Offline Mode Server Security
Offline Mode Server Security
If I run a server with offline-mode=false, hide-online-players=true and white-list=true, how easy would it be for an attacker to find out which names are whitelisted to join with a whitelisted name? Is it brute-force hard or does the server leak that info somewhere? How to secure an offline mode server against this?
2 comments
-
I’d recommend a separate authentication plugin independent of Mojang accounts. For example this one (didn’t test it myself).
-
Yes this is necessary for offline mode security. Most attacks come from the attacker joining as the operator and doing whatever, and a auth plugin can stop that. Additionally, make sure that you have a backup system set up, and confirm that the backups work.
-