnets.

    It’s very easy to setup and use, costs nothing, and will be far more secure than opening ports and trying to set up IP white lists, protocol limitations, etc.

    Tailscale creates something called an “overlay network” it’s basically a virtual LAN that exists on top of your real network and can be extended to other people and devices over the internet. It’s fully encrypted, fast, and like I said, very easy to set up.

        • @[email protected]
          link
          fedilink
          English
          43 months ago

          In the old days hamachi used to be all the rage to VLAN with your friends with pirated copies of games. Wonder how hamachi is doing nowadays.

      • Lettuce eat lettuce
        link
        fedilink
        English
        43 months ago

        ?..It’s a great tool that provides all the security of VPN access without having to struggle with the more technical aspects of spinning up your own VPN, and it’s zero cost for personal use.

        You could also use Netbird if you wanted, but I have been using Tailscale extensively and it’s awesome.

    • @Hawk
      link
      English
      53 months ago

      Yeah if this is for a small number of users, I would recommend wireguard or tailgate.

      Port forwarding is asking for trouble.

  • @[email protected]
    link
    fedilink
    English
    113 months ago

    More effort than I would consider. I’d just allow all traffic incoming on that port. I’d only consider whitelist if someone was giving me grief. Even then that would be after blacklisting an IP wasn’t solving my problem.

    • @[email protected]
      link
      fedilink
      English
      103 months ago

      Port 22 is the default SSH port and it receives a TON of malicious traffic any time it’s open to the whole internet. 20 years ago I saw a newly installed server with a weak root password get infected by an IP address in China less than an hour after being connected to the open internet.

      With all the bots out there these days it would probably take a lot less time if we ran the same experiment again.

      • @[email protected]
        link
        fedilink
        English
        73 months ago

        Ha. That’s my bad. I didn’t even read the firewall rules listing 22/SSH. I agree on not opening 22 to the world. It just invites bots throwing passwords at it.

        I just read Minecraft in the original post which from reading runs from 25565 which I wouldn’t worry about. If OP needs 22 for admission I’d either whitelist it or use a VPN/Tailscale.

        • @[email protected]
          link
          fedilink
          English
          23 months ago

          25565 also gets a decent amount of malicious traffic because of Minecraft though. I’d recommend switching the port to something different at the very least. When I hosted a server for the first time on 25565 my router pretty immediately gave me warnings about attempted network traffic coming from Europe/Asia when I (and everyone I gave the IP to) live in the US.

  • @[email protected]
    link
    fedilink
    English
    10
    edit-2
    3 months ago

    if I were you, I would do IP whitelisting at the firewall instead of or besides the Minecraft server

    • @[email protected]
      link
      fedilink
      English
      43 months ago

      This might also become a hassle since basically all residential connections (likely of OPs friends) have dynamic IPs - if someone wants to join while OP is away, but their IP has changed since their last connection, now they have to wait on OP to update the firewall rules.

      Apart from getting your MSA token stolen, there’s not really much that can get around server login (yet). All online-mode logins pass through Microsoft (part of the reason why Xbox service outages seem to affect Minecraft so much).

      If your friends all individually seem to stay within some certain IP ranges (ex, first handful digits always stay the same, 12.34.56.xx), then I’d say go ahead with whitelisting them fully (ex, 12.34.56.xx --> 12.34.56.0/24, CIDR notation). If they jump around unpredictability, I would stick with the username-based whitelisting and online-mode-only.

      • @[email protected]
        link
        fedilink
        English
        13 months ago

        maybe a wireguard network is the way to go then, of course without being configured as the default destination for everything. there IPs are always fixed, but at that point you don’t even need a firewall

  • @[email protected]
    link
    fedilink
    English
    73 months ago

    are you sharing a server solely to play with friends?

    You could consider using something like zerotier to create a private network

    • pgetsos
      link
      fedilink
      23 months ago

      I also use Zerotier for such cases. Not sure if you can somehow limit the ports they see, but works great in general

        • @[email protected]
          link
          fedilink
          English
          13 months ago

          Got it, I’m aware password auth can be brute forced, sadly many services don’t support more advanced auth methods so I’ve got a couple homelab apps that can only do password auth. I’m using very strong passwords and 2FA where available, and have been looking into an SSO solution like Authentik, but again not all services are supported.

