使用AWS保护您的Minecraft服务器免受DDOS攻击

谁践踏了优雅 2021-07-26 21:17 551阅读 0赞

![The Minecraft logo.][]

Want to run a Minecraft server from home without revealing your IP address? You can! Just set up a free proxy with Amazon Web Services to protect your server from denial-of-service attacks. We’ll show you how.

是否想在不显示IP地址的情况下在家运行Minecraft服务器？ 您可以！ 只需使用Amazon Web Services设置免费代理即可保护您的服务器免受拒绝服务攻击。 我们将向您展示如何。

This guide will work for any game server, not just Minecraft. All it does is proxy traffic on a specific port. You just have to change Minecraft’s port 25565 to whichever port your game server runs on.

本指南适用于任何游戏服务器，而不仅仅是Minecraft。 它所做的只是在特定端口上的代理流量。 您只需要将Minecraft的端口25565更改为运行游戏服务器的端口即可。

## 这是如何运作的？ **(**How Does This Work?**)** ##

Let’s say you want to host a Minecraft server and have it open to the internet. It’s not that hard to run one. They’re easy to install, only use one processing thread, and even the heavily modded servers don’t take more than 2 to 3 GB of RAM with a few players online. You could easily run a server on an old laptop or in the background on your desktop computer rather than paying someone else to host it for you.

假设您要托管一个Minecraft服务器，并将其开放给互联网。 运行一个并不难。 它们易于安装，仅使用一个处理线程，即使是经过大量改装的服务器也不会占用超过2到3 GB的RAM，并且只有几个播放器在线。 您可以轻松地在旧笔记本电脑上或台式计算机的后台运行服务器，而不用付钱给其他人托管。

But for people to connect to it, you have to give out your IP address. This presents a few problems. It’s a [major security risk][], especially if your router still has the default admin password. It also leaves you open to distributed [denial-of-service (DDOS) attacks][denial-of-service _DDOS_ attacks], which would not only stop your Minecraft server but could shut off your internet, as well, until the attack subsides.

但是，要让人们连接到它，您必须提供IP地址。 这带来了一些问题。 这是一个[重大的安全风险][major security risk] ，尤其是如果您的路由器仍具有默认的管理员密码时。 它还使您容易受到分布式[拒绝服务(DDOS)攻击的影响][denial-of-service _DDOS_ attacks] ，这不仅会停止Minecraft服务器，而且还可能关闭Internet，直到攻击消退。

You don’t have to allow people to connect directly to your router. Instead, you can rent a small Linux box from Amazon Web Services, [Google Cloud Platform][], or Microsoft Azure—all of which have free tiers. This server doesn’t have to be strong enough to host the Minecraft server—it just forwards the connection for you. This allows you to give out the IP address of the proxy server instead of your own.

您不必允许人们直接连接到路由器。 取而代之的是，您可以从Amazon Web Services， [Google Cloud Platform][]或Microsoft Azure租用一个小的Linux盒子，所有这些盒子都有免费套餐。 该服务器不必足够强大以托管Minecraft服务器，它只是为您转发连接。 这使您可以提供代理服务器的IP地址而不是您自己的IP地址。

Say someone wants to connect to your server, so she types the IP address of your AWS proxy into her Minecraft client. A packet is sent to the proxy on port 25565 (Minecraft’s default port). The proxy is configured to match port 25565 traffic and forward it to your home router. This happens behind the scenes—the person connecting doesn’t even know.

假设有人要连接到您的服务器，因此她在她的Minecraft客户端中键入了您的AWS代理的IP地址。 数据包通过端口25565(Minecraft的默认端口)发送到代理。 代理配置为匹配端口25565流量并将其转发到您的家庭路由器。 这是在幕后发生的，甚至连人都不知道。

Your home router must then be port-forwarded to forward the connection further to your actual PC. Your PC runs the server and responds to the client’s packet. It forwards it back to the proxy, and then the proxy rewrites the packet to make it look like the proxy is the one responding. The client has no idea this is happening and simply thinks the proxy is the system running the server.

然后必须将家庭路由器转发端口，以将连接进一步转发到您的实际PC。 您的PC运行服务器并响应客户端的数据包。 它将其转发回代理，然后代理重写该数据包，以使其看起来像代理是响应的那个。 客户端不知道这种情况正在发生，只是认为代理是运行服务器的系统。

It’s like adding another router in front of the server the same way your home router protects your computer. This new router, though, runs on Amazon Web Services and gets the full transport-layer DDOS mitigation that comes free with every AWS service ([called AWS Shield][]). If an attack is detected, it’s mitigated automatically without bothering your server. If it *isn’t* stopped for some reason, you can always turn off the instance and cut the connection to your house.

