mat-1 / matscan

silly minecraft server scanner
198 stars 8 forks

Misleading advice given by matscan #6

Closed sfphoton closed 6 months ago

sfphoton commented 6 months ago

Hey Mat,

I'm a Minecraft server admin and just noticed Herobrine's messages in my server logs. These were the following chat messages:

<Herobrine> Hello. I'm a friendly bot that scans the internet for Minecraft servers.
<Herobrine> Your server is set as offline-mode, which means hackers/griefers can (and probably will) grief the server by joining as an opped account. You must do all of the following to secure your server:
<Herobrine> 1. Install a plugin such as AuthMe or enable online-mode in the server.properties file
<Herobrine> 2. Enable a whitelist to stop unauthorized usernames from joining
<Herobrine> 3. Enable backups to prevent permanent damage
<Herobrine> - mat | FAQ: https://matdoes.dev/matscan

In my experience, there are bots that monitor usernames that are regularly active on my server and periodically try to login with those usernames. This activity renders advice number 2 (whitelists) useless, and following this advice would give a false sense of security. The only solution that really works is an authentication plugin like AuthMe or online-mode, as correctly stated in advice number 1.

Thus, I strongly suggest removing advice number 2 from sent chat messages.

Thanks for your efforts!

P.S.: I would also figure that most Minecraft admins are teens and not experienced IT people. So, I would include some hint on how to download and install a plugin, or at least some encouragement to google it.

ActuallyRuben commented 6 months ago

Please note that the advice says “You must do all of the following to secure your server:” Advice number 1 will prevent players from impersonating an OPed account, but without a whitelist they can still join as a normal player, and still do a lot of damage. It takes them more effort, but it won't fully stop them.

Shrecknt commented 6 months ago

> The only solution that really works is an authentication plugin like AuthMe or online-mode

AuthMe is not a sufficient replacement for online-mode. Offline-mode/cracked servers are inherently insecure, and AuthMe only fixes one of many issues involved with running an offline-mode server. You should probably just move to online mode.

sfphoton commented 6 months ago

> Please note that the advice says “You must do all of the following to secure your server:”

@ActuallyRuben you are right, thank you, my bad.

mat-1 commented 6 months ago

Yeah the message does say to do all of the steps, but you are kind of right that it's not the best wording. Maybe something like this would be better?:

Your server is set as offline-mode, which means hackers/griefers can (and probably will) grief the server by joining as an opped account.
To secure your server, you must do ALL of the following:
1. Install a plugin such as AuthMe (or enable online-mode in the server.properties file, if possible)
2. Enable a whitelist to stop unauthorized usernames from joining, using the commands `/whitelist on` and `/whitelist add <player>`. Note that this step on its own is not sufficient, as whitelists can be bypassed by spoofing usernames.

I removed the suggestion to do backups since it makes the message even longer and is kind of out of scope for what I'm trying to prevent, and they're still mentioned on the FAQ page anyways. Might still be too long though, feel free to give suggestions.
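As an added example (this is not part of the issue thread or the matscan project): a small Python audit that reads a `server.properties` file and reports the settings the bot's message refers to. It parses the Java `.properties` format the server writes, then flags `online-mode=false`, a disabled whitelist, and a whitelist that is not enforced. The key names `online-mode`, `white-list` and `enforce-whitelist` are the standard server keys; the sample file contents below are constructed for the example.

```python
"""Audit a Minecraft server.properties for the settings discussed above."""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the real server.properties format (not from any actual server).
SAMPLE_PROPERTIES = """\
#Minecraft server properties
#Sat Jan 01 00:00:00 UTC 2024
server-port=25565
online-mode=false
white-list : false
enforce-whitelist=false
motd=A Minecraft Server
"""


@dataclass
class Finding:
    key: str
    value: str
    severity: str  # "high" or "medium"
    message: str


def parse_properties(text: str) -> Dict[str, str]:
    """Parse Java .properties text: '#'/'!' comment lines, 'k=v' or 'k:v', whitespace trimmed."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # The first '=' or ':' separates key from value; a key with no separator has an empty value.
        sep_idx = min((i for i in (line.find("="), line.find(":")) if i >= 0), default=-1)
        if sep_idx < 0:
            props[line] = ""
        else:
            props[line[:sep_idx].strip()] = line[sep_idx + 1:].strip()
    return props


def as_bool(props: Dict[str, str], key: str, default: bool) -> bool:
    """Vanilla defaults apply when a key is missing: online-mode=true, white-list=false."""
    value = props.get(key)
    if value is None:
        return default
    return value.lower() == "true"


def audit(props: Dict[str, str]) -> List[Finding]:
    """Return findings in the order the bot's message lists them: auth first, whitelist second."""
    findings: List[Finding] = []
    online = as_bool(props, "online-mode", True)
    whitelist = as_bool(props, "white-list", False)
    enforce = as_bool(props, "enforce-whitelist", False)

    if not online:
        findings.append(Finding(
            "online-mode", "false", "high",
            "Usernames are not verified against Mojang; anyone can join under an opped name. "
            "Set online-mode=true, or install an authentication plugin such as AuthMe."))
    if not whitelist:
        # A missing whitelist is worse on an offline-mode server, but the thread's point stands:
        # on its own it does not stop username spoofing, so it never downgrades the finding above.
        findings.append(Finding(
            "white-list", "false", "high" if not online else "medium",
            "Any username may join. Run /whitelist on and /whitelist add <player>. "
            "Note: a whitelist alone does not stop spoofed usernames on an offline-mode server."))
    elif not enforce:
        findings.append(Finding(
            "enforce-whitelist", "false", "medium",
            "Players removed from the whitelist stay connected until they leave; "
            "set enforce-whitelist=true so /whitelist reload kicks them."))
    return findings


def audit_text(text: str) -> List[Finding]:
    """Convenience wrapper: parse then audit."""
    return audit(parse_properties(text))


if __name__ == "__main__":
    for f in audit_text(SAMPLE_PROPERTIES):
        print(f"[{f.severity.upper()}] {f.key}={f.value}: {f.message}")
```

Point the script at a real file by reading it into `audit_text`; a server with `online-mode=true`, `white-list=true` and `enforce-whitelist=true` produces no findings, which matches the "do ALL of the following" wording of the proposed message.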