hosting a 24/7 dedicated game server

Turbonium

Platinum Member
Mar 15, 2003
I'm considering hosting a 24/7 dedicated server for an older Source-based game.

I figure I will need a static IP for this, and to advertise the IP somewhere on the Internet (presumably a community hub for the game in question), along with the port(s) that is/are being used (and to forward those ports if/where necessary, etc.). Is this correct?

And what sorts of security issues would I have to worry about? Is this even a relatively "safe" thing to do? The last thing I want is for any of my systems to become compromised in any way.

Note: I can't simply start a server and rely on the game clients to find it, as the "master server list" doesn't work with the game (it's an old and largely abandoned game, with licensing issues and such preventing the current developers from being able to modify the source code and fix issues, etc.; thus, advertising the IP online through other means is necessary).
 
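One check that belongs with the port-forward question above: confirm from outside your own network that the advertised IP:port actually answers. This is an added example, not code from the original post; it assumes the server speaks the standard Source query protocol (A2S_INFO over UDP, default port 27015) and that `host`/`port` are whatever you advertise.

```python
"""A2S_INFO reachability check for a Source-engine dedicated server.

Added example (assumption: the server answers standard Source queries on its
game port). Run it from OUTSIDE your LAN against the advertised public IP:port
to confirm the port forward really works.
"""
import socket
import struct

SIMPLE_HEADER = b"\xff\xff\xff\xff"
A2S_INFO_REQUEST = SIMPLE_HEADER + b"TSource Engine Query\x00"


def _cstring(buf, off):
    """Read a NUL-terminated string at buf[off:], return (text, next_offset)."""
    end = buf.index(b"\x00", off)
    return buf[off:end].decode("utf-8", errors="replace"), end + 1


def is_challenge(packet):
    """True when the server answered with an 'A' packet carrying a 4-byte challenge."""
    return packet[:4] == SIMPLE_HEADER and packet[4:5] == b"A"


def parse_a2s_info(packet):
    """Parse a single-packet A2S_INFO reply (header byte 'I') into a dict."""
    if packet[:4] != SIMPLE_HEADER:
        raise ValueError("not a simple (single-packet) response")
    if is_challenge(packet):
        raise ValueError("challenge response; resend the request with the challenge")
    body = packet[4:]
    if body[0:1] != b"I":
        raise ValueError("unexpected response header %r" % body[0:1])
    off = 1
    protocol = body[off]
    off += 1
    name, off = _cstring(body, off)
    map_name, off = _cstring(body, off)
    folder, off = _cstring(body, off)
    game, off = _cstring(body, off)
    fixed = "<HBBBccBB"   # app id, players, max players, bots, type, env, visibility, VAC
    (app_id, players, max_players, bots,
     server_type, environment, visibility, vac) = struct.unpack_from(fixed, body, off)
    off += struct.calcsize(fixed)
    version, off = _cstring(body, off)
    return {
        "protocol": protocol, "name": name, "map": map_name, "folder": folder,
        "game": game, "app_id": app_id, "players": players,
        "max_players": max_players, "bots": bots,
        "server_type": server_type.decode(), "environment": environment.decode(),
        "password_protected": bool(visibility), "vac": bool(vac),
        "version": version,
    }


def query_info(host, port, timeout=2.0):
    """Send A2S_INFO, answer a challenge if the server issues one, return the parsed reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(A2S_INFO_REQUEST, (host, port))
        data, _ = sock.recvfrom(4096)
        if is_challenge(data):
            # Newer servers demand the 4-byte challenge be echoed back before
            # they send the (larger) info reply; this is their anti-reflection measure.
            sock.sendto(A2S_INFO_REQUEST + data[5:9], (host, port))
            data, _ = sock.recvfrom(4096)
        return parse_a2s_info(data)


# Constructed sample reply (not captured from any real server), used for the
# offline self-check of the parser.
SAMPLE_REPLY = (
    SIMPLE_HEADER + b"I" + bytes([17])
    + b"Example Server\x00" + b"dm_example\x00" + b"examplegame\x00"
    + b"Example Game\x00"
    + struct.pack("<HBBBccBB", 0, 3, 16, 0, b"d", b"w", 0, 1)
    + b"1.0.0.0\x00"
)

if __name__ == "__main__":
    import sys
    print(query_info(sys.argv[1], int(sys.argv[2])))
```

Run it from a connection outside your LAN (a phone hotspot is enough) so you are testing the forward and not the inside path. Expect the challenge round-trip on current server builds; the code handles it. Nothing else on your public IP should answer: if a scan from outside shows more than the game port open, the forward or the VLAN rules are wider than intended.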

Fallen Kell

Diamond Member
Oct 9, 1999
Assume that the system will be automatically targeted by bots/scripts and that if you have any open vulnerabilities, you will get hacked. I suggest that anything such as running a game server be done in a virtual machine that has a checkpoint created before being brought online to the internet (or at the very least, before you turn on the game server). I also suggest (assuming Linux) that you install/set up AIDE and create and keep a scan/database for the system, and keep a copy of that offline which you can then test against the active system. This will flag any/all files that have been modified or had permissions changed, and you can then quickly see if you got hacked with backdoors added and know what files the backdoors are in, so that you can do some post-hack analysis of those and possibly create a defense against them.
 
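Here is the kind of baseline-and-diff check the AIDE suggestion above describes, as an added example (not AIDE itself and not code from the post). It records a hash, size, mode and owner for every file under the server directory, writes the database outside the tree so it can be copied offline, and reports what changed; the `demo()` function tampers with a constructed tree to show the report. It runs on Linux and on the Windows box the server will actually run on (Windows reports uid/gid as 0 and only the read-only bit in the mode).

```python
"""File-integrity baseline and check in the style of AIDE (added example, not
AIDE itself). Records SHA-256, size, mode and owner for every file under a
tree, stores the database OUTSIDE the tree (keep that copy offline), and later
diffs the live tree against it.
"""
import hashlib
import json
import os
import stat
import tempfile


def _fingerprint(path):
    """Attributes an integrity check cares about: content hash, size, mode, owner."""
    st = os.lstat(path)
    entry = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid,
             "gid": st.st_gid, "size": st.st_size}
    if stat.S_ISLNK(st.st_mode):
        entry["target"] = os.readlink(path)   # a retargeted symlink is a change too
    elif stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        entry["sha256"] = h.hexdigest()
    return entry


def build_baseline(root):
    """Walk root and fingerprint every file; keys are '/'-separated relative paths."""
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            db[rel] = _fingerprint(full)
    return db


def save_baseline(db, path):
    with open(path, "w") as f:
        json.dump(db, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """Return added/removed paths and, for paths in both, which attributes differ."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for rel in sorted(set(baseline) & set(current)):
        old, new = baseline[rel], current[rel]
        diffs = [k for k in sorted(set(old) | set(new)) if old.get(k) != new.get(k)]
        if diffs:
            changed[rel] = diffs
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Baseline a constructed tree, tamper with it, return the comparison report."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as offline:
        os.makedirs(os.path.join(root, "bin"))
        srv = os.path.join(root, "bin", "srvbinary")
        cfg = os.path.join(root, "server.cfg")
        with open(srv, "wb") as f:
            f.write(b"original server code")
        with open(cfg, "wb") as f:
            f.write(b"hostname Example\n")
        db_path = os.path.join(offline, "baseline.json")   # lives outside root
        save_baseline(build_baseline(root), db_path)

        # Simulated compromise: binary replaced, config permissions changed,
        # and a new library dropped next to the server.
        with open(srv, "wb") as f:
            f.write(b"original server code plus an implant")
        os.chmod(cfg, 0o444)
        with open(os.path.join(root, "bin", "helper.so"), "wb") as f:
            f.write(b"\x7fELF")
        report = compare(load_baseline(db_path), build_baseline(root))
        os.chmod(cfg, 0o644)   # restore so the temp dir cleans up everywhere
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The report from `demo()` names the replaced binary (hash and size differ), the config whose mode changed, and the dropped file. The database is only as trustworthy as its storage: keep it on media the server cannot write to, and run the comparison from a clean boot or from the host, not from inside a VM you suspect.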

Turbonium

Platinum Member
Mar 15, 2003
Thanks for the input.

Current limitations with the game I want to host mean the server doesn't really run on Linux (and this may never change), meaning I'm probably going to have to run a Windows-based server. With this kept in mind, are you saying I can run Windows as a VM on a Linux-based system?

(I have very little to no experience with VMs, hence the question.)
 

Fallen Kell

Diamond Member
Oct 9, 1999
Yes, you can run Windows in a VM even from a Linux-based system. Note that you will have a slight performance hit (between 8-15%) for running as a VM vs. on bare hardware, but the benefits typically outweigh the performance hit (especially for speed of recovery from a hack if you have proper checkpoints kept of the system). The same advice stands for a Windows VM: make a checkpoint before you bring it live. If you get hacked, attempt to determine the vulnerability that was used, possibly save game config/state data, and then roll back to the checkpoint, apply the appropriate patch/mitigation, create another checkpoint, update the game config/state data, checkpoint again, and then bring it back online.

Always keep that first checkpoint, as you know it is clean/uncompromised. You have to be wary of the checkpoint after the game data/state information is updated, as that data came from a compromised system. It is possible it has a backdoor/vulnerability left behind by the original attack; however, the only other alternative is to restore that data from a known backup from before the hack occurred (not always possible).
 

Turbonium

Platinum Member
Mar 15, 2003
Do you have any recommended reading/links?

I understand most of what you're describing, in concept. I just don't know how to go about doing certain things, or what tools to use to actually do them.

Also: what VM is best to use for my purposes, would you say? And what version of Linux? Assuming an emphasis on security, as opposed to performance or other things.
 

Fallen Kell

Diamond Member
Oct 9, 1999
I don't have any good tutorials or reading to do. This is all from life experience of being a system administrator.

I have no real recommendation on what virtual machine hypervisor to use. I have personally used KVM, VMware Player, VMware ESX, Hyper-V, VirtualBox, and XCP-ng (XenServer fork). They all have their pros and cons, and it really just comes down to what you are trying to do and what you are already familiar with.

If you have a dedicated system that will run headless (meaning that you have minimal need to connect a keyboard/mouse/monitor to it) to host one or more virtual machines and want some nice GUI tools to manage it from a remote system, XCP-ng is something I would look at. If you want to share the use of the system (i.e. it will do more than just host virtual machines), using CentOS Linux and the KVM hypervisor is probably something you should look into.

Hyper-V is probably the easiest to use if you are mainly a Windows person, but you need Windows Server edition for the host as well as a Windows 10/11 license for the virtual machine.

I am currently running multiple VMs on an XCP-ng setup on my home network: a FreeNAS instance for my storage, a CentOS Linux VM, a Debian Linux VM, and an Ubuntu Linux VM. But all of these are behind my firewall and not exposing services to the internet.

You should be able to use XCP-ng and set up your firewall to expose only the ports needed by the game server in the Windows VM, but block anything going to the physical system, as well as block anything originating from the Windows VM to the rest of your network (only allow established/related, but deny new), ideally with the XCP-ng host and Windows VM in a separate VLAN from the rest of your home network. This should help limit the damage of any hack.
 

Red Squirrel

No Lifer
May 24, 2003
www.anyf.ca
If you're running it from home, make sure it's on a different VLAN. If it does get compromised, at least they are limited to that VLAN. Of course, ensure the proper rules for access between VLANs are set up so that the server VLAN is indeed restricted from the rest of the network. pfSense makes all this really easy to set up.

I have a VLAN I call "internet facing" and anything that has to listen on a port is on that VLAN, and I treat the whole VLAN the same as if each box was facing the internet directly. Ex: I'll have fail2ban set up on each one, root logon disabled, and so on.

Even things like torrent applications should be on such a VLAN, as you never know if there is some exploit that allows remote code execution. Basically anything that has to listen on a port and act as a server is a potential attack surface.

Some hacks these days are very sophisticated too. Recently had a Debian 11 box hacked and it hardly had anything running on it. I am wondering if one of the services I had running may have been using log4j as there is a vulnerability in that which just got discovered. Minecraft server is also vulnerable to that, I think they patched that in the last server update.
 

Turbonium

Platinum Member
Mar 15, 2003
Is pfSense installed on the machine acting as a server, or on a router that you mod?

(I'm new to this sort of thing.)
 

Red Squirrel

No Lifer
May 24, 2003
67,347
pfSense would be the router, but it's basically an OS you install on a computer/server to act as a router. It does not have to be pfSense though; there are other routers that can also do VLANs. I'm just not that familiar with any off the top of my head.

The game server would be either a physical box or a VM. You do want to keep it separate from your main machine either way.
 

Turbonium

Platinum Member
Mar 15, 2003
Does the following scheme make sense?:
  • Internet
    • ISP/Internet connection (100/100)
      • consumer-grade router (assume no VLAN capability)
        • main rig (mission-critical)
        • dedicated game server rig (running Linux with a Windows VM to run the server and pfSense/equivalent from within)
And what about this scheme?:
  • Internet
    • ISP/Internet connection (100/100)
      • consumer-grade router (assume no VLAN capability)
        • main rig (mission-critical)
        • "router" rig (with pfSense/equivalent installed)
          • dedicated game server rig (running Linux with a Windows VM to run the server from within)
I also have a consumer-grade switch at my disposal. Would it make any sense, from a security standpoint, to put it between the router and game server?
 

Red Squirrel

No Lifer
May 24, 2003
www.anyf.ca
The 1st one does not really make sense; pfSense needs to be the router, it can't just be a random rig on the network.

The 2nd sort of, but if you do pfSense you can eliminate the consumer router completely. The pfSense box would uplink straight to the ISP via its WAN port, then the LAN port would go to a managed switch (they are fairly cheap used on eBay) and then you can assign VLANs to ports. The connection between the router's LAN port and the switch would be called a trunk port as it carries all VLANs. The router sees each VLAN as a separate interface. (You need to configure these.)

When dealing with VMs you also set up a trunking port to the VM server, then the physical machine can assign a specific VLAN to each VM. You can think of it as having a switch inside the physical machine.

All this can get complicated if you're not already familiar with VLANs though.

Another way to do it, if you'd rather not deal with VLANs, is 2 consumer routers. This is not ideal or recommended, but it will work.

You have 2 consumer grade routers, so we'll call them router1 and router2. Router1 is plugged into the ISP like normal, and the game server would plug into that router too. Then take router2 and plug it into router1 the same way you'd plug into an ISP. Then your main rig etc. is plugged into router2. This creates a double NAT and basically a one-way isolation where anything plugged into router1 can't access things that are on router2. Stuff on router2 can access stuff on router1 though. (Ex: you can get to the game server but the game server can't get to you.) Make sure the IP ranges on both routers are different. Ex: 192.168.0.x and 192.168.1.x.

The pfSense way with VLANs is preferred of course, but the double NAT is a very easy way to get some isolation.
 

Turbonium

Platinum Member
Mar 15, 2003
I like to do things "properly", even if it's a steeper learning curve, so I'd definitely not be using 2 routers.

Would this work (no pfSense/equivalent used at all)?:
  • Internet
    • ISP/Internet connection (100/100)
      • consumer-grade router (assume no VLAN capability)
        • main rig (mission-critical)
        • managed switch
          • dedicated game server rig (running Linux with a Windows VM to run the server from within)
And would a basic managed switch like the D-Link DGS-1100-05V2 work?

I realize I'm very new at this, but I don't mind learning.
 

Red Squirrel

No Lifer
May 24, 2003
www.anyf.ca
It will work but it will not segregate the two machines, so it won't make a difference. Though I suppose what you COULD do is run pfSense in a VM and put the game server VM behind the pfSense firewall (you can usually create virtual networks in the VM software for that). In the firewall, you can then put IP restrictions to ensure it can't access the rest of the network.
 

Turbonium

Platinum Member
Mar 15, 2003
Meaning my main rig from the server, correct?

Is what you're saying that I need to "split" the line "before" the router (in my schematic)?
 

Red Squirrel

No Lifer
May 24, 2003
www.anyf.ca
Yeah, basically it has to be split before. You want the packets to go through the router to get to either machine; that way you can configure the router to block access. If the packets never go through the router, they won't be blocked.

Though another option is to just set up a firewall on the PC to block the server's IP, but that's a bit dirty and non-scalable; I always like doing this sort of thing at the network level if at all possible. But if you only have the two machines and don't plan to add more, it's a simpler way to go.
 

Turbonium

Platinum Member
Mar 15, 2003
Can you rephrase that bit? I'm not sure I understand.

And I don't mind if it's not scalable, so long as I'm not sacrificing security. My main concern here is I don't want my main rig to be compromised.
 

Red Squirrel

No Lifer
May 24, 2003
www.anyf.ca
I guess the easiest way to explain it is you don't want the systems to be on the same network segment. Everything that is behind a router (typically) is considered the same network segment. Two PCs on the same network segment do not have to go through the router to talk to each other, which means the firewall won't help. So by using VLANs or different routers you can split it up into different segments. Keep in mind I'm using the words router and firewall interchangeably in this case; while they are not the same thing, in this case they tend to be the same device doing both functions.

This might explain things better than I can: https://www.cisco.com/c/en/us/products/security/what-is-network-segmentation.html

The more I think of it though, in your case I think the simplest would be to set up a VM server, then set up a VM that runs pfSense, then set up a VM for the game server. Configure the networking in the VM software so that it goes pfSense VM -> game server. In pfSense, you can then set up restrictions on what the game server can access; that way if it gets compromised it's contained. The pfSense VM would have two network cards assigned to it: the WAN one would be bridged to your physical network, the other would go to a virtual network. The game server's network card would then be configured to the same virtual network. This way you also don't need to buy anything else like a managed switch.

Heck, if you really wanted to you can set up VirtualBox on your main machine and do it right on the main machine. Not ideal as it means you're rebooting the game server each time you reboot your machine, but it is an option.

Hope this makes more sense.
 
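A check to run from inside the game segment once the VLAN or pfSense-VM rules described in the posts above are in place, as an added example (not from any post in the thread). The hosts and ports in `DEFAULT_EXPECTATIONS` are placeholders for a layout assumed here (trusted LAN on 192.168.10.0/24, main rig at .2, firewall at .1, a public resolver as the "must still work" case); substitute your own. The important subtlety is in `probe_tcp`: a 'refused' result means the packet reached the trusted host and only the port was closed, so for an isolation test only 'filtered' counts as blocked.

```python
"""Segmentation check to run FROM INSIDE the game-server segment (added
example). Probes the trusted hosts that must be unreachable and the
destinations that must still work, and lists every violation.
Addresses and ports are placeholders for an assumed LAN layout.
"""
import socket


def probe_tcp(host, port, timeout=2.0):
    """Return 'open', 'refused' or 'filtered'.

    'refused' means the target answered with a RST: the packet crossed the
    segment boundary and only the port was closed. For an isolation test that
    is a failure; only 'filtered' (no answer / no route) shows the firewall
    actually dropping the traffic.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except OSError:            # timeout, no route, host unreachable
        return "filtered"
    finally:
        sock.close()


def check_policy(expectations, probe=probe_tcp):
    """expectations: iterable of (host, port, must_be_blocked).
    Returns [(host, port, observed)] for every line that is violated."""
    violations = []
    for host, port, must_block in expectations:
        observed = probe(host, port)
        if must_block and observed != "filtered":
            violations.append((host, port, observed))   # reached the trusted host
        elif not must_block and observed != "open":
            violations.append((host, port, observed))   # allowed path is broken
    return violations


# Placeholder layout (assumption, adjust to yours): trusted LAN 192.168.10.0/24,
# main rig at .2, firewall admin UI at .1. The game VM must reach neither, but
# must still reach an upstream resolver (TCP/53) so updates keep working.
DEFAULT_EXPECTATIONS = [
    ("192.168.10.2", 445, True),    # main rig SMB
    ("192.168.10.2", 3389, True),   # main rig RDP
    ("192.168.10.1", 443, True),    # firewall web UI
    ("1.1.1.1", 53, False),         # example public resolver
]


def self_test():
    """Offline sanity check of probe_tcp on loopback only: a listening socket
    must read 'open', and the same port after it is closed must read 'refused'."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    try:
        open_result = probe_tcp("127.0.0.1", open_port)
    finally:
        listener.close()
    refused_result = probe_tcp("127.0.0.1", open_port)   # kernel now answers RST
    return {"open": open_result, "refused": refused_result}


if __name__ == "__main__":
    for host, port, observed in check_policy(DEFAULT_EXPECTATIONS):
        print("VIOLATION: %s:%d is %s" % (host, port, observed))
```

Run it on the game VM (or a throwaway VM in the same VLAN) after every firewall change; an empty result means the rules do what the posts describe. It only exercises TCP; UDP services on the trusted side (and the game port's own UDP traffic in the other direction) need a separate check.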

Turbonium

Platinum Member
Mar 15, 2003
I read somewhere that using a DMZ will "isolate" a given system/IP from the rest of the local network. Is this accurate?

If so, how can I use it (if at all) in such a situation?

(I realize this question is broad, but I'm doing my research on this matter as much as I can.)
 

Red Squirrel

No Lifer
May 24, 2003
www.anyf.ca
Never played with that feature but I think it will basically do the same as a VLAN. So it would be an option in your case I think.
 

Turbonium

Platinum Member
Mar 15, 2003
So far, my setup is using a managed switch with port-based VLANs.

Would it also make sense (or even be possible) to use a VPN to further mask my IP?

(As mentioned earlier, I will need to advertise my IP publicly for people to join my server, which I'm not a fan of; I would much rather point them to a "dummy" IP/VPN, which would then connect to my server/actual IP; while this would introduce some higher latency, if it's possible, I'd prefer it).
 

Fallen Kell

Diamond Member
Oct 9, 1999
If you are the host, a VPN will not help you as that is only good for the client side. At the end of the day, their client will need to reach your IP address and they will know what it is.

Going from a client, a VPN can obscure the client's IP from the server, since the client's connection is relayed through the VPN proxy (in other words, on the client side, you connect to the VPN proxy, which keeps a record of your connection as it then forwards the request to the server that you are requesting to connect to. The end server then responds back to the VPN proxy, and from the server's side, it doesn't know that the data is then being forwarded by the VPN proxy to another system). That is how the VPN protects your identity as a client.

But as a server, ultimately the client needs to connect to your IP, especially if this is a game server developed by someone else, as the client needs to connect to your server. If the developer of the game server designed it so that the clients connect to some proxy server and that proxy handles sending and receiving the data to the real game server, well then you can protect the IP address of the game server from everyone but that proxy, but it sounds like it was not designed like that and uses the traditional server/client design, at which point the only way to protect your identity from the client is to not be a server in the first place.

Think of it this way, the client is initializing the connection to your server, not the server initializing the connection to the client. A VPN works because a client instead of directly initializing the connection to the server, first connects to the VPN proxy and instructs the VPN proxy to then connect to the server. How can that work in reverse? The server doesn't know who to try and talk to, so it can't talk to a proxy and tell it to go talk to an unknown client. A server by definition is waiting on a client to connect to it. Thus the client needs to know what to connect to. Sure, you can custom code things and then get what you are asking about, but it doesn't seem like you have control of that.
 

Turbonium

Platinum Member
Mar 15, 2003
Makes sense, thanks.