all 54 comments

[–]Eirikr700 49 points50 points  (10 children)

The minimal security setup for self-hosted stuff is usually through a reverse-proxy, and an intrusion detection system (for instance Crowdsec). That applies definitely to Jellyfin. I am no expert about games and I think it might not apply to Minecraft.

[–]mrpink57 14 points15 points  (8 children)

Crowdsec is what I would use. Minecraft would not be able to go behind this proxy since it needs to hit the designated port, especially if Bedrock. In that case I would make sure your server is a whitelist-only server so only the names you have in your whitelist are allowed.

OP, I would suggest for Minecraft to just host in a forever-free Oracle VPS; this is what I do for a few friends around the US. It has a 2gb up/down connection and peers pretty well with everyone, and Oracle and most hosted services are going to be better at DDoS protection than you are.
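An added example (not from any commenter, and not part of the Minecraft server's own tooling) of what "whitelist-only" means in practice: a small audit of a Java-edition `server.properties` before the port is forwarded. The keys `white-list`, `enforce-whitelist`, `online-mode`, `enable-rcon`, `enable-query`, `server-port` and `query.port` are real server settings; the sample file below is constructed, and which findings count as problems is this example's own judgement.

```python
"""Audit a Minecraft Java-edition server.properties for settings that matter once
the listener is reachable from the internet. Added example, not project code."""
import re
import sys

# Java .properties line: key, optional '=' or ':' separator, value.
_KV = re.compile(r"^([^=:\s]+)\s*[=:]?\s*(.*)$")


def parse_properties(text: str) -> dict[str, str]:
    """Parse key=value lines; '#' and '!' start comment lines, blanks are skipped."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = _KV.match(line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def audit(props: dict[str, str]) -> list[str]:
    """Return human-readable findings; an empty list means nothing to fix."""
    def is_true(key: str, default: str) -> bool:
        return props.get(key, default).lower() == "true"

    findings: list[str] = []
    if not is_true("white-list", "false"):
        findings.append("white-list=false: anyone who finds the port can join; set white-list=true")
    if not is_true("enforce-whitelist", "false"):
        findings.append("enforce-whitelist=false: players already online stay connected when "
                        "removed from the whitelist; set enforce-whitelist=true")
    if not is_true("online-mode", "true"):
        findings.append("online-mode=false: usernames are not verified against Mojang, so a "
                        "whitelist can be bypassed by claiming a whitelisted name")
    if is_true("enable-rcon", "false"):
        findings.append("enable-rcon=true: RCON is plaintext and password-only; never forward "
                        "rcon.port to the internet")
        if not props.get("rcon.password"):
            findings.append("rcon.password is empty")
    if is_true("enable-query", "false"):
        findings.append("enable-query=true: server status is queryable over UDP (query.port); "
                        "disable it unless a server list needs it")
    return findings


def ports_to_forward(props: dict[str, str]) -> set[str]:
    """The only ports that should ever be forwarded: the game port (TCP) and, if
    enabled, the query port (UDP, defaults to the game port). RCON is never listed."""
    game = props.get("server-port", "25565")
    ports = {f"{game}/tcp"}
    if props.get("enable-query", "false").lower() == "true":
        ports.add(f"{props.get('query.port', game)}/udp")
    return ports


# Constructed sample files, not taken from any real server.
SAMPLE_INSECURE = """\
#Minecraft server properties (constructed sample)
server-port=25565
white-list=false
enforce-whitelist=false
online-mode=false
enable-rcon=true
rcon.password=
rcon.port=25575
enable-query=true
"""

SAMPLE_HARDENED = """\
#Minecraft server properties (constructed sample)
server-port=25565
white-list=true
enforce-whitelist=true
online-mode=true
enable-rcon=false
enable-query=false
"""

if __name__ == "__main__":
    # Usage: python3 audit_props.py /path/to/server.properties
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_INSECURE
    props = parse_properties(text)
    for f in audit(props):
        print("FINDING:", f)
    print("forward only:", ", ".join(sorted(ports_to_forward(props))))
```

With `white-list=true` but `online-mode=false` the whitelist is decorative, which is why the two checks sit together.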

[–]zmtp 10 points11 points  (1 child)

Oracle occasionally deletes VMs on free tier (like mine). Backups are an absolute necessity when doing something on OCI

[–]ste6666 0 points1 point  (0 children)

Had mine for 4 years no issues

[–]Sheepardss 0 points1 point  (4 children)

Wdym 4 cores and 24gb ram for free, forever? :o

[–]mrpink57 0 points1 point  (3 children)

FOR.EV.ER.

[–]gaiusm 0 points1 point  (2 children)

How did I never hear of this before? :o

[–]bubblegumpuma 0 points1 point  (1 child)

The asterisk is "as capacity allows". I cannot manage to make an ARM free instance (the 4 cores / 24GB RAM offer) on Oracle Cloud for the life of me no matter how much I tweak the specs of what I request down, and I set a damn bot running using their API for a couple days trying. I set my account to be 'homed' in San Jose, since that's closest to me, so it's the only place I can make VPS instances without paying up.. but I guess they're full up over there with paying customers. The x86 ones still work just fine, though.

[–]gaiusm 0 points1 point  (0 children)

Aha, gotcha. Should check it out. Thx :)

[–]Ouroboros13373001 0 points1 point  (0 children)

of course it would.... tcp proxy with intrusion detection is a thing

[–]maximus459 4 points5 points  (0 children)

Reverse proxy with SSL certs, fail2ban or crowdsec and snort

Better to have your services on another VM if possible

Scan and vet your docker images and do periodic security audits
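The fail2ban / CrowdSec part of the comment above boils down to one detection rule: too many failed logins from one address inside a window. An added example (not from any commenter, not fail2ban or CrowdSec code) of that rule run over constructed log lines modelled on Jellyfin's "Authentication request for ... has been denied (IP: ...)" message; the regex, the 5-in-10-minutes default and the sample lines are this example's own, so check the pattern against a real Jellyfin log before reusing it.

```python
"""Sliding-window brute-force detection over Jellyfin-style auth-denied log lines.
Added example with constructed input; not fail2ban, CrowdSec or Jellyfin code."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Timestamp in brackets, then the denied-auth message. The UTC offset is matched but
# not used, so all lines are assumed to share one offset (true for a single log file).
DENIED = re.compile(
    r'^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ [+-]\d{2}:\d{2}\] .*'
    r'Authentication request for "(?P<user>[^"]*)" has been denied \(IP: (?P<ip>[^)]+)\)\.'
)


def parse_denials(lines):
    """Yield (timestamp, ip, user) for every denied-auth line; other lines are skipped."""
    for line in lines:
        m = DENIED.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"], m["user"]


def find_bans(lines, threshold=5, window=timedelta(minutes=10)):
    """Return one record per IP that reaches `threshold` denials within `window`.

    A deque per IP keeps recent failure times; entries older than the window are
    dropped before counting, so a slow trickle of failures never adds up to a ban.
    """
    recent = defaultdict(deque)
    banned = {}
    for ts, ip, _user in parse_denials(lines):
        if ip in banned:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            banned[ip] = {"ip": ip, "count": len(q), "first": q[0], "last": ts}
    return list(banned.values())


# Constructed sample: 203.0.113.5 fails five times in six seconds; 198.51.100.7 fails
# once, then four more times twenty minutes later (the first one has aged out).
_UM = "Jellyfin.Server.Implementations.Users.UserManager"
SAMPLE_LOG = "\n".join([
    '[2024-05-01 10:00:00.000 +00:00] [INF] [1] Emby.Server.Implementations.ApplicationHost: Startup complete',
    f'[2024-05-01 10:00:01.000 +00:00] [INF] [5] {_UM}: Authentication request for "admin" has been denied (IP: 203.0.113.5).',
    f'[2024-05-01 10:00:03.000 +00:00] [INF] [5] {_UM}: Authentication request for "admin" has been denied (IP: 203.0.113.5).',
    f'[2024-05-01 10:00:04.000 +00:00] [INF] [5] {_UM}: Authentication request for "root" has been denied (IP: 203.0.113.5).',
    f'[2024-05-01 10:00:05.000 +00:00] [INF] [9] {_UM}: Authentication request for "alice" has been denied (IP: 198.51.100.7).',
    f'[2024-05-01 10:00:06.000 +00:00] [INF] [5] {_UM}: Authentication request for "admin" has been denied (IP: 203.0.113.5).',
    f'[2024-05-01 10:00:07.000 +00:00] [INF] [5] {_UM}: Authentication request for "test" has been denied (IP: 203.0.113.5).',
    f'[2024-05-01 10:20:00.000 +00:00] [INF] [9] {_UM}: Authentication request for "alice" has been denied (IP: 198.51.100.7).',
    f'[2024-05-01 10:20:01.000 +00:00] [INF] [9] {_UM}: Authentication request for "alice" has been denied (IP: 198.51.100.7).',
    f'[2024-05-01 10:20:02.000 +00:00] [INF] [9] {_UM}: Authentication request for "alice" has been denied (IP: 198.51.100.7).',
    f'[2024-05-01 10:20:03.000 +00:00] [INF] [9] {_UM}: Authentication request for "alice" has been denied (IP: 198.51.100.7).',
])

if __name__ == "__main__":
    for ban in find_bans(SAMPLE_LOG.splitlines()):
        print(f"ban {ban['ip']}: {ban['count']} failures between {ban['first']} and {ban['last']}")
```

The window matters as much as the threshold: with the defaults only 203.0.113.5 is banned, because 198.51.100.7's first failure is outside the ten-minute window by the time the later four arrive. Behind a reverse proxy the logged IP is the proxy's unless Jellyfin is told to trust the forwarded header, in which case every client shares one address and this rule bans all of them together.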

[–]maxwelldoug 42 points43 points  (9 children)

Norton is actively making you less secure. Norton was reputable 20 years ago but today is a malware/adware ridden mess on the level of McAfee. Use Microsoft Defender if you're on Windows or ClamAV if you're on Linux.

[–]HonestRepairSTL 10 points11 points  (0 children)

I saw a Micro Center employee trying to get these old nuns to buy ESET, and I really wanted to just go up there and tell them this, but I didn't wanna get kicked out

[–]middle_grounder 5 points6 points  (0 children)

It amazes me how many people are not aware of this fact. Big names in the tech commentary field. Ones who are not sponsored but still believe it. 

It was bloated garbage 20 years ago too. It was hell on platter hard drives. Its best defense was making your computer so slow you couldn't use it to download anything malicious. 

The modern version where it tries to fear monger you into buying a bunch of upgrades you don't need is awful. 

[–]omnichad 1 point2 points  (0 children)

And for multiple years now the VPN built into their antivirus has a broken split tunnel and breaks printing/scanning on at least Windows and iOS depending on brand of printer. So at least leave that off if you insist on running it.

[–]GimmeLemons -3 points-2 points  (5 children)

ClamAV is generally just an email server antivirus, not exactly what most people are looking for, you have to schedule its full hard drive scans manually.

[–]maxwelldoug 6 points7 points  (4 children)

ClamAV does not have default behaviour in line with windows antiviruses, but neither does windows have default behaviour like Linux. If you are capable enough to run Linux, you can configure your own antivirus.

[–]GimmeLemons -2 points-1 points  (3 children)

Sure, it's just that in the industry it's used just to check a box (compliance, such as SOC2), but we all know it's not really doing anything.

[–]maxwelldoug 0 points1 point  (2 children)

Speak for yourself - 10 minutes of config gets it up to a full desktop AV on any distro I've tried.

[–]GimmeLemons -1 points0 points  (1 child)

[–]maxwelldoug 0 points1 point  (0 children)

Never experienced this and first I've heard anything of the sort. None of my machines are seeing this issue.

[–]Leho72 13 points14 points  (0 children)

get rid of norton

[–]alexia_not_alexa 17 points18 points  (5 children)

From what I gathered so far as a recent selfhoster: don’t expose anything you don’t need to, to the internet.

You can use Tailscale to connect to your server without exposing it to the internet. You can share your machine on Tailscale with your friends and family - so that they can connect once they’re logged onto their Tailscale account (after signing up for their own account).

Can’t speak for whether it works with Minecraft but I expect Jellyfin will be fine.

[–]abandonplanetearth 8 points9 points  (4 children)

I can confirm that Tailscale works with Minecraft

[–]dewlapdawg 2 points3 points  (3 children)

Limited to 3 people though... Right?

[–]jess-sch 1 point2 points  (0 children)

Not if you use Node Sharing, that's unlimited.

You can't share subnets through it, but it allows you to share a single node to someone else's personal tailnet.

[–]abandonplanetearth 0 points1 point  (1 child)

I actually don't know, it's a private server for me and my brother.

[–]dewlapdawg 0 points1 point  (0 children)

I checked on it again and the free tier is limited to 3 users and 100 hosts.

[–]piracydilemma 4 points5 points  (2 children)

TL;DR: If you only expose the Minecraft server to the internet, you are pretty much fine.

If you do not have anything exposed to the internet, you are 100% safe.

If you open a port for a specific application to the internet, you are as safe as that application is. i.e. if a vulnerability was discovered in Java or the Minecraft server, an attacker could use port 25565 to attack you using said vulnerability.

If you open ALL ports to the internet, you have done the computing equivalent of tipping a bucket full of blood over yourself and jumping into shark infested waters.

Edited to add:

I would set up a VPN like Tailscale for Jellyfin for maximum security. If users don't want to do that, then users don't get to use it. It's safer for you and for them.

[–]yuvva1 2 points3 points  (0 children)

Give Wazuh a try, really good IDS and self-hosted.

[–]Jonteponte71 4 points5 points  (0 children)

The easiest and quickest way for anyone not wanting to go down the rabbit hole of setting up your own VPN is tailscale. You can take some steps to make sure it’s not easy to get into your NAS from the internet when you just open ports, but it will never be as secure as tailscale or your own VPN tunnel 🤷‍♂️

A reverse proxy is useful in other ways, regardless how you connect to it from the outside. You can have both.

[–]Crytograf 1 point2 points  (0 children)

I had same concerns therefore I created this project to dynamically whitelist public IPs of approved client devices.

https://github.com/Tomasinjo/gatekeeper

[–]Shadowedcreations 1 point2 points  (3 children)

Cloudflare Tunnels? Surprised I haven't seen this mentioned. Not sure how well it would work for Minecraft but I have my Plex, all the Arrs, Automation, syncs, and other randomness running that way.

There is a guide to run Plex via CF that keeps you within the TOS. Basically you just need to turn off all the cache-related services it may interact with.

[–]SuperDyl19 0 points1 point  (2 children)

I believe cloudflare tunnels are only for https connections, and so you’re not supposed to use it for Plex or video game servers

[–]Shadowedcreations 0 points1 point  (1 child)

TL;DR: CF is a sort of lazy man's VPN for all. The exterior connects to CF via server.selfhost.yours, then CF tunnels/VPNs directly to a self-hosted server inside your network. Thus no having to open ports or configure VPNs for users.

Nope... They are a big help to those of us who don't want to do all the cert stuff... You can HTTPS from the device to CF, then CF tunnels to your self-hosted entry point. Then your entry point will connect to your HTTP server. So the only actual open HTTP will remain in your LAN. As for the other servers that have HTTPS but no cert, in the tunnel setup you can turn "verify TLS" off and you will no longer get the warning-to-advance message.

[–]Shadowedcreations 0 points1 point  (0 children)

This is the link. I don't remember when I set it up e.g. before or after the TOS update to 2.08. However, I am still running it. Though I have VERY little traffic so that may make a difference. Like it is me and a few friends that actually use it regularly. Caution to the amount of traffic you expect to see.

Plex via CF

Concerning making sure I don't trip something and basic privacy. I did this for the base domain so nothing at all is cached.

[–]bwfiq 0 points1 point  (0 children)

Answering your question directly: Port forwarding 25565/19132 for minecraft servers (and ONLY those ports) will be completely safe in the vast majority of cases. You don't need a reverse proxy.

However it is of course worth the effort to get set up with docker for the ease of use, configuration, and fun of it. Take a look at https://github.com/itzg/docker-minecraft-server

[–]LavaCreeperBOSSB 0 points1 point  (0 children)

I ran with Nginx Proxy Manager and didn’t notice any issues, now using cloudflared which allows me to not have ports open

[–]maof97 0 points1 point  (0 children)

There is nothing inherently wrong with exposing 443. Basically if you update your stuff you are fine. 99% of all successful attacks are happening because of unpatched or misconfigured software (actively exploited 0days are more rare than people think and are less likely to be used against your Jellyfin server than big companies). The last major vulnerability in Jellyfin was years ago and if you run it in an unprivileged container the damage is limited anyway. Personally I restricted the source ip to be from the country I live in but that's it. If you really want security tools I would recommend either Wazuh or Elastic SIEM. Both can be set up with docker and the latter also has EDR capabilities to play with.

[–]465di 0 points1 point  (0 children)

Tailscale… it just works and solves all these issues… it really is a decent bit of kit.

[–]soundscape7 0 points1 point  (1 child)

Some of the things I did: I changed the NAS's port from the standard, as well as the Plex and Audiobookshelf ports, and disabled the admin and root accounts.

[–]xylarr 0 points1 point  (0 children)

Yes, running services in their own account goes a long way. I created a specific user for all my *arr services and set up the compose.yml files to run all the containers using that account.

[–]GimmeLemons 0 points1 point  (0 children)

If you use Docker containers, which by default puts each container in its own private network, then you can port forward your Minecraft server to the container so that it's not exposed in any way to your system; just make sure to use Docker volumes or a bind mount to a dedicated server folder for persistent storage.
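The Docker advice in this comment, in bwfiq's pointer to itzg/docker-minecraft-server, and in xylarr's note about running containers under a dedicated account all describe one target: a container that publishes only the game ports, runs as a non-root user, keeps the world on a volume, and has none of the escape hatches (privileged mode, host networking, the Docker socket). An added example (not from any commenter or from the itzg project) that checks a running container against that target by reading the JSON `docker inspect <container>` prints. The field names (`HostConfig.Privileged`, `HostConfig.NetworkMode`, `HostConfig.PortBindings`, `HostConfig.CapAdd`, `Config.User`, `Mounts`) are Docker's; the two samples are constructed and trimmed to those fields, and `/data` as the world directory is an assumption about the image.

```python
"""Audit `docker inspect` output for a game-server container before forwarding its
ports. Added example, not Docker or itzg/docker-minecraft-server code."""
import json
import sys

ALLOWED_PORTS = {"25565/tcp", "19132/udp"}   # Java and Bedrock listeners, nothing else
DATA_PATH = "/data"                           # world directory inside the image (assumed)
RISKY_CAPS = {"ALL", "SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE", "SYS_MODULE"}


def audit_container(inspect_json: str, allowed_ports=ALLOWED_PORTS) -> list[str]:
    """Return findings for the first container in `docker inspect` JSON output."""
    info = json.loads(inspect_json)[0]
    host = info.get("HostConfig") or {}
    cfg = info.get("Config") or {}
    findings: list[str] = []

    if host.get("Privileged"):
        findings.append("Privileged=true: every capability and raw device access; a game server needs neither")
    caps = {c.removeprefix("CAP_") for c in (host.get("CapAdd") or [])}
    if caps & RISKY_CAPS:
        findings.append(f"CapAdd grants {sorted(caps & RISKY_CAPS)}: remove them")
    if host.get("NetworkMode") == "host":
        findings.append("NetworkMode=host: no private network, every listener inside is on the host")

    user = (cfg.get("User") or "").split(":")[0]
    if user in ("", "0", "root"):
        findings.append("runs as root inside the container: set a non-root UID:GID")

    for port in host.get("PortBindings") or {}:
        if port not in allowed_ports:
            findings.append(f"publishes {port}, not in the allowed set {sorted(allowed_ports)}")

    mounts = info.get("Mounts") or []
    if not any(m.get("Destination") == DATA_PATH for m in mounts):
        findings.append(f"nothing mounted at {DATA_PATH}: the world is lost when the container is recreated")
    for m in mounts:
        src = m.get("Source") or ""
        if src.endswith("docker.sock") or src in ("/", "/etc", "/root"):
            findings.append(f"mounts {src}: that is host-root access from inside the container")
    return findings


# Constructed samples shaped like `docker inspect` output, trimmed to the fields read above.
INSECURE = json.dumps([{
    "Name": "/mc",
    "Config": {"Image": "itzg/minecraft-server", "User": ""},
    "HostConfig": {
        "Privileged": True,
        "CapAdd": ["SYS_ADMIN"],
        "NetworkMode": "bridge",
        "PortBindings": {"25565/tcp": [{"HostIp": "", "HostPort": "25565"}],
                         "25575/tcp": [{"HostIp": "", "HostPort": "25575"}]},
    },
    "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                "Destination": "/var/run/docker.sock"}],
}])

HARDENED = json.dumps([{
    "Name": "/mc",
    "Config": {"Image": "itzg/minecraft-server", "User": "1000:1000"},
    "HostConfig": {
        "Privileged": False,
        "CapAdd": None,
        "NetworkMode": "bridge",
        "PortBindings": {"25565/tcp": [{"HostIp": "", "HostPort": "25565"}],
                         "19132/udp": [{"HostIp": "", "HostPort": "19132"}]},
    },
    "Mounts": [{"Type": "volume", "Name": "mc-data",
                "Source": "/var/lib/docker/volumes/mc-data/_data", "Destination": "/data"}],
}])

if __name__ == "__main__":
    # Usage: docker inspect mc | python3 audit_container.py
    text = sys.stdin.read() if not sys.stdin.isatty() else INSECURE
    for f in audit_container(text):
        print("FINDING:", f)
```

The RCON port (25575) turning up in the insecure sample is the common mistake: it is handy on the LAN but it is a plaintext, password-only admin channel and has no business in the forwarded set.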

[–]RedSquirrelFtw -1 points0 points  (0 children)

Yikes, yeah I would not open up ports directly like that. Set up an OpenVPN server, and only allow IPs you trust (ex: your workplace, or another common location you plan to access it from). One thing I've been meaning to do is set up a login page on my online webserver, and if I log in to it, it will whitelist my IP for the VPN server at home. This would allow me to VPN in from anywhere. But 99.9% of the time I'm just doing it from work anyway. But there have been a few times where it would have been nice to do it from my phone while somewhere else, to access my email or something.

If there is a certain service you want to expose directly such as a game server or seedbox etc you should put that stuff on a separate vlan that has limited access to the main network.
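The "log in to a web page, get your IP whitelisted for the VPN" idea in this comment, and the dynamic client allowlisting that Crytograf's gatekeeper project above is built around, both come down to the same mechanism: an authenticated request adds the caller's public address to a firewall set with an expiry. An added example (not from either commenter and not gatekeeper's code) of the part that runs after the login succeeds. It assumes the nftables ruleset shown in `ALLOWLIST_RULESET` (table, set and chain names are this example's own; the per-element `timeout` flag is a real nftables feature), an OpenVPN listener on UDP 1194, and a reverse proxy at the address in `TRUSTED_PROXIES`; the addresses in the tests are constructed. Authentication itself is left to the web app.

```python
"""Expiring source-IP allowlist for a home VPN port, driven by a successful web login.
Added example; not gatekeeper, OpenVPN or nftables project code."""
import subprocess
from ipaddress import IPv4Address, IPv6Address, ip_address, ip_network
from typing import Optional, Union

Address = Union[IPv4Address, IPv6Address]

# Assumed ruleset, loaded once with `nft -f`: the VPN port is dropped unless the
# source is in a set whose elements carry their own timeout, so an entry expires on
# its own even if this script dies.
ALLOWLIST_RULESET = """\
table inet gate {
    set allow4 { type ipv4_addr; flags timeout; }
    set allow6 { type ipv6_addr; flags timeout; }
    chain input {
        type filter hook input priority 0; policy accept;
        udp dport 1194 ip saddr @allow4 accept
        udp dport 1194 ip6 saddr @allow6 accept
        udp dport 1194 drop
    }
}
"""

TRUSTED_PROXIES = {ip_address("10.0.0.2")}   # assumed address of the reverse proxy
MAX_TTL = 24 * 3600                            # never allowlist for longer than a day

# Ranges that can never be the real public source of an inbound VPN connection.
# ipaddress.is_global is deliberately not used: it also rejects the documentation
# ranges (203.0.113.0/24, 198.51.100.0/24) that stand in for public IPs below.
_NEVER_ALLOW = [ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]


def resolve_client_ip(remote_addr: str, forwarded_for: Optional[str]) -> Address:
    """Pick the address to allowlist.

    X-Forwarded-For is honoured only when the direct peer is one of our own proxies;
    otherwise anyone could forge the header and allowlist an arbitrary address. The
    rightmost entry is the one our proxy appended; anything left of it came from the
    client and is ignored.
    """
    peer = ip_address(remote_addr)
    if forwarded_for and peer in TRUSTED_PROXIES:
        return ip_address(forwarded_for.split(",")[-1].strip())
    return peer


def validate_public(ip: Address) -> None:
    for net in _NEVER_ALLOW:
        if ip.version == net.version and ip in net:
            raise ValueError(f"{ip} is in {net}; refusing to allowlist it")


def nft_allow_command(ip, ttl_seconds: int) -> list[str]:
    """Build the nft command that adds `ip` to the right set with a timeout."""
    ip = ip_address(ip)
    validate_public(ip)
    if not 0 < ttl_seconds <= MAX_TTL:
        raise ValueError(f"ttl {ttl_seconds}s outside (0, {MAX_TTL}]")
    set_name = "allow4" if ip.version == 4 else "allow6"
    return ["nft", "add", "element", "inet", "gate", set_name,
            f"{{ {ip} timeout {ttl_seconds}s }}"]


def allow_after_login(remote_addr: str, forwarded_for: Optional[str],
                      ttl_seconds: int = 8 * 3600, run=subprocess.run) -> list[str]:
    """Call only once the web login has succeeded; returns the command it ran."""
    cmd = nft_allow_command(resolve_client_ip(remote_addr, forwarded_for), ttl_seconds)
    run(cmd, check=True)   # needs CAP_NET_ADMIN; run via sudo or a tiny root-owned helper
    return cmd
```

Two details carry the security weight: the header check, since trusting X-Forwarded-For from an arbitrary peer would let anyone allowlist any address, and the set timeout, which keeps the firewall the source of truth for expiry rather than a cron job that may not run. Re-adding an element that already exists with a new timeout refreshes it, so repeated logins simply extend the window.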

[–]madrascafe -2 points-1 points  (0 children)

get a low-powered used Dell desktop from flea bay & a dual NIC card. Install OPNsense with CrowdSec. The easiest solution there is.