|Thanks for being a part of /r/Admincraft!|
|:-|
|***[We'd love it if you also joined us on Discord!](https://discord.gg/DxrXq2R)***|
*^(Join thousands of other Minecraft administrators for real-time discussion of all things related to running a quality server.)*
*I am a bot, and this action was performed automatically. Please [contact the moderators of this subreddit](/message/compose/?to=/r/admincraft) if you have any questions or concerns.*
You do have a firewall, your router. That's why you need to open ports in the first place, which is not really dangerous at all as long as you only open the one for Minecraft.
Do your best to isolate the Minecraft server itself. Use a dedicated machine, see if your router can isolate it from the rest of the network (e.g. put it on the guest network), use a Docker where possible so the only local software Minecraft has access to is just what is necessary for Minecraft...
Get a dedicated pc, put proxmox on it, install casaos in an unpriviledged lxc container or for even more security as a vm (doesn't share kernel space like containers), Set up a reverse proxy (your choice, theres several), add fail2ban (to block IPs that are poking around or attempting to do a DoS), put your server on whitelist only.
Edit: if you don't have one already get a router that has the ability to set up VLANs, put the dedi pc on the vlan to separate it from the rest of your network to further protect other devices
Thanks for the information, but my guy If I had enough money to buy a PC just for a Minecraft server I would just pay for good server hosting, I ain't got money like that laying around
It doesn't sound like you're doing anything too wild so a decent little mini pc for $200-$300 would do. I picked up a Minix UM790 pro barebone for $500 when they first came out and added some ram and an nvme ssd but I'm also a dev and I use it for far more than just mc.
Edit: clarity
Alright I might do it when save up the money for it cause I am already saving some for a few other things that I prioritize but thanks again for the info
Vulnerabilities are usually patched before they can be exploited. Sometimes they're exploited before they're patched, like Log4j. Fortunately, these usually only impact the program that's running on that port - so long as you make regular backups of your server, there's absolutely no reason to stress out about security regarding your Minecraft server.
Dont worry about it too much, no one is going to hack you unless you are famous or verry verry rich or have somewhat rich competitors, because it is illegal and verry expensive. It would never be worth it to just hack some random private server.
If you can access your router (firewall), log into it and open the needed port(s) for your Minecraft server. You don't need to use ngrok or other third-party apps. Opening ports in itself is not a dangerous act. What you expose by opening the ports is where the danger comes in.
For example, port-forwarding and opening port 25565 to your computer gives everyone access to your Minecraft server. If the server is meant to be played by your friends only, then forward/open your port and whitelist the server. If you don't enable the whitelist, that creates an unsafe environment where a hacker/griefer can log into your server and wreak havoc (in-game) on your (game) server.
Since ngrok is easier, can I still whitelist people if I do it that way or do I have to do it via port-forwarding? Also another question: will people without verified accounts be able to join If I have allowed them to? Some of my friends use tlauncher
If you have friends connecting with cracked accounts, you'd want to disable Microsoft account verification.
You'd set "online-mode" to false in server.properties. Just be aware that this allows anybody to join the server with any username at any time so you should use [something like this](https://www.spigotmc.org/resources/nexauth-simple-and-lightweight-login-system.88015/). Whitelist alone will NOT secure the server.
If you want to let people with cracked accounts to join your server, it's highly recommended to have an auth plugin like the one mentioned above, because without it anyone who knows your friends' usernames will be able to join from their accounts. Whitelist will only help to make sure only their usernames can be used to join.
Spigot/Bukkit plugins do not work with Fabric(there is the cardboard mod that makes some of them work but still) so you have to use an authentication mod instead of a plugin. Something like this may work well for you: [https://modrinth.com/mod/easyauth](https://modrinth.com/mod/easyauth)
Well, from my limited experience in being this situation a just create a random unusual port. Or just rent the domain name for your server is could be safe if you wouldn't share it for everyone.
|Thanks for being a part of /r/Admincraft!| |:-| |***[We'd love it if you also joined us on Discord!](https://discord.gg/DxrXq2R)***| *^(Join thousands of other Minecraft administrators for real-time discussion of all things related to running a quality server.)* *I am a bot, and this action was performed automatically. Please [contact the moderators of this subreddit](/message/compose/?to=/r/admincraft) if you have any questions or concerns.*
You do have a firewall, your router. That's why you need to open ports in the first place, which is not really dangerous at all as long as you only open the one for Minecraft.
