-
-
Notifications
You must be signed in to change notification settings - Fork 45
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Cybersecurity Section Addition #155
base: v3
Are you sure you want to change the base?
Changes from 5 commits
182a570
4acd7a3
eb5f3c9
efe8be6
169652a
8ea99ee
057b67b
858b864
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,21 @@ | ||
--- | ||
description: Access Control | ||
title: Access Control | ||
slug: sec/accesscontrol | ||
--- | ||
|
||
### Access Control and Role-Based Access Control (RBAC) | ||
|
||
**Access Control** is a fundamental security concept that ensures only authorized users can access specific resources, systems, or data. By managing access, organizations can prevent unauthorized actions, such as data breaches, accidental deletions, or system compromises. | ||
|
||
**Role-Based Access Control (RBAC)** is a specific method of managing access by assigning permissions based on roles within an organization. Instead of giving permissions directly to users, roles are created (e.g., admin, user, guest), and users are assigned to these roles, simplifying permission management. | ||
|
||
Be sure to configure your system in a manner that allows those with access only to resources or data they will need for work. | ||
|
||
Recommended System Permission Guidelines: | ||
- System Operator: Full Access | ||
- System Administrator: Full Access | ||
- Senior Server Staff: MC Server Start/Stop Access | ||
- Server Developer: MC Server Files & Start/Stop Access | ||
|
||
--- |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,44 @@ | ||
--- | ||
description: Backups for your System(s) | ||
title: Backups | ||
slug: sec/backups | ||
--- | ||
|
||
Backups provide a peace of mind during events where your files become corrupt or if you are attacked by malware/ransomware. | ||
|
||
Having a built incident response plan can make or break your ability to overcome issues in production. | ||
|
||
--- | ||
|
||
### Incident Response | ||
|
||
**What is *your* first step of recovering your system after a failure?** | ||
|
||
This question needs to be answered in detail in an incident response plan. Your plan should cover multiple different types of incidents like a security breach, file corruption, malware removal, and unauthorized access. | ||
|
||
If you are unsure of what you would do in any of these scenarios, keep reading. | ||
|
||
--- | ||
|
||
### What to Backup | ||
|
||
When configuring backups for your system(s), you need to gather a list of which directories hold your most important data. | ||
|
||
For businesses this would be client data, financials, and core services that your clients might use. | ||
|
||
In the sense of game servers and game server hosting, you would want to save your databases that addons or plugins might use, as well as information about your panel and the actual game server files. | ||
|
||
Having these backed up properly will expedite your ability to come back online when accidents happen. | ||
|
||
--- | ||
|
||
### How to Take Backups | ||
|
||
Follow the 3-2-1 rule for backing up your system(s). You should have: | ||
<ul class="pl-5 list-disc"> | ||
<li>3 Total Backups</li> | ||
<li>2 Local Backup on seperate machines</li> | ||
<li>1 Offsite Backup through a storage provider</li> | ||
</ul> | ||
|
||
There are many storage providers out there and FOSS backup tools you can install and use. We won't get into that here but a quick google search should bring you to where you need to be. |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,47 @@ | ||
--- | ||
description: Managing Your System(s) | ||
title: Basic Security | ||
slug: sec/basicsecurity | ||
--- | ||
|
||
### Malicious Actors | ||
|
||
As with any public server, your IP is exposed in some way to the public. | ||
|
||
Malicious Actors (Hackers) are constantly scanning networks around the world in the hopes to find a vulnerable system they can attack. | ||
|
||
Vulnerabilities come in many different shapes and sizes and chances are you may have of heard or seen them in the past. | ||
|
||
**Some Examples** | ||
<ul class="pl-5 list-disc"> | ||
<li>CVE-2021-44228 - Log4Shell (Log4J)</li> | ||
<li>CVE-2021-38003 - Google Chrome Vulnerability</li> | ||
<li>CVE-2022-21658 - RCE in Minecraft: Java Edition</li> | ||
<li>CVE-2023-29347 - Steam Client Vulnerability</li> | ||
</ul> | ||
|
||
|
||
--- | ||
|
||
### Strong Passwords | ||
|
||
Having a strong password and a secure password storage are both great ways to help safeguard your system(s). | ||
|
||
A strong password is the first line of defense against unauthorized access. A weak or commonly used password makes it easy for malicious actors to gain access to your account(s) or system(s). | ||
|
||
**Strong Password Guidelines** | ||
<ul class="pl-5 list-disc"> | ||
<li>12-16 Characters</li> | ||
<li>Includes a mix of uppercase and lowercase letters, numbers, and special characters (where applicable)</li> | ||
<li>Avoids common words, patterns, or easily guessable information</li> | ||
</ul> | ||
|
||
--- | ||
|
||
### Security Updates | ||
|
||
Software and Security updates often include multiple patches that fix vulnerabilities found either publicly through BugBounties or from the developers. | ||
|
||
**Outdated software can leave you exposed to attacks.** | ||
|
||
Always update your software when a new release has been sent out. At a minimum, you should be updating your system(s) once a week if updates are available. |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,84 @@ | ||
--- | ||
description: Firewalling and Protecting your System(s) | ||
title: Firewalling | ||
slug: sec/firewalls | ||
--- | ||
|
||
### Server Firewalling | ||
|
||
The concept of firewalling is to prohibit access to your system via the network, or allow access to specific services running on the system. | ||
|
||
**Why this is important** | ||
<ul class="pl-5 list-disc"> | ||
<li>Firewalls help block harmful or unwanted traffic, such as viruses or hackers attempting to access your network.</li> | ||
<li>You can configure a firewall to allow only trusted sources to access your network and services.</li> | ||
