-1

I'm new to Linux/Ubuntu and I'm setting up a Minecraft server to play with friends online. However, I want to ensure my computer isn't exposed to potential security risks. Currently, I've followed these steps on my freshly installed Ubuntu 22.04:

$ sudo ufw allow OpenSSH
$ sudo ufw allow 25565
$ sudo ufw enable

I understand that allowing port 25565 is necessary for others to connect, but I'm concerned about security. Does this configuration leave my system vulnerable to malicious access, and how can I enhance its security?

Thank you!

stumblebee
  • 4,379

3 Answers

1

I have run Minecraft servers for years.

Before fretting about the firewall...

  • Whitelist your players to keep random vandals from joining.
  • Run the Minecraft server application from a user (non-sudo, non-root) account, so if compromised the damage will be limited.
  • SSH or individual accounts are not required by Minecraft players. Don't create them. If you use SSH to administer remotely, then use only key-based authentication (never mere passwords).
  • Use systemd properly to start, autostart, and stop the server securely and reliably. Don't haywire starting and stopping the server.
  • Regularly stop the server and back up your world file to a different machine, so a vandal or crash won't lose years of creation.
  • Use sudo ss -tulpn to see every application on your server that is listening on a port. Uninstall the applications you don't use. Ask about the applications you don't recognize.
  • Learn how to read your Minecraft logs and your system logs.

Now you are ready to set the firewall.

On a stock install of Ubuntu, there are a couple of listening services, but none of them are vulnerable. That's why the default firewall setting is Accept for all packets. And that's why the firewall is the least important step.

So set the firewall any way you like to keep any packets in or out that you wish...but do everything else first because the firewall won't protect you at all if you didn't set up a whitelist or key-based SSH authentication.

user535733
  • 68,493
0

If you know the IP addresses of your friends (or IP address ranges), you can open up port 25565 but only to a certain range. If your friends have a static IP address then you would allow that single IP address (one for each of them). If they don't have a static one, then you will have to allow a range; they can ask their Internet Service Provider for the range.

See a page like this for an explanation of the command. See the section "Allow Incoming SSH from Specific IP Address or Subnet". Something like this:

sudo ufw allow from 203.0.113.0/24 proto tcp to any port 25565

Either way, once you open your computer to the world, there will be some risk of incoming traffic. You just need to accept it and, besides setting up a firewall, you might want to back up, etc.

I don't play Minecraft -- I guess what it uses is port 25565. Why are you opening OpenSSH, too? Does Minecraft need it as well? If it doesn't need it, close it or limit the IP addresses that can connect to it. You can also change the default port for SSH. See the discussion here. Note that changing the port just fools the people who will try port 22. An open port is still an open port.

Ray
  • 2,200
0

If you want to protect your server, limit access to ports that are open to the Internet. Otherwise it will be a bargain for snoopers.

  1. If you want to configure a remote server, limit access to port 22 (best to authenticate via authorized key) https://www.digitalocean.com/community/tutorials/how-to-configure-ssh-key-based-authentication-on-a-linux-server

  2. Limit access to port 25565. Because your IP address is dynamic, I think allowing by IP is not feasible. It requires you to configure it before each play. I suggest building an OpenVPN server, allowing the VPN address on the server to port 25565, then connecting to the VPN so you can play safely. https://www.digitalocean.com/community/tutorials/how-to-set-up-and-configure-an-openvpn-server-on-ubuntu-20-04