this post was submitted on 24 Nov 2023
9 points (100.0% liked)

Self-Hosted Main

My nephews really enjoy Minecraft and so for Christmas, I want to give them a server for us all to play on (of course, self-hosted). The issue is that I've only got a vague idea about how one can safely self-host it, any ideas are greatly appreciated.

The safer way I'd personally do something like this would be to VPN into my homelab (WireGuard + DuckDNS) and access the server that way. For practical reasons that's not going to fly... I'd like to connect to the game server from anywhere, with any account, and without a VPN. That will make it accessible to the kids.

When one adds a server in Minecraft, it seems like you specify an FQDN:port (MySite.com:25565). I could punch port forwards in my firewall and call it a day, but this seems insecure. Going forward I'm not going to forward any ports without some layer of encryption or authentication on the other side (seems like the latest best practice).

Cloudflare Zero Trust sounded like the ideal solution, notably because it's free, but also that it has intrinsic protection against DoS attacks. This isn't self-hosted though, and to properly utilize this, I would need to purchase my own domain name (not opposed to that, just an extra cost).

How do you guys architect your services to be secure while also being broadly accessible on the Internet? I imagine it's a similar tale for self-hosting a website, just in this case it's a Minecraft server. Thanks much.

[–] navigatron@beehaw.org 5 points 10 months ago

In networking, you generally either have an authentication mechanism, or you don’t.

It sounds like you don’t have “control” (can install a vpn) on the client devices. This makes authentication difficult. We need some aspect of the client that the server can use to make a decision.

Without touching the client, there’s only really two details we can use - the source ip address of the client, and the port that they are connecting to.

If a client wants to connect to the default minecraft port, it could be a scanner - but if it’s non-default, then the probability of being a scanner is much lower.

A firewall to do geo-based ip blocking will also cut down significantly on noise.

After that, minecraft’s built in authentication is pretty good.

With all of the above, we would know that the connector is coming from an allowed location, knows to ask for your non-standard port number, and has a valid minecraft account - that sounds pretty good to me.

And if you’re running a cracked server, there are other assorted tricks to avoid bots. I ran an open-to-the-world, default port, no auth server for some time; and probably ran into a single robot. Thankfully I shut things down before log4j
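
Added example (not navigatron's code or anything from the post): a small audit of the `server.properties` keys the comment above leans on. It flags the default port, authentication turned off (which makes a name-based whitelist bypassable), a missing or unenforced whitelist, and the RCON/query listeners that should never face the Internet. The two property files at the bottom are constructed samples; the severities are my own judgement.

```python
"""Audit the exposure-related settings in a Minecraft Java server.properties.

Added example, not code from the post. The two property files at the bottom
are constructed samples."""
import re

DEFAULT_PORT = "25565"
# key=value or key:value; '#' and '!' start comments (Java .properties subset)
_KV = re.compile(r"^([^=:\s]+)\s*[=:]\s*(.*)$")


def parse_properties(text: str) -> dict[str, str]:
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = _KV.match(line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def audit(props: dict[str, str]) -> list[tuple[str, str, str]]:
    """Return (severity, key, message) findings. Defaults mirror what a fresh
    vanilla server writes when a key is absent."""
    def get(key: str, default: str) -> str:
        return props.get(key, default).strip().lower()

    findings = []
    if get("server-port", DEFAULT_PORT) == DEFAULT_PORT:
        findings.append(("warn", "server-port",
                         "default port: mass scanners try it first; moving it "
                         "cuts noise but is not an access control"))
    if get("online-mode", "true") != "true":
        findings.append(("critical", "online-mode",
                         "Mojang authentication disabled: any client can join "
                         "under any name, so a name-based whitelist is bypassable"))
    if get("white-list", "false") != "true":
        findings.append(("warn", "white-list",
                         "no whitelist: every Mojang account may join"))
    elif get("enforce-whitelist", "false") != "true":
        findings.append(("info", "enforce-whitelist",
                         "players removed from the whitelist stay connected "
                         "until they log out"))
    if get("enable-rcon", "false") == "true":
        findings.append(("warn", "enable-rcon",
                         "RCON is cleartext and gives full console access; "
                         "bind it to localhost or keep it off"))
        if not props.get("rcon.password", "").strip():
            findings.append(("critical", "rcon.password",
                             "RCON enabled with an empty password"))
    if get("enable-query", "false") == "true":
        findings.append(("info", "enable-query",
                         "query protocol answers anyone with the player list"))
    return findings


# Constructed sample: a freshly generated file after someone turned off
# authentication "so cracked clients can join" and switched on RCON.
WEAK = """\
# Minecraft server properties (constructed sample)
server-port=25565
online-mode=false
white-list=false
enable-rcon=true
rcon.password=
enable-query=true
"""

# Constructed sample: settings for a port-forwarded server shared with a few
# friends (the port number is arbitrary; any unused high port will do).
HARDENED = """\
server-port=25599
online-mode=true
white-list=true
enforce-whitelist=true
enable-rcon=false
enable-query=false
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"== {name} ==")
        results = audit(parse_properties(text)) or [("ok", "-", "no findings")]
        for sev, key, msg in results:
            print(f"{sev:8} {key:18} {msg}")
```

Run it against your own file with `audit(parse_properties(open("server.properties").read()))`. The port check is deliberately only a warning: as the comment says, a non-default port lowers scanner noise, while `online-mode=true` plus a whitelist is what actually decides who gets in.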

[–] zfa@alien.top 2 points 10 months ago (1 children)

Seeing as you say port 25565 you're using Minecraft Java, so I'd prob just do this:

https://blogs.oracle.com/developers/post/how-to-set-up-and-run-a-really-powerful-free-minecraft-server-in-the-cloud

Couple of points:

  1. Make your account PAYG to lessen likelihood of server being shutdown (will still be free)

  2. Take nightly backups just in case.

You could stump up for a management console like AMP if you want to make things a bit easier.

GL.

[–] No_Dragonfruit_5882@alien.top 1 points 10 months ago (1 children)

Sir, this is a selfhosted subreddit

[–] zfa@alien.top 1 points 10 months ago (1 children)

Lol, you're gonna have your work cut out if you're going around downvoting and saying that on every single comment that ever mentions a VPS.

Hosting your own MC server, no matter where, is a perfectly fine 'self-hosted' counterpoint to using a Microsoft Realms subscription. What ridiculous gatekeeping, lol.

[–] No_Dragonfruit_5882@alien.top 1 points 10 months ago (2 children)

You don't get the "this is a Wendy's" joke, do you?

And I don't vote for shit. Neither positive nor negative.

[–] zfa@alien.top 1 points 10 months ago

Nah, no idea what you're on about. Must be a young man's thing lol.

[–] pnlrogue1@alien.top 1 points 10 months ago

I got the joke, it just fell flat

[–] Rajcri22@alien.top 1 points 10 months ago

If you are willing to put the extra effort in you can try and get aws or Oracle cloud free tier and open ports there and setup some sort of tunneling

[–] krysinello@alien.top 1 points 10 months ago

I just hosted it as a docker container, exposed the ports and setup a white list.

Never had an issue with it. I have a domain already for other stuff I host, so I just created a play..com which can be used behind non-proxied Cloudflare. I have the Docker restrictions pretty limited though, so just enough for it to run basically, and running as a non-root user. I think in most cases this would be fine. The whitelist will stop randoms from joining unless that person's account gets compromised. I also run backups as well just in case something does happen, that roll based on activity. All of these are easily done and available in Docker, making supporting it easy, as well as utilities like RCON etc., which obviously I don't expose.

[–] massimog1@alien.top 1 points 10 months ago

I'm running it inside a Podman container with 16 GB of RAM, with a Velocity proxy etc. Should be ideal.

[–] Drumdevil86@alien.top 1 points 10 months ago

When hosting stuff for friends specifically, I have a firewall rule in place that only allows their DuckDNS addresses to connect to whatever I'm hosting and don't want publicly accessible.

Much safer than a Minecraft whitelist.

[–] alienwaren@alien.top 1 points 10 months ago

How about using ZeroTier? You could omit exposing the server?

[–] TamSchnow@alien.top 1 points 10 months ago

I built a Tailnet and gave them access to my VM running the server.

[–] IllegalD@alien.top 1 points 10 months ago (1 children)

Just make sure you whitelist your server, as there are "groups" out there that scan the entire internet for Minecraft servers running on default/common ports, and grief the shit out of whatever they can.

[–] spanky_rockets@alien.top 1 points 9 months ago (1 children)

This happened to my server last winter, got scanned and some random tried to join the server, luckily I had whitelist enabled.

Changed ports from default and haven’t had a problem since.

[–] IllegalD@alien.top 1 points 9 months ago

Yeah, they're pesky, but I appreciate the ingenuity. They've got custom scanning tools and reporting infrastructure on Discord; one day some of them will make bank away from griefing Minecraft servers heh.
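
Added example (not the commenters' setup): the whitelist rejections described in the exchange above show up in the vanilla server log as one line per attempt, with the client IP, so a sliding-window counter is enough to turn a scanner cycling through usernames into a firewall ban. The log excerpt is constructed in the vanilla log format; the threshold, window and ipset set name are my own assumptions.

```python
"""Turn whitelist rejections in the vanilla log into a ban list.

Added example. The log excerpt is constructed; the threshold, window and
ipset set name are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Vanilla: "[HH:MM:SS] [Server thread/INFO]: Disconnecting <profile> (/ip:port): <reason>"
_REJECT = re.compile(
    r"^\[(?P<ts>\d{2}:\d{2}:\d{2})\] \[Server thread/INFO\]: Disconnecting "
    r"(?:com\.mojang\.authlib\.GameProfile@\w+\[id=[^,]*,name=(?P<name>[^,\]]*)[^\]]*\] )?"
    r"\(/(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+\): "
    r"(?P<reason>You are not white-listed on this server!|Failed to verify username!)$"
)


def find_abusers(lines, threshold=3, window=timedelta(minutes=10),
                 day=datetime(2023, 11, 24)):
    """Return {ip: (time_of_trigger, last_name_tried)} for every source that
    was rejected `threshold` times within `window`. Vanilla logs only a time of
    day, so the caller supplies the date of the log file (`day`)."""
    recent = defaultdict(deque)   # ip -> rejection timestamps inside the window
    banned = {}
    for line in lines:
        m = _REJECT.match(line)
        if not m:
            continue
        ts = datetime.combine(day, datetime.strptime(m["ts"], "%H:%M:%S").time())
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and m["ip"] not in banned:
            banned[m["ip"]] = (ts, m["name"] or "?")
    return banned


def ipset_commands(banned, setname="mc-scanners", timeout=86400):
    """Render the result as ipset commands for a drop rule that references the
    set (assumed set name; adjust to your firewall)."""
    return [f"ipset add {setname} {ip} timeout {timeout} -exist"
            for ip in sorted(banned)]


# Constructed log excerpt: one host walks through usernames, one friend typos
# their own name once, and an unrelated line that must not match.
SAMPLE_LOG = """\
[21:03:11] [Server thread/INFO]: Disconnecting com.mojang.authlib.GameProfile@6f2b1c[id=<null>,name=scanbot01,properties={},legacy=false] (/203.0.113.7:51022): You are not white-listed on this server!
[21:03:40] [Server thread/INFO]: Disconnecting com.mojang.authlib.GameProfile@6f2b1c[id=<null>,name=scanbot02,properties={},legacy=false] (/203.0.113.7:51030): You are not white-listed on this server!
[21:03:52] [Server thread/INFO]: Disconnecting com.mojang.authlib.GameProfile@3a9e0d[id=<null>,name=Nephew_1,properties={},legacy=false] (/198.51.100.9:49152): You are not white-listed on this server!
[21:04:02] [Server thread/INFO]: Disconnecting com.mojang.authlib.GameProfile@6f2b1c[id=<null>,name=scanbot03,properties={},legacy=false] (/203.0.113.7:51041): You are not white-listed on this server!
[21:04:05] [Server thread/INFO]: Nephew1 joined the game
[21:04:30] [Server thread/INFO]: Disconnecting com.mojang.authlib.GameProfile@6f2b1c[id=<null>,name=scanbot04,properties={},legacy=false] (/203.0.113.7:51050): You are not white-listed on this server!
"""

if __name__ == "__main__":
    hits = find_abusers(SAMPLE_LOG.splitlines())
    for ip, (when, name) in hits.items():
        print(f"{ip} tripped at {when:%H:%M:%S} (last name tried: {name})")
    print("\n".join(ipset_commands(hits)))
```

Two caveats: a plain status ping (what most mass scanners send first) is not logged by vanilla at all, so this only catches hosts that actually attempt a login; and a friend who mistypes their name a few times will trip the same threshold, which is why the window is short and the ban carries a timeout rather than being permanent.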

[–] Lasercow5@alien.top 1 points 10 months ago

[–] PhilipLGriffiths88@alien.top 1 points 10 months ago (1 children)

[–] doweactuallycare@alien.top 1 points 9 months ago

Now, if I want to invite friends I just ask them to download the Ziti Desktop Edge, create an identity token for them, making sure they have the attribute #${DEVICE_NAME}.clients so they are authorized, and send it their way.

Wow, so quick and convenient!

Definitely not immediately awkward and dumb.

Dude is spending incredibly large amounts of time and effort when what they wanted was a whitelist and SRV record.

[–] Tim7Prime@alien.top 1 points 10 months ago

I've used tailscale in the past, it's worked great.

If you ever need to remote in to help them set up or configure something, dwservice.net is wonderful and free too

[–] cfarence@alien.top 1 points 10 months ago

I have a custom portal where players login and tell it to whitelist their IP address. This then feeds into a pfsense dynamic list to allow the traffic through the perimeter firewall.

Works fairly well and it’s semi-easy for players to log in. This allows me to have it “open” to the internet and not have it hammered from all over the internet. It doesn’t handle dynamic IPs, but players' public IPs don’t change too regularly most of the time.
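
Added example (not cfarence's portal or Drumdevil86's rule set): an allowlist builder that combines the two source-IP approaches in this thread, friends' dynamic-DNS hostnames resolved on each run and self-registrations from a login portal kept with an expiry. It emits one address per line, which is the shape a pfSense URL Table alias fetches or an ipset/nft set can load. The hostnames, resolver and registrations are assumptions; the sample addresses are RFC 5737 documentation ranges, which is why the code carries its own denylist instead of relying on `ipaddress`'s `is_global` (that would reject them).

```python
"""Build a source-IP allowlist from DDNS hostnames plus portal registrations.

Added example. Hostnames, resolver and registrations are constructed; the
sample addresses are RFC 5737 documentation ranges."""
from __future__ import annotations
import ipaddress
import socket
import time

# Ranges a player can never legitimately register from the public Internet.
_NEVER = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]


def _public_host(addr: str):
    """Accept only a single IPv4 host address outside the denylist. Network
    strings such as '0.0.0.0/0', private/CGNAT ranges and garbage are rejected,
    so a bug in the portal can never open the port to the world."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    if ip.version != 4 or any(ip in net for net in _NEVER):
        return None
    return ip


def resolve_ddns(hostnames, resolver=socket.gethostbyname) -> dict[str, str]:
    """{ip: hostname} for every name that currently resolves to a usable
    address. `resolver` is injectable so the build can run without DNS."""
    found = {}
    for host in hostnames:
        try:
            ip = _public_host(resolver(host))
        except OSError:           # NXDOMAIN, timeout: skip this friend for now
            continue
        if ip:
            found[str(ip)] = host
    return found


class Registrations:
    """Portal self-registrations. Each player holds at most one address, so a
    compromised account can add one IP rather than a list, and entries expire
    after `ttl` seconds so a stale address does not stay open forever."""

    def __init__(self, ttl: int = 7 * 24 * 3600):
        self.ttl = ttl
        self._by_player: dict[str, tuple[str, float]] = {}

    def register(self, player: str, addr: str, now: float | None = None) -> bool:
        ip = _public_host(addr)
        if ip is None:
            return False
        now = time.time() if now is None else now
        self._by_player[player] = (str(ip), now + self.ttl)
        return True

    def active(self, now: float | None = None) -> dict[str, str]:
        now = time.time() if now is None else now
        self._by_player = {p: v for p, v in self._by_player.items() if v[1] > now}
        return {ip: p for p, (ip, _) in self._by_player.items()}


def build_allowlist(hostnames, regs: Registrations,
                    resolver=socket.gethostbyname, now: float | None = None) -> str:
    """One address per line, sorted, ready to be served to the firewall."""
    entries = resolve_ddns(hostnames, resolver) | regs.active(now)
    return "".join(f"{ip}\n" for ip in sorted(entries, key=ipaddress.ip_address))


if __name__ == "__main__":
    # Constructed: a fake resolver stands in for real DuckDNS lookups.
    fake_dns = {"alice.duckdns.org": "198.51.100.23", "bob.duckdns.org": "10.0.0.5"}
    regs = Registrations(ttl=3600)
    regs.register("carol", "203.0.113.77", now=0)
    regs.register("dave", "0.0.0.0/0", now=0)      # rejected: not a host address
    print(build_allowlist(fake_dns, regs, resolver=fake_dns.__getitem__, now=60), end="")
```

Serve the output of `build_allowlist` from a URL the firewall polls, with the portal writing registrations after the player has authenticated. Bear in mind what this does and does not give you: it keeps the port invisible to everyone else, but players behind the same carrier-grade NAT share a public address, and as the comment notes an address change means re-registering; the Mojang login and whitelist still have to do the actual authentication.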

[–] SnooOpinions9543@alien.top 1 points 10 months ago

Mine is forwarded via Caddy through a Google Domains domain. Whitelist for friends and family.

[–] kevdogger@alien.top 1 points 10 months ago

Latency is a real issue. I've run Minecraft servers at home and through DigitalOcean. Latency is real, particularly with a lot of players. I kind of gave up after my son kind of graduated out of the Minecraft phase. I did an inordinate amount of tweaking. Looking back... I probably would not do it again.

[–] foefyre@alien.top 1 points 10 months ago

I have my servers port-forwarded but sitting in their own VLAN.

[–] MasterGlassMagic@alien.top 0 points 10 months ago

There is no such thing. Minecraft hackers are brilliant. DMZ that thing, maybe use a VPS, run backups constantly, vet your server plug-ins. Backdoors on Minecraft servers are downright routine.