Advanced minecraft security guide

Discussion in 'Server & Community Management' started by Sammwy, Jan 25, 2020.

  1. HELLO! Almost a year ago I created this guide where I show how to protect your Minecraft server. However, I have lost access to that account and by mistake I locked the thread, so I am writing it again here (in a more structured, orderly and updated way).

    Also available on GitHub.

    What is this guide for?
    This guide is created with the sole purpose of protecting our server against exploit abuse that could damage the server or network.

    With this guide you can block most of the exploits and bugs that griefers (A.K.A. skiddies) use to break our cubes.

    Why do I need to secure my server?
    If you search on Google for "Grief minecraft server", the results will give you enough reason to protect your server. In summary, you run the risk that your account is compromised or that hacked clients attack your vulnerable Minecraft server/network.

    What do I need?
    You don't need much knowledge; try to know at least how plugins are installed, how they are configured, how ports work, and how servers and packets work. Also, to improve security I recommend not using hosting sites; use a VPS or a dedicated server (best option).

    Disclaimer
    It is impossible to block all exploits; most griefing is due to the stupidity of the owners, administrators or whoever misconfigured the server, for example by using plugins with known bypasses or configuring them incorrectly.

    Nor do I promise you that your network/server will be completely impenetrable, nor will I be responsible for any damage you do to your server with this guide. (If you follow everything to the letter nothing bad will happen.)


    If you don't use BungeeCord (which you should) you can skip this part, even though I don't recommend skipping it at all.

    Default configuration
    The BungeeCord server already comes with a default configuration that helps users understand how it works, but it is dangerous to leave some parameters as they are.

    Code (YAML):
    # Leaving this as it is is quite dangerous.
    groups:
      md_5:
      - admin

    # Change it to the following:
    groups:
      md_5: []

    # Make sure the following values are set like this.
    ip_forward: true
    prevent_proxy_connections: true

    # Only if your server supports non-premium users, or if you want users to be forced into the lobby.
    listeners:
    - force_default_server: true

    Authentication plugin
    Never use auth plugins in the BungeeCord; it may sound safe, but it can be exploited in many ways. It is best to have a dedicated auth server, and in case of using multiple lobbies use a MySQL connection. Also do not use AuthmeBridgeBungee, and if you are not going to listen to this point and will still put an auth plugin in the bungee, at least use DynamicBungeeAuth, which of all those on the market is, in my opinion, the best programmed.

    Example of exploit: if you are kicked from the spigot instance but the bungeecord does not eject you, your currentServer variable could be null, giving you the opportunity to bypass functions locked on the auth server, for example changepassword or unregister. (It happens when you send packets to the spigot server that make it close your connection instantly in an insecure way, which the bungeecord fails to detect.)

    The truth is that I don't know how to reproduce it, but I have triggered it myself and on rare occasions it works.

    What plugins should I not use
    It is advisable to have the minimum possible plugins in the Bungeecord instance, even so avoid placing this type of plugins:
    1. Global report system (Like any "/report" plugin)
    2. Global moderation system (Like Litebans)
    3. Global message system or staff chat
    4. Permissions plugins for bungeecord (Like BungeePerms)
    5. Any authentication plugin (Like BungeeAuth)
    6. Viaversion (Use Flamecord or Travertine)
    7. Any antivpn/proxy system.

    Block Invalid Packets
    To protect our server from attacks with invalid packets and exploits, it is advisable to use Flamecord (Flamecord is proxy software, a Travertine fork that mitigates exploit attacks); download it here.

    Block exploits
    We can secure our spigot servers from the bungeecord instance with some useful plugins; ExploitFixer is the most recommended (and it's free).

    Block bots
    The most advisable thing is to block bots in the bungeecord instance, for this we will use the following Antibot plugin.

    Remember that bot attacks cause a waste of resources on your server that can crash it.

    World Downloader
    To prevent users from downloading our server constructions using WorldDownloaderMod, we will use this plugin that blocks that mod.

    Block Commands
    Here is a way to block global commands on our server; this can be very useful to disable commands that can compromise server security.
    For this we will use a plugin called BungeeCommandBlock.

    Host Limiter
    Although it is not very useful, it can be if you put it to good use: you can restrict from which domain each user must connect, or allow only one for all. This opens the door to creating a domain system for each staff member on the server.
    For this we will use a plugin called BungeeHostLimiter.

    Premium mode
    It is not recommended, since there have been cases of servers on which this plugin was bypassed, but on the networks I saw that had it these cases were not reported. Although it is not recommended, if you had to choose a plugin for premium mode I would choose FastLogin.

    Bungee Authme
    Not to be confused with BungeeAuthmeBridge (that plugin is garbage); the following plugin is official from the AuthMe developers and simply blocks the actions sent to the bungee by users who have not logged in (commands, messages, etc.).

    Warning: It could cause incompatibility with premium authentication plugins.
    Plugin: AuthmeBungee

    Hide Plugins
    To prevent users from observing the server plugins using the TabComplete method, we can use the plugin called CanelaAntiPluginSteal (https://www.spigotmc.org/resources/canela-anti-pluginsteal.1150/)

    Summary
    The truth is that it is not necessary to follow all these steps except for Block Bots, Block Exploits and Block Invalid Packets. As long as everything is in order, there should be no reason for exploits in the bungeecord.

    Block Spigot Exploits
    As in bungee, we must protect our Spigot server from exploit attacks; for this we will use this plugin. ExploitFixer works for both Spigot and bungeecord; it is advisable to have it in both instances, since there are exploits for spigot that bungee is unable to detect.

    Block OP
    It is highly recommended to block OP and not give it to anyone, not even to have it ourselves. To prevent a user from obtaining OP through a permission or from another operator, we will use Anti ForceOP.
    You can also configure that operators do not have any type of permissions by changing this parameter in the spigot server configuration:

    Code (Text):
    op-permission-level=0
    Default value: 4
    Recommended value: 0

    IP Based Protection
    If you want one more layer of protection, you can protect the accounts of all staff using AccountGuard. This plugin allows you to restrict the IP address from which you can access an account. In this way you can protect your account or those of the staff so that they can only be accessed from their respective IP address.

    Cracked Authentication
    If your server supports non-premium players, you must have an authentication plugin; otherwise your server will be exposed to hacked clients. For this you can use one of the plugins below:
    Authme Reloaded (Recommended).
    Login Security.

    WorldEdit Crash
    There are several exploits when using WorldEdit that can crash the server; besides that, this plugin uses many resources and its tasks are synchronous (that is, users will suffer lag and the server will be frozen while the plugin is working). To correct this we will use FastAsyncWorldEdit.

    For Creative Servers
    There are several hacked clients capable of generating malicious or corrupt items, or items with custom NBT tags, that can do anything from crashing the server to carrying huge enchantments.
    For this we will use ExploitFixer and/or ItemFixer.

    Block Items Duplication
    By default the minecraft code has some bugs that allow duplicating items in chests; to solve this you can use one of the plugins below:
    ExploitFixer (Recommended).
    Dupe Fixes (Dedicated plugins just for Dupe Exploits).
    Confiscate (Premium and excellent option with some useful functions!!)

    KickAll Exploit
    Normally in minecraft, when you enter the server and your account is already online, the existing session is disconnected, giving way to the most recent connection. AuthMe and bungeecord solve this, but if your server is a network and you choose to use IPWhitelist because you cannot install a software firewall, then your server is vulnerable to an exploit that, for each online player, makes a connection which kicks the selected player (kicking all players).

    To solve this we will use the plugin called AntiUserSteal

    UUID Spoof
    Hacked clients can easily change their uuid, which imposes a great risk for servers without adequate protection, luckily there are several plugins that solve this, for example ExploitFixer and AntiUUIDSpoof (Recommended for mixed-mode).

    Custom Payload Exploit
    CustomPayload packets are packets sent to the server with a specific channel parameter; they are mostly used for communication between the client and the server in some mods, or for communication between spigot and bungeecord.
    Sending such packets at large scale, or packets that the server cannot process, can crash the server if it does not have adequate protection.

    To solve this we can use ExploitFixer or CustomPayloadFixer.

    Bot Protection for Spigot
    If you do not have a bungeecord instance then the plugin mentioned in Block bots will not work for you, here is a list of antibot plugins which could be useful:
    AntiBot-Ultra.
    AntiBot-Attack.

    Remember that bot attacks cause a waste of resources on your server that can crash it.

    Hide Plugins in Spigot
    If you do not have a bungeecord instance then the plugin mentioned in Hide Plugins will not work for you; to block users from seeing your plugins you can use PLSecure.

    2nd Check for Staff
    If you want to have a second authentication for your administrative staff then you can opt for this plugin.
    PinProtect adds a second authentication in the form of a pin in case the password is bypassed. (It is advisable to place it in the lobby)

    IPWhitelist
    It is highly recommended that you have firewall software on the server's operating system, but if you do not have access to a terminal, either because you use a web hosting panel for minecraft servers or for any other reason, and you have a network, then you must use IPWhitelist.

    IPWhitelist restricts from which bungeecord your Spigot server can be accessed; otherwise the door is open for anyone to connect with any username if they discover the port of your Spigot server.

    Book Exploit
    There are hacked clients able to create books with almost infinite enchantments. When a user interacts with these books, the server has to process a lot of information, causing a memory overflow and making it shut down.
    To fix this we can use Book-Sign Exploit Fix or ExploitFixer.

    Bad Potion Exploit
    As with hacked books, the same thing happens with potions. AntiHackedPotions or ExploitFixer detect potions with dangerously high effects, or ones that can crash the server, and remove them.

    Skull Exploit
    Like the previous points, minecraft heads have many properties that can be exploited and corrupt worlds, chunks or crash the server. We can detect and remove them using Skull Exploit Fix or ExploitFixer.

    Spigot Summary
    The truth is that most exploits are covered by ExploitFixer, but do not overlook AntiBot protection and the points that ExploitFixer still does not solve.

    The most advisable thing is to use a firewall to block the ports of the spigot servers from IPs that do not come from the local network (127.0.0.1), but making spigot listen only on the local IP (127.0.0.1) is a good practice that you should NEVER forget.

    Code (Text):
    # On spigot servers (server.properties)
    server-ip=127.0.0.1
    Code (YAML):
    # On bungeecord instance (config.yml)
    # for every server in the "servers" list:
    servers:
      server-1:
        address: 127.0.0.1:xxxxx
        restricted: false
      server-2:
        address: 127.0.0.1:xxxxx
        restricted: false
      server-3:
        address: 127.0.0.1:xxxxx
        restricted: false

    IP Forward
    If the bungeecord hook or ip forward is deactivated, the spigot servers will be unable to recognize the users' IP addresses.

    For this we will set the ip_forward option in the bungeecord config.yml to true, and the "bungeecord" option in the spigot.yml file of all spigot servers to true.

    Code (YAML):
    # config.yml of bungeecord
    ip_forward: true
    # spigot.yml of each spigot server
    settings:
      bungeecord: true

    Firewall
    A firewall is software that allows us to restrict incoming and outgoing connections to the server; it is highly recommended to use iptables or UFW.

    You can get more information searching on the internet.

    The END
    Made with ❤️. Need help? Contact me on Twitter: @Sammwy_
     
    #1 Sammwy, Jan 25, 2020
    Last edited: Jan 26, 2020
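As an added example (not from the original post or any of the plugins it names), a small Python audit that checks the three files this guide edits, server.properties, spigot.yml and the BungeeCord config.yml, against the values recommended above. The sample configs and the 203.0.113.10 backend address are constructed for the example, and yaml_get is a simplified indentation walker that is enough for these files, not a full YAML parser.

```python
"""Audit server.properties, spigot.yml and the BungeeCord config.yml against the
values the guide recommends. Sample configs are constructed, not from a real server."""
import re

# Constructed default-style configs that violate every checked recommendation.
SERVER_PROPERTIES_WEAK = "server-ip=\nserver-port=25566\nop-permission-level=4\n"
SPIGOT_YML_WEAK = "settings:\n  bungeecord: false\n"
BUNGEE_CONFIG_WEAK = """\
ip_forward: false
prevent_proxy_connections: false
groups:
  md_5:
  - admin
listeners:
- host: 0.0.0.0:25565
  force_default_server: false
servers:
  lobby:
    address: 203.0.113.10:25566
    restricted: false
"""


def _indent(line):
    return len(line) - len(line.lstrip())


def yaml_get(text, *path):
    """Indentation-based lookup for the flat mapping/list layouts these files use
    (not a general YAML parser): returns the scalar as a string, the nested '- '
    items as a list, or None when the path is absent."""
    lines = [re.sub(r"^(\s*)- ", lambda m: m.group(1) + "  ", raw)   # list item -> nested entry
             for raw in text.splitlines() if raw.strip() and not raw.lstrip().startswith("#")]
    lo, hi, value = 0, len(lines), None
    for key in path:
        if lo >= hi:
            return None
        child = _indent(lines[lo])            # direct children share this indent
        for idx in range(lo, hi):
            m = re.match(rf"\s*{re.escape(key)}:\s*(.*)$", lines[idx])
            if m and _indent(lines[idx]) == child:
                value, lo = m.group(1).strip(), idx + 1
                # the key's own block is the run of deeper-indented lines after it
                hi = next((j for j in range(lo, hi) if _indent(lines[j]) <= child), hi)
                break
        else:
            return None
    if value == "" and lo < hi:               # block-style list under the key
        return [lines[j].strip() for j in range(lo, hi)]
    return value


def props_get(text, key):
    """Value of a key=value line in server.properties, or None when missing."""
    for line in text.splitlines():
        k, sep, v = line.strip().partition("=")
        if sep and not k.startswith("#") and k.strip() == key:
            return v.strip()
    return None


def audit(server_properties, spigot_yml, bungee_yml):
    """Return one finding per setting that differs from the guide's value."""
    checks = [
        ("server.properties server-ip", props_get(server_properties, "server-ip"), "127.0.0.1"),
        ("server.properties op-permission-level", props_get(server_properties, "op-permission-level"), "0"),
        ("spigot.yml settings.bungeecord", yaml_get(spigot_yml, "settings", "bungeecord"), "true"),
        ("config.yml ip_forward", yaml_get(bungee_yml, "ip_forward"), "true"),
        ("config.yml prevent_proxy_connections", yaml_get(bungee_yml, "prevent_proxy_connections"), "true"),
        ("config.yml groups.md_5", yaml_get(bungee_yml, "groups", "md_5"), "[]"),
        ("config.yml listeners.force_default_server", yaml_get(bungee_yml, "listeners", "force_default_server"), "true"),
    ]
    findings = [f"{label}: found {actual!r}, expected {expected!r}"
                for label, actual, expected in checks if actual != expected]
    # every backend the proxy forwards to should be reachable only on loopback
    for host, port in re.findall(r"address:\s*([\w.-]+):(\d+)", bungee_yml):
        if host != "127.0.0.1":
            findings.append(f"config.yml servers address {host}:{port}: backend not bound to loopback")
    return findings
```

Running audit() on the constructed weak files reports eight findings; on files set as the guide recommends it returns an empty list.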
  2. These plugins don't work well:
    World Downloader
    It is possible to bypass it very easily;
    there are practically many ways to do it.

    Bungee Command Block
    I don't recommend this.

    Method to block commands:
    ExploitFixer
    and
    spigot.yml
    commands:
      tab-complete: -1


    BungeeHostLimiter
    This does not offer real protection.

    Canela Anti-PluginSteal
    AntiBungeePluginSteal
    Do not use these; they are practically possible to bypass.

    SkinsRestorer or LuckPerms in bungeecord
    Not recommended for bot attacks; these plugins usually crash under a bot attack.

    Anti ForceOP
    This plugin does not work properly either; it is possible to bypass it.

    If you really want protection, use LuckPerms and disable OP from its configuration; this way it will be impossible to give OP.

    AccountGuard
    I recommend this plugin, it is very good. I also recommend blocking the plugin's commands and only executing them from the console, which is much safer :)


    AntiUserSteal
    Nice

    IPWhitelist
    This is not safe at all.

    Very good; your guide can be polished a little more.
     
  3. That is the objective: to correct the guide together with the community, since the previous one was locked by mistake, preventing new answers.
    In a few days I will update it, thank you very much for your contribution!!
     
  4. Nice guide, except for the Flamecord advertisement and the claim **Flamecord is a proxy software, travertine fork that mitigates exploit attacks**. I tested it; it doesn't, it's just a fork of a fork of a fork. I know it is your software, but don't recommend shit that doesn't work.

    Just use viaversion or travertine and you will be fine.
     
  5. This guide reminds me of something LinsaFTW made, which was a fucking mess.
     
  6. I am a Flamecord developer; if you have something to contribute and want to, talk to me in private so you can explain to me where the fault is.
     
  7. My guide is a mess, or Linsa's guide?
     
  8. Why is it a mess? I mean, I made it to link customers to a guide that is simplified and easy to understand.

    I would like you to test it again, in later versions we have tested with customers all the attacks available in MCSpam.tech website.

    Older versions of FlameCord didn't patch all the exploits. The issue was that MCSpam blacklisted us, so we couldn't test their methods and had a lot of trouble recreating them. I think you should inform yourself a little more before giving an opinion.

    If you are curious about what FlameCord does: it just adds a .flush() call before doing any close, has a small firewall feature just to block connections that are detected as malicious, and detects connections that send invalid packets like invalid protocol, null ping, out of bounds... We did some code changes too to prevent unnecessary CPU usage and prevent some exploits on the netty thread.
     
  9. @xTradehg Would you like to give your opinion? Thanks.
     
  10. You're salty because I said your fork is pure shit.
    I just remembered that a while ago half the Spigot forum roasted you, so I don't really need to comment anything.
    Have a nice day.
     
  11. When was I roasted? I was right in an argument I had about "null address": you can actually forward null addresses to spigot servers that have bungee set to true, and I've confirmed it by doing so.

    An argument is not "roasting", it is learning from others. You are salty for no reason. I just want to give what I know to people and learn what other people know. I don't know why you're trying to bully me / being a jerk. I'm not a "master of the spigot system of the java god of transistors", I'm just a programmer trying to learn and help others, don't get me wrong.

    I don't understand your logic... someone publishes something that works and you just insult them? You know there are people that, because they can't find guides, buy "protection guides" from "griefers/kids" who end up telling them "install ipwhitelist"? Please have more empathy with these people. They are just minecraft gamers trying to host a simple server who get griefed and scammed.

    These guides are being published to link people to them so they can easily fix their server issues.
     
  12. You can't seem to grasp common sense. What you know is how to completely misguide people with what you call a "Guide"; I feel sorry for anyone who legitimately uses this garbage. I will admit this though: this guide is way messier than yours. So, congrats. Your guide isn't the worst I have ever seen, it's now Sammwy's. People aren't salty, they are giving constructive criticism. Most of this guide is just linking your plugin "ExploitFixer" along with other useless plugins. Nobody is bullying you or harassing you. You're getting these terms mixed up. Your arguments are as pointless as people who think rating me as optimistic for something so petty. Sorry, not sorry. There are times where I have to be blunt. Until you learn to accept feedback, you will never get better. I don't give a fuck what the Spanish community thinks about you.

    If you actually want to learn how to write a guide correctly, refer to the wonderful guides that MrDienns presented in an orderly fashion.
    https://www.spigotmc.org/threads/minecraft-security-part-1-awareness.414081/
    https://www.spigotmc.org/threads/minecraft-security-part-2-the-exploit-chain.414155/
     
  13. If you think that you're being constructive, then can you at least point out where the errors in our guides are? Every time someone pointed out an error we fixed it, so I don't know what errors in our guides you are talking about.

    I always accept feedback... I'm the kind of person who wants to improve. That's why I always answer and read comments.
     
  14. People have already pointed out MANY flaws in your guide; I'm not here to repeat myself again. I linked above two guides made by MrDienns. I noticed you edited your post a few moments before the time of writing this; you don't really accept feedback. That's proven to be false. On a couple of posts, I gave you constructive criticism and you and Sammwy took it as an attack.
     
  15. I want to kindly ask you to repeat the flaws.

    I don't think the guides you've sent are useful, because they are made for programmers that already have experience. Most server owners don't even know how to make a hello world in Java.

    The purpose of the guide that Sammwy and I made is to give a quick fix for non-programmers.
     
  16. Btw, I know your point... you want every server owner to know programming and know how the server structure works...

    But you know? I was a kid before, and I had a dream to host a minecraft network that stayed broken for years because of people like you forcing kids to know programming and all that stuff. It was really tough for me. I had to learn programming because no one made plugins or simple guides for non-programmers.

    Most people in this community are like "just code it yourself, dumb". Dude, I was 12 years old... It was really hard for me to learn coding and I just wanted to host a network for people to play... I had a 200 player base and I got it all ruined because of exploits, and no one provided at that time something that worked for non-programmers.

    Now that I'm 19 and I know programming, I made ExploitFixer with all the fixes necessary for all the kids who don't know programming and want to have an exploit-free server without paying or learning programming. You know there are people that just blackmail and steal hundreds from kids because of simple exploits like UUID Spoof? (UUID Spoof can't even be considered an exploit.)

    This is because people like YOU just want everyone to know programming and all that stuff. It doesn't work like that. Let the 12 year old have an easy and free solution. Don't be toxic with them.

    And I will repeat: I know your point, it would be nice if everyone knew programming and how this works, but you can't just force kids to learn all this stuff... They are just kids looking for fun... There are some owners that know nothing and own big networks, and that's an exception. Most owners are kids.
     
  17. Oh yeah, sorry for that. We are too bad at English and at explaining things, I have to admit. And some of the exploits we mentioned aren't only for cracked servers; it's just that with cracked you can use any alts you want and crash everything without losing anything. But it doesn't mean the exploits aren't working on premium servers.
     
  18. Sigh. That's the complete opposite. You're not getting the issues that I'm trying to address. I have no problem with people not knowing about how servers work; the issue that I'm having with you both is that there is no organization in your guides. It's out of place. Don't get me started on your plugin "ExploitFixer", we'll save that for another time. I'm not here to praise you for your work. I will repeat this again: while I don't think the guides should be over complicated, they shouldn't be all over the place. By your logic, if I were to offer a presentation about, let's say, "Apples", for people that know nothing about apples and want to learn about them, does that give me an excuse to make a guide about apples that's all over the place? Let's say I was talking about apples, then all of a sudden I'm talking about bananas for some unknown reason. That's not the best analogy, I know. I have absolutely no issue with people asking for help if they don't know about servers. I'm still not sure how you got me saying "I want everyone to know about programming and how server structure works". If that were the case, there would be no need for me to make this account. I have mentioned time and again, this account was merely created to help others. I guess the same could be said for you and many others. The guides that I linked may be a bit complicated, but that's why they're ordered into sections. I'm not being toxic. These claims made about me are very inaccurate.

    The guides that you and Sammwy made are all over the place. I still stand by that statement. Either you two kept promoting plugins that were useless or promoted plugins that have no relation to the topic that you're discussing. Let me go a bit more in depth: these fools linked so many plugins, such as plugin blockers and command blockers, when all of this can be done without plugins. Not to mention, linking a lot of the same plugins into a guide multiple times doesn't make it right. Before you respond to this, might I remind everyone that LinsaFTW runs a cracked server. You don't need to touch the default configuration of bungeecord. The title is very misleading in every way. It should be "Guide on how to secure a server (cracked)" because that's basically what this is. Both your and Sammwy's guides lean towards cracked servers, and we both know how the SpigotMC community feels about cracked servers. :/
     
  19. I'm not boasting about my server; I think it's pretty bad and needs a lot of work. I just wanted to state that I was 12 years old, didn't know programming and ran a 200 player network. I think it was too much for a 12 year old kid without any programming knowledge to run that.
     
  20. Secure your network, don't run bungee. Run every server in online mode. Don't install 500 plugins that don't get updates and that can easily be bypassed. Avoid the security domino effect (see @MrDienns articles) and apply common sense.
     