I just setup a minecraft server on an old laptop, but to make it acessible i needed to open up a port. Currently, these are the ufw rules i have. when my friends want to connect, i will have them find their public ip and ill whilelist only them. is this secure enough? thanks

`Status: active

To Action From


22/tcp ALLOW Anywhere Anywhere ALLOW my.pcs.local.ip`

also, minecraft is installed under a separate user, without root privlege

  • slazer2au@lemmy.world
    link
    fedilink
    English
    arrow-up
    6
    arrow-down
    1
    ·
    3 months ago

    assuming they are not behind a CGN whitelisting your mates place should be OK. But I would also move SSH away from a well known port. In the event something happens to the whitelist, crawlers will not jump on you straight away.

      • ShortN0te@lemmy.ml
        link
        fedilink
        English
        arrow-up
        8
        arrow-down
        2
        ·
        3 months ago

        no. The default port is fine. Changing the default port does nothing for security. It only stops some basic crawler, when you are scared by crawler, then you should not host anything on the internet.

        • fahfahfahfah@lemmy.billiam.net
          link
          fedilink
          English
          arrow-up
          6
          arrow-down
          2
          ·
          3 months ago

          The volume on 22 will be a lot higher than a non default port. With 22 open my router was basically getting DDOS’d at times

          • teawrecks
            link
            fedilink
            English
            arrow-up
            5
            arrow-down
            1
            ·
            3 months ago

            Agreed. Anyone who thinks it’s ok to just expose ssh on 22 to the internet has never looked at their logs. The port will be found in minutes, and be hammered by thousands of login attempts by multiple bots 24/7. Sure you can block repeat failed logins, but that list will just always be growing.

          • ShortN0te@lemmy.ml
            link
            fedilink
            English
            arrow-up
            2
            ·
            3 months ago

            Then using something like fail2ban to block bad acting connections is far more effective and you even get a security benefit out of it.

            Also, when a few scripts try to connect via ssh DDOS your router then something is messed up. Either a shitty router from 20 years ago or you have a Bandwidth lower than 100kbps.

        • just_another_person@lemmy.world
          link
          fedilink
          English
          arrow-up
          2
          arrow-down
          1
          ·
          3 months ago

          It’s not fine. Easiest way to rack up utilization on your server is getting hits on all the default service ports. Change that port to any unprivileged port to avoid that somewhat. Not every bot crawler is doing port scans on random non-commercial and unidentified IP space.

          What you’re describing is security through obscurity, but switching from the default port has other benefits like the above.

          • ShortN0te@lemmy.ml
            link
            fedilink
            English
            arrow-up
            1
            arrow-down
            1
            ·
            3 months ago

            Getting “hit” is nothing to worry about by automated scripts. All it does is keep your logs a little bit cleaner. Any attack you should actually worry does not care if your ssh is running on 22 or 7389.

      • slazer2au@lemmy.world
        link
        fedilink
        English
        arrow-up
        4
        arrow-down
        1
        ·
        3 months ago

        Might throw some off but that is NetBios and things will totally go for that because Windows is terrible for security.

        All my stuff avoids anything below 1000 or that ends in 22 because most people will just go 2222 or 1022. pick a random number between 1001 and 65000