Security Recommendations


Here you can find a list of suggestions for improving the security of your installation. Please be aware that allowing the upload or installation of unchecked JAR files can allow the user to gain shell access as the Minecraft server user. This is not usually a problem but you need to make sure that no sensitive files are accessible by every user (i.e. there can be no access for "others" on any sensitive file).

Make sure the "protected" directory is not accessible through the webserver

The "protected" folder contains a .htaccess file that will usually tell the webserver to prevent all access to this folder. On some systems this functionality is disabled and the .htaccess file has no effect.

You can check whether this applies to you by visiting your panel and replacing "index.php" with "protected/data/panel/schema.mysql.sql". For example:
http://example.com/multicraft/index.php
becomes
http://example.com/multicraft/protected/data/panel/schema.mysql.sql

If this downloads a file or shows some SQL statements then you must apply either a) or b) below and repeat the check until it doesn't display anything anymore.
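
The check described above can be scripted so it is easy to repeat after each configuration change. This is an added example, not part of Multicraft; the function names, result labels and the PANEL_URL variable are assumptions of the example.

```shell
#!/bin/sh
# Added example: probe whether the panel's "protected" directory is served.
# The URL rewrite and test file come from the text above; the function
# names, result labels and PANEL_URL variable are this example's own.

# Build the probe URL: everything from "index.php" on is replaced.
probe_url() {
    case "$1" in
        */index.php*) base=${1%%index.php*} ;;
        */)           base=$1 ;;
        *)            base=$1/ ;;
    esac
    printf '%sprotected/data/panel/schema.mysql.sql\n' "$base"
}

# Classify one response: $1 = HTTP status, $2 = file holding the body.
classify_response() {
    case "$1" in
        000) echo unreachable ;;          # curl could not connect
        200) if grep -Eiq 'create table|insert into' "$2"; then
                 echo exposed             # SQL came back: apply a) or b)
             elif [ -s "$2" ]; then
                 echo check-manually      # 200 with a non-SQL body
             else
                 echo blocked
             fi ;;
        *)   echo blocked ;;              # 403/404 etc.: nothing is served
    esac
}

# Fetch the probe URL and report; returns 0 only when access is blocked.
check_panel() {
    url=$(probe_url "$1")
    body=$(mktemp) || return 2
    status=$(curl -s -o "$body" -w '%{http_code}' --max-time 10 "$url")
    result=$(classify_response "$status" "$body")
    rm -f "$body"
    echo "$url -> HTTP $status: $result"
    [ "$result" = blocked ]
}

# Runs only when PANEL_URL is set, e.g.
#   PANEL_URL=http://example.com/multicraft/index.php sh check.sh
if [ -n "${PANEL_URL:-}" ]; then check_panel "$PANEL_URL"; fi
```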

Suggested solutions:
a) [Recommended] Enable the webserver to use the .htaccess file. This is usually done in your main Apache config file (/etc/apache2/apache2.conf) or in the config file of your website (/etc/apache2/sites-enabled/000-default). Look for the <Directory> declaration for your web files (/var/www) and change "AllowOverride None" to "AllowOverride All". That part of the configuration should then look like this:
<Directory /var/www>
    Options -Indexes +FollowSymLinks +MultiViews
    AllowOverride All
    Order allow,deny
    allow from all
</Directory>

A restart/reload of Apache is required after this (service apache2 reload).
For users of other webservers a different method might apply. Please consult your webserver documentation for this. For example, with Nginx, adding the following code to the configuration should work:
location /protected {
    deny all;
    return 404;
}

b) [Advanced] Move the "protected" folder outside of the web accessible directories and change all paths in your index.php and api.php accordingly so the application still runs as usual.


Restrict or disable API access

If you don't use the Multicraft API you should disable it under Settings->Panel Configuration.
If you use the API you should allow access to it from certain IPs only. You can configure the list of allowed IPs under Settings->Panel Configuration.


Restrict Superuser access

If you only use superuser access to the panel from a defined set of IPs you can restrict superuser access to the panel to these IPs only under Settings->Panel Configuration.


Restrict Daemon connections

You should make sure that only your panel(s) can connect to your daemons by setting the "allowedIps" setting in your multicraft.conf.


Separate Daemon and Panel databases

The daemon and the panel database are meant to be kept separated from each other. The daemons should not have any kind of access to the panel database.
You can further restrict the table access of the daemons to the daemon database by allowing SELECT-only queries on all but the following tables:
Table 'daemon', requires INSERT, DELETE
Table 'player', optionally requires INSERT, UPDATE (without these privileges some player information is not recorded)
Table 'schedule', requires UPDATE

This can be further improved by using a separate MySQL user for each daemon so revoking access for individual daemons becomes possible.
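
The privilege layout above, written out as MySQL statements for one daemon account. This is an added example, not part of Multicraft: the script and function name are this example's own, the database, user and host values are whatever you pass in, and the account is assumed to exist already.

```shell
#!/bin/sh
# Added example: print least-privilege MySQL grants for one daemon account.
# Table names and privileges are the ones listed above; the database, user
# and host values are supplied by you, and the account must already exist.

# usage: daemon_grants DB USER HOST [yes|no]   (4th arg: record player info)
daemon_grants() {
    db=$1 user=$2 host=$3 players=${4:-yes}
    # Refuse names that could break out of the quoted SQL identifiers.
    for v in "$db" "$user"; do
        case "$v" in
            ''|*[!A-Za-z0-9_]*) echo "invalid name: $v" >&2; return 1 ;;
        esac
    done
    case "$host" in
        ''|*[!A-Za-z0-9_.%:-]*) echo "invalid host: $host" >&2; return 1 ;;
    esac
    acct="'$user'@'$host'"
    # In "db.*" grants MySQL treats "_" as a wildcard, so escape it there.
    dbpat=$(printf '%s' "$db" | sed 's/_/\\_/g')
    # Drop whatever the account had before, then grant only what is needed.
    printf '%s\n' "REVOKE ALL PRIVILEGES, GRANT OPTION FROM $acct;"
    printf '%s\n' "GRANT SELECT ON \`$dbpat\`.* TO $acct;"
    printf '%s\n' "GRANT INSERT, DELETE ON \`$db\`.\`daemon\` TO $acct;"
    printf '%s\n' "GRANT UPDATE ON \`$db\`.\`schedule\` TO $acct;"
    if [ "$players" = yes ]; then
        printf '%s\n' "GRANT INSERT, UPDATE ON \`$db\`.\`player\` TO $acct;"
    fi
}

# Runs only when arguments are given, e.g. (constructed names):
#   sh grants.sh multicraft_daemon mc_daemon1 192.0.2.10 | mysql -u root -p
if [ "$#" -ge 3 ]; then daemon_grants "$@"; fi
```

Running it once per daemon with a different user name gives each daemon its own account, so a single daemon's access can be revoked without touching the others.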


Run the Daemon in multiuser mode

Multiuser mode is designed to protect the server files from access by other server owners. Make sure the "multiuser" setting is "true" in your multicraft.conf and the "user" setting is not "root".


Secure the admin password(s)

Make sure the admin password is very strong and change it regularly to mitigate brute force attacks against it.


Use a dedicated MySQL installation

You should not use the same MySQL installation you use for the panel/daemon database to host databases of other applications (e.g. WHMCS) or even user databases. A defect in any one of the other applications can compromise your installation.


Make backups and keep them secure

As with any system you should also make regular backups of at least your daemon/panel databases as well as the "servers" directory of your daemons. The backup data must never be accessible from the machines running the actual installation, otherwise you may lose the backup data as well during an incident.


Keep the installation size manageable

Multicraft can handle any number of Minecraft servers on a single panel. At a certain point the bottleneck is usually the central MySQL database server. This can be worked around by clustering MySQL and applying common optimizations. Distributing your servers over multiple panel installations will improve both security and performance.


Keep Multicraft updated

Multicraft should always run at the latest version. Mixing versions is possible but not recommended as the whole system will only be as strong as the weakest link, which might be a daemon running an old version.


Advanced: Enable the Java Security Manager

You can enable the Java Security Manager by passing "-Djava.security.manager" as a parameter on server startup. You can then use a policy file to define what actions the Java process is allowed to perform. Please note that we do not provide support for setting up this feature. More information about this Java feature can be found in online resources.


Disable JAR Uploads and Disable Plugin Installations

Allowing the upload or installation of unchecked JAR files can allow the user to gain shell access as the Minecraft server user. This is not usually a problem if you are running in multiuser mode but you need to make sure that no sensitive files are accessible by these users (i.e. there can be no access for "others" on any sensitive file).
JAR access is disabled by default through the "forbiddenFiles" setting in the multicraft.conf, and the BukGet browser is also disabled by default. You can revert these settings to go back to the default behavior.


Protect Sensitive System Files

Allowing the upload or installation of unchecked JAR files can allow the user to gain shell access as the Minecraft server user. This is not usually a problem if you are running in multiuser mode but you need to make sure that no sensitive files are accessible by these users (i.e. there can be no access for "others" on any sensitive file).
Non-exhaustive list of typical points to address:
  • Ensure that files in /etc/ cannot be modified by normal system users
  • Ensure that normal users do not have read access to configuration files containing sensitive information. This includes your multicraft.conf file and all files in your front end directory (/var/www by default).
  • Set reasonable resource limits for users with "ulimit" where applicable
  • Set up system logging, preferably to a remote location, to make sure that the system can be properly monitored
  • Back up all relevant files regularly to a remote location
  • Make sure other installed software is in a safe configuration. Some software products come with permissive or insecure default configurations
  • Keep all installed software up to date
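
A way to audit the first two points of the list, i.e. no access for "others" on sensitive files and nothing modifiable under /etc. This is an added example, not part of Multicraft; the function names are this example's own and the paths to check are passed in by you.

```shell
#!/bin/sh
# Added example: find files that still grant access to "others".
# Function names are this example's own; pass your own multicraft.conf and
# front end paths as arguments (only /etc and /var/www come from the list).

# Print entries under the given paths that have any o+r, o+w or o+x bit.
# Directories closed to "others" are pruned: nothing below them is reachable.
others_accessible() {
    for p in "$@"; do
        [ -e "$p" ] || { echo "skip (missing): $p" >&2; continue; }
        find "$p" \( -perm -004 -o -perm -002 -o -perm -001 \) \
            ! -type l -print -o -type d -prune
    done
}

# Print entries "others" may modify (for the /etc item in the list).
others_writable() {
    find "$@" -perm -002 ! -type l -print 2>/dev/null
}

# Runs only when paths are given, e.g.
#   sh audit.sh /path/to/multicraft.conf /var/www
if [ "$#" -gt 0 ]; then
    echo "== accessible by others =="
    others_accessible "$@"
    echo "== modifiable by others under /etc =="
    others_writable /etc
fi
```

An empty result for both sections is the goal; run it as root so that directories closed to normal users can still be inspected.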


Use Docker containers

Multicraft comes with built-in support for running each server in a separate Docker container. This feature is highly customizable in the multicraft.conf file in the [docker] section. You can also override the settings in that file through the individual .jar.conf file giving you the ability to customize Docker usage based on the server type.


Use Linux security features

Depending on the distribution used you will have other means of securing your installation. SELinux and AppArmor are examples of such features that can be used to further restrict what individual server processes are allowed to do. For help with configuring these features please refer to the documentation of your distribution.