Sam Erickson

How to Create a Minecraft Server: Hardening the Server

Photo by Sai Kiran Anagani on Unsplash

Now that our server is up and running, we need to harden it, that is, make it more difficult for anyone to gain unauthorized access to it.

There are lots of posts about this online. Here are some of my favorites:

Securing SSHD

I remember the first time I mistakenly connected my Raspberry Pi to the internet with port forwarding enabled on my router. I was hit with thousands of login attempts from random IP addresses within half an hour. One advantage to this is that I was forced to learn about better SSH practices.

Configuring SSHD

We are going to start by editing /etc/ssh/sshd_config.

Once you have that file open you want to uncomment and modify the following lines (I have arranged them by default value first, changed value second):

# Change the default port 22 to an arbitrary number like 2916 (not 22, 80, 8080, etc.)
Port 2916
PermitRootLogin no
PubkeyAuthentication yes

PasswordAuthentication no
PermitEmptyPasswords no

# This makes it so that only login attempts from specific IP
#  addresses can gain access to your server. You can get your
#  public IP address by typing: "whats my ip" into duckduckgo.com
#
# You can always add new ip addresses from the web console in
#   your linode account if you get accidentally locked out.
#
# Note: ListenAddress sets which of the server's own addresses sshd
#  binds to; it does not filter clients. To restrict logins by client
#  address, use AllowUsers with a user@host pattern instead.
#
# For more information on ListenAddress:
#  https://www.cyberciti.biz/tips/howto-openssh-sshd-listen-multiple-ip-address.html
AllowUsers *@<your-public-ip-address>

Creating an SSH Key

Next we need to create an RSA key and add it to the server. On your local machine issue the following command:

ssh-keygen -t rsa -b 4096

Then press enter to save it to the default location, or enter a custom location. I recommend using ~/.ssh/id_rsa for the privileged user and ~/.ssh/minecraft_rsa for the Minecraft user.

Then enter a passphrase. This is another layer of protection in case someone gets hold of your private key. (Note that you can also leave this blank for no passphrase, but it is highly discouraged.)

Copying the SSH Key to the Minecraft Server

We can do this by issuing the following command (note that if you entered a different filename/file location, you need to use them here):

ssh-copy-id -i ~/.ssh/id_rsa <username>@hostip
ssh-copy-id -i ~/.ssh/minecraft_rsa minecraft@hostip

If you do not know your server's username or password (if you are currently using the web terminal) you can copy the key manually using the following steps:

  1. Copy ~/.ssh/minecraft_rsa.pub to clipboard. You can do this in the following ways:
    1. Windows (WSL): cat ~/.ssh/minecraft_rsa.pub | clip.exe
    2. Ubuntu: cat ~/.ssh/minecraft_rsa.pub | xclip -selection clipboard
    3. MacOS: cat ~/.ssh/minecraft_rsa.pub | pbcopy
  2. Create the following file in your text editor of choice: ~/.ssh/authorized_keys (note that this file may already exist)
  3. Append your /home/minecraft/.ssh/minecraft_rsa.pub key to the end of this file
  4. Copy your other user's SSH key to clipboard
  5. Paste that user's key into /home/<username>/.ssh/authorized_keys

Finally, we need to restart the sshd service so that our changes take effect.

sudo systemctl restart sshd
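
A way to check the edited file, ideally before the restart above. This script is an added example, not part of the original post: it reports the value sshd would actually use for each keyword, because sshd keeps the first value it reads. The function names and the sample config are constructed; it assumes whitespace-separated `Keyword value` lines and does not follow Include directives.

```shell
#!/bin/sh
# Added example: audit an sshd_config against the settings chosen above.
# sshd uses the FIRST value it reads for each keyword, so a later
# "PasswordAuthentication no" does nothing if an earlier line says "yes".

# effective_value FILE KEYWORD -> first global value of KEYWORD (lowercased)
effective_value() {
  awk -v key="$2" '
    /^[ \t]*(#|$)/              { next }   # skip comments and blank lines
    tolower($1) == "match"      { exit }   # Match blocks are conditional; stop
    tolower($1) == tolower(key) { print tolower($2); exit }
  ' "$1"
}

# audit_sshd_config FILE -> prints one line per problem, returns their count
audit_sshd_config() {
  fails=0
  while read -r key want; do
    got=$(effective_value "$1" "$key")
    if [ "$got" != "$want" ]; then   # unset counts as a failure: set it explicitly
      echo "FAIL $key: effective value '${got:-unset}', expected '$want'"
      fails=$((fails + 1))
    fi
  done <<'EOF'
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
EOF
  port=$(effective_value "$1" Port)
  if [ "${port:-22}" = 22 ]; then
    echo "FAIL Port: still on the default 22"
    fails=$((fails + 1))
  fi
  return "$fails"
}

# Constructed sample: an early "yes" shadows the hardened line further down.
sample=$(mktemp)
cat > "$sample" <<'EOF'
PasswordAuthentication yes
Port 2916
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
EOF
audit_sshd_config "$sample" || echo "fix the lines above, then re-run"
rm -f "$sample"
```

On the server itself, `sudo sshd -t` validates the file's syntax and `sudo sshd -T` prints the effective settings, including anything pulled in by Include lines.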

Configuring the Firewall

I have found the easiest way to do this is using ufw. We start by enabling the service:

sudo ufw enable

Next we need to set up some default rules:

sudo ufw default deny incoming
sudo ufw default allow outgoing

We also need to allow the port we specified for ssh to be open (remember I chose 2916, you need to replace that with the value you chose):

sudo ufw allow 2916/tcp

Now we need to allow traffic through port 25565 (the default port for Minecraft servers).

sudo ufw allow 25565/tcp

We can check and see all our rules by the following command:

sudo ufw status

Hardening the Network a Step Further

This is a tip I learned while trying to disable ICMP broadcast requests, taken from the Tech Republic article by Jack Wallen that I mentioned at the beginning of this article.

There is a very simple way to prevent source routing of incoming packets (and log all malformed IPs) on your Ubuntu Server. Open a terminal window, issue the command sudo nano /etc/sysctl.conf, and uncomment or add the following lines:

# IP Spoofing protection
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Disable source packet routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0 
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0

# Ignore send redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# Block SYN attacks
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5

# Log Martians
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0 
net.ipv6.conf.default.accept_redirects = 0

# Ignore Directed pings
net.ipv4.icmp_echo_ignore_all = 1

We then reload the settings so that the changes take effect:

sudo sysctl -p
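
To confirm the kernel picked the values up, the script below compares each `key = value` line of a sysctl file with the live entry under /proc/sys. It is an added example, not from the original post or the article it quotes; `sysctl_drift` and the sample tree are constructed, and it assumes key names map to paths by replacing dots with slashes.

```shell
#!/bin/sh
# Added example: compare the values in a sysctl file with what the kernel
# is actually using. ROOT defaults to /proc/sys; the second argument exists
# so the check can be tried against a constructed directory tree.
sysctl_drift() {
  root=${2:-/proc/sys}
  drift=0
  while IFS= read -r line; do
    line=$(printf '%s' "$line" | tr -d ' \t')        # "a.b = 1 " -> "a.b=1"
    case $line in ''|'#'*|';'*) continue ;; esac     # blank or comment
    key=${line%%=*}
    want=${line#*=}
    path=$root/$(printf '%s' "$key" | tr . /)        # a.b.c -> a/b/c
    if [ ! -r "$path" ]; then
      echo "MISSING $key (no readable entry under $root)"
      drift=$((drift + 1))
      continue
    fi
    have=$(tr -d ' \t\n' < "$path")
    if [ "$have" != "$want" ]; then
      echo "DRIFT   $key: file says $want, kernel has $have"
      drift=$((drift + 1))
    fi
  done < "$1"
  return "$drift"
}

# Constructed sample: a fake /proc/sys where SYN cookies are still off
# and the IPv6 keys do not exist (as on a host with IPv6 disabled).
demo=$(mktemp -d)
mkdir -p "$demo/proc/net/ipv4/conf/all"
echo 1 > "$demo/proc/net/ipv4/conf/all/rp_filter"
echo 0 > "$demo/proc/net/ipv4/tcp_syncookies"
cat > "$demo/sysctl.conf" <<'EOF'
# IP Spoofing protection
net.ipv4.conf.all.rp_filter = 1
net.ipv4.tcp_syncookies = 1
net.ipv6.conf.all.accept_redirects = 0
EOF
sysctl_drift "$demo/sysctl.conf" "$demo/proc" || echo "$? setting(s) differ"
rm -rf "$demo"
```

On the server, run it as `sysctl_drift /etc/sysctl.conf` to check against the real /proc/sys.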

Setting Up the SSH Config On Our Local Machine

To make it easier to copy files and to access the server, we will be creating entries in our local machine's SSH config (~/.ssh/config). Open that file in your favorite text editor and insert the following:

Host            linode
Hostname        <linode-server-ip>
Port            2916
User            <username>

Host            minecraft
Hostname        <linode-server-ip>
IdentityFile    ~/.ssh/minecraft_rsa
Port            2916
User            minecraft

Now when we want to login to our server via ssh we can use:

ssh linode

or

ssh minecraft

This also makes copying files a lot easier. More on that later.

If you have any suggestions or comments on how I could do this better, please leave them down below!

Discussion (1)

Aubalaca • Edited

Ohh nice, actually really useful post dude. I like it. I tried once to create a server for Minecraft, however I guess I have done something wrong so the server has worked less than 2 months and then it just went down, now I will be looking forward to try it again. Also about the server hosting, it is really interesting and really useful thing for a lot of people. I do remember someone told me about a server hosting service, I guess it was about ggservers.com, as the best hosting, what do you know about them?