Fast & Easy Security guide for Minecraft servers (Bungee/Bukkit)

Discussion in 'BungeeCord Discussion' started by LinsaFTW, Mar 20, 2018.

  1. electronicboy

    IRC Staff

    BungeeGuard is basically the best alternative to setting your network up properly, there is no real need to have iptables and bungeeguard setup together, but *shrugs*
     
2. I didn't test it so I don't know.
     
3. I like to have more security on my net xd closing all ports, mirroring my MySQL database, 2FA, BungeeGuard, casual protector etc. xd
    Thanks for the info XD
     
4. Yeah, and adding overhead that isn't that necessary. If you already have a firewall there's no need for a "bungee port protect" plugin.

    I think that adding excessive "protection" can lead to more issues.
     
5. Just a notification to let everyone know that the guide has been updated completely :)
     
6. The best of the best, thank you very much Linsa for this guide :)
     
7. Good job. It's an improvement from the last one. It's still lacking a bit though. I seriously feel like writing a guide, properly demonstrating how to not only secure a server but along with other helpful tips.
     
8. Thanks, yeah, I tried to explain a little more instead of just dropping the fix.
     
9. Linsa, when will you add to the guide which kinds of plugins should be avoided? Like in BungeeCord, Spigot and other little things.
     
10. I don't know, it's just that I don't like giving devs a bad reputation because their plugins are bad, and I'd rather warn them until they fix it.
     
  11. UPDATE: Better Firewall rules added to the Guide!
     
12. This is an excellent guide! I'm making a bungee server rn, was gonna get these, so it's good I ran into this now rather than later <3
     
13. Yes, I hope you don't run into any issues like I did in the past because of not knowing these tips before. :)
     
  14. Fixed a typo!

    This:

    Code (Text):
    -A ufw-before-input -p tcp --dport 25565 -m conntrack --ctstate NEW -m recent --set
    -A ufw-before-input -p tcp --dport 25565 -m conntrack --ctstate NEW -m recent --update --seconds 5 --hitcount 10 -j ufw-user-limit
    -A ufw-before-input -p tcp --dport 25565 -j ufw-user-limit-accept
    To this:

    Code (Text):
    -A ufw-before-input -p tcp --dport 25565 -m conntrack --ctstate NEW -m recent --set
    -A ufw-before-input -p tcp --dport 25565 -m conntrack --ctstate NEW -m recent --update --seconds 5 --hitcount 10 -j ufw-before-limit
    -A ufw-before-input -p tcp --dport 25565 -j ufw-before-limit-accept
     
  15. Alright! We have updated the guide and added new Ratelimit methods.

2. Open /etc/ufw/before.rules and add the following rules for ratelimiting.

    Add these lines before "COMMIT", located at the end of the file.

    Code (Text):
    # Connlimit
    -A ufw-before-input -p tcp -m connlimit --connlimit-above 18 --connlimit-mask 32 -j DROP
    # Ratelimit
    -A ufw-before-input -m hashlimit --hashlimit-above 25/minute --hashlimit-burst 8 --hashlimit-mode srcip --hashlimit-htable-expire 120000 --hashlimit-name ratelimit -j DROP
3. Allow the ports you want opened to the public. (In normal cases 25565 for MC and 22 for SSH)

    sudo ufw allow 25565/tcp
    sudo ufw allow 22/tcp
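A way to check what these thresholds mean for your own player counts, written as an added example (not from the guide or from anyone in this thread): a small Python model of the connlimit and hashlimit rules above, evaluated per source IP. It assumes token-bucket semantics for hashlimit (a bucket of 8 tokens refilled at 25 per minute, a packet with no token left is dropped) and that connlimit counts the connection being opened; the source IP is a constructed placeholder.

```python
from collections import defaultdict

# Thresholds taken from the before.rules snippet in the post above.
CONNLIMIT_ABOVE = 18        # --connlimit-above 18 --connlimit-mask 32
HASHLIMIT_PER_MIN = 25      # --hashlimit-above 25/minute
HASHLIMIT_BURST = 8         # --hashlimit-burst 8


class UfwRuleModel:
    """Per-source-IP model (an assumption, not the kernel code) of the two
    DROP rules: connlimit counts open TCP connections from one /32, and
    hashlimit is a token bucket holding at most HASHLIMIT_BURST tokens,
    refilled at HASHLIMIT_PER_MIN tokens per minute. A new packet that
    finds the bucket empty matches "above" and is dropped."""

    def __init__(self):
        self.open_conns = defaultdict(int)
        self.tokens = defaultdict(lambda: float(HASHLIMIT_BURST))
        self.last_seen = defaultdict(float)

    def new_syn(self, src_ip, now):
        """Return 'ACCEPT' or the name of the rule that dropped the SYN."""
        # connlimit counts the connection being opened: the 19th is dropped
        if self.open_conns[src_ip] + 1 > CONNLIMIT_ABOVE:
            return "DROP:connlimit"
        # hashlimit: refill tokens for the time elapsed, capped at the burst
        refill = (now - self.last_seen[src_ip]) * HASHLIMIT_PER_MIN / 60.0
        self.tokens[src_ip] = min(HASHLIMIT_BURST, self.tokens[src_ip] + refill)
        self.last_seen[src_ip] = now
        if self.tokens[src_ip] < 1.0:
            return "DROP:hashlimit"
        self.tokens[src_ip] -= 1.0
        self.open_conns[src_ip] += 1
        return "ACCEPT"

    def close(self, src_ip):
        """A client disconnected; frees one connlimit slot."""
        self.open_conns[src_ip] = max(0, self.open_conns[src_ip] - 1)


def accepted_in_burst(n, spacing_s=0.0, src_ip="203.0.113.10"):
    """How many of n new connections from one IP (players behind a shared
    NAT, for example; constructed address) get through when the connection
    attempts are spaced spacing_s seconds apart."""
    model = UfwRuleModel()
    results = [model.new_syn(src_ip, i * spacing_s) for i in range(n)]
    return results.count("ACCEPT")
```

With these numbers, 10 connections arriving at once from one address leave the last 2 dropped by hashlimit, while the same 10 spaced 3 seconds apart all pass, and connlimit caps a single address at 18 open connections regardless of pacing.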
     
16. Thank you for the update Linsa, I was using the rules you had before this update. Can you please upload your previous settings somewhere so that I can remove them from before.rules, because right now I don't remember what they were.

    Edit: If I am not mistaken these are the old ones right? Am I missing something?

    Under *filter
    :ufw-before-limit - [0:0]
    :ufw-before-limit-accept - [0:0]

    Above COMMIT
    -A ufw-before-input -p tcp --dport 25565 -m conntrack --ctstate NEW -m recent --set
    -A ufw-before-input -p tcp --dport 25565 -m conntrack --ctstate NEW -m recent --update --seconds 5 --hitcount 10 -j ufw-before-limit
    -A ufw-before-input -p tcp --dport 25565 -j ufw-before-limit-accept

    Edit2: I also have these, which I am not sure if they are from this guide and if they are needed at all.

    ### RATE LIMITING ###
    #-A ufw-before-limit -m limit --limit 3/minute -j LOG --log-prefix "[UFW LIMIT BLOCK] "
    -A ufw-before-limit -j DROP
    -A ufw-before-limit-accept -j ACCEPT
    ### END RATE LIMITING ###
     
    #96 LucidAPs, Jul 22, 2021
    Last edited: Jul 22, 2021
  17. I think they are those. I don't really remember.
     
18. So I tried these new rules and there were some problems. Most attempts from players to change servers would fail with this error:
    Could not connect to a default or fallback server, please try again later: <translation 'timeout' missing>
    And if I had like 6 - 10 players joining at once, only 1 might be able to join and the rest would timeout.
     
19. Hello! If your server is split across different machines you will have to add a bypass for them with an early allow :)
     
20. They are not, it's one machine.