Starting Public Server
The title says about half of what I'm asking here. I am looking to start a Minecraft server that is going to be open to the public, I have dealt with larger private servers before so I am not too worried about traffic volume, but I am more worried about cheats, exploits, attacks, etc. I'm sure you all know what I'm talking about. does anyone have any advice for how to combat some of this.
Currently I know/think:
- Use a reverse proxy
- I am looking at FlameCord for added security, as well as ExploitFixer by the same dev (both paid)
- I am thinking of using a discord server as a proxy between being invited to and then whitelisted on the server (i.e. you have to be in the discord to get whitelisted on the minecraft server.
Does anyone have any further advice that is different from what I've listed above. If anything I said doesn't make sense please tell me why I'm wrong, I want to do this the right way.
Thanks in advance
TLDR: I need advice on how to keep my public minecraft server network secure.
Solution:Jump to solution
They "protect" against ddos by dropping bot ips with iptables, it really only lowers a bit the load on the cpu, if you get a 2gbps flood and your connection is 1gbps theres nothing it can do.
Still id take velocity + limbofilter or at least xCord/NullCordX over flamecord if you care about security...
99 Replies
Oh also if it wasn't clear before, feel free to talk me out of doing this too, but I feel like it isn't that unreasonable. Also if you could ping me when you respond that'd be great!
Why use flamecord?
^
Velocity is the best option for proxy software and it's free
I'm currently using velocity. are there not any benefits to flamecord?
not really from what people might answer you
Ok, they claim it can protect you from certain network attacks, is this untrue or is it also something velocity can do?
how would they block you from network attacks?
they arent a ddos protection service
it says they are on their website?
are they just straight up lying?
thats a Bold claim
most likely
i wouldnt say best
its Something if they do anything at all
I'm not asking about that
I'm asking about the part at the end where it says they protect against ddos
obvoisly best is always bold
I'm happy to stick with velocity, just trying to understand how it works tbh
yeah no they wouldnt be able to protect against DDOS attacks
thats something you need an actual service like tcp shield or neoprotect
:SCbruh:
gotcha
do you recommend either of those in particular
either of?
oh ddos prots
well depends tbf
if you get a host that alr does ddos protection for you, its fine to not get any
I was gonna... self host... is this a bad idea?
uhhhhh
depends how good ur hardware is
my hardware is fine for my application
what is it?
im purely concerned with security
^ tell specs then we can go from there
there is a certain threshold for a Decent self host vs would be better to buy a host host
I'm not personally willing to pay any money for a host, my hardware has proven to be sufficient, I have a i9-10850k with 80GB RAM
oh yeah thatll do you fine
ok security time
is this ur main pc or a pc you have?
its a PC I have, its only for Minecraft
my old gaming pc
it currently has Debian installed
which debian?
12 i think
neat!
gonna be doing stuff from screens or a local panel instance :im_milk_shrug_idk:
id suggest running ubuntu or debian on said machine so you can start work on security a/e
ssh keys so no one else from outside can access said machine
having ddos protection would also be good. id say neoprotect. cheaper for geyser and its pretty decent
im sure others can tell you more
Alright, cool, thank you! Looking forward to hearing what others have to say
If the pc is local have panel closer
Closed
So only u can access
If u need other to access use cf tunnel
Or cf proxy
If you aren't planning on using dynmap u can prob just use a ddos protection like neoprotect
Then have all your ports closed
dont use dynmap in general :YEP:
True bluemap better
But u get idea
ye
Any map plugin
Security wise just permit traffic from proxy only
Drop any other requests at server
Ideally he doesn't need to allow any traffic
If he uses a ddos prot
And let's it go through that
Then only whitelist ddos protection ips
thanks so much for the advice, I'll keep all that in mind
I mean backend
Conditional port forwarding to only accept traffic from proxy
Ah
Btw, I'm not super familiar with all the terminology, what are you referring to when you say panel, is that the interface I'm using to communicate with the server?
Pterodactyl
Pterodactyl is an open-source game server management panel built with PHP, React, and Go. Designed with security in mind, Pterodactyl runs all game servers in isolated Docker containers while exposing a beautiful and intuitive UI to end users.