这就像在服务器前面添加另一台路由器一样，就像家用路由器保护您的计算机一样。 但是，此新路由器在Amazon Web Services上运行，并获得了每个AWS服务( [称为AWS Shield][called AWS Shield] )免费提供的完整的传输层DDOS缓解措施。 如果检测到攻击，则会自动缓解攻击，而不会打扰您的服务器。 如果由于某种原因*未*停止运行，则始终可以关闭实例并断开与房屋的连接。

To handle the proxying, you use a utility called `sslh`. It’s intended for protocol multiplexing; if you wanted to run SSH (usually port 22) and HTTPS (port 443) on the same port, you’d run into issues. `sslh` sits in front and redirects ports to the intended applications, solving this problem. But it does this at the transport layer level, just like a router. This means we can match Minecraft traffic and forward it to your home server. `sslh` is, by default, nontransparent, which means it rewrites packets to hide your home IP address. This makes it impossible for anyone to sniff it out with something like [Wireshark][].

要处理代理，请使用名为`sslh`的实用程序。 它用于协议多路复用； 如果要在同一端口上运行SSH(通常是端口22)和HTTPS(端口443)，则会遇到问题。 `sslh`位于前面，将端口重定向到预期的应用程序，从而解决了此问题。 但是，它像路由器一样在传输层级别执行此操作。 这意味着我们可以匹配Minecraft流量并将其转发到您的家庭服务器。 `sslh`默认情况下`sslh` ，这意味着它会重写数据包以隐藏您的家庭IP地址。 这使得任何人都不可能使用[Wireshark][]嗅出它。

## 创建并连接到新的VPS **(**Create and Connect to a New VPS**)** ##

To get started, you have set up the proxy server. This is definitely easier to do if you have some Linux experience, but it isn’t required.

首先，您已经设置了代理服务器。 如果您有一些Linux经验，那么这样做绝对容易，但是不是必需的。

Head to [Amazon Web Services][] and create an account. You have to provide your debit or credit card info, but this is only to prevent people from making duplicate accounts; you aren’t charged for the instance you’re creating. The free tier does expire after a year, so make sure you turn it off after you’re finished with it. [Google Cloud Platform][] has an `f1-micro` instance available for free all the time if you’d rather use that. Google also offers a $300 credit for a year, which you could actually use to run a proper cloud server.

转到[Amazon Web Services][]并创建一个帐户。 您必须提供借记卡或信用卡信息，但这只是为了防止人们制作重复的帐户； 您无需为要创建的实例付费。 免费套餐会在一年后过期，因此请确保在使用完毕后将其关闭。 如果您愿意使用[Google Cloud Platform][]的`f1-micro`实例，则可以一直免费使用。 Google还会提供$ 300的信用额度(一年)，您可以实际用来运行一台合适的云服务器。

AWS does charge a bit for bandwidth. You get 1 GB free, but you’re taxed $0.09 per GB for anything over that. Realistically, you probably won’t go over this, but keep an eye on it if you see a 20-cent charge on your bill.

AWS确实会收取一定的带宽费用。 您可以获得1 GB的免费空间，但超出此部分的价格为每GB $ 0.09。 实际上，您可能不会理会这件事，但是如果您看到帐单上有20美分的费用，请密切注意。

After you create your account, search for “EC2.” This is AWS’s virtual server platform. You might have to wait a bit for AWS to enable EC2 for your new account.

创建帐户后，搜索“ EC2”。 这是AWS的虚拟服务器平台。 您可能需要稍等片刻，AWS才能为新帐户启用EC2。

![Type "EC2" in the search bar on AWS's virtual server platform.][Type _EC2_ in the search bar on AWS_s virtual server platform.]

From the “Instances” tab, select “Launch Instance” to bring up the launch wizard.

从“实例”选项卡中，选择“启动实例”以启动启动向导。

![Click "Instances," and then select "Launch Instance."][Click _Instances_ and then select _Launch Instance.]

You can select the default “Amazon Linux 2 AMI” or “Ubuntu Server 18.04 LTS” as the OS. Click next, and you’re asked to select the instance type. Select `t2.micro`, which is the free tier instance. You can run this instance 24/7 under AWS’s free tier.

您可以选择默认的“ Amazon Linux 2 AMI”或“ Ubuntu Server 18.04 LTS”作为操作系统。 单击下一步，然后要求您选择实例类型。 选择`t2.micro` ，这是免费实例。 您可以在AWS的免费层下24/7运行此实例。

![Select "t2.micro."][Select _t2.micro.]

