this post was submitted on 08 Sep 2024
84 points (96.7% liked)

Selfhosted

40173 readers
608 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

I just setup a minecraft server on an old laptop, but to make it acessible i needed to open up a port. Currently, these are the ufw rules i have. when my friends want to connect, i will have them find their public ip and ill whilelist only them. is this secure enough? thanks

`Status: active

To Action From


22/tcp ALLOW Anywhere Anywhere ALLOW my.pcs.local.ip`

also, minecraft is installed under a separate user, without root privlege

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 5 points 2 months ago (11 children)

assuming they are not behind a CGN whitelisting your mates place should be OK. But I would also move SSH away from a well known port. In the event something happens to the whitelist, crawlers will not jump on you straight away.

[–] [email protected] 4 points 2 months ago (10 children)

so just change ssh to like 137/TCP?

22 isn't forwarded

[–] [email protected] 6 points 2 months ago (6 children)

no. The default port is fine. Changing the default port does nothing for security. It only stops some basic crawler, when you are scared by crawler, then you should not host anything on the internet.

[–] [email protected] 4 points 2 months ago (2 children)

The volume on 22 will be a lot higher than a non default port. With 22 open my router was basically getting DDOS’d at times

[–] [email protected] 4 points 2 months ago

Agreed. Anyone who thinks it's ok to just expose ssh on 22 to the internet has never looked at their logs. The port will be found in minutes, and be hammered by thousands of login attempts by multiple bots 24/7. Sure you can block repeat failed logins, but that list will just always be growing.

[–] [email protected] 2 points 2 months ago (1 children)

Then using something like fail2ban to block bad acting connections is far more effective and you even get a security benefit out of it.

Also, when a few scripts try to connect via ssh DDOS your router then something is messed up. Either a shitty router from 20 years ago or you have a Bandwidth lower than 100kbps.

[–] [email protected] 3 points 2 months ago

I have fail2ban running on the server itself, also it was a lot more than “a few scripts”

load more comments (3 replies)
load more comments (6 replies)
load more comments (6 replies)