I just setup a minecraft server on an old laptop, but to make it acessible i needed to open up a port. Currently, these are the ufw rules i have. when my friends want to connect, i will have them find their public ip and ill whilelist only them. is this secure enough? thanks
`Status: active
To Action From
22/tcp ALLOW Anywhere Anywhere ALLOW my.pcs.local.ip`
also, minecraft is installed under a separate user, without root privlege
if I were you, I would do IP whitelisting at the firewall instead of or besides the Minecraft server
This might also become a hassle since basically all residential connections (likely of OPs friends) have dynamic IPs - if someone wants to join while OP is away, but their IP has changed since their last connection, now they have to wait on OP to update the firewall rules.
Apart from getting your MSA token stolen, there’s not really much that can get around server login (yet). All online-mode logins pass through Microsoft (part of the reason why Xbox service outages seem to affect Minecraft so much).
If your friends all individually seem to stay within some certain IP ranges (ex, first handful digits always stay the same, 12.34.56.xx), then I’d say go ahead with whitelisting them fully (ex, 12.34.56.xx --> 12.34.56.0/24, CIDR notation). If they jump around unpredictability, I would stick with the username-based whitelisting and online-mode-only.
This might also become a hassle since basically all residential connections (likely of OPs friends) have dynamic IPs - if someone wants to join while OP is away, but their IP has changed since their last connection, now they have to wait on OP to update the firewall rules.
Apart from getting your MSA token stolen, there’s not really much that can get around server login (yet). All online-mode logins pass through Microsoft (part of the reason why Xbox service outages seem to affect Minecraft so much).
If your friends all individually seem to stay within some certain IP ranges (ex, first handful digits always stay the same, 12.34.56.xx), then I’d say go ahead with whitelisting them fully (ex, 12.34.56.xx --> 12.34.56.0/24, CIDR notation). If they jump around unpredictability, I would stick with the username-based whitelisting and online-mode-only.
maybe a wireguard network is the way to go then, of course without being configured as the default destination for everything. there IPs are always fixed, but at that point you don’t even need a firewall