A tutorial on how to hide your Minecraft server and secure it properly against hackers/griefers

TypicalModMaker/protect-your-minecraft-network

How to hide your bungeecord properly

In this repository I will teach you how to hide your Minecraft server from griefers!
You might be asking, who is this guy and why does he want me to do stuff to my server?!
I am a retired griefer. This might happen if your server is not secure: Video #1, or this: Video #2, or even this: Gif #1, 80k IPs dumped with MD5 encrypted passwords

Now you probably think that I am a bad person and that I am not trustworthy! Well, you are wrong! Over 30 people trust me with their server security! If you want to contact some of them on Discord:

  1. Viremox
  2. tdvne, https://discord.esta.land
  3. xnajlex, https://discord.gg/tabmc and https://discord.gg/inkmc

⚠️WARNING⚠️
Every point flagged with 🟥 requires a VPS/VDS/dedicated system. This means that these points won't work if you are using a Minecraft server hosting service.

Sections:

 1. Reverse TCP Proxy
   1.1. Choosing the best reverse proxy
 2. UUID Spoofing
   2.1. What is UUID Spoofing?
   2.2. What are the consequences for ignoring this problem
   2.3. On what servers does this design flaw work
   2.4. How to block it
     2.4.1. External: IPWhitelist
     2.4.2. External: BungeeGuard
     2.4.3. Using Velocity protection
     2.4.4. Firewalling 🟥
 3. Hide Bungeecord 🟥
 4. Hide Pterodactyl Panel | Any Pterodactyl Fork 🟥
   4.1. Blocking IOT Scanners 🟥
   4.2. Setting up CloudFlare 🟥
   4.3. Configuring WebServer 🟥
   4.4. Firewalling 🟥
 5. Block ICMP probes 🟥
   5.1. Firewalling 🟥
   5.2. Editing kernel parameters 🟥
 6. Remove vulnerable plugins

1. Reverse TCP Proxy:

 1.1 Choosing the best reverse proxy

  There are plenty of reverse proxies available on the internet. The most popular ones are: TCPSHIELD, Infinity Filter and MC SHIELD.
 
  I recommend using NeoProtect, it's very powerful. It also has a lot of features like AntiBot, AntiVPN and unlimited traffic! This is probably the best option you could pick. Check their site for more info.

2. UUID Spoofing:

   2.1. What is UUID Spoofing?

  UUID spoofing was first discovered in early 2013, and is now a well-known Bungeecord design flaw - mainly abused to grief servers. This exploit is one of the most used methods to gain administrator privileges on vulnerable Minecraft servers.

   2.2. What are the consequences for ignoring this problem

  Ignoring UUID spoofing will make your server vulnerable and exposed to everyone. This might result in all of your players' IPs being leaked, your network getting completely destroyed or even your server being deleted! So you better check if your server is vulnerable ASAP.

   2.3. On what servers does this design flaw work

  This flaw works on every single bungeecord instance (including forks such as flamecord and waterfall) that is connected to Java Edition servers.

   2.4. How to block it

    2.4.1 External: IPWhitelist

    IPWhitelist lets you filter connections to a specific spigot server by IP address: https://www.spigotmc.org/resources/ipwhitelist.61/
    Configuration is pretty simple, check the spigot page for more info.

    2.4.2 External: Bungeeguard

    Bungeeguard lets you add a "token" system to your spigot and bungee servers: https://github.com/lucko/BungeeGuard
    Configuration is pretty simple, check the spigot page for more info.

    2.4.3 External: Velocity Protection

    Works the same as BungeeGuard, and is provided in the velocity config: https://docs.papermc.io/velocity/player-information-forwarding
    Configuration is pretty simple, check the linked page for more info.

    2.4.4 Internal: Firewalling

    Firewalling is possible with a tool such as iptables or ufw on Linux servers.
    This is for more advanced people - if you don't know basic Linux commands I recommend sticking to plugins. Plugins are good, but they don't provide maximum security.
    We have 2 tools we can use: IPTables | UFW
    UFW Steps:
     1. Install ufw with: sudo apt-get update && sudo apt-get install ufw
     2. Allow ssh connections with: sudo ufw allow 22
     3. Allow proxy connections with: sudo ufw allow 25565
        Change 25565 to your proxy port! ⚠️WARNING⚠️: Don't do this if you're using a reverse proxy, look at point 3.
    IPTables is more advanced (this article would be too long if I explained it; I manage iptables with ease), so instead of explaining every step I'll link a great spigotmc article:
    https://www.spigotmc.org/wiki/firewall-guide/#firewalling-with-iptables
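
    The warning in step 3 can be checked after the fact. The script below is an added example, not part of the original tutorial: it reads `ufw status` output and prints every rule that still allows the proxy port from any source. The function names and the sample status text are constructed for illustration.

```sh
#!/bin/sh
# Added example: flag UFW rules that leave the proxy port open to every source.

# Reads `ufw status` text on stdin and prints each ALLOW rule for the given port
# whose source is "Anywhere". Returns 1 when at least one such rule exists.
open_to_world() {
  awk -v port="$1" '
    ($1 == port || $1 == (port "/tcp")) && /ALLOW/ && /Anywhere/ { print; found = 1 }
    END { exit found + 0 }
  '
}

# Constructed sample of `ufw status` output (documentation address range).
sample_status() {
  cat <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
25565/tcp                  ALLOW       198.51.100.0/24
25565                      ALLOW       Anywhere
25565 (v6)                 ALLOW       Anywhere (v6)
EOF
}

if sample_status | open_to_world 25565; then
  echo "port 25565 is only reachable from listed sources"
else
  echo "port 25565 is open to the world: delete the rules printed above"
fi
```

    On a real host, feed it live output with: sudo ufw status | open_to_world 25565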

3. Hide Bungeecord:

  Hiding bungeecord can be done by using a reverse proxy from point 1 and firewalling your proxy so that it only accepts their IPs.
   How to firewall with UFW:
    1. Install ufw with: sudo apt-get update && sudo apt-get install ufw
    2. Allow proxy connections with: sudo ufw allow from $IP proto tcp to any port 25565
       Change 25565 to your proxy port and $IP to your reverse proxy IP (this is different for every provider, contact them for their IPs!)
    3. Repeat step 2 with every reverse proxy IP. TCPShield IPs: https://tcpshield.com/v4/ (make sure you also use the subnets, aka the / and the numbers after it)
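
   Repeating step 2 by hand for a long provider list is error-prone, so here is an added example (not part of the original tutorial) that validates each entry and prints the complete rule set for review. The function names and sample ranges are constructed. The `ufw default deny incoming` and `ufw --force enable` lines are additions to the steps above, and SSH is assumed to be on port 22 as in section 2.4.4.

```sh
#!/bin/sh
# Added example: turn a reverse-proxy IP list into UFW commands (prints only, applies nothing).

# Accept a.b.c.d or a.b.c.d/len. Prefixes shorter than /8 are refused (a choice made
# for this example) because an entry such as 0.0.0.0/0 reopens the port to everyone.
valid_source() {
  entry=$1
  case $entry in
    */*) ip=${entry%/*}; len=${entry#*/} ;;
    *)   ip=$entry; len=32 ;;
  esac
  case $len in ''|*[!0-9]*|???*) return 1 ;; esac
  [ "$len" -ge 8 ] && [ "$len" -le 32 ] || return 1
  case $ip in ''|*[!0-9.]*|*.) return 1 ;; esac
  old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs   # split into octets
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case $octet in ''|????*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Read one source per line on stdin ("#" comments allowed) and print the full rule set.
# Nothing is printed if any entry is invalid, so a bad list cannot be half-applied.
build_rules() {
  port=$1
  case $port in ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;; esac
  rules="ufw default deny incoming
ufw allow 22"
  while IFS= read -r line || [ -n "$line" ]; do
    line=$(printf '%s' "${line%%#*}" | tr -d ' \t\r')
    [ -n "$line" ] || continue
    if ! valid_source "$line"; then
      echo "invalid source: $line" >&2
      return 1
    fi
    rules="$rules
ufw allow from $line proto tcp to any port $port"
  done
  printf '%s\nufw --force enable\n' "$rules"
}

# Constructed sample list (documentation ranges); the real one comes from your provider.
sample_sources() {
  printf '%s\n' '198.51.100.0/24' '203.0.113.7   # single address'
}

sample_sources | build_rules 25565
```

   Review the printed commands, then run them with sudo. The SSH rule comes before the enable line so the session that applies them is not cut off.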
   How to firewall with IPTables:
    SoonTM