So i’ve been hosting a modded Minecraft server for my friends and me on weekends. While it’s been a blast, I’ve noticed that our current setup using LAN has its limitations. My friends have been eagerly waiting for their next “fix” (i.e., when they can get back online), and I’ve been replying with a consistent answer: this Friday.

However, exploring cloud providers to spin up a replica of my beloved “Dog Town” Server was a costly endeavor, at least for a setup that’s close to my current configuration. As a result, I’ve turned my attention to self-hosting a Minecraft server on my local network and configuring port forwarding.

To harden my server, I’ve implemented the following measures:

  1. Added ufw (Uncomplicated Firewall) for enhanced security.
  2. Blocked all SSH connections except for the IP addresses of my main PC and LAN rig.
  3. Enabled SSH public key authentication only.
  4. Rebuilt all packages using a hardened GCC compiler.
  5. Disabled root access via /etc/passwd.
  6. Created two users: one with sudo privileges, allowing full access; the other with limited permissions to run a specific script (./run.sh) for starting the server.

Additionally, I’ve set up a fcron job (a job scheduler) as disabled root, which synchronizes my Minecraft server with four folders at the following intervals: 1 hour, 30 minutes, 10 minutes, and 1 day. This ensures that any mods we use are properly synced in case of issues.

any suggestions of making the computer any more secure, aswell as backup solutions? thanks!

–added note, what hostnames do you guys call your servers? I used my favorite band albums and singles for hostnames.

25 points

If you wanted to go overboard, don’t even make the server accessible publicly. Distribute keys to a Wireguard network that is accessible publicly. Mandate your players obtain keys from you to play.

permalink
report
reply
9 points

Even faster – tailscale. For a cheeky way to play with your friends make a burner account with a shared login to get on the same tailnet for free. On the endpoints, turn off tailscale-ssh and any of their other “features” you don’t need.

permalink
report
parent
reply
24 points

IMO the biggest attack vector there would be a Minecraft exploit like log4j, so the most important part to me would make sure the game server is properly sandboxed just in case. Start from a point of view of, the attacker breached Minecraft and has shell access to that user. What can they do from there? Ideally, nothing useful other than maybe running a crypto miner. Don’t reuse passwords obviously.

With systemd, I’d use the various Protect* directives like ProtectHome, ProtectSystem=full, or failing that, a container (Docker, Podman, LXC, manually, there’s options). Just a bare Alpine container with Java would be pretty ideal, as you can’t exploit sudo or some other SUID binaries if they don’t exist in the first place.

That said the WireGuard solution is ideal because it limits potential attackers to people you handed a key, so at least you’d know who breached you.

I’ve fogotten Minecraft servers online and really nothing happened whatsoever.

permalink
report
reply
-34 points

Log4j is a Java logging library lolz

permalink
report
parent
reply
32 points

Yeah, that didn’t stop it from pwning a good chunk of the Internet: https://en.wikipedia.org/wiki/Log4Shell

permalink
report
parent
reply
-16 points

That is an exploit OF log4j. Just pointing out the difference.

permalink
report
parent
reply
6 points

Fellow Gentoo user! Kudos.

permalink
report
reply
6 points

Have you tried using an audit tool? Check out https://cisofy.com/lynis/

permalink
report
reply
6 points
*

Is this machine sitting in your LAN, or on its own firewalled off network with a DMZ? No matter how secure it is, you don’t want it on the same network as the machine you do your taxes on.

A good poor mans option is to get a pfsense box with 3 NIC’s. One for WAN, one for LAN, and one for the machine you publicly host with.

Setup firewall rules so that LAN can reach the MC host on needed ports, but not the other way around.

permalink
report
reply
1 point
*

Currently the plan is to use my 48 port cisco switch and put the server on a separate vlan. I assume that is very similar to your pfsense solution? Please correct me if im wrong

permalink
report
parent
reply
4 points
*

You’re adding attack surface by keeping them separated only by vlan. VLAN hopping exploits exist, especially in older firmware, ESPECIALLY on EoL units.

Pfsense is a proper router/firewall built on one of the most hardened networking stacks on the planet. Plus it catches regular software updates, no matter how old your hardware is. You can run it on an old PC with a cheap quad gigabit nic card from eBay if you’d like.

If I might ask, what do you have handling your inter-vlan routing/firewall? Is it the same box you use to handle the firewall/routing between your WAN and LAN?

permalink
report
parent
reply
1 point
*

also follow up question, alot of people are saying to make the mine-craft server run in a vm for host isolation. So what if i spun up 2vm’s

#1 would be a virtualized instance of pf sense, i would then have ethernet 1 on dogtown give internet to the base gentoo install, then have a Ethernet 2 go into PF sense, which will then have firewall rules to restrict access to the vm minecraft server. would that work? or is there somthing im misisng?

Diagram added

permalink
report
parent
reply
1 point

currently my setup is a dsl modem that goes, to my router/WAP which is a eero, that i plan to eventually replace with a Banna pi R4 which will run openwrt. but as of now the eero goes to my 48 port in my server room, and i have all my computer jacked into that. so to answer your question, my firewall is handled by my router and individual local rules by my machines. im kinda new to self hosting and port forwarding and pfsense looks pretty useful. i know pfsense is based on freebsd so is that a big plus vs openwrt?

please let me know, what some potential solutions could be.

permalink
report
parent
reply

Selfhosted

!selfhosted@lemmy.world

Create post

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don’t control.

Rules:

  1. Be civil: we’re here to support and learn from one another. Insults won’t be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it’s not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don’t duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

Community stats

  • 3.7K

    Monthly active users

  • 2K

    Posts

  • 23K

    Comments