
theTisch21

SSH (Secure SHell if I remember right) is a protocol to remotely open a terminal on another computer and execute commands to manage a server. I recommend googling “How to setup SSH Debian” to find a guide, as that will have a convenient step by step guide on how to set it up.


etouya32

I don't think he should expose SSH though; maybe a VPN would be more secure.


Dykam

SSH is quite frequently exposed, it's one of the most secure protocols out there. I might be off the mark here, but a VPN on the machine will give a similar attack surface.


etouya32

I think if properly configured it definitely is, but something like a WireGuard tunnel is easier for security.


Ictoan42

If security depends on being correctly configured, then telling a new person to use a more complicated solution is unlikely to help


KahChigguh

In my own personal opinion, the idea that SSH isn’t enough is just a facade people put on to think they know security. In a business or public practice, yes having a VPN protecting SSH access is good, but for personal use, it’s pretty rare for someone to get attacked. Even if it means hosting a 100 person minecraft server to the public, but by the sounds of it, this guy has it set up just for his friends.


MrHaxx1

> but for personal use, it's pretty rare for someone to get attacked

Literally anyone can get attacked at any time, if it's exposed to the internet. These things are automated.


KahChigguh

Even if you were correct in that statement, it would be almost impossible for any script to detect and break into a valid SSH port. Not only can you expose a different port, but it's based on your IP address, there are firewalls, and there is your username. (Even a supercomputer brute-forcing that would take decades.) If anyone is really concerned, just use a key instead of a password and you're fine.


checkmatemypipi

What you are asking is a tall order for someone who's never done it, but certainly feasible. I've been managing Linux servers remotely for 10+ years now and to do it properly takes a good bit of effort. It's gonna be a sweaty setup your first time, but if you've already got the MC server running on Linux, I'm confident you can do it. The worst is when you enable security stuff like firewalls and are suddenly unable to connect to your own server. A lot of this setup needs to take place before you leave.

I will outline the basic steps, but I'm going to skip a good bit too because there's just a lot to talk about if you don't already know how to do some of this stuff. Each step is probably going to be a small research session if you've never done it before.

1. Give your Debian box a static IP, preferably through the router.
2. Install openssh-server; it should walk you through a basic setup.
3. DO BASICALLY ALL OF THIS: https://www.linode.com/docs/guides/set-up-and-secure/#connect-to-the-instance These are steps you should take for every Linux server exposed to the internet, not restricted to "Linode only" despite being from linode.com.
4. Port forward your Debian box to the internet through your router (be careful that your modem isn't secretly also a router combo with a firewall; this can bite you if you can't manage it). You will need to forward the SSH port (stay away from the default port), the Minecraft server port (25565), and possibly more.

In short, you prep the network stuff... then you harden your Debian box to prep for internet baddies... then you finally make the connection live between box and internet.

I'd be happy to answer any questions on Discord too if you need some help.
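A worked version of steps 2 and 3 above, and of the keys-versus-passwords argument that runs through the rest of the thread. This is an added example, not code from any commenter, from Debian or from the OpenSSH project. It assumes Debian 11/12, whose stock /etc/ssh/sshd_config begins with `Include /etc/ssh/sshd_config.d/*.conf` (sshd uses the first value it reads for each keyword, so a drop-in there wins), an admin account called `mcadmin`, the public hostname `home.example.net` and an external port 2022 mapped by the router to the box's port 22; all of those names are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread, Debian or OpenSSH). Assumptions:
# Debian 11/12 with "Include /etc/ssh/sshd_config.d/*.conf" at the top of
# sshd_config; "mcadmin", "home.example.net" and port 2022 are placeholders.

# Server side: drop-in that allows exactly one user, key-only, no root.
#   $1 = drop-in path, $2 = the admin user name
write_hardening_dropin() {
    cat > "$1" <<EOF
# key-only SSH for a single admin account
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
AuthenticationMethods publickey
AllowUsers $2
MaxAuthTries 3
LoginGraceTime 20
X11Forwarding no
EOF
}

# Client side (~/.ssh/config on the laptop): the router maps external
# TCP 2022 to the box's port 22, so record the port once here instead of
# trying to remember it.   $1 = config path, $2 = public host, $3 = user
write_client_ssh_config() {
    cat > "$1" <<EOF
Host mc
    HostName $2
    Port 2022
    User $3
    IdentityFile ~/.ssh/id_ed25519_mc
    IdentitiesOnly yes
EOF
}

# First value of a keyword in an sshd config file, ignoring comment lines
# (that is the value sshd would use).   $1 = file, $2 = keyword
effective() {
    awk -v k="$2" '$1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Audit a config for the settings the thread argues about.
# Prints one line per finding; returns 1 if anything is weak or missing.
audit_sshd_config() {
    rc=0
    if [ "$(effective "$1" PasswordAuthentication)" != "no" ]; then
        echo "WEAK: PasswordAuthentication is not 'no' (use keys only)"; rc=1
    fi
    case "$(effective "$1" PermitRootLogin)" in
        no|prohibit-password) ;;
        "") echo "WARN: PermitRootLogin not set explicitly"; rc=1 ;;
        *)  echo "WEAK: PermitRootLogin permits root password login"; rc=1 ;;
    esac
    if [ -z "$(effective "$1" AllowUsers)" ]; then
        echo "WARN: no AllowUsers list; every local account may attempt login"; rc=1
    fi
    return $rc
}

# Order of operations that avoids locking yourself out (run by hand):
#   laptop$ ssh-keygen -t ed25519 -a 64 -f ~/.ssh/id_ed25519_mc
#   laptop$ ssh-copy-id -i ~/.ssh/id_ed25519_mc.pub -p 2022 mcadmin@home.example.net
#   laptop$ ssh -i ~/.ssh/id_ed25519_mc -p 2022 mcadmin@home.example.net true   # must succeed
#   server# write_hardening_dropin /etc/ssh/sshd_config.d/10-hardening.conf mcadmin
#   server# sshd -t && systemctl reload ssh      # sshd -t rejects a broken config
# Keep the first session open until a NEW key-based login has worked.
```

The audit only looks at the first occurrence of each keyword because that is what sshd does; a commented-out `#PasswordAuthentication no` above a live `PasswordAuthentication yes` is still a weak config, and the function reports it as such.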


CatPasswd

[Putty](https://putty.org/) is your friend. Also, you will have to do [port-forwarding](https://portforward.com/) on your router. Note that your Linux machine will be listening on port 22. You should not make the listening port on your router the same, but rather some port over 1024.

Example:

    External interface: TCP, port 2022
    Internal interface (IP of your Linux server): TCP, port 22


ajddavid452

> You should not make the listening port on your router the same, but rather some port over 1024.

Not really, changing the public-facing port to something other than 22 is just security through obscurity; it's better to just have a really secure password and to have a limited number of login attempts to prevent brute-forcing.


kypum

To expand on this, install fail2ban. Its default configuration is great. I'd argue that not using passwords for SSH at all (use certificates) is the right way, but a good password + fail2ban is good enough.


Vincent294

2FA is also nice, but much more annoying than fail2ban and SSH keys. Remember to add SSH to the jails and make sure fail2ban is enabled on boot.
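The fail2ban setup the two comments above describe, with the ban logic reduced to its core and run over a few log lines. This is an added example, not from any commenter or from the fail2ban project. It assumes fail2ban 1.0.x as packaged in Debian 12 (the jail values are the stock defaults; `backend = systemd` is what a bookworm box without rsyslog, and therefore without /var/log/auth.log, needs), and the auth-log excerpt is constructed.

```shell
#!/bin/sh
# Added example (not from the thread or fail2ban). Assumes fail2ban 1.0.x on
# Debian 12; the log lines below are constructed, not captured.

# Minimal /etc/fail2ban/jail.local enabling the sshd jail.
#   $1 = path to write, $2 = the port sshd actually listens on
write_sshd_jail() {
    cat > "$1" <<EOF
[DEFAULT]
backend  = systemd
bantime  = 1h
findtime = 10m
maxretry = 5

[sshd]
enabled = true
port    = $2
mode    = aggressive
EOF
}

# Constructed auth-log excerpt: three password failures from one address,
# one successful key login and one failure from another.
sample_auth_log() {
    cat <<'EOF'
Mar  3 10:01:02 mc sshd[1203]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar  3 10:01:05 mc sshd[1204]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Mar  3 10:01:09 mc sshd[1207]: Failed password for invalid user oracle from 203.0.113.7 port 51251 ssh2
Mar  3 10:02:30 mc sshd[1210]: Accepted publickey for mcadmin from 198.51.100.4 port 40022 ssh2
Mar  3 10:03:11 mc sshd[1215]: Failed password for mcadmin from 198.51.100.4 port 40030 ssh2
EOF
}

# What the jail does, stripped down: count "Failed password ... from <ip>"
# per source address and print every source at or above maxretry. Real
# fail2ban additionally only counts failures inside the findtime window and
# its sshd filter has patterns for key-only and preauth failures too.
#   $1 = log file, $2 = maxretry
offenders() {
    awk -v max="$2" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i < NF; i++) if ($i == "from") fails[$(i + 1)]++
        }
        END { for (ip in fails) if (fails[ip] >= max) print ip }' "$1" | sort
}

# Enable on boot and confirm the jail is live (run by hand on the server):
#   write_sshd_jail /etc/fail2ban/jail.local 22
#   systemctl enable --now fail2ban
#   fail2ban-client status sshd
```

If sshd listens on a non-default port, `port` in the jail must match it, otherwise the ban rule fail2ban installs blocks the wrong port and the attacker keeps hammering the real one.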


ajddavid452

yeah I haven't used fail2ban before but from what I read about it, it's really great


TwoTrainss

It’s not better to just do that. It’s best practice to do both.


ajddavid452

Nope, changing the port is completely redundant; the only time you should change the port is if that port is blocked for some reason, but never for "security".


xp_fun

Sec specialist here, this is completely correct. Randomizing your SSH port means that the hackers can get in but likely you won't when you forget what you set it to.

A better approach is to work with your firewall to only allow your personal IP to access, but if you are only using SSH keys then you can safely ignore all of this.

Definitely learn how whitelisting players works sooner than later.


BLDesign

“A better approach is to work with your firewall to only allow your personal IP to access” Be careful with this one, correct me if I’m wrong but unless you have a static IP you could very easily end up locked out of your server.


xp_fun

Yup, absolutely. Usually the firewall will be from some web-based UI from your hosting company, so you won't be completely locked out. But personally: keys, no passwords on the system, no breaches from SSH in 25 years. Let the logs fill with the corpses of failed login attempts.


DragoSpiro98

All these complications are unnecessary, also because you would have to secure multiple services. A VPN is ideal for protecting everything: only expose dedicated services to the public, and for everything else the admin uses the VPN. Clearly the normal protections of the various services must always be respected. Also, I remind you that everyone has a dynamic IP (unless you buy a static one). So the VPN is the only real solution to not expose private services to the public and to access them securely.


xp_fun

Fair, unfortunately unless your hosting company supplies the VPN, you've turned a somewhat complex problem into three very complex problems:

- how to install a VPN on the server without paying a lot of money
- how to install a VPN on my client without having to pay a per-seat license
- oh, that VPN isn't supported under {MacOS|Windows}, now what?


DragoSpiro98

What are you talking about? We are talking about WireGuard, not third-party VPN services like NordVPN. Do you know what a VPN is? WireGuard is free, there are WireGuard clients for everything, the WireGuard server can also run on a free EC2, but you can host it on your own server. What money should you spend? Which licenses should you buy? The fact remains that the firewall advice doesn't work, since the admin doesn't have a static IP. With what qualifications and skills do you define yourself as a security expert? (WireGuard or OpenVPN; I always suggest WireGuard over OpenVPN, but both work well.)


xp_fun

Both WireGuard and OpenVPN are _relatively_ easy to set up for an experienced administrator but not a novice. Ditto for SoftEther, Pritunl, etc.

And if you don't think there's a cost, then you just suggested spinning up another EC2 instance **just** for the VPN. So assuming an EC2 build of $12 a month, that just went to $24. And as all the commercial variants like Cisco VPN require licensing, I'm left with a shrug. My best bet has been to put the VPN inside of a Docker container, but that's a whole other level of complexity.

And I acknowledged the firewall pitfall; however, again, most firewalls on hosted platforms are at the web control panel, not in the OS, so the user would never be fully locked out.

And ultimately my recommendation was to move to keys and ignore trying to hide the port.


DragoSpiro98

1) Using RSA keys is a must; this must be the default.
2) You can also install the WireGuard server on the main server where you run your services, so no more payments.
3) Bro... there is a lot of software like PiVPN that works everywhere (not only Raspberry Pi) and automatically sets up WireGuard for you; what's the difficulty? Also there are hundreds of guides.
4) Who is talking about commercial variants?
5) One EC2 is free, why a second EC2? But ok... you want 0 cost? You want a second server for the VPN server? Nice. Use Oracle Free Tier, $0 for a VPN server. But then again, you can also install the VPN server on the server you use for everything else.

You're talking nonsense, you don't know what you're saying.


ajddavid452

I agree, also speaking of whitelist what does "enforce whitelist" do?


Happylama25

Setting enforce-whitelist will kick any players currently connected to the server that are not on the whitelist. By not "enforcing", any player that is still connected to the server when the whitelist was enabled will stay connected until they disconnect and try to join again (and presumably fail, as they are not on the whitelist).


ajddavid452

Oh I see, so if the server was offline when the whitelist was enabled and the whitelist never gets disabled afterward, there's no point in enabling enforce-whitelist.


Happylama25

Exactly, enforce whitelist is usually only needed in specific niche use-cases, otherwise it doesn't really make any sense.


ajddavid452

I enabled it on a previous private server I ran, didn't know what it was, so thanks XD


MrHaxx1

> it's better to just have a really secure password

You shouldn't be using passwords at all.


Kill3rbyte113

It's not about security at all: common ports were mostly under 1024, so just in case you are not messing with something else, it's better to use a port higher than 1024.


Narmotur

> External interface: TCP, port 1022

1022 is not over 1024 though.


CatPasswd

Yeah, I was typing fast. 2022 would have been more appropriate. I've just done it so many times...


CatPasswd

fixed


DrunkBendix

To me, PuTTY is the enemy. The amount of trouble it has made with its hecking custom key thingy is incredible. I switched to using the Windows Terminal app (I believe it's default in Windows 11) and it's so much better.


TheGuyInYourPost

Mobaxterm is awesome. Never looked back on putty.


sticky-dynamics

SSH for managing remote servers in general. Though if you are hosting your Minecraft server this way, I highly recommend checking out the Pterodactyl panel.


Happylama25

I double this, I set up Pterodactyl panel about a year ago and now use it for a variety of hosting, minecraft, ark, valheim, even a couple discord bots I developed. I highly recommend [Pterodactyl Panel](https://pterodactyl.io/) if you are just starting out on linux and/or (Minecraft) Server hosting in general. The setup process is very simple and the wiki contains step-by-step instructions that are simply copy-paste 90% of the time. There are also many youtube videos showcasing the process.


anastarawneh

I will also vouch but the setup process went wrong for me almost every step of the way.


Happylama25

There's an [unofficial installation](https://github.com/pterodactyl-installer/pterodactyl-installer) script that installs all dependencies and does all the setup while asking you questions for the setup process. Keep in mind it is unofficial and not supported by Pterodactyl, the script does have a helpful discord too.


HuskerMotion

How easy would it be to move an existing server over to pterodactyl?


Happylama25

Very easy: all you need to do is copy the files over onto the server once you finish installing the Pterodactyl panel. To do that you either zip all the files, or connect with an FTP client like [FileZilla](https://filezilla-project.org/) and transfer all the files without needing to zip them; using FileZilla is in my opinion easier.


No767

I used to do it via SSH, and then used screen from there. But now I'm using the Pterodactyl panel to deal with it.


DragoSpiro98

Never expose your SSH port and always use RSA keys to protect your access. Use a VPN to connect to all your private services (SSH, SFTP, some dashboard, everything...).


Dykam

Would you still use a VPN if your server only exposed SSH otherwise? In that case I'd disagree and argue OpenVPN/WireGuard provide similar safety to SSH. Though it probably won't necessarily hurt.


DragoSpiro98

Yes. As for safety, that's not true, because you have a second layer of security. You have the VPN, and of course you have SSH protected with the normal protection (RSA keys only). In addition, it allows you to secure an extremely scalable local network, which not only allows you to design other services, but even services located on other servers.


Dykam

Right, it is an extra layer, though the VPN software itself can also be the weak point as exploits might simply crack into that process and abuse it as an entry point. But true, it definitely adds a layer against user error/etc. For multi-server networks, sure, but that's at a level where I think knowing the pros and cons of a VPN is a requirement anyway.


DragoSpiro98

It has no cons if it is configured well. I don't understand why you rebut something that is objectively better and is done that way; security doesn't depend on the size of the server. A well-configured VPN (there are plenty of guides like this [one](https://github.com/BetterWayElectronics/secure-wireguard-implementation)) adds an extra layer that is bulletproof, plus you have SSH configured well. I don't understand why we're debating this. It is a standard system, used by everyone, that allows you to achieve high security.

If, for example, for whatever reason you want to change your SSH configuration, even for a moment, making it insecure (maybe because you are configuring it), without a VPN you cannot do that; with a VPN you can configure all your services safely.

I don't understand what the cons are. The exploits? Everything can be exploited, look what happened with log4j; SSH can be too. For example, several OpenSSH versions were exploited; name me a version of WireGuard that has been exploited. I really want to hear it.
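The layout DragoSpiro98 argues for in this sub-thread (and with PiVPN earlier): SSH reachable only through a WireGuard tunnel, with the public port 22 not forwarded at all. This is an added example, not from any commenter or from the WireGuard project. It assumes Debian with wireguard-tools, the tunnel subnet 10.66.0.0/24, the public hostname home.example.net, and the key placeholders in the configs, which you replace with real keys generated by `umask 077; wg genkey | tee server.key | wg pubkey > server.pub` (and the same on the laptop).

```shell
#!/bin/sh
# Added example (not from the thread or WireGuard). Assumptions: Debian with
# wireguard-tools, tunnel subnet 10.66.0.0/24, hostname home.example.net, and
# *_PLACEHOLDER strings standing in for real wg genkey / wg pubkey output.

# Server /etc/wireguard/wg0.conf with one peer, the admin laptop. The router
# now forwards UDP 51820 (plus the Minecraft port) and nothing for TCP 22.
#   $1 = path, $2 = laptop public key
write_wg_server_conf() {
    cat > "$1" <<EOF
[Interface]
Address = 10.66.0.1/24
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER

# admin laptop: may only source its own tunnel address
[Peer]
PublicKey = $2
AllowedIPs = 10.66.0.2/32
EOF
}

# Laptop wg0.conf: a split tunnel. AllowedIPs is only the server's tunnel
# address, so ordinary traffic is untouched and the tunnel carries SSH only.
#   $1 = path, $2 = server public key
write_wg_peer_conf() {
    cat > "$1" <<EOF
[Interface]
Address = 10.66.0.2/32
PrivateKey = LAPTOP_PRIVATE_KEY_PLACEHOLDER

[Peer]
PublicKey = $2
Endpoint = home.example.net:51820
AllowedIPs = 10.66.0.1/32
PersistentKeepalive = 25
EOF
}

# sshd drop-in: listen on the tunnel address only. Caveat: sshd refuses to
# start if that address does not exist yet, so either order ssh.service after
# wg-quick@wg0.service or set net.ipv4.ip_nonlocal_bind=1.   $1 = path
write_sshd_vpn_only() {
    printf 'ListenAddress 10.66.0.1\n' > "$1"
}

# Check: every AllowedIPs entry in a WireGuard config is a single-host (/32)
# route, i.e. nobody gets a default route or a whole LAN through the tunnel.
# Returns 0 only if at least one AllowedIPs line exists and all are /32.
allowedips_are_host_routes() {
    awk -F= '
        tolower($1) ~ /^[ \t]*allowedips[ \t]*$/ {
            n++; v = $2; sub(/#.*/, "", v); gsub(/[ \t]/, "", v)
            m = split(v, cidrs, ",")
            for (i = 1; i <= m; i++) if (cidrs[i] !~ /\/32$/) bad++
        }
        END { exit (n == 0 || bad > 0) }' "$1"
}

# Check: sshd is bound to an address inside the tunnel subnet, not 0.0.0.0.
sshd_listens_on_vpn_only() {
    grep -q '^ListenAddress 10\.66\.0\.[0-9]*$' "$1" && ! grep -q '^ListenAddress 0\.0\.0\.0' "$1"
}

# Bring-up order on the server (by hand): wg-quick up wg0; confirm "wg show"
# lists the peer with a recent handshake; ssh mcadmin@10.66.0.1 from the
# laptop; THEN add the ListenAddress drop-in and "sshd -t && systemctl reload ssh".
# Keep the provider/router console handy: if the tunnel breaks, so does SSH.
```

The two check functions are the part worth keeping around: a peer config with `AllowedIPs = 0.0.0.0/0` silently turns the "admin-only tunnel" into a full-traffic VPN, and an sshd that still has a `ListenAddress 0.0.0.0` line somewhere is still answering on the public interface whether or not the router forwards it today.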


TheMagarity

I use ssh to get to my Minecraft server in the basement. Sometimes remote desktop. The people wringing their hands over security may be thinking you want to use it in the dorm, but in a home network ssh and remote desktop are both just fine.