My nephews really enjoy Minecraft and so for Christmas, I want to give them a server for us all to play on (of course, self-hosted). The issue is that I’ve only got a vague idea about how one can safely self-host it; any ideas are greatly appreciated.

The safer way that I’d personally do something like this would be to VPN into my homelab (WireGuard + DuckDNS) and access the server that way. For practical reasons that’s not going to fly… I’d like to connect to the game server from anywhere, with any account, and without a VPN. This will make it accessible to the kids.

When one adds a server in Minecraft, it seems like they specify a FQDN:Port (MySite.com:25565). I could punch port forwards in my firewall and call it a day, but this seems insecure. Going forward I’m not going to forward any ports without some layer of encryption or authentication on the other side (seems like the latest best practice).

Cloudflare Zero Trust sounded like the ideal solution, notably because it’s free, but also that it has intrinsic protection against DoS attacks. This isn’t self-hosted though, and to properly utilize this, I would need to purchase my own domain name (not opposed to that, just an extra cost).

How do you guys architect your services to be secure while also being broadly accessible on the Internet? I imagine it’s a similar tale for self-hosting a website, just in this case it’s a Minecraft server. Thanks much.

  • navigatron@beehaw.org
    1 year ago

    In networking, you generally either have an authentication mechanism, or you don’t.

    It sounds like you don’t have “control” (can install a VPN) on the client devices. This makes authentication difficult. We need some aspect of the client that the server can use to make a decision.

    Without touching the client, there are only really two details we can use - the source IP address of the client, and the port that they are connecting to.

    If a client wants to connect to the default Minecraft port, it could be a scanner - but if it’s non-default, then the probability of being a scanner is much lower.

    A firewall to do geo-based IP blocking will also cut down significantly on noise.

    After that, Minecraft’s built-in authentication is pretty good.

    With all of the above, we would know that the connector is coming from an allowed location, knows to ask for your non-standard port number, and has a valid Minecraft account - that sounds pretty good to me.

    And if you’re running a cracked server, there are other assorted tricks to avoid bots. I ran an open-to-the-world, default port, no auth server for some time; and probably ran into a single robot. Thankfully I shut things down before log4j.
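
The comment above names the client's source IP as one of the signals the server side can act on. As an added example (not part of the thread), this Python sketch audits server login lines against a network allowlist, so you can see whether an IP or geo filter is actually holding. The log format (vanilla-style `logs/latest.log`, IPv4 only), the allowlist and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumption: vanilla-style login line. Anchoring on the log prefix means a chat
# message that merely contains "Name[/ip:port] logged in" is not counted.
LOGIN_RE = re.compile(
    r"^\[\d\d:\d\d:\d\d\] \[Server thread/INFO\]: "
    r"(?P<player>\w{1,16})\[/(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+\] logged in"
)

# Hypothetical allowlist standing in for a geo-IP policy (documentation range).
ALLOWED_NETS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed sample log lines, not taken from a real server.
SAMPLE_LOG = """\
[19:02:11] [Server thread/INFO]: Steve[/198.51.100.23:51234] logged in with entity id 201 at (12.5, 64.0, -8.5)
[19:05:40] [Server thread/INFO]: Alex[/203.0.113.77:40112] logged in with entity id 305 at (0.5, 70.0, 3.5)
[19:06:02] [Server thread/INFO]: Alex lost connection: Disconnected
[19:09:18] [Server thread/INFO]: Alex[/203.0.113.77:40290] logged in with entity id 311 at (0.5, 70.0, 3.5)
[19:20:01] [Server thread/INFO]: <Alex> ]: Bob[/192.0.2.9:1] logged in
"""


def logins_outside_allowlist(log_text, allowed=ALLOWED_NETS):
    """Count logins per (player, source IP) whose IP is in no allowed network."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue  # not a login line (disconnects, chat, etc.)
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # malformed address such as 999.1.1.1
        if not any(ip in net for net in allowed):
            hits[(m["player"], str(ip))] += 1
    return hits


if __name__ == "__main__":
    for (player, ip), count in logins_outside_allowlist(SAMPLE_LOG).items():
        print(f"{player} logged in {count}x from {ip}, outside the allowlist")
```

A non-empty result means a successful login came from a network the firewall rule was supposed to exclude, so either the rule is not applied to the forwarded port or the allowlist is too narrow for a legitimate player.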

  • zfaB
    1 year ago

    Seeing as you say port 25565 you’re using Minecraft Java, so I’d prob just do this:

    https://blogs.oracle.com/developers/post/how-to-set-up-and-run-a-really-powerful-free-minecraft-server-in-the-cloud

    Couple of points:

    1. Make your account PAYG to lessen likelihood of server being shut down (will still be free)

    2. Take nightly backups just in case.

    You could stump up for a management console like AMP if you want to make things a bit easier.

    GL.

      • zfaB
        1 year ago

        Lol, you’re gonna have your work cut out if you’re going around downvoting and saying that on every single comment that ever mentions a VPS.

        Hosting your own MC server, no matter where, is a perfectly fine ‘self-hosted’ counterpoint to using a Microsoft Realms subscription. What ridiculous gatekeeping, lol.

        • No_Dragonfruit_5882B
          1 year ago

          You don’t get the “this is a Wendy’s” joke, do you?

          And I don’t vote for shit. Neither positive nor negative.

          • zfaB
            1 year ago

            Nah, no idea what you’re on about. Must be a young man’s thing lol.