I see tons of posts dedicated to server specs, hosting, plugins/mods, server types, etc. It is rarely though that I see a real post on security. Not anti-griefing or anti-spam but real security. With many people advocating against a dedicated server because of that reason alone (I know there are other reasons too such as isp, bandwidth, etc). What type of security and on what OS would you recommend? With the anticipated release of sponge (In the very near future I hope), I am looking to do a complete wipe and reset of my little home server (Yes a server not a re-purposed desktop). Since I have learned much over the last couple of years about installing and maintaining a server, this time I would like to do it right (No more "root" everything lol). So, what are your opinions??
I love the amount of responses I have had already.I can see this community is going to be a good one. Hopefully I will see a few more. I have forced myself to learn Linux/unix over the last couple of years (Just enough the royally screw everything up. lol). The distro i have decided on is Ubuntu (Server edition, no more desktop on the wipe since I added a research station next to it for looking up info) 14.04. Although I can do port forwarding and such pretty easy (I tend to change default ports like mad lol) i used to “dmz” it a lot just to get it working (I know, bad idea), which will no longer be an issue after the wipe/upgrade (Going to Change from a maxed out t7400 to something a bit newer/beefier). What about ddos protection and such? I hear horror stories all the time (lately even on well know servers i.e: Xbox, playstation, etc.) and wonder if anyone else concerns themselves which such security measures? My home network and my server networks are already isolated so I am not worried about them getting my personal stuff, but I do care about all the hard work people put into my servers. Thoughts?
The main thing here is to run the OS flavour that you are most comfortable with. All the ones listed above are all using the Linux kernel - they will all function essentially the same no matter how you look at it. You are bound to make mistakes if you decide to go for a distribution that you are unfamiliar with - if you want to try something new, run that in a VM locally so you can get used to it and play about.
Personally, I like CentOS, but Debian based servers work just as well.
If you are running your server behind a home router and it has a decent firewall within it (most have), then as long as you don’t DMZ your server, you might not need a firewall on your server, as the router will do that job. That said there is no harm in running a firewall at all, as long as you don’t forget to open port 22 for SSH! You can use good old IPTables to do this, but there are easier to use front ends nowadays, Ubuntu comes with ufw which is quite nice!
And yes, you are right not to log into the server as root by default, I cringe every time I see that - if someone exploits a bug in the JVM when running under root, very bad things can happen. I would argue that Minecraft should be run using it’s own dedicated user, much like MySQL and Apache generally do, and not give that user access to sudo, but as long as you just don’t run it as root, that’s good enough!
What I do is block root on ssh. IP whitelist the phpmyadmin and multicraft. So the only thing they can do is play minecraft.
Who is intrested in hacking a minecraft server? Prob only the competition. And to see how the competition could be you have to look at yourself. How would you as a minecraft owner attack a server. Prob you don’t know a lot of way to get trough. So a basic security layer would be enough.
Who is interested in attacking a Minecraft server? Not many. However, gaining control of a generic server that just happens to run Minecraft? Much more lucrative. To most hackers, it doesn’t matter what it runs now, it’s what they can get it to run that interests them.
Edit: I just realised this would be a home hosted setup. Getting access to a machine that potentially has access to the rest of a home network is VERY lucrative to a malicious user. So yes, here security is paramount - but as I said, if you don’t DMZ the server and only forward the port(s) you need, you should, in theory, be OK. Following security best practices is always a good idea though…
Well, I dont make the rules here at home, my parents do (I’m 17) so I consider myself lucky to be allowed to have the setup below at home. It’s a Magalhães Laptop, which is basically a variant of the second version of the Intel Classmate PC.
It doesn’t run Minecraft, as you could suppose, but it can handle Apache, PHP, MySQL, etc. It is turned on 24/7. Never had a problem. Because this post is about security, let’s talk about it.
I run Windows. Not because the computer can’t run Linux, it can. Actually, it originally comes with a dual-boot of Windows 7 and Caixa Mágica (a Portuguese Linux distro). I run Windows because I feel safer with it, not because I think Windows is safer, but because I know what I’m doing on Windows better than on Linux and, because of that, I’m sure I won’t end up opening my Linux server to the whole world unknowingly.
So, in my opinion, the safest setup you can use is the setup you’re most used to, because if you know the OS, you know what to do in which situation, and you won’t be lost in the middle of sudos and snap-ins.
I’ll reply to this too… I love Debian or its children when I want a quick build to just work, without too much fiddling, but it’s pretty terrible for a barebones dedicated server. It has a lot of default packages that aren’t necessary in many cases. If you do run Debian, I recommend doing a manual net-install instead of installing a vanilla distro image.
That said, the big things I actually like about Debian are the default package manager, and the startup structure. Neither are permanent, and both can be installed on literally any other flavor. Keeping that in mind, I agree with other voices, that Arch or CentOS are the best, most lightweight starting platforms for a high performance server.
Full disclosure: my (usually) headless home server is running Ubuntu 14.04 Desktop edition. That’s a lot of bloat, so take my hypocrisy with a grain of salt.
The kernel is the same. Its all the linux kernel. The OS really makes the difference though. You can’t say that Debian or CentOS or Gentoo are the same. Literally the only thing they have in common is the linux kernel.
I prefer FreeBSD myself for ease of use and security. Anyone with a linux background can get the hang of freebsd pretty quickly. One of the key things I use the most are called jails, essentially it’s the equivalent of running a host machine with virtual machines isolated within, with the exception that it’s not virtualized. The host has a strict set of its own firewall rules which prevent the jails from reaching anything on the network they aren’t allowed to access, so even if an attacker takes over a jail the host still has the final say over what type of traffic is allowed out of the jail which means all my other jails and workstations are safe from attack in such an event. The other neat feature I use quite a bit with jails is that you can set specific directories (partitions technically, but the jail doesn’t “see” them as such) to be mounted in readonly and shared among each other reducing filespace usage and making it so system binaries cannot be changed even by a user with root level access. The key thing to keeping it secure is making sure the host is locked down and “invulnerable” and that has a safe set of firewall rules for the jails to prevent them from being able to attack each other or other devices, but in having a setup like this I can easily test new versions of software, try out snapshots of minecraft, test a new version of openJDK with it, etc and if anything goes wrong or breaks reverting is simply a matter of stopping the jail and starting up a backup
I’m sure Linux has something comparable to jails, but I’ve been freebsd user for the past 10 years and haven’t really looked around.
Not really. I could make Ubuntu run exactly the same as Fedora if I really wanted to. It’s a waste of time to do - but I could.
My point was that when it comes to securing the server, then the OP should be using the distribution that he is most comfortable with. They all run the same modules, they all can do the same stuff, they all use the same core, they all quack the same. I see it as the same OS - but I understand why you don’t. It’s semantics really - but I’ll quite happily agree to disagree on this.