<li>Firewalls can separate parts of your network to reduce the spread of potential security breaches.</li> | ||
<li>Firewalls can mitigate Distributed Denial of Service (DDoS) attacks by controlling traffic flow and blocking malicious requests.</li> | ||
</ul> | ||
|
||
Depending on your host, your system has some sort of firewall already installed. If not, your host may offer a firewall panel to access and configure a hardware absed firewall, like a switch or a router. | ||
|
||
When configuring your firewall, always remember that the top-most rule is the first that will be run. | ||
|
||
For a basic, secure firewall setup on Linux, you could use something like UFW (UncomplicatedFirewall) | ||
|
||
For Example: | ||
`ufw allow 22 # Allows traffic to the default SSH port` | ||
`ufw allow 25565 # Allows traffic to the default Minecraft port` | ||
`ufw deny 3306 # Denies all traffic to MySQL/MariaDB` | ||
|
||
*You would not want to use these rules in a production setup, this is just an example of using UFW.* | ||
|
||
For Windows, you have the option of using "Windows Defender Firewall with Advanced Security" | ||
This does not follow the traditional rule of top-down routines for firewalls, but it will help you secure your system. | ||
|
||
--- | ||
|
||
### UFW Basics | ||
|
||
A basic firewall setup on linux for a Minecraft server running Pterodactyl would look like this: | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Would be good to note here that docker by default bypasses ufw There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. added! |
||
`ufw allow from {Your Home IP}` # Allows your home IP to access the server entirely | ||
`ufw allow from 172.18.0.0/8` # Allows the Pterodactyl Subnet access to the server's services | ||
`ufw allow from {Your Server IP}` # Allows your server to access itself via the public IP | ||
`ufw deny 3306` # Denies outside access to your Databases | ||
`ufw deny 22` # Denies outside access to SSH | ||
`ufw allow 25565` # Allows outside access to your Minecraft Server | ||
|
||
If you wanted to allow a staff member SSH access: | ||
`ufw allow from {Their IP} to any port 22` # Allows their home IP to access port 22 | ||
|
||
You can find many tutorials online about the use of UFW. If you wanted a more advanced approach with more control, you can look into using IPTables. | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. iirc UFW sometimes does not automatically start after reboot, make sure the service is enabled on startup There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
|
||
|
||
--- | ||
|
||
### ICMP | ||
|
||
We're going to take a look into ICMP, a protocol enabled by default on most systems. | ||
|
||
ICMP is mainly used for diagnostics and error-reporting in networks. It helps your system send error messages or information about the network it's on. The most common ICMP message is the `ping`. | ||
|
||
Malicious Actors can use ICMP to aid with Network Reconnaissance. | ||
<ul class="pl-5 list-disc"> | ||
<li>Attackers send ICMP Echo Requests (pings) to a range of IPs to see which hosts are active. This is the first step in identifying targets on a network</li> | ||
<li>While ICMP itself doesn't scan ports, attackers combine it with other tools (like nmap) to check for open ports after discovering live hosts. ICMP can give clues about the network setup and potential services to attack</li> | ||
<li>Attackers may use ICMP to covertly send data (ICMP tunneling) through firewalls that allow ICMP traffic, essentially creating a backdoor communication channel.</li> | ||
</ul> | ||
|
||
While it may make full sense to disable ICMP on your network, there are also some implications to this. | ||
|
||
**Trade-Offs** | ||
|
||
Pros | ||
<ul class="pl-5 list-disc"> | ||
<li>If your server doesn’t respond to ICMP requests, it makes it harder for malicious actors to know if your server is live or responsive</li> | ||
<li>Blocking ICMP responses (like pings) can prevent attackers from easily identifying active hosts in your network</li> | ||
</ul> | ||
|
||
Cons | ||
<ul class="pl-5 list-disc"> | ||
<li>ICMP is used for troubleshooting; disabling it means no ping replies, making it difficult to diagnose network issues like connectivity problems</li> | ||
<li>Some applications rely on ICMP for network monitoring or load balancing. Disabling it may cause them to malfunction, especially if they use ICMP to check the health of connections</li> | ||
<li>Some network protocols use ICMP messages (like "Destination Unreachable" or "Time Exceeded") to properly route traffic or avoid routing loops. Disabling ICMP can lead to inefficient routing and slower network performance</li> | ||
</ul> | ||
|
||
Keep this in mind when setting up your firewall. |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,19 @@ | ||
--- | ||
description: Helpful Resources for Security | ||
title: Resources | ||
slug: sec/resources | ||
--- | ||
|
||
If you are running a large server or have little-to-no experience in Cybersecurity or System Administration, there are a ton of people willing to help you. | ||
|
||
For a DIY approach, most tutorials on [DigitalOcean](https://www.digitalocean.com/community/tutorials) should suffice. They go over basic and advanced System Administration techniques to include firewalling, RSA Keys, and other Linux basics. | ||
|
||
If you would rather pay experienced System Administrators to manage your system for you on a one-off or recurring basis, you can look at the following: | ||
***Try to avoid Service Teams. They will hire anyone to do the work, with or without certifications*** | ||
|
||
| Name | Website | Discord | | ||
|----------|----------|----------| | ||
| InfraCharm Inc. | [Link](https://infracharm.com) | [Link](https://infracharm.com) | | ||
| Jasmeow.Systems | [Link](https://jasmeow.me/jhq) | [Link](https://discord.com/invite/Vs7Pm8UgNK) | | ||
| CraftSupport | [Link](https://www.craftsupport.net/) | [Link](https://discord.com/invite/SP87wwm6DU) | | ||
| Rejsik | None | [Link](https://dsc.gg/rsas) | |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Correct. I've removed them. Thank you.
Not sure where I got that info from, I think NVD.