Let's talk some security! What I'm about to point out is the single most severe security issue for BungeeCord networks. Luckily there are many ways to eliminate it. The issue I'm talking about is backend servers in a BungeeCord network that are reachable directly. Since BungeeCord requires the backend servers to run in offline mode (online-mode=false in server.properties), they do no authentication of their own: anyone who can open a TCP connection to a backend can log in under any name, and with ip_forward enabled the handshake also carries the player's IP and UUID, which a direct connection can simply forge. An attacker could for example set up their own Bungee, point it at your backend and join as a staff member, or do other bad things of a similar nature. Technically speaking this is very easy, and small mistakes in the setup of the network can make it actual child's play. There are however easy ways to prevent this issue altogether! Let me go over every one:

Localhost/Local Network:
This is by far the simplest method to get rid of this issue. However, it requires that all servers (including the Bungee) run on the same machine or in the same network (assuming your servers are linked over a network that is not publicly reachable). The trick is to make the backend servers listen not on the public IP but on localhost/127.0.0.1 or the private network IP (the server-ip setting in server.properties; when it is left empty, the server listens on all interfaces). The Bungee naturally needs to be configured to find the servers under those addresses.

Firewall/IPTables:
This is a more advanced topic, but some setups don't allow the first option. In that case you can set up a firewall so that only the Bungee can communicate with the backend servers: accept connections to the backend port from the Bungee's IP and drop everything else. This page explains it pretty well in detail. A small note: if you run your servers inside Docker containers, traffic to published ports does not pass through the INPUT chain, so your rules have to go into the DOCKER-USER chain instead of INPUT (or you publish the port on 127.0.0.1 only).

Verification Plugins:
This option is not recommended, but I want to point out that there is a last resort, should all else fail. And that alternative is verification plugins. They make sure that the Bungee connecting to a backend server really is your Bungee and not an attacker or an attacker's own proxy, for example by checking the address the connection comes from or a shared secret passed along in the handshake.
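A quick way to check whether the Localhost/Local Network option actually took effect is to look at which address each backend is bound to. The script below is an added example written for this post, not code from the original post or from BungeeCord/Spigot: it parses the output of `ss -H -ltn` (state, Recv-Q, Send-Q, local address:port, peer) and reports, for the backend ports you name, whether the socket is bound to all interfaces (what an empty server-ip gives you), to localhost, or to an address inside the private network. The sample ss output and the 10.0.0.0/8 "trusted" network are constructed assumptions for the example; adjust the network to whatever your Bungee and backends actually share.

```python
import ipaddress
import sys

# Constructed sample of `ss -H -ltn` output (state, recv-q, send-q, local address:port, peer); no real hosts.
SAMPLE_SS = """\
LISTEN 0 50  0.0.0.0:25565   0.0.0.0:*
LISTEN 0 50  127.0.0.1:25566 0.0.0.0:*
LISTEN 0 50  10.0.0.5:25567  0.0.0.0:*
LISTEN 0 128 [::]:25577      [::]:*
LISTEN 0 128 *:22            *:*
"""

# Assumption for this example: the non-public network shared by the Bungee and the backends.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

def split_local_address(field):
    """'0.0.0.0:25565', '[::]:25577' or '*:22' -> (host, port). Older ss prints '*' for the unspecified address."""
    host, _, port = field.rpartition(":")
    host = host.strip("[]")
    if host == "*":
        host = "0.0.0.0"
    return host, int(port)

def classify(host):
    """Who can reach a socket bound to this address."""
    addr = ipaddress.ip_address(host)
    if addr.is_unspecified:           # 0.0.0.0 / :: is what an empty server-ip gives you
        return "EXPOSED (all interfaces)"
    if addr.is_loopback:
        return "localhost only"
    if any(addr in net for net in TRUSTED_NETS):
        return "private network only"
    return "EXPOSED (public address)"

def audit_listeners(ss_output, ports):
    """Map each backend port found in the ss output to a verdict."""
    verdicts = {}
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        host, port = split_local_address(fields[3])
        if port in ports:
            verdicts[port] = classify(host)
    return verdicts

if __name__ == "__main__":
    # Usage on a real host: ss -H -ltn | python3 check_bind.py 25565 25566
    ports = {int(p) for p in sys.argv[1:]} or {25565, 25566, 25567, 25577}
    output = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SS
    for port, verdict in sorted(audit_listeners(output, ports).items()):
        print(f"{port}: {verdict}")
```

Run without piped input it audits the constructed sample, which shows both failure modes at once: the backend on 25565 and the one on [::]:25577 are reachable from anywhere, while 25566 (loopback) and 25567 (private network) are what the Localhost/Local Network option aims for. A "private network only" verdict is only as good as that network; if the hosts are linked over a public address range the Firewall option is still needed.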
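To make the impersonation concrete, and to show what a verification plugin has to check, here is an added example (written for this post, not code from BungeeCord, Spigot or any of the plugins mentioned) that models the handshake end of the protocol in Python. With ip_forward, BungeeCord packs the player's IP and undashed UUID (and a JSON list of profile properties) into the handshake's server-address field, separated by NUL bytes, and an offline-mode backend trusts that field as-is. The example builds such a handshake the way an attacker talking straight to the backend would, parses it the way the backend does, and then applies the two checks a verification plugin adds: the TCP peer must be an allowed proxy, and the forwarded properties must carry a shared token (modelled on BungeeGuard's approach; the property name, the staff UUID, the proxy address and the token are assumptions constructed for the example).

```python
import ipaddress
import json
import struct
import uuid

def encode_varint(value):
    """Minecraft VarInt: 7 data bits per byte, high bit set on every byte but the last."""
    out = bytearray()
    while True:
        byte = value & 0x7F
        value >>= 7
        if value:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)

def decode_varint(buf, pos):
    """Returns (value, next_pos); refuses VarInts beyond the protocol's 5-byte maximum."""
    value = 0
    for i in range(5):
        byte = buf[pos + i]
        value |= (byte & 0x7F) << (7 * i)
        if not byte & 0x80:
            return value, pos + i + 1
    raise ValueError("VarInt too long")

def encode_string(text):
    data = text.encode("utf-8")
    return encode_varint(len(data)) + data

def decode_string(buf, pos):
    length, pos = decode_varint(buf, pos)
    return buf[pos:pos + length].decode("utf-8"), pos + length

def forwarded_host(hostname, client_ip, player_uuid, properties=()):
    """Server-address field as BungeeCord sends it with ip_forward: host\\0ip\\0undashed-uuid\\0properties."""
    return "\x00".join([hostname, client_ip, player_uuid.hex, json.dumps(list(properties))])

def build_handshake(host, port=25565, protocol=47, next_state=2):
    """Length-prefixed handshake packet (id 0x00): protocol, server address, port, next state (2 = login)."""
    body = (b"\x00" + encode_varint(protocol) + encode_string(host)
            + struct.pack(">H", port) + encode_varint(next_state))
    return encode_varint(len(body)) + body

def parse_handshake(packet):
    _, pos = decode_varint(packet, 0)            # frame length
    packet_id, pos = decode_varint(packet, pos)
    if packet_id != 0:
        raise ValueError("not a handshake packet")
    protocol, pos = decode_varint(packet, pos)
    host, pos = decode_string(packet, pos)
    (port,) = struct.unpack(">H", packet[pos:pos + 2])
    next_state, _ = decode_varint(packet, pos + 2)
    return {"protocol": protocol, "host": host, "port": port, "next_state": next_state}

def parse_forwarded_host(host):
    """What an offline-mode backend does on its own: trust whatever IP and UUID the handshake carries."""
    parts = host.split("\x00")
    if len(parts) not in (3, 4):
        raise ValueError("not a BungeeCord-forwarded handshake")
    props = json.loads(parts[3]) if len(parts) == 4 else []
    return {"hostname": parts[0], "client_ip": parts[1], "uuid": uuid.UUID(hex=parts[2]), "properties": props}

TOKEN_PROPERTY = "bungeeguard-token"   # property name assumed for this example, modelled on BungeeGuard
def verify_connection(peer_ip, host, allowed_proxies, expected_token):
    """Backend-side check before the forwarded identity is trusted. peer_ip is the TCP peer
    (the proxy, or an attacker), not the client_ip inside the handshake."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in ipaddress.ip_network(net) for net in allowed_proxies):
        return False, f"connection from {peer_ip} is not an allowed proxy"
    try:
        info = parse_forwarded_host(host)
    except ValueError as exc:
        return False, str(exc)
    tokens = [p.get("value") for p in info["properties"] if p.get("name") == TOKEN_PROPERTY]
    if tokens != [expected_token]:
        return False, "missing or wrong proxy token"
    return True, info["uuid"]

# Constructed scenario: a staff UUID, the only legitimate proxy at 10.0.0.2, and a secret shared with it.
STAFF_UUID = uuid.UUID("11111111-2222-3333-4444-555555555555")
ALLOWED_PROXIES = ["10.0.0.2/32"]
SHARED_TOKEN = "example-shared-secret"

def forged_handshake():
    # Attacker talking to the backend directly (or through their own Bungee) claims the staff UUID.
    host = forwarded_host("play.example.org", "198.51.100.23", STAFF_UUID)
    return parse_handshake(build_handshake(host))["host"]

def legit_handshake():
    props = [{"name": TOKEN_PROPERTY, "value": SHARED_TOKEN}]
    host = forwarded_host("play.example.org", "198.51.100.23", STAFF_UUID, props)
    return parse_handshake(build_handshake(host))["host"]

if __name__ == "__main__":
    print("unprotected backend would log in:", parse_forwarded_host(forged_handshake())["uuid"])
    print(verify_connection("10.0.0.2", forged_handshake(), ALLOWED_PROXIES, SHARED_TOKEN))
    print(verify_connection("10.0.0.2", legit_handshake(), ALLOWED_PROXIES, SHARED_TOKEN))
```

The first print is the whole problem in one line: with nothing but offline mode, the backend accepts the attacker's handshake and logs them in as the staff UUID. The address check alone stops the attacker on the public internet, but not one who has a foothold inside the trusted network, which is why the token check is layered on top; a real plugin would also strip the token property before it reaches other plugins, and would use a constant-time comparison for it.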
I sadly could only find these two: BungeeGuard by Luck, which only works with BungeeCord and Paper, and IPWhitelist by roblabla, which is only for Spigot/Bukkit. There may be other options out there. You could also implement it yourself. A simple method I have used in the past is to verify the IP of the Bungee on the backend; note that with ip_forward enabled the address the backend reports for a player is the forwarded client IP, so the check has to look at the address of the actual TCP connection. Though you should definitely prefer the above two solutions, as they are easier and more secure. Happy Networking
- BrainStone