There have been multiple accounts created with the sole purpose of posting advertisement posts or replies containing unsolicited advertising.

Accounts which solely post advertisements, or persistently post them may be terminated.

How can I keep my forwarded port secure?

I just setup a minecraft server on an old laptop, but to make it acessible i needed to open up a port. Currently, these are the ufw rules i have. when my friends want to connect, i will have them find their public ip and ill whilelist only them. is this secure enough? thanks

`Status: active

To Action From

22/tcp ALLOW Anywhere
Anywhere ALLOW my.pcs.local.ip`

also, minecraft is installed under a separate user, without root privlege

ShortN0te ,

A port is not secure or insecure. The thing that can lead to security risks is the service that answers that port.

Use strong authentication and encryption on those services and keep them up to date.

StrawberryPigtails ,

The simplest way to do this, is to put the server on a private vpn (I use Tailscale, there are others) and expose ports only to the vpn. Then you share access to the vpn with your friends.

With Tailscale, this is as simple as sending them a share link for the host. They will need to have an account at Tailscale, and have the client running, but they will then be able to access the host with a static ip address.

As a general rule of thumb, nothing should be exposed to the public internet unless you want that service to be public access and then you need to keep it up to date. If a vulnerability doesn’t currently exist for the service, one will sooner rather than later. SSH, especially password only ssh, can be broken into fairly easily. If you must expose ssh to the public internet for whatever reason, you need to be using IP white lists, password protected keys, change the default port, and turn off service advertisements and ping responses. I’m probably missing something. When someone scans your server randomly, they should see nothing. And if they fail login they should be ip blocked.

chiisana ,
@chiisana@lemmy.chiisana.net avatar

In the old days, it used to be a problem because everyone just connect their windows 98 desktop with all their services directly exposed to the internet because they’re using dial up internet without the concept of a gateway that prevents internet from accessing internal resources. Now days, you’re most likely behind your ISP router that doesn’t forward ports by default, and you’re only exposing the things you’d actually want to expose.

For things you’d actually want to expose, having a service on the default port is fine, and reduces the chances of other systems interacting with it failing because they’d expect it on the default port. Moving them to a different port is just security through obscurity, and honestly doesn’t add too much value. You can port scan the entire public IPv4 space fairly quickly fairly cheaply. In fact, it is most likely that it’s already been mapped:

www.shodan.io/host/<your-ip-here>

Keeping the service up-to-date regularly and applying best practices around it would be much more important and beneficial. For SSH, make sure you’re using key based authentication, and have password based authentication disabled; add fail2ban to automatically ban those trying to brute force. For Minecraft, online mode and white listed only unless you’re running a public one for everyone.

ricecake ,

I would use something like wireguard, or another VPN service you can host yourself if your router supports it natively.

From the looks of it Minecraft servers seem to have dogshit authentication, so using some form of private network setup is going to be your best move.

Decronym Bot , (edited )

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

Fewer Letters More Letters
IP Internet Protocol
SSH Secure Shell for remote terminal access
TCP Transmission Control Protocol, most often over IP

3 acronyms in this thread; the most compressed thread commented on today has 7 acronyms.

[Thread for this sub, first seen 8th Sep 2024, 20:35] [FAQ] [Full list] [Contact] [Source code]

mark3748 ,

Why is port 22 open? Is this on your router as well or just the server?

This is SSH, which you should pretty much never have open (to the internet! Local is fine) MC is by default 25565. You will have every bot on the internet probing that port.

strawberry OP ,

ssh is local only. so I should change all ports from default then huh

mark3748 ,

No, SSH is fairly vulnerable and not very secure at default, it’s a big target. For your Minecraft server you should be fine on the default port.

I have run a pair of MC servers for about a decade with no issues, survival on port 25565, and creative on 25567.

i_am_not_a_robot ,

Having SSH open to the internet is normal. Don’t use password authentication with weak passwords.

strawberry OP ,

yeah no I should have considered that. didn't lick the most secure password. will change when I get home

breadsmasher ,
@breadsmasher@lemmy.world avatar

are you sharing a server solely to play with friends?

You could consider using something like zerotier to create a private network

just_another_person , (edited )

You cant. You can only do your best to make it as secure as possible, but given enough time, someone can break it.

Basic tips:

  • don’t run any services on their defaults ports
  • don’t allow password auth for any exposed service. Ever.
  • run intrusion detection (fail2ban for simple ssh / Crowdsec for something a little beefier)

For ssh specifically, lock down your sshd config, make sure only key-based auth is enabled, and maybe as an extra step, create a dedicated user, and jail it by only allowing it access for the commands you need to interact with.

catloaf , (edited )

More or less. The biggest issue is if your or their IP address changes, it’ll stop working.

I don’t know what Minecraft’s track record is on security, but I assume it’s not great. Ideally, you’d also put public facing services in a DMZ, so that if they do get compromised, they can’t reach anything else.

slazer2au ,

assuming they are not behind a CGN whitelisting your mates place should be OK. But I would also move SSH away from a well known port. In the event something happens to the whitelist, crawlers will not jump on you straight away.

strawberry OP ,

so just change ssh to like 137/TCP?

22 isn't forwarded

slazer2au ,

Might throw some off but that is NetBios and things will totally go for that because Windows is terrible for security.

All my stuff avoids anything below 1000 or that ends in 22 because most people will just go 2222 or 1022. pick a random number between 1001 and 65000

strawberry OP ,

the server is hosted on Ubuntu server, but I'll keep that in mind

ShortN0te ,

no. The default port is fine. Changing the default port does nothing for security. It only stops some basic crawler, when you are scared by crawler, then you should not host anything on the internet.

  • All
  • Subscribed
  • Moderated
  • Favorites
  • [email protected]
  • random
  • lifeLocal
  • goranko
  • All magazines
    •