In this repository I will teach you how to hide your Minecraft server from griefers!
You might be asking, who is this guy and why does he want me to do stuff to my server?!
I am a retired griefer. This might happen if your server is not secure!: Video #1, or this Video #2, or even this! Gif #1, 80k IPS dumped with MD5 encrypted passwords
Now you probably think that I am a bad person and that I am not trustworthy! Well you are wrong! Over 30 people trust me with their server security! If you want to contact some of them on discord:
- Viremox
- tdvne, https://discord.esta.land
- xnajlex, https://discord.gg/tabmc and https://discord.gg/inkmc
Every point flagged with 🟥 Requires a vps/vds/dedicated system. This means that these points wont work if you are using a Minecraft server hosting
1. Reverse TCP Proxy
1.1. Choosing the best reverse proxy
2. UUID Spoofing
2.1. What is UUID Spoofing?
2.2. What are the consequences for ignoring this problem
2.3. On what servers does this design flaw work
2.4. How to block it
2.4.1. External: IPWhitelist
2.4.2. External: BungeeGuard
2.4.3. Using Velocity protection
2.4.4. Firewalling 🟥
3. Hide Bungeecord 🟥
4. Hide Pterodactyl Panel | Any Pterodactyl Fork 🟥
4.1. Blocking IOT Scanners 🟥
4.2. Setting up CloudFlare 🟥
4.3. Configuring WebServer 🟥
4.4. Firewalling 🟥
5. Block ICMP probes 🟥
5.1. Firewalling 🟥
5.2. Editing kernel parameters 🟥
6. Remove vulnerable plugins \
There are plenty of reverse proxies available on the internet, most popular ones are: TCPSHIELD, Infininity Filter and MC SHIELD.
I recommend using NeoProtect, Its very powerful. It also has alot of features like AntiBot, AntiVPN and unlimited traffic! This is probably the best option you could pick. Check their site for more info.
UUID spoofing was first discovered in early 2013, and is now a well-known Bungeecord design flaw - mainly abused to grief servers. This exploit is one of the most used methods to gain administrator privileges on vulnerable Minecraft servers.
Ignoring UUID spoofing will make your server vulnerable and exposed to everyone. This might result in all of your player's ip being leaked, your network getting completly destroyed or even your server being deleted! So you better check if your server is vulnerable ASAP.
This flaw works on every single bungeecord instance (including forks such as flamecord, waterfall) that are connected to Java Edition Servers.
IPWhitelist allows to filter out the connections at specific spigot server for specific IP Addresses https://www.spigotmc.org/resources/ipwhitelist.61/
Configuration is pretty simple, check the spigot page for more info.
Bungeeguard allows to add a "token" system to your spigot and bungee server. https://github.com/lucko/BungeeGuard
Configuration is pretty simple, check the spigot page for more info.
Works the same as BungeeGuard, provided in velocity config. https://docs.papermc.io/velocity/player-information-forwarding
Configuration is pretty simple, check provided page for more info.
Firewalling is possible by using tool such as iptables/ufw on linux servers
This is for more advanced people - if you don't know basic linux commands I recommend sticking to plugins, plugins are good but they dont provide maximum security.
We have 2 tools we can use: IPTables | UFW
UFW Steps:
1. Install ufw with sudo apt-get update && sudo apt-get install ufw
2. Allow ssh connections with sudo ufw allow 22
3. Allow proxy connections with sudo ufw allow 25565
Change 25565
to your proxy port!
IPTables is more advanced (This article would be too long to explain, I manage iptables with ease), so instead of explaining every step I'll link a great spigotmc article
https://www.spigotmc.org/wiki/firewall-guide/#firewalling-with-iptables
Hiding bungeecord can be done by using a reverse proxy from point 1. and firewalling your proxy to their IPs
How to firewall with UFW:
1. Install ufw with sudo apt-get update && sudo apt-get install ufw
2. Allow proxy connections with sudo ufw allow from $IP proto tcp to any port 25565
Change 25565
to your proxy port and $IP to your revere proxy IP (this is different for every provider, contact them for their IPs!)
3. Repeat step 2 with every reverse proxy ip, tcpshield ips: https://tcpshield.com/v4/ (Make sure you also use the subnets aka / and numbers after it)
How to firewall with IPTables:
SoonTM