How to get a really strong server security

I have my own Minecraft server running at home, but the only way to connect to it is through a VPN server I got somewhere out there. It costs me $5 a month, and I can keep playing while away, as can some family members.

Are you sure your firewall is active and is blocking SSH? It’s not possible you’re getting 150 bans per day if SSH is actually being blocked. Unless you’re whitelisting it from your IP and you’ve got an attacker on your network, this makes no sense.

As suggested, moving away from port 22 will for sure reduce the noise.
Other advice: increase ban time to 1 week or even 1 month. Helps keep recurring scans away.

I’ve never understood just leaving ssh open when not needed. Disable password logins, disable root ssh access, rotate your keys & passwords.

Use hetzner firewall rules to block ssh entirely until you actually need to access it, then whitelist only your IP address.

I don’t use Hetzner but on my VPS control panel I can enable ssh & whitelist my IP in about 30 seconds.

Another method is to use headscale (self hosted tailscale) so that you never have to open ssh.

Also block geo traffic for countries you know your minecraft users won’t be coming from. There will never be a situation where traffic to my Plex server, for example, will come from outside of north america, so everything is geo blocked.

Whitelist only is the way to go.

You have SSH enabled outside of a VPN? Well there’s your problem.

Agree with this. Disable root, login as user and either use su or sudo to get root permissions when needed.

Changing ssh port will reduce log noise but won’t improve security in any meaningful way.

Some kind of filtering based on repeated connections from the same IP can reduce log noise. I’ve used portsentry, fail2ban, sentry.pl and custom iptables rules. They all work, will reduce log noise, increase admin, slightly increase security, and be annoying from time to time.

route traffic through a hardware firewall layer if it gets too bad?

These SSH attacks happen on all servers. There are simply bots out there looking for insecure routers. If your server logs the details you’ll see 90% use the same default login attempts. I do encourage people to change SSH ports though.

I’m a noob. What does ufw limit 22 do?

Don’t use Tailscale. Just use WireGuard. Tailscale is a grift to give VCs access to your private networks.

How do you run Tailscale on an Xbox? Or better yet, how do I get it installed and configured on my 10 year old son’s friend’s Xbox?

IP whitelisting doesn’t work with some providers, and on top of that, consumer IPs rotate. Even an improperly configured WG tunnel could bork the server install if it crashes and it’s the only whitelisted method.

For people not explicitly devops/cyber security, ssh key access is ENOUGH of a deterrent to never, ever, be hacked via that method.

Port 22 isn’t even considered a security risk at my company these days. Surfaces like apps or IAM/secret software have always, always been the biggest risk.

TLDR: Go through the vpn/whitelisting process if you must. Or you know… disable passwords, use keys, and move on, spending the time learning about docker security. That information will be so much more valuable than learning how to not brick your server with a VPN/whitelist setup.

It’s even simpler.

Disable passwords. Disable root login via SSH. Use Keys. Rate limiting.
5 minutes.

You’ll never, ever be hacked via that method. Better to spend the time learning Docker security than how to not brick your server with improperly configured WG. Sure, it’s a rookie mistake. But it absolutely happens.
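The "5 minutes" of sshd hardening this comment lists, written out as an added example (not code from the thread or any poster): an OpenSSH drop-in file plus a check that the merged config really enforces it. It assumes OpenSSH 8.7 or newer (for `KbdInteractiveAuthentication` and `/etc/ssh/sshd_config.d/`), that your public key is already in `~/.ssh/authorized_keys` on the server, and a Debian-style `ssh` service name; the file name `10-hardening.conf` is a choice, not a convention.

```shell
#!/bin/sh
# Added example, not from the thread: no passwords, no root login, keys only,
# fail fast, as an sshd_config.d drop-in. Assumptions: OpenSSH >= 8.7, the
# admin's key is already in ~/.ssh/authorized_keys, service name "ssh".

# Print the hardening directives.
sshd_hardening_conf() {
    cat <<'EOF'
# Key-only authentication: disable passwords and the keyboard-interactive
# path that password brute-forcers fall back to.
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
# Root never logs in over SSH; use su or sudo from an ordinary account.
PermitRootLogin no
# Cut each bot's connection short: few tries, short grace period.
MaxAuthTries 3
LoginGraceTime 20
EOF
}

# Verify that a config dump (the output of `sshd -T`, lowercase keywords)
# enforces the three non-negotiable settings. Reads the dump from stdin;
# returns 0 when all are present, 1 otherwise. sshd uses the FIRST value it
# sees for a keyword, so an earlier drop-in can silently override this file.
check_effective() {
    dump=$(cat)
    for want in 'passwordauthentication no' 'permitrootlogin no' 'pubkeyauthentication yes'; do
        printf '%s\n' "$dump" | grep -qix "$want" || return 1
    done
    return 0
}

# Install the drop-in, then validate the whole merged config before reloading
# so a typo cannot lock out the session you are working from. Keep that
# session open and test a second login before closing it.
install_sshd_hardening() {
    dest=${1:-/etc/ssh/sshd_config.d/10-hardening.conf}
    sshd_hardening_conf > "$dest"
    sshd -t || return 1                    # parse check of the merged config
    sshd -T | check_effective || return 1  # did an earlier file override us?
    systemctl reload ssh                   # "sshd" on RHEL-style systems
}
```

Run `install_sshd_hardening` as root from an existing session, then open a second terminal and confirm a key login still works and a password login is refused before you log out of the first.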

To add to this, OP could limit access to SSH with firewall, if they have a static IP. It was free for me so of course I got it. Static IP that is.

With nftables:

ip saddr tcp dport accept

And Drop everything else that doesn’t match your rules.

---

I think you can add more than one ip-address with:

{ ip-address1, ip-address2 }

Not sure how/if that works. I am new to nftables.

It sets a rate-limiting firewall rule on the SSH port.
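The two firewall ideas in this thread, the nftables whitelist with several addresses in `{ ip-address1, ip-address2 }` form and the per-source rate limit that `ufw limit 22` provides, in one added example (not code from any poster). It assumes nftables 0.9 or newer, IPv4 whitelist addresses, and Minecraft Java Edition on its default port 25565; the set and table names and the 6-per-minute threshold are choices, and the addresses in the test are documentation-range placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: nftables ruleset that accepts SSH only
# from a set of whitelisted sources and rate-limits new SSH connections per
# source address, similar to what `ufw limit 22` does. Assumptions: nftables
# >= 0.9, IPv4 whitelist, Minecraft on 25565.

# Print a complete ruleset; the whitelisted addresses are the arguments.
gen_ssh_ruleset() {
    [ "$#" -ge 1 ] || { echo "usage: gen_ssh_ruleset ADDR [ADDR...]" >&2; return 1; }
    elems=$(printf '%s, ' "$@")
    elems=${elems%, }      # strip the trailing ", " -> "a, b, c"
    cat <<EOF
flush ruleset
table inet filter {
    # Static whitelist of admin source addresses.
    set ssh_allowed {
        type ipv4_addr
        elements = { ${elems} }
    }
    # Dynamic set used as a per-source meter for new SSH connections.
    set ssh_ratelimit {
        type ipv4_addr
        flags dynamic
        timeout 1m
        size 65535
    }
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # A source opening more than 6 new SSH connections a minute is dropped
        # until it calms down; the entry expires after the set timeout.
        tcp dport 22 ct state new add @ssh_ratelimit { ip saddr limit rate over 6/minute } drop
        # Whitelisted sources may reach SSH; everyone else falls to policy drop.
        # Note: "ip saddr" matches IPv4 only, so IPv6 SSH is dropped entirely.
        ip saddr @ssh_allowed tcp dport 22 accept
        # Minecraft Java Edition default port, open to everyone.
        tcp dport 25565 accept
    }
}
EOF
}

# Write the ruleset, syntax-check it with a dry run, and only then load it.
# Usage: apply_ssh_ruleset FILE ADDR [ADDR...]
apply_ssh_ruleset() {
    [ "$#" -ge 2 ] || { echo "usage: apply_ssh_ruleset FILE ADDR [ADDR...]" >&2; return 1; }
    file=$1; shift
    gen_ssh_ruleset "$@" > "$file" || return 1
    nft -c -f "$file" || return 1   # -c: parse and validate, change nothing
    nft -f "$file"
}
```

Load it from a console or out-of-band session the first time: with `policy drop` and a whitelist, a typo in your own address locks you out just as surely as a broken VPN tunnel would. Adding an address later is `nft add element inet filter ssh_allowed { 203.0.113.20 }` without reloading the whole ruleset.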

If you don’t trust Tailscale then use HeadScale.

Unfortunately there is not a Tailscale Xbox app (to my knowledge). One option could be to build a mini travel router with Tailscale installed and then have your son’s friend’s parents install it at their house. As long as you have it set up correctly, all they would have to do is connect the Xbox to the router and they’d have access to the server. (Router should be under different user than admin for Tailscale so that ACLs can be used to only allow connections to the MC server)

Tailscale is a good option for that.

It is a WireGuard-based VPN that’s completely free and lets you access your stuff; the only downside is you can’t access other devices on the same network unless you install Tailscale on it and go to its own IP within the admin console (i.e. 127.0.0.1:8006).

I mean sure. But I’d either need to pay for a 5G connection for that or I’d need to walk the friend’s parents through connecting it to their wifi, all so our kids can play Minecraft. I guess my point was that Tailscale is awesome and all, but it isn’t always the solution.

Similar thing for my mother and accessing things I’m hosting. I don’t really want to try and support that setup and troubleshoot if she’s trying to connect to wifi at the coffee shop and it isn’t working.

That is a great way to get around changing IP, yes.

But again, and I truly am saying this again, a crashed tailscale that doesn’t restart correctly CAN brick your server. Will it happen? Not likely. CAN it happen? Yes. I’ve witnessed it. That’s why firewall settings on ssh are not allowed in our prod setups that don’t have IAM/outside controls.

My whole argument is that VPN or firewall settings SPECIFICALLY to obscure SSH aren’t necessary. SSH keys, disabling root login via SSH, and rate limiting (aka config stuff done in the first 5 minutes of a server) are enough, even for prod setups.

VPN, specifically for ssh, is a waste of time. Better to spend that knowledge learning other security measures. Per OP’s original post.

Can you do it? Absolutely. Is it worth wasting your time, and do those 150 attacks on port 22 really matter?

No. No they don’t. Learning almost anything else will be a better value.

P.S.
That isn’t to say Tailscale sucks. It rocks. I have it in my homelab/on my VPS and my configs/keychain are mostly set to internal IPs.
But I’m still raw dogging an ssh port open to the world. It has saved me more than once. Been doing this for 10 years now.