Oh yeah, I've heard of pterodactyl, I'm using lodestone atm
ngl tho don't really like it
O just use whatever ur comfortable with
O
I tried pterodactyl before, I just have been experiementing with other stuff
I'll probably go back to it
panel isnt tha critical tbh
yeah
Ive never found the need for myself to go touch the prod server, which kinda negates the point
you guys just made me remember I left the port for lodestone open because I had to leave for a trip and had to rush to get it available, but I have way better ways of doing that now and no need to keep it forwarded
β οΈ do not
Amp worked fine on a local host server
was fun :EZY:
use a vpn
yeah I have a vpn now
tailscale :yeahyupyupyepyepyupmhmyeah:
I just forgot I left that port open
i know people who leaves their rdp opened to the internet and ended up with a compromised network
yeaaahh
so the idea is I open a port to the ddos protection thing, then point that to velocity? or did I miss a step here?
i believe it works like
traffic -> ddos prot -> velocity -> backend
but I dont actually use a ddos prot myself, so not sure where that sits
but velocity def goes to backend
my understanding was also what you said so hopefully we are right
There are anti bot plugins for velocity. A proxy can't do anything for DDOS attacks
do you have any recommendations for anti bot plugins
Solution
They "protect" against ddos by dropping bot ips with iptables, it really only lowers a bit the load on the cpu, if you get a 2gbps flood and your connection is 1gbps theres nothing it can do.
Still id take velocity + limbofilter or at least xCord/NullCordX over flamecord if you care about security
Id recommend getting at least a business line, residentials usually have bad routes/unstable connections and will usually limit packets/s so it may kick players.
And it will most likely cause issues with whatever third party ddos protected reverse proxy provider you use
Limbofilter is definetly the best one for velocity, still if your home connection isnt at least like 2.5G i would recommend having a service with layer7 filtering sit on top
thanks so much for the info
I'll look into limbofilter, I already have Verizon Business 1Gbps internet so it should be okay.
and I decided to go with TCP shield, at least for now
Verizon Business is basically just fast residential
To eliminate any issues i would recommend a dedicated line
My friend uses verizon though and he likes it so it shouldn't be that bad, still
I'm not going to switch at the moment, but if it becomes a real issue I will keep it in mind for the future
Sure just keep in mind they will completely ignore any network issue reported due to you self hosting
You mean they won't provide support for me?
I can prob live with that
is there someone who would?
Nope
Like they do but anything network related they will ignore
Honestly i get them, troubleshooting issues with self hosters is a pain
Still they may abuse that ToS clause a bit
Yeah I get that
but would that be the case with other people like neoprotect?
Im pretty sure Neo also has that ToS clause
makes sense
well I'm still not too worried about it
According to some customers they have even ignored ddos reports and blamed it on self hosting
Are you recommending that I don't use them?
Depends
Are you using the free plan?
Or paying $250
free
for now
Ah then just use tcpshield
alr cool, I have that set up atm
Yeah pretty much for free protection they are the option
Honestly im considering adding that clause too π
completely fair
I noticed that they don't do udp tho
so if I use geyser, should I find a service that does, or is there a better way to secure that?
at least for free
gl finding a free udp service that is anywhere solid
udp is a pain
alr
well maybe if the server grows more I could pay for udp services later
ill just skip the bedrock server for the time being
also I was looking at playit.gg and it says they don't support custom domains for free, what's stopping me from adding a cname record though?
how they do forwarding probably
or its against tos and will get you blocked
even when doing cname to another domain, it will still have your hostname you joined with
I see
alright
I'll stick with tcpshield free for now, if I decide to add geyser later, I'll look into other paid options
Ah
Udp will be expensive anywhere
What's ur budget?
I'm trying to do everything for free at the moment. If I do expand I haven't decided what the budget will be but it won't be super large
I was thinking $200 a year might get me somewhere but I really don't have a number at the moment
Oof thats though
cheapest "reputable" ddos provider with UDP will be at least $360/y
like I said, I don't really know at the moment what I'd be willing to spend but that's good to keep in mind
who would you consider to be reputable?
other than papyrus (I assume)
not that I wouldn't be willing to look into your services
I mean reputable as in "popular/known":
- TCPShield
- Infinity Filter
- NeoProtect
- Cosmic
I miss papyrus 15usd month π’
Not a lot of services would get my "personal seal of approval"
I think it was
#3 PacketsDecreaser/Aurologic (Good for small budgets)
#2 Cloudflare Magic Transit/Spectrum (Not cheap usually)
#1 Making your own
Its impossible to provide our level of service now for that price, we dont even profit off the $30 plans...
I mean I liked it when u didn't have spectrum wasn't it good then or no
I never got ping spikes on papyrus but do all time on noobprotect
Its not just Spectrum
Rips
back on $15 days we ran Path as "Volumetric" provider
obviously now thats absolutely not doable since their network is in shambles
We now have our own network and do most of the filtering;
Ah pains
And as you can guess, thats not as cheap to maintain
Ye
it should still deliver better lantecy then path though
And any problems you can put Spectrum on top