Since I hear pretty frequently about security breaches or attacks, I decided to share my basic knowledge of cybersecurity and some practices to protect yourself. Take all of this with a grain of salt; there is a reason cybersecurity is its own university subject.
I'm trying to keep it short. If you discover any weaknesses while reading this thread, make sure to read up on the topic of that weakness to gain a broader understanding.
(God I wish EPVP would support Markdown, then I could structure this way nicer)
1. Access points
Access points are the points in your system which, as the name says, can be reached from outside. As an example, the native RDC (Remote Desktop Connection) or any similar software you use to connect to your root server is one of those.
The less access you give to your main system, the better. Decide whether moderators or game masters really need access to the system itself, or whether an API or a web interface would be enough for the basic operations they do, e.g. sending a server message or editing something in the database. Every remote login you hand out is one more door an attacker can try.
Credentials and Group policies
First of all: never, under any circumstances, share your admin account with others. If you wish to give others access to your root server, create a separate user account for each person and add it to the group for their role. Never put another user in the Administrators group except system administrators you trust; RDP access, for example, only needs membership in "Remote Desktop Users", not admin rights.
As for the credentials: use long, unique ones, as they are much harder to crack, and never reuse a password between the server, the database and your forum login. If you cannot remember long passwords, use a password manager like KeePass to store them.
Do not use the default usernames and passwords you see in tutorials (sa, the built-in SQL Server sysadmin login, is the classic example; disable it and use named logins). Always create custom ones. If I see one more .opt of a public server with the sa username, I'll go mental.
Create Windows groups for each role your server supports, for example one for developers, one for moderators, one for game masters and so on. A new group has practically no permissions, so you have to grant them yourself, and you grant only the ones that role needs.
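The procedure above (one group per role, one dedicated account per person, nobody in Administrators except trusted sysadmins), as an added PowerShell example that is not code from the original post. It assumes a stand-alone Windows server with local accounts; the group names, the user names and the admin IP-free setup are placeholders, and it has to run in an elevated session.

```powershell
# Added example, not from the original post. Creates one local group per role
# and one dedicated account per person so nobody shares the admin login.
# Assumes a stand-alone Windows server (local accounts); all names are made up.

$roles = 'GameDevelopers', 'GameModerators', 'GameMasters'
foreach ($role in $roles) {
    if (-not (Get-LocalGroup -Name $role -ErrorAction SilentlyContinue)) {
        # A fresh group has no rights at all; you grant only what the role needs.
        New-LocalGroup -Name $role -Description "Role group: $role" | Out-Null
    }
}

function New-RoleUser {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $Role,
        [switch] $AllowRemoteDesktop
    )
    # Prompt for the password instead of putting it into the script.
    $password = Read-Host -Prompt "Password for $Name" -AsSecureString
    New-LocalUser -Name $Name -Password $password -FullName $Name `
        -Description "Account for role $Role" | Out-Null
    Add-LocalGroupMember -Group $Role -Member $Name
    if ($AllowRemoteDesktop) {
        # RDP is a separate right and does NOT require the Administrators group.
        Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $Name
    }
}

New-RoleUser -Name 'alice.dev' -Role 'GameDevelopers' -AllowRemoteDesktop
New-RoleUser -Name 'bob.gm'    -Role 'GameMasters'

# Audit: who actually sits in Administrators? Only you and trusted sysadmins
# should show up here; anything else is a shared or leftover admin account.
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource
```

The last command is the check worth repeating every few weeks: role groups only help if nobody quietly ends up in Administrators anyway.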


Software access
Do the same for any software you use. Limit access to the database to the users who really need it, and give them only the rights their role needs (a game master who edits items does not need to be db_owner). If you run SQL Server, you can tie this to the Windows groups: create one login for the Windows group instead of for individual people. A member of the "developer" group then automatically gets the database access that group was granted, without configuring new SQL users and their permissions each time.
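What that group login looks like in practice, as an added example that is not code from the original post. It assumes SQL Server with Windows authentication enabled (the default), sqlcmd on the PATH, a database called GameDB and a local group called GameDevelopers; the instance, database and group names are placeholders, and the script has to run as a SQL Server sysadmin.

```powershell
# Added example, not from the original post. Grants a Windows role group access
# to the game database through a single group login and disables the default
# 'sa' login. Assumes SQL Server + Windows authentication, sqlcmd on the PATH;
# instance, database and group names are placeholders.

$Instance = '.'                                   # local default instance
$Group    = "$env:COMPUTERNAME\GameDevelopers"    # the Windows role group
$Database = 'GameDB'

$tsql = @"
USE master;
-- One login for the whole Windows group; who is in it is managed in Windows.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$Group')
    CREATE LOGIN [$Group] FROM WINDOWS;

-- The built-in sysadmin login every tutorial uses: turn it off.
ALTER LOGIN sa DISABLE;

USE [$Database];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$Group')
    CREATE USER [$Group] FOR LOGIN [$Group];

-- Grant only what this role needs in this database: read/write data, not
-- db_owner. A game-master group might only get EXECUTE on a few procedures.
ALTER ROLE db_datareader ADD MEMBER [$Group];
ALTER ROLE db_datawriter ADD MEMBER [$Group];
"@

$script = Join-Path $env:TEMP 'grant-role.sql'
Set-Content -Path $script -Value $tsql -Encoding UTF8
# -E = trusted (Windows) authentication, so no password on the command line;
# -b makes sqlcmd stop and return a non-zero exit code on the first error.
sqlcmd -S $Instance -E -i $script -b
if ($LASTEXITCODE -ne 0) { throw "sqlcmd failed with exit code $LASTEXITCODE" }
Remove-Item $script
```

Afterwards, adding a new developer is a single Add-LocalGroupMember call; removing one from the group removes their database access at the same time, which is exactly the "no forgotten accounts" property you want.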
Check if you use any other critical software that needs this approach.
This also applies to simple solutions like Discord or Teamspeak.
Web access
Here again, follow the same approach for any web access points. Maybe you run a site where every admin user has access to everything, or some users have FTP access to your web server? Give each of them only the part they need, and prefer SFTP or FTPS over plain FTP, which sends the password in clear text.
2. DDoS protection
To keep it short: a paid solution (DDoS protection from your host, or a service that sits in front of your server) is the only thing that helps against attacks that saturate your uplink, because it can absorb far more traffic than your server ever could.
BUT since the level at which many attacks in this sector operate is pretty low, you might be able to protect yourself against the small ones with simple measures and oversight.
A DDoS (Distributed Denial of Service) attack floods your public access points with requests from many sources at a very high rate until the service gives up under the load, because bandwidth, CPU, memory or the connection table is exhausted.
Ports
Any port that is not needed by the public should be blocked in the firewall, and services that only you use (SSH, RDP, the database) should be reachable only from your own IP addresses and, where possible, moved off their standard port. Either via the service's config file or via a firewall rule.
Example: 22 is the SSH port, widely used to access remote systems, so it gets hammered by automated login attempts all day. Changing the port in the sshd config to something random like 31022 means nothing listens on 22 any more and the background scanner noise disappears, while you can still reach your system via 31022. Note that this is only obscurity: a targeted attacker finds the new port in seconds with a port scan, so combine it with key-based login (password authentication off) and a firewall rule that only allows your own IP.
Packet type
There are many network protocols and each has its own purpose.
Everyone probably knows about pings, which have a very small packet size but are easily multiplied. (Try ping -t google.com in a Windows terminal; -t keeps pinging until you stop it.)
Depending on what the attacker targets, it makes sense to block incoming ICMP echo requests (pings). Do not block ICMP completely, though: type 3 "destination unreachable" messages are needed for path MTU discovery, and dropping them breaks connections for some clients. If you do not use the server for any mail traffic, nothing should listen on port 25 (SMTP) and you can block it as well.
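The port and packet-type measures from the two sections above (moving SSH off port 22 with keys only, restricting SSH and RDP to your own IP, blocking ping and SMTP), as one added PowerShell example that is not code from the original post. It assumes a Windows root server with Windows Defender Firewall and the built-in OpenSSH server (config in C:\ProgramData\ssh\sshd_config, default firewall rule named OpenSSH-Server-In-TCP); the admin IP 203.0.113.10 and the port 31022 are placeholders. Run it elevated, and from a console or second session, because a wrong admin IP locks you out.

```powershell
# Added example, not from the original post. Hardens inbound access on a
# Windows root server with the built-in OpenSSH server. Assumes Windows
# Defender Firewall and sshd from Windows optional features; the admin IP,
# the port and the default rule name are assumptions/placeholders.

$AdminIp   = '203.0.113.10'   # your own static IP (a dynamic one locks you out)
$SshPort   = 31022
$SshConfig = 'C:\ProgramData\ssh\sshd_config'

# 1. Allow the NEW port from the admin IP first, so the session survives.
New-NetFirewallRule -DisplayName "SSH $SshPort (admin only)" -Direction Inbound `
    -Protocol TCP -LocalPort $SshPort -RemoteAddress $AdminIp -Action Allow | Out-Null

# 2. Move sshd off 22 and switch off password logins: only key-based
#    authentication is left, so a brute force against 31022 gains nothing.
$cfg = Get-Content $SshConfig
$cfg = $cfg -replace '^#?\s*Port\s+\d+.*$', "Port $SshPort"
$cfg = $cfg -replace '^#?\s*PasswordAuthentication\s+\w+.*$', 'PasswordAuthentication no'
Set-Content -Path $SshConfig -Value $cfg
Restart-Service sshd

# 3. Drop the "allow 22 from anywhere" rule the OpenSSH feature installs
#    (assumed rule name) and add an explicit block on 22 for good measure.
Remove-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -ErrorAction SilentlyContinue
New-NetFirewallRule -DisplayName 'Block SSH standard port' -Direction Inbound `
    -Protocol TCP -LocalPort 22 -Action Block | Out-Null

# 4. RDP: keep the built-in rules, but scope them to the admin IP only.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Set-NetFirewallRule -RemoteAddress $AdminIp

# 5. Packet types: block ICMPv4 echo requests (type 8) only. Blocking all of
#    ICMP would also drop "destination unreachable" (type 3) and break path
#    MTU discovery for some clients. Note: Windows Firewall lets Block win
#    over Allow, so your own monitoring pings stop working too.
New-NetFirewallRule -DisplayName 'Block inbound ICMPv4 echo' -Direction Inbound `
    -Protocol ICMPv4 -IcmpType 8 -Action Block | Out-Null

# 6. No mail server here, so nothing should ever reach port 25.
New-NetFirewallRule -DisplayName 'Block inbound SMTP' -Direction Inbound `
    -Protocol TCP -LocalPort 25 -Action Block | Out-Null

# Check: what is actually listening? Every line here that is not the game
# server or the new SSH port needs a firewall rule or should be switched off.
Get-NetTCPConnection -State Listen |
    Sort-Object LocalPort -Unique |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

The listening-port check at the end is the part to redo after every software install: a patch or a tool that opens a new port does not ask your firewall first.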
Third party requests
Third party means anything that indirectly sends a request to your system. Maybe you have a REST API that polls something from your server, or your homepage has an "active players" count that gets queried every time someone visits the page?
Repeatedly visiting the website or calling the API uses resources and slows down the system, and an attacker can script those visits far faster than real users click. So do not let every visitor trigger the expensive query directly; let the web server run it once, cache the result for a few seconds and update the views from the cache.
If you really, really need users to hit such an endpoint directly, rate-limit it: cap the number of requests per client per time window and the number of requests being handled at the same time, and answer the rest with an error instead of a database query.
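The two measures above, caching the expensive lookup and rate-limiting per client, as an added example that is not code from the original post. It is written as PowerShell functions so the logic can be tried at the console: the expensive "active players" query is passed in as a script block (in reality a database query), the time is injectable so the run is deterministic, and the client IP, the limits and the simulated traffic are constructed placeholders.

```powershell
# Added example, not from the original post. A TTL cache for the expensive
# "active players" lookup plus a sliding-window rate limiter per client.
# The query, the client id and the traffic below are constructed placeholders.

$script:PlayerCache = @{ Value = $null; Expires = [datetime]::MinValue }

function Get-ActivePlayersCached {
    param(
        [Parameter(Mandatory)] [scriptblock] $Query,   # the expensive query
        [int] $TtlSeconds = 30,
        [datetime] $Now = (Get-Date)                    # injectable clock
    )
    # Serve from cache while it is fresh: at most one real query per TTL,
    # no matter how many visitors (or attackers) load the page.
    if ($Now -lt $script:PlayerCache.Expires) { return $script:PlayerCache.Value }
    $script:PlayerCache.Value   = & $Query
    $script:PlayerCache.Expires = $Now.AddSeconds($TtlSeconds)
    return $script:PlayerCache.Value
}

$script:RateBuckets = @{}

function Test-RequestAllowed {
    param(
        [Parameter(Mandatory)] [string] $ClientId,     # e.g. the remote IP
        [int] $Limit = 10,
        [int] $WindowSeconds = 60,
        [datetime] $Now = (Get-Date)
    )
    # Sliding window: remember this client's recent request times, forget
    # those older than the window, refuse once the cap is reached.
    $cutoff = $Now.AddSeconds(-$WindowSeconds)
    $recent = @($script:RateBuckets[$ClientId] | Where-Object { $_ -ge $cutoff })
    if ($recent.Count -ge $Limit) {
        $script:RateBuckets[$ClientId] = $recent
        return $false          # the web layer answers 429 Too Many Requests
    }
    $script:RateBuckets[$ClientId] = $recent + $Now
    return $true
}

# Simulation with constructed traffic: 50 page views in 10 seconds from one
# client, against a query we pretend is expensive. $stats is a hashtable so
# the script block can update it by reference.
$stats = @{ Calls = 0 }
$expensiveQuery = { $stats.Calls++; 123 }        # stands in for the DB query
$start = [datetime]'2024-01-01T12:00:00'
$allowed = 0; $refused = 0
for ($i = 0; $i -lt 50; $i++) {
    $t = $start.AddMilliseconds($i * 200)
    if (Test-RequestAllowed -ClientId '198.51.100.7' -Limit 10 -WindowSeconds 60 -Now $t) {
        $allowed++
        $null = Get-ActivePlayersCached -Query $expensiveQuery -TtlSeconds 30 -Now $t
    } else {
        $refused++
    }
}
"allowed=$allowed refused=$refused dbQueries=$($stats.Calls)"
```

Walking through the simulation: only the first ten requests in the minute pass the limiter, and of those only the very first one reaches the query, because the other nine fall inside the 30-second cache TTL. That is the whole point: the cost of the page no longer scales with how often someone hits it. In a real site the rate limiter keys on the client IP (or the session for logged-in users) and the cache lives in the web process, not in a per-request variable.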
That's it for now, maybe I'll update this again if I see any errors or you guys have some input/questions