Securing BungeeCord

Discussion in 'BungeeCord Discussion' started by Joshua James, Jul 30, 2013.

  1. Hi,

    My friend and I are looking to start a 'hub' server where we will have mini-games and possibly a Factions server. Our main concern is security because I know of a server where someone logged in as the Admin and basically destroyed everything. I need to be sure that this will not happen to our server. I was hoping someone who has experience with BungeeCord could explain how to make the servers fully secure.

    Thank you
     
  2. joehot200

    Supporter

    Bind all servers to 127.0.0.1 and then they won't be able to join on the backend IP/ports, then just run it as you normally would :)
     
  3. All I need to do is follow this (http://www.spigotmc.org/threads/1-6-2-bungeecord.392/) and it will be secure?
     
  4. joehot200

    Supporter

    That and what I have said, yes :)
    Oh, and in the config rename "admin" to some random name that isn't md_5 so anyone logging in as md_5 can't use /end or /ip, etc. (presuming you are cracked).
     
  5. I feel more secure using iptables (if you have a Linux server) to lock down my server ports.
     
  6. I have these server rules on all my servers so that they can establish direct connections via ports 25120-25130. This will allow me to run Bungee on any of my 3 physical servers. Then the last rule will just deny any other connection that attempts to connect to my backend server ports (which are servers running in offline mode).

    Code (Text):
    #Allow access by internal servers only
    iptables -I INPUT -s 1.2.3.4 -p -tcp --dport 25120:25130 -j ACCEPT
    iptables -I INPUT -s 4.3.2.1 -p -tcp --dport 25120:25130 -j ACCEPT
    iptables -I INPUT -s 127.0.0.1 -p -tcp --dport 25120:25130 -j ACCEPT
    #Drop all other connections destined for back-end servers
    iptables -I INPUT --dport 25570:25580 -j DROP
     
  7. Thank you very much for this. I will be setting this up in a few minutes.
     
  8. Remember to enter the commands in this order:

    iptables -I INPUT --dport 25570:25580 -j DROP
    iptables -I INPUT -s 1.2.3.4 -p -tcp --dport 25120:25130 -j ACCEPT
    iptables -I INPUT -s 4.3.2.1 -p -tcp --dport 25120:25130 -j ACCEPT
    iptables -I INPUT -s 127.0.0.1 -p -tcp --dport 25120:25130 -j ACCEPT

    Be sure to replace '1.2.3.4' and '4.3.2.1' with your IPs and replace the port range with the one you use for your backend servers :)
     
  9. I get this error while executing the first command

    iptables v1.4.7: unknown option `--dport'
    Try `iptables -h' or 'iptables --help' for more information.
     
  10. Try this:

    Code (Text):
    iptables -I INPUT -p tcp --dport 25570:25580 -j DROP
    iptables -I INPUT -s 1.2.3.4 -p tcp --dport 25120:25130 -j ACCEPT
    iptables -I INPUT -s 4.3.2.1 -p tcp --dport 25120:25130 -j ACCEPT
    iptables -I INPUT -s 127.0.0.1 -p tcp --dport 25120:25130 -j ACCEPT
     
  11. Also note:

    You have to enter the DROP all rule first. This will result in all connections being dropped unless you enter it all quickly.
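
Added example, not part of any post in this thread: a POSIX shell function that prints the backend lock-down as one iptables-restore fragment, so the accept and drop rules load in a single transaction instead of being typed one at a time. The chain name BUNGEE_BACKEND is an assumption; the port range and the 1.2.3.4 / 4.3.2.1 placeholders are the ones used in the thread.

```shell
#!/bin/sh
# Added example. CHAIN is a hypothetical name; the port range and the
# 1.2.3.4 / 4.3.2.1 placeholders are the ones used in the thread.
CHAIN=BUNGEE_BACKEND

# Succeeds only for four dot-separated decimal octets, each 0-255.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# usage: backend_rules PORT_LO PORT_HI [PROXY_IP...]
# Prints an iptables-restore fragment, or prints nothing and fails if any
# argument is malformed, so a half-built rule set is never emitted.
backend_rules() {
    [ $# -ge 2 ] || return 1
    lo=$1 hi=$2
    shift 2
    for port in "$lo" "$hi"; do
        case $port in ''|*[!0-9]*) return 1 ;; esac
        [ "${#port}" -le 5 ] && [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    done
    [ "$lo" -le "$hi" ] || return 1
    for ip in "$@"; do
        valid_ipv4 "$ip" || return 1
    done
    printf '%s\n' '*filter' ":$CHAIN - [0:0]"
    # Loopback is always allowed: a proxy on the same host connects from it.
    for ip in 127.0.0.1 "$@"; do
        printf '%s\n' "-A $CHAIN -s $ip -j ACCEPT"
    done
    # Only the one backend range is sent to the chain, so other ports are
    # never evaluated by it. The jump is appended: rules already in INPUT
    # are checked first.
    printf '%s\n' "-A $CHAIN -j DROP" \
        "-A INPUT -p tcp -m tcp --dport $lo:$hi -j $CHAIN" 'COMMIT'
}

# Dry run, then apply in one transaction (needs root; not run here):
#   backend_rules 25120 25130 1.2.3.4 4.3.2.1 | iptables-restore --noflush --test
#   backend_rules 25120 25130 1.2.3.4 4.3.2.1 | iptables-restore --noflush
```

Applying the fragment a second time appends a second jump to INPUT, so remove the earlier jump before re-applying.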
     
  12. For the first command the range is the ports the players will be connecting with?
     
  13. It's a port range you define to run your backend servers on
     
  14. What about the other commands? I don't fully understand what they do.
     
  15. Firstly,

    How many physical servers do you have?

    Do you run all on one host? Or do you have it distributed on several physical servers?
     
  16. We are running it all on one server
     

  17. Josh did as you said to do, now we can't access our server via SSH (Putty) or SFTP (WinSCP)

    So..?
     
  18. These commands won't affect those ports.

    If you messed up, just flush the tables with 'iptables --flush'
     

  19. We can't, we cannot get into the console...
     
  20. You'll have to boot rescue mode and purge the rules that way. I assure you the commands I gave do not block those protocols. They do not use ports 25120-25130.