  • slazer2au
    link
    fedilink
    English
    63 months ago

    assuming they are not behind a CGN whitelisting your mates place should be OK. But I would also move SSH away from a well known port. In the event something happens to the whitelist, crawlers will not jump on you straight away.

      • @[email protected]
        link
        fedilink
        English
        83 months ago

        no. The default port is fine. Changing the default port does nothing for security. It only stops some basic crawler, when you are scared by crawler, then you should not host anything on the internet.

        • @[email protected]
          link
          fedilink
          English
          63 months ago

          The volume on 22 will be a lot higher than a non default port. With 22 open my router was basically getting DDOS’d at times

          • @[email protected]
            link
            fedilink
            English
            53 months ago

            Agreed. Anyone who thinks it’s ok to just expose ssh on 22 to the internet has never looked at their logs. The port will be found in minutes, and be hammered by thousands of login attempts by multiple bots 24/7. Sure you can block repeat failed logins, but that list will just always be growing.

          • @[email protected]
            link
            fedilink
            English
            23 months ago

            Then using something like fail2ban to block bad acting connections is far more effective and you even get a security benefit out of it.

            Also, when a few scripts try to connect via ssh DDOS your router then something is messed up. Either a shitty router from 20 years ago or you have a Bandwidth lower than 100kbps.

            • @[email protected]
              link
              fedilink
              English
              33 months ago

              I have fail2ban running on the server itself, also it was a lot more than “a few scripts”

          • @[email protected]
            link
            fedilink
            English
            13 months ago

            Getting “hit” is nothing to worry about by automated scripts. All it does is keep your logs a little bit cleaner. Any attack you should actually worry does not care if your ssh is running on 22 or 7389.

      • slazer2au
        link
        fedilink
        English
        43 months ago

        Might throw some off but that is NetBios and things will totally go for that because Windows is terrible for security.

        All my stuff avoids anything below 1000 or that ends in 22 because most people will just go 2222 or 1022. pick a random number between 1001 and 65000

  • @[email protected]
    link
    fedilink
    English
    63 months ago

    The simplest way to do this, is to put the server on a private vpn (I use Tailscale, there are others) and expose ports only to the vpn. Then you share access to the vpn with your friends.

    With Tailscale, this is as simple as sending them a share link for the host. They will need to have an account at Tailscale, and have the client running, but they will then be able to access the host with a static ip address.

    As a general rule of thumb, nothing should be exposed to the public internet unless you want that service to be public access and then you need to keep it up to date. If a vulnerability doesn’t currently exist for the service, one will sooner rather than later. SSH, especially password only ssh, can be broken into fairly easily. If you must expose ssh to the public internet for whatever reason, you need to be using IP white lists, password protected keys, change the default port, and turn off service advertisements and ping responses. I’m probably missing something. When someone scans your server randomly, they should see nothing. And if they fail login they should be ip blocked.

  • @[email protected]
    link
    fedilink
    English
    4
    edit-2
    3 months ago

    More or less. The biggest issue is if your or their IP address changes, it’ll stop working.

    I don’t know what Minecraft’s track record is on security, but I assume it’s not great. Ideally, you’d also put public facing services in a DMZ, so that if they do get compromised, they can’t reach anything else.

  • @[email protected]B
    link
    fedilink
    English
    3
    edit-2
    3 months ago

    Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

    Fewer Letters More Letters
    DNS Domain Name Service/System
    IP Internet Protocol
    SSH Secure Shell for remote terminal access
    SSO Single Sign-On
    TCP Transmission Control Protocol, most often over IP
    VPN Virtual Private Network
    VPS Virtual Private Server (opposed to shared hosting)

    7 acronyms in this thread; the most compressed thread commented on today has 11 acronyms.

    [Thread #959 for this sub, first seen 8th Sep 2024, 20:35] [FAQ] [Full list] [Contact] [Source code]

  • Possibly linux
    link
    fedilink
    English
    2
    edit-2
    3 months ago

    It is all about risk management. What you are doing now is pretty solid. It might be easier to have them use a mesh VPN like netbird or tailscale