How can I keep my forwarded port secure?

A port is not secure or insecure. The thing that can lead to security risks is the service that answers that port.

Use strong authentication and encryption on those services and keep them up to date.

You can add IPS to port to add some security checking, but yes, in general port is never secure or unsecure.

I would use something like wireguard, or another VPN service you can host yourself if your router supports it natively.

From the looks of it Minecraft servers seem to have dogshit authentication, so using some form of private network setup is going to be your best move.

You don't have to host the VPN on the router. You can also host it on a separate machine or the same one that's running the Minecraft server.
- Oh for sure. What I meant was "check router for a built in VPN and use it if it has one, otherwise use wireguard because it's the easiest".
  
  The specific VPN doesn't really matter so much. The built-in one would be the easiest, so checking for a solution that took a few clicks is worth it. :)

as long you are only forwarding Minecraft's 25565 port from your router to your server machine, it should be fine. Just make sure to keep Online mode on, use the whitelist, and get your plugins from trusted sources. Otherwise I wouldn't worry too much.

I see others recommending VPN solutions like zerotier for your friends to connect to; I don't personally feel like this is necessary, and (in my experience), making your friends do more technical setup than just connecting to the server is often a big turn-off.

Bonus: If you ever take a peek at your server logs while it's running (and exposed to the Internet, if you avoid said VPN solutions), you might notice a lot of weird connections from IPs and usernames you don't recognize. These are server scanners and threat scanners that look for vulnerable servers to connect to and exploit. This is normal and you'll be fine as long as you keep that whitelist and stay up-to-date on developments in the server admin space.

Why is port 22 open? Is this on your router as well or just the server?

This is SSH, which you should pretty much never have open (to the internet! Local is fine) MC is by default 25565. You will have every bot on the internet probing that port.

Having SSH open to the internet is normal. Don't use password authentication with weak passwords.
- Normal for who? I wouldn't expose SSH on 22 to the internet unless you have someone whose full time job is monitoring it for security and keeping it up to date. There are a whole lotta downsides and virtually no upsides given that more secure alternatives have almost zero overhead.
- Not for people who are asking questions about port forwarding
- If you have ssh open to the world then it’s better to disable root logins entirely and also disable passwords, relying on ssh keys instead.
- Permanently Deleted
- For public facing only use key based authentication. Passwords have too much risk associated for public facing ssh
- yeah no I should have considered that. didn't lick the most secure password. will change when I get home
ssh is local only. so I should change all ports from default then huh
- Your ssh rule says it's from anywhere. You want to change port 22 to 25565, and run /op username on your Minecraft server to whitelist your friends. Make sure your whitelist flag is turned on with your server config.
  
  Instead of allowing traffic over your port from anywhere, you can specify your friend's external IP.
- No, SSH is fairly vulnerable and not very secure at default, it’s a big target. For your Minecraft server you should be fine on the default port.
  
  I have run a pair of MC servers for about a decade with no issues, survival on port 25565, and creative on 25567.

More effort than I would consider. I'd just allow all traffic incoming on that port. I'd only consider whitelist if someone was giving me grief. Even then that would be after blacklisting an IP wasn't solving my problem.

Port 22 is the default SSH port and it receives a TON of malicious traffic any time it’s open to the whole internet. 20 years ago I saw a newly installed server with a weak root password get infected by an IP address in China less than an hour after being connected to the open internet.

With all the bots out there these days it would probably take a lot less time if we ran the same experiment again.
- Ha. That's my bad. I didn't even read the firewall rules listing 22/SSH. I agree on not opening 22 to the world. It just invites bots throwing passwords at it.
  
  I just read Minecraft in the original post which from reading runs from 25565 which I wouldn't worry about. If OP needs 22 for admission I'd either whitelist it or use a VPN/Tailscale.

if I were you, I would do IP whitelisting at the firewall instead of or besides the Minecraft server

This might also become a hassle since basically all residential connections (likely of OPs friends) have dynamic IPs - if someone wants to join while OP is away, but their IP has changed since their last connection, now they have to wait on OP to update the firewall rules.

Apart from getting your MSA token stolen, there's not really much that can get around server login (yet). All online-mode logins pass through Microsoft (part of the reason why Xbox service outages seem to affect Minecraft so much).

If your friends all individually seem to stay within some certain IP ranges (ex, first handful digits always stay the same, 12.34.56.xx), then I'd say go ahead with whitelisting them fully (ex, 12.34.56.xx --> 12.34.56.0/24, CIDR notation). If they jump around unpredictability, I would stick with the username-based whitelisting and online-mode-only.
- maybe a wireguard network is the way to go then, of course without being configured as the default destination for everything. there IPs are always fixed, but at that point you don't even need a firewall

IP white lists and firewall exceptions will help, but exposing ports on your home router is almost always a bad idea, especially for something as trivial as a game server.

I would highly recommend Tailscale. It's free for up to 3 users, and if you have more friends than that, I would have them all sign up with free accounts and then share your laptop device with their tailnets.

It's very easy to setup and use, costs nothing, and will be far more secure than opening ports and trying to set up IP white lists, protocol limitations, etc.

Tailscale creates something called an "overlay network" it's basically a virtual LAN that exists on top of your real network and can be extended to other people and devices over the internet. It's fully encrypted, fast, and like I said, very easy to set up.

