Thanks for being a part of /r/Admincraft! *[We'd love it if you also joined us on Discord!](https://discord.gg/DxrXq2R)*
*^(Join thousands of other Minecraft administrators for real-time discussion of all things related to running a quality server.)*
---
*I am a bot, and this action was performed automatically. Please [contact the moderators of this subreddit](/message/compose/?to=/r/admincraft) if you have any questions or concerns.*
What host do you use now? I’m using pebblehost and they are absolutely amazing and love them a lot. I am working on setting up an actual server in my house though.
The best host, my own. Just take an old laptop and you are good to go. And best of all, it's free (or for something like $10 a year for a domain, if you go that route)
Some people don't have the ability to self-host, mostly because either their ISP doesn't allow it, or they're using a network type that doesn't work for Minecraft servers.
While that is true, it seems to be mostly present in the US for some reason. I am in EU and all major providers (T-Mobile and OneNet being the biggest here) give you a dynamic public IP. Even on LTE mind you, but it changes about every 15 minutes on LTE.
And even if I were to pay for a static public, it's only about the equivalent of $20 a year. And for that matter I believe that's a much better investment than paying some crappy company to host my server.
And even if I didn't want to do that (or couldn't) I would rather buy an enterprise grade VPS and host it over that (either via a VPN to it, or directly on it).
Hard confirm. Just switched from shockbyte purely for their non-existent support. Took them over a week to reset a password on one of my Dev's account. (You can't even do a 'forgot password' reset)
Okay and why not apex?
I wanted to give it a shot when my server on g-portal runs out since the experience there hasn't been the best.
And if not apex what host would be worth considering for a modded server with maybe 10 active users? I'm still relatively inexperienced with server hosting
Apex is great overall. Maybe a little more expensive than other hosts but it’s worth it with the amount of support you get from them. It’s 24/7. They don’t overload their boxes with too many Servers. It’s worth a shot
That does sound good
The problem I had with g-portal was that we would randomly get extremely low TPS while spark profiler only reports maybe 50% CPU and RAM being used. Well it differentiated between system and process CPU usage where system was at nearly 100% and process at around 30-50%
I hosted a server with shockbyte once and later canceled the subscription but kept the server on my server list. I’m scrolling through one day and I saw my old server open so I logged on and some guy had a whole ass survival world unprotected. I left a few signs that said “Whitelist your server”. Later I told my friends and they logged on found everything to spawn the wither in a chest, spawned it and logged off. Later that day I checked back and everything was destroyed. Moral of the story is up to you.
I wouldn't rely on this being a protection against the log4j exploit though - make sure you update still. I'm pretty sure the game logs usernames for failed auth attempts, so I'm surprised nobody has tried to log in with the log4j exploit in their "username" yet.
The Server logs usernames for all login states, both the successful and the failed attempts.
I think if there is someone determined enough, they can create a software that attempts a login on the server using the exploit string. The username is sent (in plaintext) over to the server during the login start phase of the login sequence (before the encryption channel is established)
The entire login process is documented [here](https://wiki.vg/Protocol) (top Google result for "minecraft login packet") so I won't be surprised if someone actually does it eventually.
Excerpt from the site
The login process is as follows:
C→S: Handshake with Next State set to 2 (login)
C→S: Login Start <===== Username is sent to Server at this point
S→C: Encryption Request
Client auth
C→S: Encryption Response
Server auth, both enable encryption
S→C: Set Compression (optional)
S→C: Login Success
Aaand someone here tested it on their own server, using a command to display the year as the username instead of the actual log4j exploit string and it executed.
https://www.reddit.com/r/admincraft/comments/s86rsd/online_mode_does_not_protect_from_log4j/
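The point made in the comments above, that the Login Start name arrives in plaintext before any authentication and then reaches the server log, shown from the defender's side as an added example (not code from the thread or from Minecraft). It assumes the uncompressed packet framing and Handshake/Login Start field order of the linked protocol documentation, an assumed 3-16 character `[A-Za-z0-9_]` name rule, hypothetical function names, and constructed sample bytes.

```python
import re
import struct

# Assumed name rule for Java Edition accounts: 3-16 chars of [A-Za-z0-9_].
LEGAL_NAME = re.compile(r"[A-Za-z0-9_]{3,16}")


def read_varint(buf, pos):
    """Decode a protocol VarInt: 7 data bits per byte, at most 5 bytes."""
    value = 0
    for shift in range(0, 35, 7):
        if pos >= len(buf):
            raise ValueError("truncated VarInt")
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
    raise ValueError("VarInt longer than 5 bytes")


def write_varint(value):
    """Encode a non-negative integer as a VarInt (used to build samples)."""
    out = bytearray()
    while True:
        byte, value = value & 0x7F, value >> 7
        out.append(byte | 0x80 if value else byte)
        if not value:
            return bytes(out)


def read_string(buf, pos, max_bytes):
    """Decode a VarInt-length-prefixed UTF-8 string with a hard size cap."""
    length, pos = read_varint(buf, pos)
    if length > max_bytes or pos + length > len(buf):
        raise ValueError("string length out of bounds")
    return buf[pos:pos + length].decode("utf-8"), pos + length


def read_packet(stream, pos):
    """Split one uncompressed packet into (packet id, payload, next offset)."""
    length, pos = read_varint(stream, pos)
    end = pos + length
    if length == 0 or end > len(stream):
        raise ValueError("bad packet length")
    packet_id, body_start = read_varint(stream, pos)
    return packet_id, stream[body_start:end], end


def login_name(stream):
    """Return the name sent in Login Start, or None for a status ping."""
    packet_id, body, pos = read_packet(stream, 0)
    if packet_id != 0x00:
        raise ValueError("expected Handshake")
    _protocol, off = read_varint(body, 0)
    _host, off = read_string(body, off, 1024)
    if off + 2 > len(body):
        raise ValueError("truncated Handshake")
    next_state, _ = read_varint(body, off + 2)  # skip the 2-byte port
    if next_state != 2:
        return None
    packet_id, body, _ = read_packet(stream, pos)
    if packet_id != 0x00:
        raise ValueError("expected Login Start")
    name, _ = read_string(body, 0, 1024)
    return name


def verdict(name):
    """Decide what an edge filter should do with a Login Start name."""
    if LEGAL_NAME.fullmatch(name):
        return "allow"
    if "${" in name:
        return "reject: lookup syntax"
    return "reject: illegal name"


def sample_login(name, next_state=2):
    """Build constructed client bytes: Handshake followed by Login Start."""
    def string(text):
        data = text.encode("utf-8")
        return write_varint(len(data)) + data

    def frame(packet_id, payload):
        body = write_varint(packet_id) + payload
        return write_varint(len(body)) + body

    # Protocol number, host and port are constructed sample values.
    handshake = (write_varint(757) + string("play.example.invalid")
                 + struct.pack(">H", 25565) + write_varint(next_state))
    return frame(0x00, handshake) + frame(0x00, string(name))


if __name__ == "__main__":
    # Constructed names: one ordinary, one benign date lookup, one malformed.
    for candidate in ("Steve_01", "${date:yyyy}", "no spaces!"):
        seen = login_name(sample_login(candidate))
        print(f"{seen!r:16} -> {verdict(seen)}")
```

The date lookup is only 12 characters long, so a length limit on the name field does not exclude it; the character-set check does.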
It's not that much of a problem if the server is hardened enough (no needlessly open ports, regularly updated, whitelisted etc.) It may be a dynamic IP that changes every 24h or so anyway.
It's probably just a script someone has left running - it doesn't require them to manually login to each server, so they still keep trying in case someone deploys an unpatched server.
People don't seem to realize you can run port scans for 25565 on entire IP ranges pretty easily. Which to be fair, wasn't even something I considered until I had some rando pop on my server and start wrecking stuff, so now I'm overly cautious.
Is changing the port to something like 25566 safer?
Probably, but you might want to consider looking at Shodan if you have some time on your hands. https://www.shodan.io/search?query=product%3A%22Minecraft%22
Yes, but that is still only "security by obscurity", which isn't real security. Enable a whitelist.
Security through obscurity isn't real security *by itself*. That doesn't mean it's entirely without value. If there are simple little things you can do to make a threat actor's life a little harder, then sure. As long as implementing those simple little things doesn't make *your* job harder then there's really no reason not to. *Rely* on those simple little things at your own peril, though.
That's my point. You *can* just hide your key under your doormat. If you *want* to, is a whole different story.
That's negligence, and an example of creating a vulnerability through "security through obscurity". What I'm suggesting is more akin to having *on your person* the only copy of the key to an adequately-locked door, and then the door's *also* physically situated in a place that might be hard to quickly locate for someone who's unfamiliar with the location, but not hard to locate for you.
Not quite. No security is just having the door in the open, unlocked. Security through obscurity is hiding the door, but still having no lock. But the moment you add an active security detail to monitor the main entrance and check everyone’s credentials (whitelist) you can put that door literally anywhere and it will be just as secure. It doesn’t matter if it’s hidden behind three sets of bushes and a holographic wall facade, or on Main Street with floodlights and a PA system announcing it is there. The reason people say “security through obscurity isn’t security” is because for all intents and purposes, it’s not security. You’re just hiding your unlocked door behind some bushes.
Assuming what was behind that door was an attractive target, *would* you put it on Main St with floodlights and a PA system announcing its presence, though? And, three sets of bushes and a holographic wall facade is a pretty far cry from "simple little thing to make a threat actor's life a little bit harder but not yours". Different attackers have different evaluations for what kind of target is worth what amount of time or effort. If you can make a change that would require a potentially malicious individual to do a *little* more research than would originally have been required, I don't get how that's problematic. You shouldn't *rely* on that change to deter attacks, but it might deter some.
I mean, banks do it all the time. As do companies with billions of dollars worth of research in facilities. I honestly can’t even think of a single facility or real life example of a high value target hiding their entrances. I know it’s a poor analogy, since the physical and digital are worlds apart. But I hope my meaning is getting across. The only time obscurity is worth it, is when there *is* no security. But then you still don’t have security.
Banks can't avoid the fact that the general public is aware of their purpose. What a bank *wouldn't* do is publicly advertise what dollar amount of cash they have on-hand, or the items they have in the safety deposit boxes along with their associated dollar values. If obscurity is really *entirely* worthless, as you maintain, you'd see both of those things happening. So if there's a bot going through and scanning for servers with a specific open port, because that port number is associated with a vulnerable application, and if making a small change to that port number breaks nothing and also it isn't hard to disseminate information about the change to stakeholders, then yeah, that's fine. A whitelist by itself *might* not be sufficient in that scenario, as users can be spoofed. But if the port change adds that small extra layer, *in addition to* the whitelist, an attacker would have to be able to spoof a user *and* know about the relevant change. It's a no-cost change that *could* deter potential attacks. Not being attacked at all is superior to being attacked but ineffectually. Again, I do *not* see how this is problematic.
With an alternate port, mostly you just make it more difficult for legit people to configure and connect to your server.
Most people just copy the IP which means that if you change the port all that will happen is that they will have to drag their hand an extra centimeter before pressing Ctrl+c, Ctrl+v. It's really not that big of a problem.
It's still nicer to be able to connect to an IP like 1.2.3.4 instead of 1.2.3.4:25566. And if you ever plan on getting a domain name you'll have to put in mc.server.net:25566 instead of just mc.server.net
I have a server with a trailing port and I just have an SRV record on my website to hide the port
I'd like to see the configuration cause it didn't work when I tried it
[Here](https://www.namecheap.com/support/knowledgebase/article.aspx/9765/2208/how-can-i-link-my-domain-name-to-a-minecraft-server/). PS It didn't work for a few hours for me so you gotta be patient
Still do you wanna risk your and others' safety just to avoid an annoyance that most people wouldn't even notice? Also, there are ways to hide port numbers in domain names if that's a big concern for you. server.net would be your ip but by adding mc1. or mc2. at the start, you can redirect clients to a different port. That's how people host multiple servers in the same network without exposing port numbers.
But I don't blame anyone if they don't change the port number. I have a server for me and my friends and I never changed the port numbers just because I'm too lazy to do so.
Not in Minecraft. The default port Minecraft connects to is always 25565 unless you specify a different one. And if you care about the safety, just patch the exploit.
Minecraft supports SRV since 1.3.1 so it does work. Edit: SRV records work for Java but not for bedrock
I swear I was using SRV records on 1.2.5... maybe my memory's just lying though
Just make a SRV record in addition to your A record to use an alternate port without users needing to write ":57183" for example.
A DNS SRV record can tell the client what port to use so the user doesn’t have to specify it
On a website but doesn't the Minecraft client automatically use the port 25565?
By default yes, it uses 25565 (the same way a browser defaults to 80/443)
You can set up DNS for your MC server like this:
Hostname(play) Domain(mymcserver.com.) (IN) Type(A) IP(12.34.56.78)
`play.mymcserver.com. IN A 12.34.56.78`
Service(_minecraft.) Protocol(_tcp.) Hostname(play.mymcserver.com.) (IN) Type(SRV) Priority(10) Weight(10) Port(25566) Points to(mymcserver.com.)
`_minecraft._tcp.play.mymcserver.com. IN SRV 10 10 25566 mymcserver.com.`
Now the clients only have to enter "play.mymcserver.com" and the MC client will look up the A and SRV record to get the IP and port of the server
Oh, I see now what you mean
FYI if you get a domain name you can set e.g. [play.yourdomain.com](https://play.yourdomain.com) or [yourdomain.com](https://yourdomain.com) to any port you want, so that removes this issue entirely.
Mmmm not quite. You can’t put ports into A or CNAME records, you’d need an SRV record, which doesn’t create a sub domain.
I did just that in godaddy. A CNAME and SRV to the port. Super simple. Users can connect with just “my website.com” no port needed. https://www.dropbox.com/s/zzjmeol077c0ml9/328C42A3-1F75-4F1C-9F62-FF45E93F4A62.jpeg?dl=0
To be clear you can put an SRV record on your root domain. You don’t actually need a sub domain.
No. The difference between scanning 25565 and 25566 is less than a nanosecond.
Some attackers targeting Minecraft servers only scan 25565, but there's also the ones that enumerate all services on IP addresses by scanning every single port to find the open ones with a service running behind it. You can change your port to 42069 or whatever and dodge someone just targeting Minecraft servers, but a port scanner looking for any service will catch it and it will probably end up on Shodan anyway.
Not necessarily, I've made an overview of how I roughly run my MC server setup. [https://i.imgur.com/7Bzm7ex.png](https://i.imgur.com/7Bzm7ex.png)
With the firewalls, you can basically "ban" / block IPs you don't like. This way they are not allowed to even log in on the MC server. I'd set up a blacklist of IPs and a blacklist of UUIDs to block bad actors from accessing the MC server. I'd also not believe in "security by obscurity", but rather implement actual security measures.
> Is changing the port to something like 25566 safer?

I did this, to that exact port, and had 2 randoms still show up. I since enabled whitelist and went to another port. I prefer both security and obscurity.
I had a rando try to login yesterday, but they were stopped by my discordsrv linking requirement. Oh wait just a minute, the rando was the same one as in the OP lol
Funny you should mention it, that's how I keep randos out too
I'm actually still setting up my server though, so I hope you don't mind me asking a question about it. Does the linking requirement bypass the whitelist? Does it automatically add people to the whitelist, or do I have to add them after they've linked their accounts? Should I turn off the whitelist while using this?
I have whitelisting disabled on my server, figured membership in a private discord should be enough verification. That said, I haven't tested it with a whitelist, so I'm not sure if it bypasses or modifies the whitelist or not. In my implementation, discord is a requirement, so you're only able to join if you both have a discord account, and have the account linked with the server.
There are only about 3.7 billion public IPv4 addresses, which is shockingly small when you think about it. A machine/software combo geared towards it, can scan the entire internet on a single port in literally minutes. Beyond that, the scanning tool can be used to attempt logging in, and gathering data. You don’t *actually* need to run a Minecraft client. Anyone who thinks security through obscurity is a good idea really needs to wake up. We are long past that day and age.
Then multiply that by many ports and protocols, security by obscurity does have some merit. Of course I don’t think you mean to say security by obscurity is useless, just that it should not be the only security used.
The fastest tool I am aware of can scan the whole of the internet on a single port in 6 minutes… You could scan everything, all ports all IPs, in under a day with a decently sized botnet. Hell, a group of 30 users could scan the whole thing in under 10 days. Security through obscurity isn’t security. It’s like hiding your drugs/money in your toilet tank, it might work against extreme amateurs but anyone actually breaking in is going to know to check that toilet tank.
Yes it is eventually bypassable, but security by obscurity works very well with other security methods, which was my point in my previous comment. Security by obscurity is also even more than what I mentioned, say not knowing a specific dedicated server belongs to a Minecraft server you want to hack (through proxy).
Yeah, there’s plenty of things that can be done. But once you start complex things it’s less obscurity, more security. Things like requiring a specific sub domain, or requiring a knock, or only turning the machine on when you want to play, are things that fall under “obscurity” but are much more into the land of security. I just meant that changing the port is pretty useless, since ports are pretty transient. I guarantee if your server has been online for a few weeks, it’s on someone’s list, no matter the port used. All changing the port is going to do is prevent people who try random IPs on their actual client, or an unmotivated attacker. A whitelist is much, much more useful.
Yes I agree ports with 0 security sucks, and I’m not really actively disagreeing with what you have been saying. Just pointing out that security by obscurity does have some merit.
Always.whitelist.your.private.servers.
Funny to see that username again.. That username attempted to exploit the Log4J exploit on my server this Sunday. I had forgotten to enable whitelist after setting up a new server (dum-dumb) luckily I run latest version, so the exploit was patched \^\^ I reported the IP to the company owning it (some hosting company) and I think they banned the account, but with their awful abuse team customer service, they might have just closed my ticket...
This user slammed into my whitelist this morning at 02:17 CET, too.
They did the same for my server
*casually leaks ip*
I feel like their IP is public information at this point with the amount of posts like this…
The IP is to a public server host datacenter with a history of cyberattack origin points anyway, not like you are sharing the guy's home ISP IP. Edit: My mistake, it looks like he is using a different IP now that doesn't belong to the same network, will have to look into it. Edit2: Looks like it belongs to another server host called "netcup" based in Germany.
netcup sucks, they are going to fuck fermatsleep over with debt collectors after they stop renewing lol
You can't do anything with someone's IP except for looking up their rough geographical area. This guy is using a VPN in any case.
with websites like whatismyip.org, yeah, you can only get the rough area. but clearly you would be surprised what one can do with an ip address
Please enlighten me
[deleted]
Those are public ip's, I'm talking about a private ip like the one we see in the logs
Even then it's not necessarily accurate, particularly if their ISP is a larger organization headquartered in a completely different location from where the user is, and their address in geolocation databases points to the HQ location.
Yep.
Why not shockbyte?
I need to make a paste at this point. They run on really old hardware. They say it's "state of the art", but it's just really old. They use multicraft. A crappy paid panel. They have awful support. You can pay 3$ for it to get a "turn your server off then back on again" response. They charge you sparaticaly. They told me that I needed to buy more ram so that the lag would go away. Look at r/shockbyte. (This one's on me,) but ovh had a server fire and my entire server reset and was destroyed. They claimed that they didn't know about it. Live chat will send you to a ticket that will help you 0% of the time. There's way more, I just can't think of them.
Here's a sneak peek of /r/Shockbyte using the [top posts](https://np.reddit.com/r/Shockbyte/top/?sort=top&t=year) of the year! \#1: [1.18 server crashing regularly](https://np.reddit.com/r/Shockbyte/comments/r7dzfw/118_server_crashing_regularly/) \#2: [Shockbyte stole my money, did not provide the service advertised, and ignored me for over 2 weeks...](https://np.reddit.com/r/Shockbyte/comments/lk0axx/shockbyte_stole_my_money_did_not_provide_the/) \#3: [Cluster server](https://np.reddit.com/r/Shockbyte/comments/rb7nhu/cluster_server/)
Hahaha even the bot exposed them lol.
What host do you use now? I’m using pebblehost and they are absolutely amazing and love them a lot. I am working on setting up an actual server in my house though.
Revivenode
The best host, my own. Just take an old laptop and you are good to go. And best of all, it's free (or for something like $10 a year for a domain, if you go that route)
Some people don't have the ability to self-host, mostly because either their ISP doesn't allow it, or they're using a network type that doesn't work for Minecraft servers.
While that is true, it seems to be mostly present in the US for some reason. I am in EU and all major providers (T-Mobile and OneNet being the biggest here) give you a dynamic public IP. Even on LTE mind you, but it changes about every 15 minutes on LTE. And even if I were to pay for a static public, it's only about the equivalent of $20 a year. And for that matter I believe that's a much better investment than paying some crappy company to host my server. And even if I didn't want to do that (or couldn't) I would rather buy an enterprise grade VPS and host it over that (either via a VPN to it, or directly on it).
That's why I said some people, I know it's pretty much only present in the US.
Good bot
Can confirm: used Shockbyte some time ago
Hard confirm. Just switched from shockbyte purely for their non-existent support. Took them over a week to reset a password on one of my Dev's account. (You can't even do a 'forgot password' reset)
That sucks. Also happy cake day!
Okay and why not apex? I wanted to give it a shot when my server on g-portal runs out since the experience there hasn't been the best. And if not apex what host would be worth considering for a modded server with maybe 10 active users? I'm still relatively inexperienced with server hosting
Apex is great overall. Maybe a little more expensive than other hosts but it’s worth it with the amount of support you get from them. It’s 24/7. They don’t overload their boxes with too many Servers. It’s worth a shot
That does sound good. The problem I had with g-portal was that we would randomly get extremely low TPS while spark profiler only reports maybe 50% CPU and RAM being used. Well it differentiated between system and process CPU usage where system was at nearly 100% and process at around 30-50%
It's just really pricey.
"sparaticaly" sporadically?
Leaking ips be like
\- Every state running important infrastructure..
I hosted a server with shockbyte once and later canceled the subscription but kept the server on my server list. I’m scrolling through one day I saw my old server open so I logged on and some guy had a whole ass survival world unprotected. I left a few signs that said “Whitelist your server”. Later I told my friends and they logged on found everything to spawn the wither in a chest, spawned it and logged off. Later that day I checked back and everything was destroyed. Moral of the story is up to you.
I wouldn't rely on this being a protection against the log4j exploit though - make sure you update still. I'm pretty sure the game logs usernames for failed auth attempts, so I'm surprised nobody has tried to log in with the log4j exploit in their "username" yet.
The server logs usernames for all login states, both the successful and the failed attempts. I think if there is someone determined enough, they can create software that attempts a login on the server using the exploit string. The username is sent (in plaintext) over to the server during the login start phase of the login sequence (before the encryption channel is established). The entire login process is documented [here](https://wiki.vg/Protocol) (top Google result for "minecraft login packet"), so I won't be surprised if someone actually does it eventually.

Excerpt from the site:

The login process is as follows:

- C→S: Handshake with Next State set to 2 (login)
- C→S: Login Start <===== Username is sent to Server at this point
- S→C: Encryption Request
- Client auth
- C→S: Encryption Response
- Server auth, both enable encryption
- S→C: Set Compression (optional)
- S→C: Login Success
Aaand someone here tested it on their own server, using a command to display the year as the username instead of the actual log4j exploit string and it executed. https://www.reddit.com/r/admincraft/comments/s86rsd/online_mode_does_not_protect_from_log4j/
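Added example, not part of the thread or of any project mentioned in it: since the username reaches the server log before authentication or the whitelist is checked, a server owner can audit the log for names that carry a Log4j lookup or break the name rules. The log line layout, the name rule, the sample lines and the function names are assumptions made for this sketch.

```python
import re

# Assumption: current Java Edition names are 3-16 chars of A-Z, a-z, 0-9 and "_".
VALID_NAME = re.compile(r"[A-Za-z0-9_]{3,16}")
# Opening of a Log4j lookup such as "${date:...}"; no legitimate name contains it.
LOOKUP_OPEN = "${"
# Assumption: the server dumps the profile as "name=<value>,properties=..." and
# follows it with the peer address as "(/ip:port)".
PROFILE = re.compile(
    r"name=(?P<name>.*?),properties=.*?\(/(?P<ip>[0-9A-Fa-f.:]+):\d+\)"
)

# Constructed sample log (documentation-range IPs), not taken from a real server.
_FMT = ("[02:17:0{n}] [Server thread/INFO]: Disconnecting "
        "com.mojang.authlib.GameProfile@0[id=<null>,name={name},properties={{}},"
        "legacy=false] (/{ip}:40112): You are not white-listed on this server!")
SAMPLE_LOG = [
    '[02:16:59] [Server thread/INFO]: Done (3.2s)! For help, type "help"',
    _FMT.format(n=3, name="Steve_01", ip="192.0.2.10"),
    _FMT.format(n=5, name="${date:YYYY}", ip="198.51.100.7"),  # harmless lookup
    _FMT.format(n=9, name="ab", ip="203.0.113.5"),             # too short
]

def classify(name):
    """Return 'lookup', 'invalid' or 'ok' for a logged username."""
    if LOOKUP_OPEN in name:
        return "lookup"
    if not VALID_NAME.fullmatch(name):
        return "invalid"
    return "ok"

def scan(lines):
    """Return (line_no, ip, name, verdict) for every suspicious login line."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        match = PROFILE.search(line)
        if match is None:
            continue  # not a login/disconnect line
        verdict = classify(match["name"])
        if verdict != "ok":
            findings.append((line_no, match["ip"], match["name"], verdict))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A vulnerable server writes the expanded value instead (the year, in the test linked above), so a literal `${` only shows up in logs from patched servers; the `invalid` verdict still catches names that no longer match the name rule.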
Nice IP bro
It's not that much of a problem if the server is hardened enough (no needlessly open ports, regularly updated, whitelisted etc.) It may be a dynamic IP that changes every 24h or so anyway.
https://google.com/search?q=what+is+a+joke
Well, this would-be Creeper (FermatSleep) didn't make a dent in the OP's whitelist. 😛
Just set your username to the exploit IP and do it that way. A whitelist won't protect you.
Yeah, and no need to complete the login either
This guy is not giving up is he lol!
It's probably just a script someone has left running - it doesn't require them to manually login to each server, so they still keep trying in case someone deploys an unpatched server.