[SOLVED] Security risks when port forwarding (Minecraft server & VPN)?

ethan206

Hi, I recently set up a VPN on my Raspberry Pi so I can access my files on the go anywhere. I port forwarded ports (UDP) 500 & 4500 on my Pi and installed a profile on my phone so that only my phone can connect through to the VPN (pistrong). I'm not too concerned about security there as it's tunneling through a VPN but I also was experimenting with setting up a Minecraft server for me and my friends on my Pi. I'm running the JVM through Docker and that would require me to port forward port 25565 on my Pi.

My question is how secure is this or does this pose any kind of security vulnerability? I know Minecraft servers aren't the most secure, to begin with (or heck, port forwarding, in general, isn't that recommended) but what are the chances someone with malicious intent could be able to hack through to my Pi? I'm not that educated on networking, but since I only exposed port 25565, would the person with malicious intent only have access to data being sent only through that port? Or would they be able to compromise my entire Pi (access other files beyond the mc server), or even other devices on my network?
 
Solution
500 and 4500 are well-known IPsec VPN ports. Since VPN is designed for security the code tends to be rather well audited. Most of this is very old code so it has been looked at many times. One of the huge advantages of using an open source platform.

Minecraft is a little more questionable. It is an end-user application so security is not as much a concern. I have not run Minecraft servers. Does the server run at root/administrator level? If it is running as a user-level process the risk is much less.

In theory any software that is accessible remotely could have a bug in it that could compromise stuff. This is why in a commercial install servers facing the internet are put in a real DMZ. There is a firewall between the internet and the server and between the server and the internal network. Many times there are firewall rules between servers inside the DMZ. This means if there was an application issue that allowed someone to take control of a server it could not attack other devices.

For a home user the risk is pretty minimal. In the end the professional hacker wants money. There is nothing to steal on a home user to make it worth the effort. Maybe they could convert the machine into a bitcoin miner but again if you run it on a Raspberry Pi it is not like it is going to generate much before someone reinstalls everything because their server is running so slow.
 
Ah I see, and I think it's running at the administrator level? I'm running the server through Docker and I would assume (correct me if I'm wrong) every container is run at the admin level to ensure nothing goes wrong. I mean there was the whole Log4j Java exploit a couple of weeks ago that wreaked havoc everywhere so I was a little paranoid that something of the sort could come up. And speaking of which, where you mentioned hackers potentially mining bitcoin, there were a couple of instances where people were using Log4j to inject miners into people's systems to mine crypto lol. (But Mojang/Minecraft seems to have patched Log4j for the most part so it should be safe)

I'm not tech-savvy enough with networking, but there are options to configure DMZ settings on my router but I think a router DMZ network and a commercial DMZ network are very different. My understanding of it is (or at least from what I can gather from my router page settings) that I set up a device as a specific "DMZ" to handle all traffic through there which would open up every port on that device (as opposed to opening up every port on my router). However, I also heard it's best not to mess with setting up DMZ as you could potentially risk opening up every single port on your router.
 
Yup, they are very different.

Not sure why they called it that on consumer routers. It does exactly what you say and is more something you use when you are troubleshooting or you have an application that uses random ports.

The DMZ used in commercial server installs is patterned after the military concept where you have extremely strong protections on both sides of the area in the middle.

When you have something as complex as a Minecraft server you already run the risk of code mistakes, especially in app code where security is not the number 1 design concern. You can to a point mitigate that with firewall rules in the end device to prevent access to the LAN. It is actually pretty easy to make a DMZ by placing a second router between the server and the actual LAN. The NAT in the second router will prevent access and you can still get to the server from the LAN using the local IP it got from the main router.
 
Yeah, it's branded as "DMZPlus" on my router but I think I'll avoid messing with that. You mentioned how I could connect my Pi to a 2nd router and that would act as a DMZ and I think I know what you're talking about but would it be possible to use something like a Wi-Fi extender? My guess is probably no, but since it sets up a Wi-Fi network/SSID separate from my router would that do anything?
 
Nope, a different SSID is just a different name for the same network.

It technically isn't even the "router" part that provides the protection. The boxes most home consumers have can't actually route between subnets. That is why you see them called "gateways". They let a single LAN subnet share 1 WAN IP.

This is the NAT function that also, in effect, because it is so stupid, provides the basic firewall ability. You would need to hook the WAN port of the second router to the "DMZ" area. As you know, no session can be initiated from the WAN side of a router without port forwarding rules. This is the same as a firewall rule you commonly put in that only allows established sessions to return traffic.
 
I see, I think I'll just avoid messing with setting up DMZ for now or maybe in the future lol. Don't wanna screw things up and need to do more research haha.

Also, I found out that after the first initialization/setup of the container/startup, the mc server docker container demotes to running as a non-root user, so that should make it harder for potential hackers and increase security right?
 
Yes, it means you can use some simple firewall rules on the server to basically only allow ports needed to run as a server. That prevents the app from using other ports to attack other machines. Since it cannot become root it can't change/bypass the firewall settings.
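
The host firewall rules described in the last reply, written for the Docker setup in this thread, as an added example that is not part of any post above. The LAN subnet, router address, Docker subnet, `docker0` bridge name and the DNS-via-router exception are assumptions. Docker forwards published ports through the FORWARD path, so container traffic is filtered in Docker's `DOCKER-USER` chain rather than in `INPUT`.

```shell
#!/bin/sh
# Added example: keep a compromised Minecraft container away from the LAN
# and from the Pi itself. All addresses are assumed defaults; override them.
LAN_NET="${LAN_NET:-192.168.1.0/24}"       # assumed home LAN subnet
GATEWAY="${GATEWAY:-192.168.1.1}"          # assumed router / DNS resolver
DOCKER_NET="${DOCKER_NET:-172.17.0.0/16}"  # assumed Docker bridge subnet
DOCKER_IF="${DOCKER_IF:-docker0}"          # assumed Docker bridge interface

# Print the rule set. Nothing changes on the system until it is applied.
gen_rules() {
  cat <<EOF
# Start from a clean DOCKER-USER chain so reruns do not stack duplicates.
iptables -F DOCKER-USER
# Replies to sessions opened from outside (players on 25565) may pass.
iptables -A DOCKER-USER -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
# Let the container resolve names through the router only.
iptables -A DOCKER-USER -s $DOCKER_NET -d $GATEWAY -p udp --dport 53 -j RETURN
iptables -A DOCKER-USER -s $DOCKER_NET -d $GATEWAY -p tcp --dport 53 -j RETURN
# Any other new connection from the container into the LAN is dropped.
iptables -A DOCKER-USER -s $DOCKER_NET -d $LAN_NET -j DROP
# Container to host services (SSH, VPN daemon, file shares) uses INPUT.
iptables -C INPUT -i $DOCKER_IF -m conntrack --ctstate NEW -j DROP 2>/dev/null || iptables -I INPUT -i $DOCKER_IF -m conntrack --ctstate NEW -j DROP
EOF
}

# Default is a dry run that prints the rules; --apply runs them (needs root).
if [ "${1:-}" = "--apply" ]; then
  gen_rules | sh
else
  gen_rules
fi
```

LAN machines and internet players can still open connections to the published port, because only new connections that originate from the container's subnet are dropped. The rules live in the host's network namespace, so a process confined to an unprivileged container cannot edit them.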