I just setup a minecraft server on an old laptop, but to make it acessible i needed to open up a port. Currently, these are the ufw rules i have. when my friends want to connect, i will have them find their public ip and ill whilelist only them. is this secure enough? thanks
`Status: active
To Action From
22/tcp ALLOW Anywhere Anywhere ALLOW my.pcs.local.ip`
also, minecraft is installed under a separate user, without root privlege
Why is port 22 open? Is this on your router as well or just the server?
This is SSH, which you should pretty much never have open (to the internet! Local is fine) MC is by default 25565. You will have every bot on the internet probing that port.
ssh is local only. so I should change all ports from default then huh
Your ssh rule says it’s from anywhere. You want to change port 22 to 25565, and run /op username on your Minecraft server to whitelist your friends. Make sure your whitelist flag is turned on with your server config.
Instead of allowing traffic over your port from anywhere, you can specify your friend’s external IP.
You can test it out by running ‘telnet <ip> <port>’ to check if the port is open. This is best done from another network.
Having SSH open to the internet is normal. Don’t use password authentication with weak passwords.
Normal for who? I wouldn’t expose SSH on 22 to the internet unless you have someone whose full time job is monitoring it for security and keeping it up to date. There are a whole lotta downsides and virtually no upsides given that more secure alternatives have almost zero overhead.
Shodan reports that 35,780,216 hosts have SSH exposed to the internet.
Moving SSH to ports other than 22 is not security. The bots trying port 22 on random addresses with random passwords don’t have a chance of getting in unless you’re using password authentication with weak passwords or your SSH is very old.
SSH security updates are very infrequent and it takes practically no effort to keep SSH up to date. If you’re using a stable distribution, just enable automatic security updates.
Moving to another port isn’t a bad idea though. It gives you cleaner logs which is nice.
Not for people who are asking questions about port forwarding
If you have ssh open to the world then it’s better to disable root logins entirely and also disable passwords, relying on ssh keys instead.
For public facing only use key based authentication. Passwords have too much risk associated for public facing ssh
yeah no I should have considered that. didn’t lick the most secure password. will change when I get home
Don’t use passwords for public SSH in the first place. Disable password authentication and use pubkeys.
And disable ssh to root. Hell, just disable root login altogether and use sudo.