The Minecraft Server has been up and running for a little while now on my Oracle Cloud Infrastructure Always Free Tier. And it’s something that has become more valuable. The hours of crafting, building and mining are something that needs attention. I’ve experienced the situation where months of work have been wiped or, worse, hacked. It’s not a good feeling.
I’ve been using the Security Lists in Oracle Cloud Infrastructure to define specific ingress rules. What I’ve done now is make that easier.
I’ve set up the Minecraft Server on an Arm-based compute shape (VM.Standard.A1.Flex) and here are some simple guidelines on getting it up and going on OCI (here).
To delve into the security lists more, here’s a quick overview. I’ve got a Virtual Cloud Network with a Public Subnet where the Compute instances are being hosted.

More specifically, I’ve applied ingress rules so that only specific IP addresses can access the Minecraft server, which needs both 25565/TCP and 25565/UDP made available to the Minecraft client installation.

If you need some help with how this works, this tutorial is a good place to start for getting the Virtual Cloud Network (VCN) sorted (here), as it helps you set up your VCN, create an Arm instance using the VM.Standard.A1.Flex compute shape and configure the security lists and firewall. NB: Once the instance is up and running, refer back to the Minecraft blog (here) to continue configuring Minecraft itself.
This also assumes we are still running over public internet to access the Minecraft server.
Dynamic IPs Are Painful – OCI SDK Helps Out
We are locking these down to specific IP addresses (and not ranges either). This works well for services that have a static IP address. But not all service providers offer this in their plans; some provide dynamic IP addresses. If you do have a dynamic IP address, it means that periodically the IP address changes and hence invalidates the rule above (and potentially the IP address is reallocated to someone else).
Also, going into the console to change these every time can be painful. This can multiply if there are multiple users (friends) sharing the server together.
As such, I’ve built a couple of command-line scripts to help manage the security lists without needing to get into the console every time. They’re available (here). Here’s a brief introduction to get this started.
1. Install OCI Python SDK
Here is a git repository that you can download or clone.
git clone https://github.com/jlowe000/oci-mc-seclist
I wrote these scripts in python3, using the OCI Python SDK to automate the commands. If you need assistance in installing the SDK, the installation instructions are (here).
In this repository, I’ve included a requirements.txt that can help with the OCI Python SDK installation. You can run the following from the oci-mc-seclist directory.
pip3 install -r requirements.txt
2. Configure OCI SDK (with profiles)
The OCI SDK needs an OCI tenancy profile, which enables the SDK to act as your identity. To understand more and follow the instructions, it’s documented (here).
I’ve taken the liberty of simplifying this process with a command that can be run in the OCI Cloud Shell. You will need to log in to the OCI Cloud Console and open the Cloud Shell. From there, you can run the following commands.
git clone https://github.com/jlowe000/oci-config-gen
cd oci-config-gen
chmod a+x user-api-key.sh
./user-api-key.sh
The outputs of this script are:
- A new set of API signing keys that can be used with the OCI SDK
- A new config file that refers to the new API signing keys
- A new zip file (in the home directory) that bundles these files
Through the OCI Cloud Shell menu, you can download this zip file locally. Unzip this file into your home directory. On Windows, the home directory refers to %HOMEDRIVE%%HOMEPATH%\.oci (as documented here), which you can create using PowerShell; however, unzipping this file will create this directory.
3. Test OCI Python SDK
The easiest way to test that this works is to list the users in the tenancy. Here is a sample of the python interactive code to invoke the OCI Python SDK with the OCI configuration.
$ python3
>>> import oci
>>> config = oci.config.from_file()
>>> identity = oci.identity.IdentityClient(config)
>>> compartment_id = config["tenancy"]
>>> response = identity.list_users(compartment_id)
>>> print(response.data)
You should get a JSON payload of the users. If you do have issues, reach out here or review the documentation to date.
4. Configure the Minecraft Security List configuration
In this repository, there is a template file called mc-config.properties.template in the src/jlo/mc/seclist directory. This file needs to be copied to mc-config.properties, which is used by the scripts. Once this has been done, the properties can be updated. The properties file looks like this and the following items need to be updated.
[minecraft]
compartment.name=minecraft # the compartment name of where Minecraft VCN and Subnet exists
vcn.name=minecraft-vcn # the Minecraft VCN
subnet.name=Public Subnet-minecraft # the Minecraft Subnet
seclist.name=minecraft-seclist # leave as is or change accordingly
Note that the compartment structure assumes that the VCN and Subnet are both deployed and manageable through the one compartment. Let me know if you have issues with this structure and I can help.
5. Create Security List (and Attach to Subnet) if required
I assume here that we want to create a new security list to manage these updates. I’ve purposefully defined a new list separate from the default. If you are referring to an existing security list, that’s ok. We don’t need to run this step.
I assume that I run this script from the src/jlo/mc/seclist directory.
python3 create-seclist.py
The outcome of this is a new empty security list that is attached to the subnet.
6. Add new ingress rules for specific IP Address (or Update)
The next step is to add a new set of ingress rules for the specific IP address. To manage the pair of rules, I’ve used the description. I could have used the tags. That being said, the description is very visible in the OCI Console as it is a default field when displaying the Security List.
I assume that I run this script from the src/jlo/mc/seclist directory.
Note that the description is arbitrary to denote the set of ingress rules. It should refer to the user for convenience.
python3 update-seclist.py Home 192.168.0.2
The outcome of this is a new set of ingress rules in the security list (with Home as the description).
This command runs like an upsert. It will insert a new set if it doesn’t exist. However, if there is a match on the description, the rules will be updated with the new IP addresses.
7. Remove ingress rules if required
This command is there to remove an IP address from the security list. It uses the same script as above. However if you do not provide an IP address, it will remove that specific set from the security list.
I assume that I run this script from the src/jlo/mc/seclist directory.
python3 update-seclist.py Home
The outcome of this is that the existing set of ingress rules in the security list (with Home as the description) is removed.
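The upsert and remove behaviour described in steps 6 and 7, sketched as an added example (this is not the code from the oci-mc-seclist repository). Rules are modelled as plain dicts that mirror the fields of an OCI ingress rule so it runs without the SDK or a tenancy; the function names and sample addresses are assumptions made for illustration.

```python
import ipaddress

MC_PORT = 25565
PROTOCOLS = {"tcp": "6", "udp": "17"}  # IANA protocol numbers, as strings


def host_cidr(ip):
    """Return ip as a single-host CIDR; refuse ranges such as 0.0.0.0/0."""
    net = ipaddress.ip_network(ip)  # raises ValueError on malformed input
    if net.num_addresses != 1:
        raise ValueError(f"{ip} is a range, not a single address")
    return str(net)


def build_pair(description, cidr):
    """TCP and UDP rules for port 25565 sharing one description."""
    ports = {"destination_port_range": {"min": MC_PORT, "max": MC_PORT}}
    return [
        {"description": description, "source": cidr,
         "source_type": "CIDR_BLOCK", "protocol": number,
         "is_stateless": False, f"{name}_options": ports}
        for name, number in PROTOCOLS.items()
    ]


def upsert_rules(rules, description, ip=None):
    """Replace the pair tagged `description`; with no ip, only remove it."""
    if not description:
        raise ValueError("a description is required to identify the pair")
    # Validate the address first so a bad value never drops the old pair.
    new_pair = build_pair(description, host_cidr(ip)) if ip else []
    kept = [r for r in rules if r.get("description") != description]
    return kept + new_pair


if __name__ == "__main__":
    # Constructed sample: an unrelated SSH rule that must survive every update.
    rules = [{"description": None, "source": "198.51.100.7/32",
              "source_type": "CIDR_BLOCK", "protocol": "6", "is_stateless": False,
              "tcp_options": {"destination_port_range": {"min": 22, "max": 22}}}]
    rules = upsert_rules(rules, "Home", "203.0.113.10")   # insert
    rules = upsert_rules(rules, "Home", "203.0.113.99")   # dynamic IP changed
    for r in rules:
        print(r["description"], r["protocol"], r["source"])
    print(len(upsert_rules(rules, "Home")))               # pair removed
```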
Through this, we’ve implemented some additional security mechanisms for your Minecraft Server on OCI. And simplified the management using the OCI SDK.
If you want to try this out yourself or work on your own application, sign-up (here) for the free Oracle Cloud Trial. I’d be interested to hear your experiences and learn from others as well. Leave a comment or contact me at jason.lowe@oracle.com if you want to collaborate.