helpimnotdrowning.net (eternally unfinished)

  • 2 Posts
  • 35 Comments
Joined 1 year ago
cake
Cake day: June 9th, 2023

help-circle


  • yes, it’s mostly things like games or software

    though, I have seen more & more reports of people finding malicious disguised LNK files in their downloads and torrents, which will run some arbitrary command if you open that: Windows does not ever show the LNK extension, so a file could be named “<whatever>.mkv.lnk”, and you would only know if you checked the “file type” column in Explorer (which would read “Shortcut” instead of something like “Matryoshka file”), or when you see the cmd.exe window flicker open and close.

    bonus edit: LNK is the native file extension that Windows uses to link app shortcuts, such as the shortcuts on your desktop.



  • This might also become a hassle since basically all residential connections (likely of OPs friends) have dynamic IPs - if someone wants to join while OP is away, but their IP has changed since their last connection, now they have to wait on OP to update the firewall rules.

    Apart from getting your MSA token stolen, there’s not really much that can get around server login (yet). All online-mode logins pass through Microsoft (part of the reason why Xbox service outages seem to affect Minecraft so much).

    If your friends all individually seem to stay within some certain IP ranges (ex, first handful digits always stay the same, 12.34.56.xx), then I’d say go ahead with whitelisting them fully (ex, 12.34.56.xx --> 12.34.56.0/24, CIDR notation). If they jump around unpredictability, I would stick with the username-based whitelisting and online-mode-only.



  • as long you are only forwarding Minecraft’s 25565 port from your router to your server machine, it should be fine. Just make sure to keep Online mode on, use the whitelist, and get your plugins from trusted sources. Otherwise I wouldn’t worry too much.

    I see others recommending VPN solutions like zerotier for your friends to connect to; I don’t personally feel like this is necessary, and (in my experience), making your friends do more technical setup than just connecting to the server is often a big turn-off.

    Bonus: If you ever take a peek at your server logs while it’s running (and exposed to the Internet, if you avoid said VPN solutions), you might notice a lot of weird connections from IPs and usernames you don’t recognize. These are server scanners and threat scanners that look for vulnerable servers to connect to and exploit. This is normal and you’ll be fine as long as you keep that whitelist and stay up-to-date on developments in the server admin space.


  • I’ve acknowledged that, while convenient, my (small) setup is still a burden that I would be asking someone to take. If your friends don’t already share your passion or knowledge for Linux/Docker/the intricacies of <whatever you may be running>, I doubt they’d be willing to take on what you leave them.

    My friends had a family member who had a giant setup of Raspberry Pi’s that did Pi-hole, Home Assistant, F@H, among many other services and machines (there were like 6 Pi s!). They passed some time ago, and there’s just no one in the family who was willing to take on the responsibility to learn how to manage everything that was going on—services have been slowly degrading/going down since then.

    Those who rely on your services will just go back to using Google Drive, watch-anime-free.org.ru, and pressing “Open LAN world” in the Minecraft client. I don’t think it’s okay, but if you’re out of the game, you won’t be there to object.


    That is to say, if you DO have friends that are knowing and willing, you need to leave plenty of good documentation. I haven’t been one to write much of anything, and I’ve already fucked up my shell profiles again because of no documentation, but I can give some general pointers:

    • What runs where?
    • Why are things configured in certain ways? (ie “$GameServer gets 4gb because going over creates GC stutters”, “$IP is blocked because of telemetry”, “$File is symlinked to /dev/null to effectively delete/override a rule from $SomewhereElse”)
    • List rules and their exceptions. (ie “Service ports are numbered this way because it looks nice”, “Except $Port because it conflicts with $SystemService”)
    • List things even if they’re from personal preference (ie “Service ports are numbered this way because it looks nice”, tells user that these are effectively meaningless and things shouldn’t break by changing these, barring common sense)

    Basically, leave meaningful comments that explain why something is the way that it is. You should be able to use this documentation yourself as reference material. Keep this documentation updated regularly, as frequently quoted “bad documentation is worse than no documentation” (or something like that)

    (sorry if this last section in particular doesn’t make much sense, I haven’t slept in $hours. feel free to ask for clarification!)











  • TLDR; No

    It hasn’t been necessary in a long time, unless you’re a developer who frequently needs to type in filenames in everywhere (since the command line needs extra protection against spaces and other symbols)

    The OS (Windows, Mac, Android, etc) handles thar all for you so you don’t have to worry about it (unless you happen to use a badly-written program that doesn’t understand spaces, but this is super rare to begin with, and more protected against as time goes on)




  • Basically, the idea is that a server can refuse to serve you (or degrade your experience with captchas/heavier restrictions) unless you (your device) complete a “challenge”. This could be something like the browser (through a system API) checking some device details like

    • root/admin
    • unlocked bootloader
    • extensions (either bad extensions or something like an Adblock)
    • VPN (potentially “if you have nothing to hide you have nothing to fear”)
    • installed apps (Adblock via DNS like blokada,
    • device emulation
    • TPM (generate secure key to make sure device is “real”)
    • OS state (heavily modified?, untrusted OS?)

    etc. Basically making sure the “environment” is clean and not tampered with (trusted).

    The problem is with what defines a “trusted” environment. It could start at just making sure the device isn’t rooted (like Android’s Safetynet/Play Integrity check; most people don’t root their device & don’t/won’t care, also easily justifiable since it can be a security vulnerability because the device is “wide open”).

    Then, like the article mentions, the device makers (Google (phones, chromebooks), Microsoft (Windows, Xbox), Apple (macOS, iOS, visionOS, etc), Meta/Facebook (Oculus), etc) could change their terms for attestation and deny approval on stricter, potentially anti-consumer criteria such as device age (forcing you to buy more things).