Best Practices For Minecraft/Linux In General

Discussion in 'Server & Community Management' started by Corin, Aug 5, 2013.

Thread Status:
Not open for further replies.
  1. So, you just got your new Linux server and only know the basics of it, great! It's always nice to see people learning Linux.

    Protip: Get into good habits early; it prevents having to correct bad habits later, i.e. using root to login.

    Update your shit:
    This is standard procedure when you get your first dedicated server/VPS, run the updaters for the dist.

    For Ubuntu/Debian based dist: apt-get update;apt-get -y dist-upgrade
    For CentOS/RHEL based dist: yum update

    Those commands will update all of your system's packages/apply distribution security patches, thus making you more secure both OS side and application side.

    Add your own user:
    The second thing you must always do is add your own user account. Using purely root is the biggest mistake all new admins make. root is the single most powerful account on your system and if someone compromises it, you might as well wave goodbye to it all.

    adduser (your wanted username goes here)
    So for me it'd be: adduser cbryars

    This just in from Mace268, apparently CentOS does not ask you for a password for adduser accounts.

    Once you run the adduser command, run:
    passwd (your username)
    This will let you change/add the password for the user account you just created, so for example, for me it would be:
    passwd cbryars

    Add yourself to sudo:
    Now you're probably thinking "So if I can't login as root, how the fuck do I do stuff like update or add new packages?" The answer is sudo. Sudo allows you to change to another user, run applications as other users and so on.
    So, first we need to install sudo, if it's not already installed.

    For Ubuntu/Debian based dist: apt-get install sudo
    For CentOS/RHEL based dist: yum install sudo

    Now that you've installed sudo, you'll need to add yourself to the sudoers, this is the easy part.

    usermod -a -G admin (yourusernamehere)
    So for me it'd be:
    usermod -a -G admin cbryars

    If you run a Debian based dist, you'll need to restart the sudo service for this to take effect, just do: service sudo restart

    Quick tutorial to sudo!

    When you're logged into your user you'll want to change users a lot (trust me, it's a godsend) for that you'll want to use sudo -su, for example:
    sudo -su minecraft
    This will change your shell to the system username: minecraft
    All things you run while under sudo -su will be run AS THAT USER, so if you say run java, the process will be under the user minecraft!

    So say you want to get to root, this is even easier:
    sudo -s
    That's it, running that command will elevate you to a root shell and allow you to essentially login as root without logging in as root!

    If you wish to leave a sudo -su/sudo -s'd shell and get back to your normal user account, just run the command: exit
    It'll bring you back to your own shell.

    Modify your SSHd config:
    Now you're probably thinking "Why would I need to do this? It works, right?" and you'd be right, however a nice touch always is changing a few basic things to boost your security.
    First of all disable root.
    You have no idea how many times I have to tell people, disable fucking root, you have sudo so why would you need to login as root?

    First of all, open up your sshd config: nano /etc/ssh/sshd_config
    Once you've done that, look for the words "PermitRootLogin"
    If it says "PermitRootLogin yes", change it to "PermitRootLogin no"
    What this will do is disable SSH logins to the user root, you have sudo -s, so who cares, you certainly don't :D.

    Next step in the same file is to change the port.
    This is purely optional but it does prevent a lot of annoying bruteforce logs in your /var/log/auth.log
    Look for "Port 22", it should be somewhere at the top of the file.
    Change it to some memorable number; for example's sake, 2421, all you change it to is "Port 2421", it's as simple as that.

    IF YOU DO CHANGE THE PORT, REMEMBER IT. YOU'LL NEED IT TO LOG INTO SSH AGAIN.

    Then once you've done all that just simply do:

    For Ubuntu/Debian based dist: service ssh restart
    For CentOS/RHEL based dist: service sshd restart

    This will reload your configs!

    HOREY SHEET, I LOGGED OUT AND NOW I CAN'T LOGIN AS ROOT OMGWTFBBQ

    As I went over before, you disabled root! Just login as the new user you created, once you do that if you need to get to say the root user, just do sudo -s

    This concludes the beginner shit, I'll make another post on the more advanced more Minecrafty stuff.
     
    #1 Corin, Aug 5, 2013
    Last edited: Aug 5, 2013
    • Informative x 19
    • Useful x 8
    • Like x 4
    • Agree x 1
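    The sshd_config changes above are the kind of edit that locks you out when a typo slips in, so here is an added example (mine, not part of Corin's post) that audits a config file the way sshd actually reads it: the FIRST uncommented occurrence of a keyword wins and later duplicates are ignored, keywords are case-insensitive, and anything below a "Match" block is conditional. The two sample config files are constructed for this example; the defaults assumed for absent keywords are noted in the comments.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config the way sshd reads it.
# sshd uses the FIRST uncommented occurrence of a keyword and ignores later
# duplicates; keywords are case-insensitive; values below a "Match" block only
# apply conditionally, so the audit stops there. Sample configs are constructed.

# sshd_effective FILE KEYWORD DEFAULT -> prints the value sshd would use.
sshd_effective() {
    file=$1 key=$2 default=$3
    val=$(awk -v k="$key" '
        /^[ \t]*[Mm]atch[ \t]/ { exit }                 # conditional section: stop
        /^[ \t]*#/ || /^[ \t]*$/ { next }               # comment or blank line
        tolower($1) == tolower(k) { print $2; exit }    # first occurrence wins
    ' "$file")
    printf '%s\n' "${val:-$default}"
}

# sshd_audit FILE -> one line per check; returns 1 if any FAIL was found.
# Assumed defaults when a keyword is absent: PermitRootLogin yes (OpenSSH < 7.0;
# 7.0+ defaults to prohibit-password), PasswordAuthentication yes, Port 22.
sshd_audit() {
    file=$1 rc=0
    root=$(sshd_effective "$file" PermitRootLogin yes)
    pw=$(sshd_effective "$file" PasswordAuthentication yes)
    port=$(sshd_effective "$file" Port 22)

    if [ "$root" = no ]; then echo "PASS PermitRootLogin=no"
    else echo "FAIL PermitRootLogin=$root (post says: set it to no)"; rc=1; fi

    if [ "$port" = 22 ]; then echo "INFO Port=22 (optional: move it to cut brute-force noise)"
    else echo "PASS Port=$port"; fi

    # Not a failure: the thread argues both ways on password auth, so just report it.
    echo "INFO PasswordAuthentication=$pw"
    return $rc
}

# Constructed sample 1: commented default, explicit no, then a stray duplicate
# and a Match block, neither of which may override the first global value.
SAMPLE_GOOD=$(mktemp)
cat > "$SAMPLE_GOOD" <<'EOF'
# /etc/ssh/sshd_config (constructed sample)
Port 2421
#PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication yes
PermitRootLogin yes
Match Address 192.0.2.0/24
    PermitRootLogin yes
EOF

# Constructed sample 2: an untouched distro file, root login still allowed.
SAMPLE_BAD=$(mktemp)
cat > "$SAMPLE_BAD" <<'EOF'
Port 22
PermitRootLogin yes
EOF

echo "== good sample =="; sshd_audit "$SAMPLE_GOOD"
echo "== bad sample ==";  sshd_audit "$SAMPLE_BAD" || echo "audit failed as expected"
```

Run it against the live file with `sshd_audit /etc/ssh/sshd_config` after editing. Two habits go with it: `sudo sshd -t` parses the config and reports syntax errors before you restart the daemon, and you keep your current SSH session open while you test a fresh login from a second terminal, so a mistake never costs you the box.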
  2. So you want to make a Minecraft server? Brilliant! We all got started somewhere and this is how I learned Linux.

    First thing you'll want to do on your brand spanking new VPS/Dedi is install Java.
    Without it you're not really gonna get far.

    Installing Java:
    Now I'll assume you're using your own account like I said to do in the OP, so I'll do these commands on that basis.

    For Debian 6 based distros: sudo apt-get install openjdk-6-jre
    Sorry Squeeze fans, you're outmoded, update to Wheezy already so you can take advantage of the new repos.

    For Ubuntu/Debian 7 based dist: sudo apt-get install openjdk-7-jre
    For CentOS/RHEL based dist: sudo yum install java7

    Another thing you'd do well to install is screen, it's a handy little tool that allows you to run applications in another "screen", so to speak, it's marvelous for stuff like Minecraft.

    For Ubuntu/Debian based dist: sudo apt-get install screen
    For CentOS/RHEL based dist: sudo yum install screen

    Adding your servers user:
    So you got Java, smashing!

    Next step is doing the single most basic security step when running a Minecraft server.
    RUNNING THE SERVER UNDER A DIFFERENT USER THAN ROOT.

    Seriously, a lot of kids do this and it makes me cringe so so much. You have no idea how much of a security flaw this is.

    All you have to do is just this:
    adduser minecraft
    That is it. Running this command and running your servers under it has just saved you from being rooted by a rogue plugin. Congratulations.

    Now if you run CentOS or equiv, change its password:
    passwd minecraft

    Now to get to that user from just your current shell, all you have to do is like I taught you in the OP:
    sudo -su minecraft

    You can of course login as this user manually through SSH if you wish, but for ease (laziness), sudo -su helps a lot.

    Running your Minecraft server:

    So you did all the shit above, wehey, now it's time to start the bastard.
    First of all I'll assume you sudo -su'd to the user you're using for Minecraft.

    Next step is getting stuff downloaded and running.
    First things first, get to the home directory of the minecraft user.
    cd ~
    This will bring you to the home dir, then you want to get Spigot.
    wget http://ci.md-5.net/job/Spigot/lastSuccessfulBuild/artifact/Spigot-Server/target/spigot.jar
    This will download the latest successful built version of Spigot, feel free to download any other server software you see fit (Bukkit/Vanilla/whatever) just swap out the download link to Spigot for the other software.

    Next step is getting a screen for it up, so when you disconnect from SSH or whatever, the server won't shut down.

    Now, if you sudo -su'd, it'll complain about ptys being wrong and whatnot, there's an easy workaround for this, just do:
    script /dev/null

    Next step is starting the screen, just do:
    screen -S minecraft
    This will create your screen.

    Next step is starting the server, all you literally do is this:
    java -jar spigot.jar

    And this will start your server!

    Next you'll want to detach from the screen, all you have to do is "CTRL+ A + D" on your keyboard, this will detach you from it.
    If you wish to resume it at a later time, just do:
    screen -r minecraft

    And it'll bring you back to it!

    Accessing your servers files
    So of course, you have your server, next thing you want to do is upload files/download them.
    So how the hell do we do this?

    The answer? SFTP.
    Do not use normal FTP, it's insecure and sends your password in plain text over to the server.

    First of all, grab an FTP client, I recommend FileZilla
    Now say your servers IP is 123.123.123.123
    As your host in FileZilla you'd put in sftp://123.123.123.123 (Or your domain if you have one pointed at it)
    As your Username you'd put in: minecraft (or whatever you made your servers username)
    As your password you'd put in whatever you made the password for that account.
    Port 22 (Unless you listened to the OP and changed your port for SSH, in which case, use that)

    And that should be it!

    This concludes the Minecraft side of it, I can't help but feel I've left out a huge chunk, oh well, please let me know if I missed anything.
     
    #2 Corin, Aug 5, 2013
    Last edited: Aug 5, 2013
    • Informative x 8
    • Useful x 4
    • Like x 3
    • Agree x 1
    • Winner x 1
  3. So next step is the advanced shiz, you've got your secured server, you've got your Minecraft server running.
    oh sweet Jesus my fingers hurt, why am I even still awake?
    Now what?
    If you want more than what screen can provide and want a proper wrapper for the server, you can always grab a control panel/wrapper.

    There's quite a few:
    rtoolkit
    mark2
    MCMyAdmin
    And everyone's favorite and every devs nightmare, Multicraft!

    I'm not going to guide you through their installs, they each have install guides on their sites.
    Stop being lazy.

    Anyways so now you have a snazzy new dedicated server with sexy stuff going on.
    What next? A little bit of securing never hurt nobody.

    Securing your servers from idiots: Firewall edition
    Now this isn't foolproof, this is just a small bit of security that nobody minds.

    Firstly, what with the recent Minecraft slowloris exploit, there's a nice little iptables rule here that can prevent this being used:
    sudo iptables -I INPUT -p tcp --dport 25565 -m state --state NEW -m recent --set
    sudo iptables -I INPUT -p tcp --dport 25565 -m state --state NEW -m recent --update --seconds 5 --hitcount 20 -j DROP

    What this basically does is, if someone tries to connect to your server 20 times from the same IP simultaneously within 5 seconds, it'll simply drop the new connections until the old ones are cleared up.

    Obviously you can modify this to your tastes, if you don't like it, simply do:
    sudo iptables -F
    And it'll clear your firewall rules.

    The reason this hitcount is so high is because the owner of CookieSlap managed to get himself dropped because he had 10+ instances of the server in his server list, each ping created a new connection andddd it dropped the new connections from him.

    gg itsatacoshop247.

    Anyways next thing.
    Blocking Tor.
    There is no good usage to having tor unblocked on your server. None at all.

    First off, create the block to hold all the IP addresses of tor nodes.
    sudo iptables -N TOR_NODES
    sudo iptables -I INPUT -j TOR_NODES

    Next thing you'll want to do is do these commands and use this script (https://gist.github.com/corin12355/6157378):
    sudo -s
    cd ~
    wget https://gist.github.com/corin12355/6157378/raw/ce038f8dadd6f8fa773b3fb1be161fbdc284f055/Drop.sh
    chmod +x Drop.sh
    crontab -e
    Go to the bottom of the crontab and add this:
    00 * * * * /root/Drop.sh
    Then close your editor.
    This should update the tornode list hourly and keep it up to date with any new nodes.

    Basically what this does is automatically downloads a list of every fucking tor node, and drops their connections.

    So if you host a tor node, you're likely going to be dropped.

    And if you're using tor, you're going to be dropped.

    Be careful though, check regularly that the url is still alive, these sites go down quite often but they're not hard to find again. (There's lots of them)

    I'd prefer you proofread what you were running before you ran it though.
    Remember, if shit goes wrong, you still have your active SSH connection, do not fucking close PuTTY, the rules won't affect active connections so you still have time to revert and fix it.

    Also this is an old script of mine, I remember i got it off a site then modified it a little, so props to whoever originally did it.
     
    #3 Corin, Aug 5, 2013
    Last edited: Aug 5, 2013
    • Useful x 6
    • Like x 4
    • Informative x 3
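    The Tor-blocking cron job above feeds whatever the list URL returns straight into iptables, and the post itself warns that these URLs die. What you get back then is an HTML error page, not IP addresses. Here is an added example (mine, not Corin's Drop.sh, which I have not reproduced) that validates every line as an IPv4 address or IPv4/CIDR range before it can become a rule, and writes the rules to a file for review instead of applying them blind. It assumes the TOR_NODES chain already exists and is hooked from INPUT as the post sets up; the sample list is constructed, with the `<html>` and out-of-range lines imitating a dead download.

```shell
#!/bin/sh
# Added example, not the thread's Drop.sh: sanitise a downloaded node list
# before it reaches iptables, and write the rules to a reviewable file.
# Assumes chain TOR_NODES exists and is referenced from INPUT (as in the post).
# The sample list is constructed; the "<html>" line imitates a dead list URL.

# filter_ipv4 FILE -> prints only well-formed IPv4 or IPv4/CIDR entries, one per
# line; the number of rejected lines is reported on stderr.
filter_ipv4() {
    awk '
    function octet(o) { return o ~ /^[0-9]+$/ && o + 0 <= 255 }
    {
        line = $0
        sub(/^[ \t]+/, "", line); sub(/[ \t\r]+$/, "", line)   # trim, drop CRLF
        if (line == "" || line ~ /^#/) next                     # blank or comment
        n = split(line, p, "/")
        if (n > 2) { bad++; next }
        if (n == 2 && !(p[2] ~ /^[0-9]+$/ && p[2] + 0 <= 32)) { bad++; next }
        if (split(p[1], o, ".") != 4) { bad++; next }
        if (octet(o[1]) && octet(o[2]) && octet(o[3]) && octet(o[4])) print line
        else bad++
    }
    END { printf "filter_ipv4: rejected %d line(s)\n", bad + 0 | "cat 1>&2" }
    ' "$1"
}

# build_drop_rules LISTFILE CHAIN OUTFILE -> writes a script that flushes only
# CHAIN (never INPUT, so the rate-limit rules survive) and refills it with one
# DROP rule per validated entry. Prints the number of DROP rules written.
build_drop_rules() {
    list=$1 chain=$2 out=$3
    {
        printf '#!/bin/sh\nset -e\n'
        printf 'iptables -F %s\n' "$chain"
        filter_ipv4 "$list" 2>/dev/null | while read -r ip; do
            printf 'iptables -A %s -s %s -j DROP\n' "$chain" "$ip"
        done
    } > "$out"
    grep -c -- '-j DROP' "$out"
}

# Constructed sample list: three usable entries, three lines that must be dropped.
SAMPLE_LIST=$(mktemp)
cat > "$SAMPLE_LIST" <<'EOF'
# exit nodes (constructed sample)
198.51.100.23
203.0.113.0/24
<html><body>404 Not Found</body></html>
256.1.1.1
192.0.2.77
192.0.2.0/33
EOF

RULES_OUT=$(mktemp)
echo "rules written: $(build_drop_rules "$SAMPLE_LIST" TOR_NODES "$RULES_OUT")"
cat "$RULES_OUT"    # review it, then apply as root: sudo sh "$RULES_OUT"
```

Flushing the named chain rather than running `iptables -F` keeps the 25565 rate-limit rules in INPUT intact when the list is refreshed. For a list of thousands of addresses, one rule per IP is slow to load and to match; an ipset hash with a single `-m set --match-set` rule is the usual way to scale this, but the validation step is the same either way.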
  4. Post probably reserved (will delete if not used)
     
    • Funny x 2
  5. joehot200

    Supporter

    Looks good, I am still using the root user, I'll make another account :)
     
  6. vemacs

    Artist

    #6 vemacs, Aug 5, 2013
    Last edited: Aug 5, 2013
    • Useful x 1
    • Optimistic x 1
  7. Good advice.

    I recommend all new server owners take advice from this man. He knows what he's talking about.

    He pretty much taught me Linux, and I've not been compromised yet. I'm also convinced that CookieSlap is still running because of this guy working behind the scenes.

    There is one thing I would add though, Corin. Mention RSA keys and how to create/use them.

    I know you're not a huge fan and they're not invulnerable, but it IS an extra security step, which fits perfectly with this guide.

    Just don't do like me and disable password auth then go away with SSH on your phone....and no keys... -_-
     
    • Like x 1
    • Agree x 1
    • Friendly x 1
  8. I planned to add it, it's not that I'm not a fan of them, it's more I'm too lazy to create/add/maintain them lel
     
  9. joehot200

    Supporter

    I believe I have been compromised twice, once my VPS had "high bandwidth" and some guy from China had hacked into me, another time my password was hsjfl4S6de8 and so I guess it was brute-forced.

    Anyway, made a new user account now etc (using this guide), so you can no longer blame me for using root! :)
     
  10. Looks good. Should definitely help when I need help and what not.
     
  11. joehot200

    Supporter

    I think this should be part of the wiki :)
     
    • Agree x 1
  12. This guide is good, however... Never rent a dedi without knowledge. One should acquire the needed knowledge before doing so.

    EDIT: You should disable password authentication for SSH as well. Use public key authentication.
     
  13. Which fucks you over with SSH clients that don't support SSH keys, i.e. phones.
    so no, don't disable password auth unless you know for a solid fact you can support it.

    Also you don't need knowledge of Linux before getting a dedi, I bought a dedi and went straight in.
    Trial and error is part of the Linux learning process, it's what makes it fun.
     
    • Informative x 1
  14. There are phone ssh clients that support pubkey auth.
     
  15. yes, there are, but not all of them.

    so don't disable password auth unless you're going to go tinfoil to the max.
     
    • Friendly x 1
  16. If you're keeping password auth, use Fail2Ban to make it more secure, then.
     
  17. Yes, there are. No good when you don't bring your keys with you though.

    Honestly, with how easy it is to lose a phone, DO NOT STORE YOUR KEYS ON IT.
     
    • Agree x 2
  18. Yeah, get your server hacked when you don't know how to make it secure and have another spambot in the web.

    You're right. However, the keys are useless if you use a passphrase for them. I never store the keys on my phone as I don't access SSH using my phone.
     
  19. wow, you really are like, a constant downer.

    If your server gets hacked, big deal, this is a BEGINNERS GUIDE, FOR BEGINNERS. The advanced stuff just locks down shiz, doesn't open security holes. Just reformat and continue if you do get hacked, big deal.
    If you dampen peoples spirits like that nobody is going to want to fucking learn Linux.
     
    • Funny x 1
  20. So, pretty much the same as just using a fucking password? :|
     