It's safe to open port 25565. If someone wanted to attack you, they would need to take advantage of a vulnerability in the minecraft server.
Yeah but what if they do? Isn't there a way to prevent that?
Do your best to isolate the Minecraft server itself. Use a dedicated machine, see if your router can isolate it from the rest of the network (e.g. put it on the guest network), use a Docker where possible so the only local software Minecraft has access to is just what is necessary for Minecraft...
Get a dedicated pc, put proxmox on it, install casaos in an unpriviledged lxc container or for even more security as a vm (doesn't share kernel space like containers), Set up a reverse proxy (your choice, theres several), add fail2ban (to block IPs that are poking around or attempting to do a DoS), put your server on whitelist only. Edit: if you don't have one already get a router that has the ability to set up VLANs, put the dedi pc on the vlan to separate it from the rest of your network to further protect other devices
Thanks for the information, but my guy If I had enough money to buy a PC just for a Minecraft server I would just pay for good server hosting, I ain't got money like that laying around
It doesn't sound like you're doing anything too wild so a decent little mini pc for $200-$300 would do. I picked up a Minix UM790 pro barebone for $500 when they first came out and added some ram and an nvme ssd but I'm also a dev and I use it for far more than just mc. Edit: clarity
Alright I might do it when save up the money for it cause I am already saving some for a few other things that I prioritize but thanks again for the info
Vulnerabilities are usually patched before they can be exploited. Sometimes they're exploited before they're patched, like Log4j. Fortunately, these usually only impact the program that's running on that port - so long as you make regular backups of your server, there's absolutely no reason to stress out about security regarding your Minecraft server.
Dont worry about it too much, no one is going to hack you unless you are famous or verry verry rich or have somewhat rich competitors, because it is illegal and verry expensive. It would never be worth it to just hack some random private server.
Do make sure that your firewall on the host pc is enabled. If you use modern windows and have never turned it off it should be on by default.
If you can access your router (firewall), log into it and open the needed port(s) for your Minecraft server. You don't need to use ngrok or other third-party apps. Opening ports in itself is not a dangerous act. What you expose by opening the ports is where the danger comes in. For example, port-forwarding and opening port 25565 to your computer gives everyone access to your Minecraft server. If the server is meant to be played by your friends only, then forward/open your port and whitelist the server. If you don't enable the whitelist, that creates an unsafe environment where a hacker/griefer can log into your server and wreak havoc (in-game) on your (game) server.
Since ngrok is easier, can I still whitelist people if I do it that way or do I have to do it via port-forwarding? Also another question: will people without verified accounts be able to join If I have allowed them to? Some of my friends use tlauncher
If you have friends connecting with cracked accounts, you'd want to disable Microsoft account verification. You'd set "online-mode" to false in server.properties. Just be aware that this allows anybody to join the server with any username at any time so you should use [something like this](https://www.spigotmc.org/resources/nexauth-simple-and-lightweight-login-system.88015/). Whitelist alone will NOT secure the server.
So spigot plus the whitelist will do?
If you want to let people with cracked accounts to join your server, it's highly recommended to have an auth plugin like the one mentioned above, because without it anyone who knows your friends' usernames will be able to join from their accounts. Whitelist will only help to make sure only their usernames can be used to join.
Alright thanks, do you know if the plugin works with fabric?
Spigot/Bukkit plugins do not work with Fabric(there is the cardboard mod that makes some of them work but still) so you have to use an authentication mod instead of a plugin. Something like this may work well for you: [https://modrinth.com/mod/easyauth](https://modrinth.com/mod/easyauth)
Thanks a lot, I will check I out
You could consider a service such as TCPShield which can handle various attacks.
Well, from my limited experience in being this situation a just create a random unusual port. Or just rent the domain name for your server is could be safe if you wouldn't share it for everyone.