
Is running a public minecraft server a security threat?

So I'm going to start hosting a Minecraft server publicly but only sharing the address with my close friends. According to my dad who is a network admin at his work, it would be a security risk for my home network if I didn't make it so only whitelisted players could join. Is running it without a whitelist really a risk and could hackers actually find the address to the server and use it to access his whole server network?

-Parts-

Core i7 8086k 4.0GHz (4.6GHz OC) - ASUS z390 ROG Maximus XI code - Corsair H115i - 16GB (2 x 8GB) G.SKILL Trident Z RGB 3600MHz - Windforce GTX 1050Ti - Corsair HX750i - Corsair Obsidian 500D RGB SE

 

-Upgrades when I get the money-

Undecided on the GPU - ASUS ROG PG278QR 1440p 144Hz (165Hz OC)


There are bots constantly scanning IP addresses for open ports. I get alerts on our routers at work for suspected scans and it's north of 500+ scans per week. Unless you really know how to properly harden the server and network, I wouldn't recommend self hosting without a whitelist.

[Out-of-date] Want to learn how to make your own custom Windows 10 image?

 

Desktop: AMD R9 3900X | ASUS ROG Strix X570-F | Radeon RX 5700 XT | EVGA GTX 1080 SC | 32GB Trident Z Neo 3600MHz | 1TB 970 EVO | 256GB 840 EVO | 960GB Corsair Force LE | EVGA G2 850W | Phanteks P400S

Laptop: Intel M-5Y10c | Intel HD Graphics | 8GB RAM | 250GB Micron SSD | Asus UX305FA

Server 01: Intel Xeon D 1541 | ASRock Rack D1541D4I-2L2T | 32GB Hynix ECC DDR4 | 4x8TB Western Digital HDDs | 32TB Raw 16TB Usable

Server 02: Intel i7 7700K | Gigabyte Z170N Gaming5 | 16GB Trident Z 3200MHz


@RushFan

Yes and No. It comes down to how you are configuring the device that is running the server. If you make sure to ONLY allow the required ports in your router as well as the machine that is hosting the server then in most cases you should be fine. I mean technically any open port can be a point of entry, but it comes down to minecraft rejecting or resetting connections that are not transmitting what it is looking for (game related information).

 

Now in reality if someone wants in to your network enough they can get in... this is even more true on a consumer connection using consumer grade equipment. In reality the risk is very low as long as you configure your setup properly. There isn't much financial motivation to hit your little minecraft server or the machines on your personal network. It would mostly just be script kiddies wanting to cause problems, but unless you are a big minecraft server that isn't a realistic worry either.

 

So I do not think whitelisting is necessary. The worst thing you have to worry about is someone hacking in the actual game or destroying/trolling your server. Even then you can just ban them and worst case restart your server. If you take backups though you can even mitigate that risk to an acceptable level.

 

Tell your dad to explain what he thinks the actual threats are. Then you and him can evaluate those items and determine what should be mitigated and which are acceptable risks to allow.


Yes, it's a risk. You have to open ports on the firewall and forward them to a local IP. Minecraft is so well known now that the ports will likely be ones relatively frequently attacked. 

 

Using it to access the rest of the network isn't very likely, though, provided you keep your OS up to date with the latest security updates.

 

A way to secure it a little more is to not use the default ports for the Minecraft server. Use a high port number that's not commonly used for something else (something like 18453, for example).


2 minutes ago, 2FA said:

There are bots constantly scanning IP addresses for open ports. I get alerts on our routers at work for suspected scans and it's north of 500+ scans per week. Unless you really know how to properly harden the server and network, I wouldn't recommend self hosting without a whitelist.

Those scans are normal probing behavior and they are normally targeting companies. They don't normally worry about home networks because the reward potential is very low. Even still you can disable ICMP responses on your router which will help some. You also have to remember that any service that is using an internet connection is opening a port. In those cases it just comes down to how that service handles random responses. In most cases they can just crash that service, it is pretty rare for them to gain a foothold on your machine outside of a big security flaw that hasn't been patched.

 

4 minutes ago, Oshino Shinobu said:

Yes, it's a risk. You have to open ports on the firewall and forward them to a local IP. Minecraft is so well known now that the ports will likely be ones relatively frequently attacked. 

 

Using it to access the rest of the network isn't very likely, though, provided you keep your OS up to date with the latest security updates.

 

A way to secure it a little more is to not use the default ports for the Minecraft server. Use a high port number that's not commonly used for something else (something like 18453, for example).

What you are referring to is known as security through obscurity. It does add an additional level of security, but again if someone is determined to get in and wants to do a full port scan with macros then they can detect those ports as well as identify what service or software is running on that port. Either way this again comes down to how bad they want to gain access and going after a home connection is pretty rare.

 

Me personally I would grab a Raspberry Pi 4 with 4GB of RAM and use it to host my minecraft server. Block every port except those needed for minecraft and also make sure your router is likewise configured. Also... please don't follow some guide that has you creating a user account named minecraft with some easy password. Have your dad help you set up a user account just for minecraft with a good password. Make sure to keep your OS and server up to date and you should be fine.


Just now, AngryBeaver said:

What you are referring to is known as security through obscurity. It does add an additional level of security, but again if someone is determined to get in and wants to do a full port scan with macros then they can detect those ports as well as identify what service or software is running on that port. Either way this again comes down to how bad they want to gain access and going after a home connection is pretty rare.

True, but it doesn't hurt. Regardless of what you do, if someone really wants to get in, with the skills required, they will. 

 

Minecraft is one of the most commonly hosted servers by general players, so I'd expect the ports for it to be more likely to be targeted. Going for obscurity along with standard security practices, it shouldn't be a risk as far as attacks that target loads of networks using common ports go.


1 hour ago, AngryBeaver said:

Also... please don't follow some guide that has you creating a user account named minecraft with some easy password. Have your dad help you set up a user account just for minecraft with a good password. Make sure to keep your OS and server up to date and you should be fine.

I'm not brand new by any means at system admin and running servers, so I get that.

I just wanted to see if he was being too paranoid or I was being too reckless.


1 hour ago, Oshino Shinobu said:

True, but it doesn't hurt. Regardless of what you do, if someone really wants to get in, with the skills required, they will. 

Why would anyone target a server designed for a group of friends?


Wouldn't they be able to at least make a connection no matter what their whitelist status was? That was my dad's main concern


Just now, RushFan said:

Why would anyone target a server designed for a group of friends?

Doubt anyone would target you specifically. Just that moving to an obscure port lowers the chances of an attack that's not specifically targeted. 


Just now, Oshino Shinobu said:

Doubt anyone would target you specifically. Just that moving to an obscure port lowers the chances of an attack that's not specifically targeted. 

Okay, I'll try and find some really obscure and unused port when setting it up properly.


Just now, RushFan said:

Okay, I'll try and find some really obscure and unused port when setting it up properly.

Well known ports generally end at 1023, but there are still some that go over this. Things like 3389 for RDP and 8530/8531 for WSUS for example. 

 

Generally, I'd suggest a port from 20000 to 65535. Just pick a random one and check to see if you can find anything that uses it. 


1 hour ago, RushFan said:

Wouldn't they be able to at least make a connection no matter what their whitelist status was? That was my dad's main concern

Do you mean to your minecraft server? I mean what is the maximum risk of that? They troll the server and you have to roll back or wipe.

 

If connecting is your main concern then just password it. Share that with your friends and you are set.

 

If you are worried about them connecting to your computer via that port then unless there is a big vulnerability with minecraft it should deny or reset those connections. Yes, a dedicated actor could probably figure something out if given the time and desire, but again they don't have enough to gain for that possibility.

 

Your dad is just being much more paranoid than he should. Running a properly configured minecraft server has a very low risk... and of those risks the potential loss is just related to saved data for minecraft. The risks outside of that scope are unrealistic and trying to mitigate all of them would be more expensive than the total cost of a full breach.

 

I am not just talking either. I do this for a living. I am currently working for a company that is in the Fortune 10 list and has over 1.4 million end points to protect.


18 hours ago, AngryBeaver said:

Do you mean to your minecraft server? I mean what is the maximum risk of that? They troll the server and you have to roll back or wipe.

I mean to the minecraft server cause they have to connect to it to see if they're whitelisted.

 


Just now, RushFan said:

I mean to the minecraft server cause they have to connect to it to see if they're whitelisted.

 

Then a whitelist would solve most of your problems given you lock down the other aspects of the router and machine.

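The whitelist and port choices debated in this thread are set in the Java Edition server's `server.properties` file. The following is an added example, not part of any post above: a small audit that reads that file and reports the settings that widen exposure. It goes slightly beyond the thread by also checking `enforce-whitelist`, `online-mode` and `enable-rcon`; the sample file contents are constructed for illustration.

```python
DEFAULT_PORT = 25565  # default Java Edition listening port

# Constructed sample file for illustration; not taken from the thread.
SAMPLE = """\
#Minecraft server properties
server-port=25565
white-list=false
enforce-whitelist=false
online-mode=true
enable-rcon=true
"""


def parse_properties(text):
    """Parse key=value lines, skipping blanks and '#' / '!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def audit(props):
    """Return (key, finding) pairs for settings that widen exposure."""
    def on(key, default):
        # Missing keys fall back to the server's documented default.
        return props.get(key, default).lower() == "true"

    findings = []
    if not on("white-list", "false"):
        findings.append(("white-list", "anyone who reaches the port can join"))
    elif not on("enforce-whitelist", "false"):
        findings.append(("enforce-whitelist",
                         "players dropped from the list stay connected after a reload"))
    if not on("online-mode", "true"):
        findings.append(("online-mode",
                         "player names are not verified, which weakens a name-based whitelist"))
    if int(props.get("server-port", DEFAULT_PORT)) == DEFAULT_PORT:
        findings.append(("server-port", "default port (the thread suggests changing it)"))
    if on("enable-rcon", "false"):
        findings.append(("enable-rcon", "remote console enabled; do not forward its port"))
    return findings


if __name__ == "__main__":
    for key, finding in audit(parse_properties(SAMPLE)):
        print(f"{key}: {finding}")
```

To check a real server, pass the contents of its own `server.properties` to `parse_properties` instead of `SAMPLE`.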
