Trying to set up a Minecraft PaperSpigot server using a root server - webserver to install ptero?

  • What do people think of this guide?

    External content: www.youtube.com

    I'm planning on using it to set up my server, the guy seems to be up to date.


    My current obstacle is trying to install ptero using my webserver but my rDNS alone doesn't seem to be sufficient. Do I need to buy a domain?

  • My current obstacle is trying to install ptero using my webserver but my rDNS alone doesn't seem to be sufficient. Do I need to buy a domain?

    Yes, you have to buy a domain if your server should be reachable with e.g. myminecraftserver.de

    Just read on Wikipedia what rDNS really is --> https://en.wikipedia.org/wiki/…ame_System#Reverse_lookup


    But it seems that you do not have much experience in server administration. Are you aware of the possible legal consequences and risks (especially for uninvolved parties)?

    Maybe a direct Minecraft server hoster will fit you better. Just think about the responsibilities that come with a root server.




    EDIT:

    So I got it wrong, the webserver means like apache2. Does netcup come with one of those? Or do I need to install one?

    Of course you have to install it. Man, that's a completely unmanaged server. Everything you want, you have to do yourself.

    It's also your task to harden and secure the operating system and also the applications which will run on the server.


    I'm pretty sure that you aren't looking for an unmanaged root server. What you need and should rent is a managed server, because it seems that you don't have any experience in server administration! --> https://www.netcup.de/professi…managed-privateserver.php

    "For the most radical doubt is the father of knowledge."

    -Max Weber

  • I don't have any experience but I want to gain some. This server would start off as just being one for friends/mostly me. The issue is I'm planning on running Movecraft, which needs high specs to run well. I can't afford a 40 pound a month server. I'm hoping that over the 3-6 months of me working on the server content I will be able to acquire the knowledge to run this server publicly. I'm not sure about the legal consequences, I'm just hoping I can run a Minecraft server without using a copyrighted domain name.


    Thanks for your help so far, I'm dead new to Linux, which is the problem. I've hosted my own localhost server at home via Windows and used managed servers like serverprominer, but they have horrible pricing for what I need.


    EDIT: I was hoping I could just go off the video tutorial for setting this up. For the near future it would just be accessed by me, it wouldn't be a public server.

  • I don't have any experience but I want to gain some. This server would start off as just being one for friends/mostly me. The issue is I'm planning on running Movecraft, which needs high specs to run well. I can't afford a 40 pound a month server. I'm hoping that over the 3-6 months of me working on the server content I will be able to acquire the knowledge to run this server publicly. I'm not sure about the legal consequences, I'm just hoping I can run a Minecraft server without using a copyrighted domain name.


    Thanks for your help so far, I'm dead new to Linux, which is the problem. I've hosted my own localhost server at home and used managed servers like serverprominer, but they have horrible pricing for what I need.


    EDIT: I was hoping I could just go off the video tutorial for setting this up. For the near future it would just be accessed by me, it wouldn't be a public server.

    The server is public because it is directly connected to the internet. Whether you want it or not - it is. And so it's reachable for nearly everybody in this world.


    Such a server is not the right way to learn or test. I'm pretty sure that you want to learn, and I'm also happy about that. But you have to choose a safe way, because such a server with a 1 GBit/s uplink could be a high risk on the internet. Just think about it - if anybody hacks your server and runs some attacks from it, you will go to jail for it, because it's your server and it was your task to prevent your server from such misuse.


    I know that managed servers are expensive like hell, but I am pretty sure that it is cheaper than the invoice of some lawyers...


    For testing and learning about hardening, securing and managing such a server, you can work on local machines at your home. Maybe you can also order a static IP address from your ISP and run your server at home.



    We would love to help you learn, but we also have to tell you about the risks of running a server on the internet.

    Sadly, the internet is not a peaceful place. There are so many hackers and script kiddies....

    "For the most radical doubt is the father of knowledge."

    -Max Weber

  • Thanks for the advice. I'm not planning on giving out the address. I'm planning on going ahead and just not making it public. I've heard putting your IP through Cloudflare can help with security. I mean it sounds like if I remote host/port forward from home something similar could happen. I really need the root server's specs for this project I'm working on.

    I've already got a lot to do working on this solo atm, perhaps I'll pay someone at a later point when I decide to make it go public to add DDoS protection and other stuff.

  • I'm not planning on giving out the address. I'm planning on going ahead and just not making it public.

    That doesn't stop botnets from attacking your server - they just scan all available addresses. After all, your IPv4 address is somewhere between 0.0.0.0 and 255.255.255.255.



    I've heard putting your IP through Cloudflare can help with security.

    Only with HTTP based services. Neither SSH nor Minecraft are HTTP based.



    I mean it sounds like if I remote host/port forward from home something similar could happen.

    If you put an Operating System behind a NAT, not every service is exposed to the internet. You probably won't forward the SSH port of your machine.

    In a default Linux setup where the machines are directly connected to the internet - more services are exposed to the internet, most of which an amateur is unaware of.


    You need to know what you are doing - and those are things you wouldn't learn from one YouTube video.

    Even if a machine in your home network gets compromised, they'll usually have limited bandwidth and your home ISP's IP addresses are on certain block lists, so you can't send spam mails with them. On a real server this is different.


    I've already got a lot to do working on this solo atm, perhaps I'll pay someone at a later point when I decide to make it go public to add DDoS protection and other stuff.

    You have no idea what you are doing. (D)DoS is your smallest problem. Other stuff is the stuff that you have to do immediately after ordering a server. The botnets won't wait for you to set up at a later moment.

    When you want to pay someone: start with a dedicated minecraft hoster. Learn your stuff on a virtual machine on your private computer.

    As soon as you order a server - this server is public.


    How is it that 40€ is too expensive for you, yet you are offering to pay someone?
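The point above about services being exposed without the owner knowing can be checked on the machine itself. This is an added example, not part of any post in the thread: it filters the output of `ss -H -tuln` for listeners that are not loopback-only and not on a list of ports you meant to open. The sample input and the SSH port 22022 are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): which listening sockets are reachable
# from outside and are not on the list of ports you meant to open?
# stdin: output of `ss -H -tuln` (Netid column present because both -t and -u
# are given); arguments: the ports you intend to expose.
exposed_listeners() {
    awk -v allowed=" $* " '
    {
        proto = $1; local_ep = $5                      # e.g. tcp and 0.0.0.0:111
        pos = match(local_ep, /:[0-9]+$/)              # port follows the last colon
        if (pos == 0) next
        addr = substr(local_ep, 1, pos - 1)
        port = substr(local_ep, pos + 1)
        if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only, not reachable
        if (index(allowed, " " port " ")) next         # a service you intended
        print proto " " addr ":" port
    }'
}

# Constructed sample of what a freshly installed image might be listening on.
sample_ss_output() {
cat <<'EOF'
tcp   LISTEN 0      128          0.0.0.0:22022      0.0.0.0:*
tcp   LISTEN 0      4096               *:25565            *:*
tcp   LISTEN 0      80         127.0.0.1:3306       0.0.0.0:*
tcp   LISTEN 0      4096         0.0.0.0:111        0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:111        0.0.0.0:*
tcp   LISTEN 0      100             [::]:25            [::]:*
tcp   LISTEN 0      4096           [::1]:631           [::]:*
EOF
}

# Intended services: Minecraft on 25565 and SSH on the constructed port 22022.
sample_ss_output | exposed_listeners 25565 22022
```

On a real host, replace `sample_ss_output` with `ss -H -tuln`; every line printed is a service that either the firewall has to block or that should be stopped.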

  • I'm not planning on giving out the address.

    You are thinking pretty easy. But this is bullshit. ^^

    Those guys don't need your address, they will find it by themselves. If you don't believe it, take a look at the tool masscan.


    DDoS isn't the problem - especially not against you. Because in the worst case it will only slow down your server.

    What I am talking about is that your server is going to be hacked and is after that a part of a botnet. So you are not the destination of the DoS attack, you are the origin!


    Cloudflare is only snake oil, it won't fix one of your problems in this situation. It's just privacy-unfriendly as hell.

    Beyond that - netcup provides up to 2 TBit/s DDoS protection. Isn't that enough? ^^


    What i am talking about is securing and hardening the server, its operating system and the applications on it.

    This means setting up a good firewall, configuring the network, configuring and hardening the SSH server, regularly patching and rebooting if needed, creating backups with an emergency plan, setting up a good monitoring system.

    Then there's also the need to configure and harden your apache2 and maybe also interpreters like PHP, if you want to use those services.

    The same goes for database services, game servers like Minecraft and anything else.


    Are you really sure that you are able to manage this with currently nearly no knowledge of these topics?

    What have you already done to secure/harden your system? Did you at least set up a new OS on the server or are you using the old standard froxlor image with Debian Jessie?


    Man, that's no funny or easy topic. If you're running an unmanaged server without the necessary knowledge... Just think about your server getting hacked and you being responsible for it. You will go to jail/have to pay the penalty if someone hacks your server and does damage to other servers in your name.

    A few days ago I explained this to another community member as well - if your server gets hacked and attacks another server with a web shop of a company that earns 10000€/hour with this shop. Let's say the shop has a downtime of 12 hours due to the attack from your server.

    Do you want to pay the 120000€ that the company has lost because of your negligence? Just think about it.


    I am not writing this for fun... :rolleyes:


    perhaps I'll pay someone at a later point when I decide to make it go public to add DDoS protection and other stuff.

    And you really think this guy will do it for less money than netcup with its managed servers? No. He won't. Pretty sure.

    "For the most radical doubt is the father of knowledge."

    -Max Weber

  • How is it that 40€ is too expensive for you, yet you are offering to pay someone?

    40 euros a month adds up. A 20 pounds odd payment or something to set something up wouldn't be bank breaking. I'm reading through your comments now. I mean I've got a live active server. Can I turn it off while I configure settings or something, or are you advising me to literally delete the service?


    Any suggestions as to where I'd go about starting on learning new stuff regarding this in terms of guides/wikis?

  • Just out of concern that it could already be compromised, which I don't think it has. Do netcup servers come with NAT firewalls? And when you buy a server, isn't it locked to only be connected from port 20 with the root access permission?

  • Do netcup servers come with NAT firewalls? And when you buy a server, isn't it locked to only be connected from port 20 with the root access permission?

    No, they don't come with any firewall or NAT. You have to set up iptables/nftables on the OS.


    And yeah... theoretically it is, but that's the first security issue. ^^

    Root login via SSH should be disabled. You should only use key pairs for logging in via SSH, not passwords as given by default. It's also not the best idea to run the SSH server on the default port, especially if you don't have fail2ban running on the server.


    It's also not advisable to use the standard OS. You should reinstall the server completely with a new OS. Netcup delivers the server with Debian 8 Jessie, which is really old and only gets security updates until June this year. I don't know why, but it's a problem and we all have to deal with it.


    Can I turn it off while I configure settings or something, or are you advising me to literally delete the service?

    Of course you can. First of all, you can shut it down at servercontrolpanel.de

    I think your server isn't older than 30 days, so you have the option to return it at customercontrolpanel.de and get your money back.

    Any suggestions as to where I'd go about starting on learning new stuff regarding this.

    It's a bit tricky. I learned much through learning by doing, but doing it in a secure environment (--> at home in virtual machines). There you can test, build some setups and also try to attack the setup you built yourself.

    The internet has many tutorials and howtos. Some are good, some are bad - you will see it.


    A good start would be the web server security series by InfoSec Handbook. --> https://infosec-handbook.eu/as-wss/

    You can also audit your local setups with lynis. It's a good tool, but a little bit complex. But with a bit of reading and studying you will understand it. --> https://cisofy.com/lynis/


    To begin with you can also try my small debsec script (it's not as perfect as lynis, but maybe better for beginning) --> https://codeberg.org/wh0ami/debsec


    You can also try to port scan your systems using nmap - that's good for seeing whether your firewall works.


    Another good recommendation is to try to make SSH etc. only accessible via VPN, I would recommend WireGuard. ;)


    That's a bit much for now, but just try some things step by step and you will get a feeling for this stuff.

    And if there are any problems or something while learning, feel free to ask us. We will try to explain it to you. :)


    PS: If you think you are ready, you can build your server as a local virtual machine, secure it, export it as a qcow2 image, upload it to netcup's FTP and directly import it. So the server is secured from the first second on the internet. :P

    "For the most radical doubt is the father of knowledge."

    -Max Weber
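The SSH advice in the post above (no root login, keys instead of passwords, not the default port) can be turned into a repeatable check. This is an added example, not code from the thread or from any of the linked projects: it reads sshd_config text, or the output of `sshd -T`, on stdin. It assumes whitespace-separated `Keyword value` lines, does not follow `Include` files, and only flags `Match` blocks instead of evaluating them; both sample configurations are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): audit the sshd settings named in the post.
# Reads sshd_config text, or the output of `sshd -T`, on stdin.
audit_sshd() {
    awk '
    function get(k) { return (k in seen) ? seen[k] : "unset" }
    /^[ \t]*#/ || NF == 0 { next }                 # skip comments and blank lines
    tolower($1) == "match" { has_match = 1; exit } # conditional blocks: flag, do not parse
    {
        key = tolower($1); val = tolower($2)       # keywords are case-insensitive
        if (key == "port") ports = ports " " val   # Port may be given several times
        else if (!(key in seen)) seen[key] = val   # otherwise the first value wins
    }
    END {
        root = get("permitrootlogin"); pw = get("passwordauthentication")
        if (root != "no") print "FAIL PermitRootLogin " root
        if (pw != "no")   print "FAIL PasswordAuthentication " pw
        if (ports == "" || index(ports " ", " 22 ")) print "WARN sshd listens on default port 22"
        if (has_match) print "NOTE Match block present, review it by hand"
    }'
}

weak_config() {      # constructed sample: root and password logins possible
cat <<'EOF'
Port 22
PermitRootLogin yes
#PasswordAuthentication no
UsePAM yes
EOF
}

hardened_config() {  # constructed sample: the settings the post recommends
cat <<'EOF'
Port 22022
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
EOF
}

echo "weak:";     weak_config | audit_sshd
echo "hardened:"; hardened_config | audit_sshd
```

A value reported as `unset` means sshd falls back to its built-in default, which for `PasswordAuthentication` is `yes`; a commented-out line therefore does not disable password logins.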

  • If one was to only enable port 25565 through a ufw firewall.. how safe would that make the server? Provided you have disabled the root user and made a new one with a unique password and deny all incoming connections. Enabled just SSH.

  • If one was to only enable port 25565 through a ufw firewall.. how safe would that make the server? Provided you have disabled the root user and made a new one with a unique password and deny all incoming connections. Enabled just SSH.

    This would be a beginning, but just a small step to real security.


    Of course it's a good idea, ufw can and will make firewalling easy for you.

    But you want to administer the server, so in addition to 25565/tcp you also need an open port for SSH. And just making a new user and disabling root login won't secure your server. I think those script kiddie guys will need one to two days, then your server is hacked. And the funny thing is - you won't notice it.


    Okay. I will now give you some hints for the beginning without any warranty:

    - completely new setup, maybe with Debian 10 or CentOS 8 (CentOS is much safer, but you have to deal with SELinux - disabling SELinux will make it insecure)

    - /var/log should have its own logical volume

    - the app directory should have its own logical volume

    - network interface configuration should be static, don't use DHCP (please also pay attention to netcup's IPv6 hints)

    - configuring the SSH server as described in the InfoSec Handbook (link was already sent here) and changing the SSH port to above 10000

    - building a login notifier, maybe per e-mail or Telegram bot

    - firewalling the server; if you are a beginner, ufw or firewalld would be the tool of choice

    - creating regular backups (or you will end up like this guy)

    - setting up a basic monitoring that is able to send alerts, especially for network throughput, server load and the like


    You should also know something about user and rights management if you want to run a game server, because it would be very uncomfortable if you secure your system and then the hackers come in through the game server applications.

    You also can always use lynis to check your system.


    If you want to run a webserver, you should really first read about how to harden it - that's not an easy topic at the beginning. Tools like Securityheaders, Qualys SSL Labs and Mozilla Observatory will help you.



    Last but not least - never forget: test and try in virtual machines at home. NOT on a server on the internet.

    Doing such things on a server on the internet is like learning to drive a big truck on a highway - do you know what I mean?

    "For the most radical doubt is the father of knowledge."

    -Max Weber

  • And additionally, plan in 10-15 hours of spare time each week for administrative tasks.


    That's about how much I spend on routine tasks (analyzing hack attempts, fine tuning spam detection, installing updates, etc.), more in case of an incident.

    CentOS 7 / nginx / php-fpm / postfix / rspamd / clamav / dovecot / nextcloud running on RS 1000 SSDx4 G8 / VPS 500 G8 / VPS 2000 G8 Plus