So i’ve been hosting a modded Minecraft server for my friends and me on weekends. While it’s been a blast, I’ve noticed that our current setup using LAN has its limitations. My friends have been eagerly waiting for their next “fix” (i.e., when they can get back online), and I’ve been replying with a consistent answer: this Friday.

However, exploring cloud providers to spin up a replica of my beloved “Dog Town” Server was a costly endeavor, at least for a setup that’s close to my current configuration. As a result, I’ve turned my attention to self-hosting a Minecraft server on my local network and configuring port forwarding.

To harden my server, I’ve implemented the following measures:

  1. Added ufw (Uncomplicated Firewall) for enhanced security.
  2. Blocked all SSH connections except for the IP addresses of my main PC and LAN rig.
  3. Enabled SSH public key authentication only.
  4. Rebuilt all packages using a hardened GCC compiler.
  5. Disabled root access via /etc/passwd.
  6. Created two users: one with sudo privileges, allowing full access; the other with limited permissions to run a specific script (./run.sh) for starting the server.

Additionally, I’ve set up a fcron job (a job scheduler) as disabled root, which synchronizes my Minecraft server with four folders at the following intervals: 1 hour, 30 minutes, 10 minutes, and 1 day. This ensures that any mods we use are properly synced in case of issues.

any suggestions of making the computer any more secure, aswell as backup solutions? thanks!

–added note, what hostnames do you guys call your servers? I used my favorite band albums and singles for hostnames.

25 points

If you wanted to go overboard, don’t even make the server accessible publicly. Distribute keys to a Wireguard network that is accessible publicly. Mandate your players obtain keys from you to play.

permalink
report
reply
9 points

Even faster – tailscale. For a cheeky way to play with your friends make a burner account with a shared login to get on the same tailnet for free. On the endpoints, turn off tailscale-ssh and any of their other “features” you don’t need.

permalink
report
parent
reply
24 points

IMO the biggest attack vector there would be a Minecraft exploit like log4j, so the most important part to me would make sure the game server is properly sandboxed just in case. Start from a point of view of, the attacker breached Minecraft and has shell access to that user. What can they do from there? Ideally, nothing useful other than maybe running a crypto miner. Don’t reuse passwords obviously.

With systemd, I’d use the various Protect* directives like ProtectHome, ProtectSystem=full, or failing that, a container (Docker, Podman, LXC, manually, there’s options). Just a bare Alpine container with Java would be pretty ideal, as you can’t exploit sudo or some other SUID binaries if they don’t exist in the first place.

That said the WireGuard solution is ideal because it limits potential attackers to people you handed a key, so at least you’d know who breached you.

I’ve fogotten Minecraft servers online and really nothing happened whatsoever.

permalink
report
reply
-34 points

Log4j is a Java logging library lolz

permalink
report
parent
reply
32 points

Yeah, that didn’t stop it from pwning a good chunk of the Internet: https://en.wikipedia.org/wiki/Log4Shell

permalink
report
parent
reply
-16 points

That is an exploit OF log4j. Just pointing out the difference.

permalink
report
parent
reply
1 point

Whitelist and an autobackup mod

permalink
report
reply
4 points
*

So the local machine doesn’t really need the firewall; it definitely doesn’t hurt, but your router should be covering this via port forwarding (ipv4) or just straight up firewall rules (ipv6).

You can basically go two routes to reasonable harden the system IMO. You can either just set up a user without administrative privileges and use something like a systemd system level service to start the server as that user and provide control over it from other users … OR … if you’re really paranoid, use a virtual machine and forward the port from the host machine into the VM.

A lot of what you’re doing is … fine stuff to do, but it’s not really going to help much (e.g. building system packages with hardening flags is good, but it only helps if those packages are actually part of the attack surface or rather what’s exposed to the remote users in someway).

Your biggest risk is going to be plugins that aren’t vetted doing bad things (and really only the VM or using the dedicated user account provides an insulation layer there – the VM really only adds protection against privilege escalation which is pretty hard to pull off on a patched system).

My advice for most people:

  • Make a new user on the system to run each game you want to run
  • Run the game using systemd and that user
  • Use something like kopia + the root user’s crontab (easier than systemd timers, but systemd timers also work) to backup the files on disk

For Minecraft in particular, to properly back things up on a busy server you need to disable auto save, manually force save, do the backup and then enable auto save again after your backup. Kopia can issue commands to talk to the server to do that, but you need a plugin that can react to those commands running on the server (or possibly to use the server console via stdin). Realistically though, that’s overkill and you’ll be just fine backing up the files exactly as they are periodically.

Kopia in particular will do well here because of its deduplication of baked up data + chunking algorithm that breaks up files. That has saved me a crazy amount of storage vs other solutions I’ve tried. Kopia level compression isn’t needed because the Minecraft region files themselves are already highly compressed.

permalink
report
reply
6 points
*

You should isolate it. Use Docker or Podman or any container solution to put the server in a container for isolation from the main system. Any external directory outside the container the server won’t write to should be in read only mode.

If the server is only for your friends. Stop exposing your network to the public and instead use VPNs.

permalink
report
reply
4 points

Regarding VPNs, I wish this was an easier way of doing it. Unfortunately it requires all friends to be tech savvy enough to understand why a vpn is necessary.

permalink
report
parent
reply
2 points

Why would they need to understand? Just tell them that it’s needed to play on the server and set it up for them. Whenever they want to play, they can use the VPN.

permalink
report
parent
reply
1 point

Use wg-easy has a dead simple web ui then just send your friends a link to wireguard downloads page and a copy of the their .conf file it has an import button.

I just tell them its the app you need to connect to my network. True enough and I’ve never had anyone have much issues.

permalink
report
parent
reply

Selfhosted

!selfhosted@lemmy.world

Create post

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don’t control.

Rules:

  1. Be civil: we’re here to support and learn from one another. Insults won’t be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it’s not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don’t duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

Community stats

  • 3.7K

    Monthly active users

  • 2K

    Posts

  • 23K

    Comments