Historically I have always used Ubuntu to host my applications and game servers, but I was interested in checking out a more server- and security-focused distribution with the goal of expanding my knowledge and experience with different tools and distributions.
What really grabbed my attention was the promises of stability and support offered by CentOS.
To start off with, I created a VPS that is running CentOS 8 using DigitalOcean. This can be done with a few simple clicks, so I will not be covering how to do that here.
🥽 Updating Packages
Before we get started, make sure all of your packages are up to date by issuing the following command:
dnf update
👥 Creating Users
I always start a VPS by adding two users: one is a user with access to sudo that will be used for server administration tasks, and the other is a user with as few privileges as possible to run the service in question.
useradd <Admin-name>
passwd <Admin-name>
# Members of the wheel group are allowed to use sudo on CentOS
usermod -aG wheel <Admin-name>
useradd <service-account>
passwd <service-account>
👩💻 Applications
The applications that we will need are vim, tmux, and screen. Vim and tmux are easy to install (the same command also installs the Java 16 JDK that the Minecraft server runs on):
dnf install vim tmux java-16-openjdk-devel
Installing screen requires epel (Extra Packages for Enterprise Linux), which can be installed like so:
dnf install epel-release
Then screen can be installed:
dnf install screen
🦺 SSH Permissions
One issue I ran into was in using ssh keys to log in to those accounts. The key is to make sure that the permissions of the files related to ssh are correct.
Repeat this process for each user:
# Use a login shell so that we start in the user's home directory
su - <username>
chmod 0700 .
mkdir -p .ssh
chmod 0700 .ssh
# Paste the ssh key in this file
vim .ssh/authorized_keys
chmod 0600 .ssh/authorized_keys
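One way to check the result for each account, as an added example that is not part of the original post: the function below compares the home directory, .ssh and authorized_keys against the modes set above and flags anything looser, since sshd's default StrictModes setting ignores authorized_keys when any of these paths is writable by group or others. It assumes GNU stat (as shipped on CentOS); the demo directory is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): audit the modes set above.

# mode_within ACTUAL MAX: true when octal mode ACTUAL grants no bit outside MAX.
mode_within() {
    [ $(( 0$1 & ~0$2 & 07777 )) -eq 0 ]
}

# check_ssh_perms HOME_DIR: print one line per path; return non-zero if any
# path is missing or looser than the modes used in this post.
check_ssh_perms() {
    home=$1
    rc=0
    for entry in "$home:700" "$home/.ssh:700" "$home/.ssh/authorized_keys:600"; do
        path=${entry%:*}    # everything before the last colon
        max=${entry##*:}    # everything after the last colon
        if [ ! -e "$path" ]; then
            echo "MISSING $path"
            rc=1
            continue
        fi
        actual=$(stat -c %a "$path")    # GNU stat: octal permission bits
        if mode_within "$actual" "$max"; then
            echo "OK      $actual $path"
        else
            echo "LOOSE   $actual $path (expected at most $max)"
            rc=1
        fi
    done
    return $rc
}

# Constructed demo: a throwaway "home" whose .ssh was left group-writable.
demo=$(mktemp -d)
mkdir "$demo/.ssh"
: > "$demo/.ssh/authorized_keys"
chmod 0700 "$demo"
chmod 0775 "$demo/.ssh"
chmod 0600 "$demo/.ssh/authorized_keys"
check_ssh_perms "$demo" || echo "fix the paths marked LOOSE before testing key login"
```

On the server, run it as root with each account's home directory, for example `check_ssh_perms /home/<username>`.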
🖥 Setting up the server
To get started with creating the server we need the server.jar, which you can get from Minecraft.net or from the Launcher itself (if your server is going to be using snapshots, or a version other than the most recent release, then you are going to want to go the launcher route).
🎈 Getting the Server File from the Official Launcher
- Start by opening the launcher and clicking the installations tab on the top menu
- Select the installation that you want to use to connect to your server (paying attention to the version number)
- Click the download server jar button
- This will open a URL in your web browser. We do not want to download the file to our computer, but we want the URL so that we can download the server file to our CentOS server. Copy the URL, then cancel the download (note that if you are not using Firefox as your default browser, things may look and operate differently)
- I like to keep a copy of each and every jar file that I use for the server, so I start by creating a jars directory. This way it is easy to roll back to previous versions if need be.
mkdir -p server/jars
cd server/jars
# The following command will download Minecraft server version 1.16.5 to the current directory
curl https://launcher.mojang.com/v1/objects/1b557e7b033b583cd9f66746b7a9ab1ec1673ced/server.jar --output server-1.16.5.jar
# Create a symbolic link to the current jar file. To change which jar file the server uses, change the file that the current.jar link points to
ln -s server-1.16.5.jar current.jar
# Return to the main server directory
cd ..
- The next thing we need to do is get the Minecraft server files and the eula.txt file. We can do this with the following command:
java -jar jars/current.jar
- Open the eula.txt file, read through the terms and conditions at the supplied URL, and then set eula=true to agree to them.
- We can now modify our server.properties file. These settings are outside of the scope of this post, but if you want to learn more about what each of these properties does, you can read about them here.
- Next we want to create our administration scripts: https://github.com/BrandonDusseau/minecraft-scripts
curl -O https://raw.githubusercontent.com/BrandonDusseau/minecraft-scripts/master/startmc.sh
curl -O https://raw.githubusercontent.com/BrandonDusseau/minecraft-scripts/master/backup.sh
- These files need to be modified to match our environment a little bit. Note that you need to use the non-privileged user in place of <mcserveruser> and use an amount of RAM that is appropriate for your server in the JVMARGS section (-Xmx/-Xms)
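# startmc.sh
MCDIR="/home/<mcserveruser>/server"
# -Xmx is the maximum heap size and -Xms the initial heap size.
# The old -d64 flag is left out: current JVMs (including the Java 16 installed above) refuse to start with it.
JVMARGS="-Xmx3072M -Xms3072M"
MCJAR="jars/current.jar"
MCSCREENNAME="minecraft"
# backup.sh
# File and directory configuration
# Ensure these directories have correct permissions
# Do not add trailing slashes
MCDIR="/home/<mcserveruser>/server"
BACKUPDIR="${MCDIR}/backups"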
- Next we need to make both of these scripts executable:
chmod +x backup.sh startmc.sh
- We can now start the server by entering the following commands:
./startmc.sh
./backup.sh
And that is it. You now have a Minecraft server up and running! Congratulations 🎉!
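For the download step above, an added example (not part of the original post) that checks a downloaded jar before it is linked as current.jar. It assumes that the 40-hex-digit path component of the launcher URL is the SHA-1 digest of the file; the demo file and the example.invalid URL are constructed so that it runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): verify a downloaded server jar
# against the digest embedded in its download URL.
# Assumption: the 40-hex-digit component after /objects/ is the file's SHA-1.

# sha1_from_url URL: print the digest component of the URL, or nothing.
sha1_from_url() {
    printf '%s\n' "$1" | sed -n 's#.*/objects/\([0-9a-f]\{40\}\)/.*#\1#p'
}

# verify_jar URL FILE: 0 if FILE matches, 1 on mismatch, 2 if the check cannot run.
verify_jar() {
    want=$(sha1_from_url "$1")
    [ -n "$want" ] || { echo "no digest found in URL" >&2; return 2; }
    [ -f "$2" ] || { echo "no such file: $2" >&2; return 2; }
    got=$(sha1sum "$2" | cut -d' ' -f1)
    if [ "$got" = "$want" ]; then
        echo "OK $2 ($got)"
    else
        echo "MISMATCH $2: got $got, expected $want" >&2
        return 1
    fi
}

# Constructed offline demo: a stand-in file and a URL of the same shape built
# from its digest (example.invalid is a placeholder host, not a real endpoint).
work=$(mktemp -d)
printf 'stand-in jar contents\n' > "$work/server-demo.jar"
digest=$(sha1sum "$work/server-demo.jar" | cut -d' ' -f1)
url="https://example.invalid/v1/objects/$digest/server.jar"
verify_jar "$url" "$work/server-demo.jar"

# A truncated or replaced download (for example an HTML error page that curl
# saved under the jar's name) no longer matches and should not be linked.
printf 'error page\n' > "$work/server-demo.jar"
verify_jar "$url" "$work/server-demo.jar" || echo "refusing to use this file"
```

On the server, call `verify_jar` with the URL copied from the launcher and the saved file (here `jars/server-1.16.5.jar`) before creating the current.jar link.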
🏖 Optimizations and Improvements
This section covers improvements to the server itself, so that we operate the Minecraft server securely and properly.
🐱👤 Securing CentOS
Below are a few of the steps that I use to secure CentOS. Most of these modifications came from the following blog post: https://www.linuxtechi.com/harden-secure-centos-8-rhel-8-server/
🐱💻 Change the port used by ssh
This prevents your server from being bombarded with ssh connection requests by bots that scan every public IP address for default credentials on port 22.
vim /etc/ssh/sshd_config
# Find the line below
Port 22
# Change it to something random, like
Port 5052
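SELinux will prevent sshd from starting on any port other than 22, so we will need to do a few more things to make the change take effect. Keep your current ssh session open until you have opened the new port in the firewall (next section) and confirmed that you can log in on it.
# semanage is provided by the policycoreutils-python-utils package
semanage port -a -t ssh_port_t -p tcp 5052
systemctl restart sshd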
🧱 Configuring the Firewall
Install and start firewalld:
dnf install firewalld
systemctl start firewalld
systemctl enable firewalld
Next we want to let tcp traffic through two ports:
- The port we are using for ssh
- The port we are using for Minecraft
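# Let Minecraft through the firewall
firewall-cmd --add-port=25565/tcp --zone=public --permanent
# Let our ssh traffic through the firewall (the port set in sshd_config above)
firewall-cmd --add-port=5052/tcp --zone=public --permanent
# Rules added with --permanent only take effect after a reload
firewall-cmd --reload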
🔒 Lock Down Critical Files
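We want to lock down all files that we do not want accidentally deleted (such as the files containing our hashed passwords). While the immutable flag is set, tools such as passwd and useradd cannot modify these files either, so remove it with chattr -i before adding users or changing passwords and set it again afterwards.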
chattr +i /etc/passwd
chattr +i /etc/shadow
🕵️♀️ Install and Configure Fail2Ban
dnf install fail2ban
systemctl start fail2ban
systemctl enable fail2ban
# Configure by adding the following file
vim /etc/fail2ban/jail.local
# Add the following to the file mentioned above
[DEFAULT]
# Ban hosts for one hour:
bantime = 3600
# Override /etc/fail2ban/jail.d/00-firewalld.conf:
banaction = iptables-multiport
[sshd]
enabled = true
# Match the port sshd listens on; the jail's default is port 22
port = 5052
# Restart the service
systemctl restart fail2ban
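The ssh port now appears in three places: sshd_config, the firewalld rule and the fail2ban jail (with iptables-multiport, a ban only blocks the jail's own port). The check below is an added example, not part of the original post, that compares the three; the sample files and port list are constructed, and on the server the third argument would be the output of `firewall-cmd --permanent --zone=public --list-ports`.

```shell
#!/bin/sh
# Added example (not from the original post): check that sshd, firewalld and
# the fail2ban [sshd] jail all name the same port.

# sshd_ports FILE: active Port values from an sshd_config (22 if none is set).
sshd_ports() {
    p=$(awk 'tolower($1) == "port" { print $2 }' "$1")
    echo "${p:-22}"
}

# jail_port FILE: port of the [sshd] section; unset or "ssh" means 22.
jail_port() {
    jp=$(awk -F'[ \t]*=[ \t]*' '
        /^\[/ { in_sshd = ($0 == "[sshd]") }
        in_sshd && $1 == "port" { print $2 }' "$1")
    case $jp in ''|ssh) jp=22 ;; esac
    echo "$jp"
}

# check_ssh_port SSHD_CONFIG JAIL_FILE "FIREWALL_PORTS": non-zero on any mismatch.
check_ssh_port() {
    rc=0
    banned=$(jail_port "$2")
    for port in $(sshd_ports "$1"); do
        case " $3 " in
            *" $port/tcp "*) ;;
            *) echo "firewalld does not open $port/tcp (sshd port)"; rc=1 ;;
        esac
        if [ "$banned" != "$port" ]; then
            echo "fail2ban [sshd] bans port $banned, sshd listens on $port"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: sshd moved to 5052, the firewall rule mistyped as 5056,
# and the jail left at its default port.
tmp=$(mktemp -d)
printf '#Port 22\nPort 5052\n' > "$tmp/sshd_config"
printf '[DEFAULT]\nbantime = 3600\n[sshd]\nenabled = true\n' > "$tmp/jail.local"
check_ssh_port "$tmp/sshd_config" "$tmp/jail.local" "25565/tcp 5056/tcp" ||
    echo "do not close your current ssh session until these are fixed"
```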
Top comments (1)
Thank you for this amazing helpful post! I have been able to set up my own Minecraft server now.