I just setup a minecraft server on an old laptop, but to make it acessible i needed to open up a port. Currently, these are the ufw rules i have. when my friends want to connect, i will have them find their public ip and ill whilelist only them. is this secure enough? thanks

`Status: active

To Action From


22/tcp ALLOW Anywhere Anywhere ALLOW my.pcs.local.ip`

also, minecraft is installed under a separate user, without root privlege

    • teawrecks@sopuli.xyz
      link
      fedilink
      English
      arrow-up
      9
      arrow-down
      3
      ·
      2 months ago

      Normal for who? I wouldn’t expose SSH on 22 to the internet unless you have someone whose full time job is monitoring it for security and keeping it up to date. There are a whole lotta downsides and virtually no upsides given that more secure alternatives have almost zero overhead.

      • i_am_not_a_robot@discuss.tchncs.de
        link
        fedilink
        English
        arrow-up
        11
        ·
        2 months ago

        Shodan reports that 35,780,216 hosts have SSH exposed to the internet.

        Moving SSH to ports other than 22 is not security. The bots trying port 22 on random addresses with random passwords don’t have a chance of getting in unless you’re using password authentication with weak passwords or your SSH is very old.

        SSH security updates are very infrequent and it takes practically no effort to keep SSH up to date. If you’re using a stable distribution, just enable automatic security updates.

        • lud@lemm.ee
          link
          fedilink
          English
          arrow-up
          5
          arrow-down
          2
          ·
          2 months ago

          Moving to another port isn’t a bad idea though. It gives you cleaner logs which is nice.

      • keyez@lemmy.world
        link
        fedilink
        English
        arrow-up
        3
        ·
        2 months ago

        I had it open for a web server for 2.5 years because I was lazy and my IP changed a lot and I traveled and didn’t have a VPN setup and never had any issues as far as I could tell. Disabled password and root auth but was also fine with wiping that server if there were issues. It’s certainly not recommended but isn’t immediately always going to be an issue

        • atzanteol@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          4
          arrow-down
          1
          ·
          2 months ago

          ssh is one of the most secure servers you can run. The tailscale propaganda is crazy in this community.

    • IphtashuFitz@lemmy.world
      link
      fedilink
      English
      arrow-up
      3
      ·
      2 months ago

      If you have ssh open to the world then it’s better to disable root logins entirely and also disable passwords, relying on ssh keys instead.

    • Trainguyrom@reddthat.com
      link
      fedilink
      English
      arrow-up
      3
      arrow-down
      1
      ·
      2 months ago

      For public facing only use key based authentication. Passwords have too much risk associated for public facing ssh

    • piccolo@ani.social
      link
      fedilink
      English
      arrow-up
      2
      ·
      2 months ago

      I dont expose ssh to the internet. I expose wireguard. If you want ssh youll have to break my wiregaurd key and my ssh key.

    • strawberry@kbin.earthOP
      link
      fedilink
      arrow-up
      1
      ·
      2 months ago

      yeah no I should have considered that. didn’t lick the most secure password. will change when I get home

      • 2xsaiko@discuss.tchncs.de
        link
        fedilink
        English
        arrow-up
        17
        ·
        2 months ago

        Don’t use passwords for public SSH in the first place. Disable password authentication and use pubkeys.

        • catloaf@lemm.ee
          link
          fedilink
          English
          arrow-up
          10
          arrow-down
          1
          ·
          2 months ago

          And disable ssh to root. Hell, just disable root login altogether and use sudo.