This community is like 90% tailscale shills.
- Fine, use Netbird or whatever else floats your boat.
- ?...It's a great tool that provides all the security of VPN access without having to struggle with the more technical aspects of spinning up your own VPN, and it's zero cost for personal use.
  
  You could also use Netbird if you wanted, but I have been using Tailscale extensively and it's awesome.
Yeah if this is for a small number of users, I would recommend wireguard or tailgate.

Port forwarding is asking for trouble.

are you sharing a server solely to play with friends?

You could consider using something like zerotier to create a private network

I also use Zerotier for such cases. Not sure if you can somehow limit the ports they see, but works great in general

In the old days, it used to be a problem because everyone just connect their windows 98 desktop with all their services directly exposed to the internet because they’re using dial up internet without the concept of a gateway that prevents internet from accessing internal resources. Now days, you’re most likely behind your ISP router that doesn’t forward ports by default, and you’re only exposing the things you’d actually want to expose.

For things you’d actually want to expose, having a service on the default port is fine, and reduces the chances of other systems interacting with it failing because they’d expect it on the default port. Moving them to a different port is just security through obscurity, and honestly doesn’t add too much value. You can port scan the entire public IPv4 space fairly quickly fairly cheaply. In fact, it is most likely that it’s already been mapped:

https://www.shodan.io/host/<your-ip-here>

Keeping the service up-to-date regularly and applying best practices around it would be much more important and beneficial. For SSH, make sure you’re using key based authentication, and have password based authentication disabled; add fail2ban to automatically ban those trying to brute force. For Minecraft, online mode and white listed only unless you’re running a public one for everyone.

assuming they are not behind a CGN whitelisting your mates place should be OK. But I would also move SSH away from a well known port. In the event something happens to the whitelist, crawlers will not jump on you straight away.

so just change ssh to like 137/TCP?

22 isn't forwarded
- no. The default port is fine. Changing the default port does nothing for security. It only stops some basic crawler, when you are scared by crawler, then you should not host anything on the internet.
- Might throw some off but that is NetBios and things will totally go for that because Windows is terrible for security.
  
  All my stuff avoids anything below 1000 or that ends in 22 because most people will just go 2222 or 1022. pick a random number between 1001 and 65000

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters	More Letters
DNS	Domain Name Service/System
IP	Internet Protocol
SSH	Secure Shell for remote terminal access
SSO	Single Sign-On
TCP	Transmission Control Protocol, most often over IP
VPN	Virtual Private Network
VPS	Virtual Private Server (opposed to shared hosting)

7 acronyms in this thread; the most compressed thread commented on today has 11 acronyms.

[Thread #959 for this sub, first seen 8th Sep 2024, 20:35] [FAQ] [Full list] [Contact] [Source code]

More or less. The biggest issue is if your or their IP address changes, it'll stop working.

I don't know what Minecraft's track record is on security, but I assume it's not great. Ideally, you'd also put public facing services in a DMZ, so that if they do get compromised, they can't reach anything else.

You cant. You can only do your best to make it as secure as possible, but given enough time, someone can break it.

Basic tips:

don't run any services on their defaults ports
don't allow password auth for any exposed service. Ever.
run intrusion detection (fail2ban for simple ssh / Crowdsec for something a little beefier)

For ssh specifically, lock down your sshd config, make sure only key-based auth is enabled, and maybe as an extra step, create a dedicated user, and jail it by only allowing it access for the commands you need to interact with.

Mind expanding on tip #2?
- Not sure I can expand on it a ton more in a way that will make sense if it already doesn't sound familiar.
  
  Basically, there are various methods to authenticate yourself to most services. Password is usually the weakest and most succeptible to brute-force and social engineering. There's certificates, key pairs, RBAC...etc. You can even setup TOTP/MFA really easily for anything that supports it these days. Just don't leave a service hanging out on the Internet to get brute-forced by password though.
  
  If you're unfamiliar with this, start with SSH and key pairs. It's probably the simplest intro and you can be up and running to try it out in seconds.

It is all about risk management. What you are doing now is pretty solid. It might be easier to have them use a mesh VPN like netbird or tailscale

Noob here can you please explain what the 2nd line does? Thanks!

The simplest way to do this, is to put the server on a private vpn (I use Tailscale, there are others) and expose ports only to the vpn. Then you share access to the vpn with your friends.

With Tailscale, this is as simple as sending them a share link for the host. They will need to have an account at Tailscale, and have the client running, but they will then be able to access the host with a static ip address.

As a general rule of thumb, nothing should be exposed to the public internet unless you want that service to be public access and then you need to keep it up to date. If a vulnerability doesn’t currently exist for the service, one will sooner rather than later. SSH, especially password only ssh, can be broken into fairly easily. If you must expose ssh to the public internet for whatever reason, you need to be using IP white lists, password protected keys, change the default port, and turn off service advertisements and ping responses. I’m probably missing something. When someone scans your server randomly, they should see nothing. And if they fail login they should be ip blocked.

SSH, especially password only ssh, can be broken into fairly easily.

WTF are you smoking? The tailscale propaganda is really getting crazy these days.
- Tobacco. You?
  
  https://auth0.com/blog/defending-against-password-cracking-understanding-the-math/