I just setup a minecraft server on an old laptop, but to make it acessible i needed to open up a port. Currently, these are the ufw rules i have. when my friends want to connect, i will have them find their public ip and ill whilelist only them. is this secure enough? thanks

`Status: active

To Action From


22/tcp ALLOW Anywhere Anywhere ALLOW my.pcs.local.ip`

also, minecraft is installed under a separate user, without root privlege

  • mark3748@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    26
    arrow-down
    5
    ·
    2 months ago

    Why is port 22 open? Is this on your router as well or just the server?

    This is SSH, which you should pretty much never have open (to the internet! Local is fine) MC is by default 25565. You will have every bot on the internet probing that port.

      • Manifish_Destiny@lemmy.world
        link
        fedilink
        English
        arrow-up
        3
        ·
        2 months ago

        Your ssh rule says it’s from anywhere. You want to change port 22 to 25565, and run /op username on your Minecraft server to whitelist your friends. Make sure your whitelist flag is turned on with your server config.

        Instead of allowing traffic over your port from anywhere, you can specify your friend’s external IP.

        • Manifish_Destiny@lemmy.world
          link
          fedilink
          English
          arrow-up
          3
          ·
          2 months ago

          You can test it out by running ‘telnet <ip> <port>’ to check if the port is open. This is best done from another network.

      • strawberry@kbin.earthOP
        link
        fedilink
        arrow-up
        1
        ·
        2 months ago

        yeah no I should have considered that. didn’t lick the most secure password. will change when I get home

        • 2xsaiko@discuss.tchncs.de
          link
          fedilink
          English
          arrow-up
          17
          ·
          2 months ago

          Don’t use passwords for public SSH in the first place. Disable password authentication and use pubkeys.

          • catloaf@lemm.ee
            link
            fedilink
            English
            arrow-up
            10
            arrow-down
            1
            ·
            2 months ago

            And disable ssh to root. Hell, just disable root login altogether and use sudo.

      • teawrecks@sopuli.xyz
        link
        fedilink
        English
        arrow-up
        10
        arrow-down
        3
        ·
        2 months ago

        Normal for who? I wouldn’t expose SSH on 22 to the internet unless you have someone whose full time job is monitoring it for security and keeping it up to date. There are a whole lotta downsides and virtually no upsides given that more secure alternatives have almost zero overhead.

        • keyez@lemmy.world
          link
          fedilink
          English
          arrow-up
          3
          ·
          2 months ago

          I had it open for a web server for 2.5 years because I was lazy and my IP changed a lot and I traveled and didn’t have a VPN setup and never had any issues as far as I could tell. Disabled password and root auth but was also fine with wiping that server if there were issues. It’s certainly not recommended but isn’t immediately always going to be an issue

          • atzanteol@sh.itjust.works
            link
            fedilink
            English
            arrow-up
            4
            arrow-down
            1
            ·
            2 months ago

            ssh is one of the most secure servers you can run. The tailscale propaganda is crazy in this community.

        • i_am_not_a_robot@discuss.tchncs.de
          link
          fedilink
          English
          arrow-up
          11
          ·
          2 months ago

          Shodan reports that 35,780,216 hosts have SSH exposed to the internet.

          Moving SSH to ports other than 22 is not security. The bots trying port 22 on random addresses with random passwords don’t have a chance of getting in unless you’re using password authentication with weak passwords or your SSH is very old.

          SSH security updates are very infrequent and it takes practically no effort to keep SSH up to date. If you’re using a stable distribution, just enable automatic security updates.

          • lud@lemm.ee
            link
            fedilink
            English
            arrow-up
            5
            arrow-down
            2
            ·
            2 months ago

            Moving to another port isn’t a bad idea though. It gives you cleaner logs which is nice.

          • JustEnoughDucks@feddit.nl
            link
            fedilink
            English
            arrow-up
            3
            arrow-down
            2
            ·
            2 months ago

            To be fair, if something is open by default or very easy to enable without informing about the risks, tons of people will have it exposed without thinking.

            It isn’t that “tons of people do it so it is normal and perfectly fine” but more “people don’t realize.” It also uses some nontrivial amount of resources to process and block those attempts, even if they never have a chance of getting in.

            There is yet a reason I can find to have it forwarded for home use. Need to ssh into a machine to fix it? VPN.

            There are plenty of secure web-based tools to manage your server without a VPN also.

            • i_am_not_a_robot@discuss.tchncs.de
              link
              fedilink
              English
              arrow-up
              6
              ·
              2 months ago

              A large percentage of those hosts with SSH enabled are cloud machines because it’s standard for cloud machines to be only accessible by SSH by default. I’ve never seen a serious security guide that says to set up a VPN and move SSH behind the VPN, although some cloud instances are inherently like this because they’re on a virtual private network managed by the hosting provider for other reasons.

              SSH is much simpler and more universal than a VPN. You can often use SSH port forwarding to access services without configuring a VPN. Recommending everyone to set up a VPN for everything makes networking and remote access much more complicated for new users.

              • JustEnoughDucks@feddit.nl
                link
                fedilink
                English
                arrow-up
                5
                arrow-down
                1
                ·
                2 months ago

                OK that is fair, though that is not self hosted…

                VPS machines are a completely different beast than self hosting. But I guess I only said home use, not specifically self-hosting though we are in a self-hosted community. There are 1000 guides for setting up a VPN on your home network.

      • Trainguyrom@reddthat.com
        link
        fedilink
        English
        arrow-up
        3
        arrow-down
        1
        ·
        2 months ago

        For public facing only use key based authentication. Passwords have too much risk associated for public facing ssh

      • IphtashuFitz@lemmy.world
        link
        fedilink
        English
        arrow-up
        3
        ·
        2 months ago

        If you have ssh open to the world then it’s better to disable root logins entirely and also disable passwords, relying on ssh keys instead.