Select “Review and Launch.” On the next page, select “Launch,” and you see the dialog box below. Click “Create a New Key Pair,” and then click “Download Key Pair.” This is your access key to the instance, so don’t lose it—place it in your Documents folder for safekeeping. After it downloads, click “Launch Instances.”

选择“查看并启动”。 在下一页上，选择“启动”，然后您会看到下面的对话框。 单击“创建新的密钥对”，然后单击“下载密钥对”。 这是您对实例的访问密钥，因此请不要丢失它-将其放在“文档”文件夹中以进行保管。 下载完成后，单击“启动实例”。

![Click "Create a New Key Pair," and then click "Download Key Pair." After it downloads, click "Launch Instances."][Click _Create a New Key Pair_ and then click _Download Key Pair._ After it downloads_ click _Launch Instances.]

You’re brought back to the instances page. Look for your instance’s IPv4 Public IP, which is the address of the server. If you’d like, you can set up an AWS Elastic IP (which won’t change across reboots), or even a free domain name with [dot.tk][], if you don’t want to keep coming back to this page to find the address.

您将返回到实例页面。 查找实例的IPv4公用IP，即服务器的地址。 如果您愿意，可以设置一个AWS Elastic IP(在重启后不会更改)，或者甚至可以使用[dot.tk设置][dot.tk]一个免费域名(如果您不想继续返回此页面进行查找)地址。

![Look for your instance's IPv4 Public IP.][Look for your instance_s IPv4 Public IP.]

Save the address for later. First, you need to edit the instance’s firewall to open port 25565. From the Security Groups tab, select the group your instance is using (probably launch-wizard-1), and then click “Edit.”

保存地址以备后用。 首先，您需要编辑实例的防火墙以打开端口25565。从“安全组”选项卡中，选择您的实例正在使用的组(可能是launch-wizard-1)，然后单击“编辑”。

![Click the "Security Groups" tab, and then select the group (probably "Launch-Wizard-1") your instance is using.][Click the _Security Groups_ tab_ and then select the group _probably _Launch-Wizard-1_ your instance is using.]

Add a new Custom TCP rule and set the port range to 25565. The source should be set to “Anywhere,” or `0.0.0.0/0`.

添加新的自定义TCP规则，并将端口范围设置为25565。源应设置为“ Anywhere”或`0.0.0.0/0` 。

![Add a new Custom TCP rule and set the port range to 25565. The source should be set to 0.0.0.0/0 (or "Anywhere").][Add a new Custom TCP rule and set the port range to 25565. The source should be set to 0.0.0.0_0 _or _Anywhere_.]

Save the changes, and the firewall updates.

保存更改，然后防火墙更新。

We’re now going to SSH into the server to set up the proxy; if you’re on macOS/Linux, you can open up your terminal. If you’re on Windows, you have to use an SSH client, like [PuTTY][] or install the [Windows Subsystem for Linux][]. We recommend the latter, as it’s more consistent.

现在，我们将通过SSH进入服务器以设置代理。 如果您使用的是macOS / Linux，则可以打开终端。 如果您使用的是Windows，则必须使用SSH客户端(例如[PuTTY)][PuTTY]或安装[适用于Linux][Windows Subsystem for Linux]的[Windows子系统][Windows Subsystem for Linux] 。 我们建议使用后者，因为它更加一致。

The first thing you should do is `cd` to your documents folder where the keyfile is:

您应该做的第一件事是`cd`到您的文件文件夹，其中的密钥文件是：

cd ~/Documents/

If you’re using Windows Subsystem for Linux, your C drive is located at `/mnt/c/`, and you have to cd down to your documents folder:

如果您使用的是Windows Subsystem for Linux，则C驱动器位于`/mnt/c/` ，并且必须cd到documents文件夹：

cd /mnt/c/Users/username/Documents/

Use the `-i` flag to tell SSH you want to use the keyfile to connect. The file has a `.pem` extension, so you should include that:

使用`-i`标志告诉SSH您要使用密钥文件进行连接。 该文件的扩展名为`.pem` ，因此您应该包括：

ssh -i keyfile.pem ec2-user@0.0.0.0

Replace “`0.0.0.0`” with your IP address. If you made an Ubuntu server rather than AWS Linux, connect as user “ubuntu.”

用您的IP地址替换“ `0.0.0.0` ”。 如果您制作的是Ubuntu服务器而不是AWS Linux，请以“ ubuntu”用户身份进行连接。

You should be granted access and see your command prompt change to the server’s prompt.

您应该被授予访问权限，并看到命令提示符更改为服务器的提示符。

## 配置SSLH **(**Configure SSLH**)** ##

You want to install `sslh` from the package manager. For AWS Linux, that would be `yum`, for Ubuntu, you use `apt-get`. You might have to add the EPEL repository on AWS Linux:

您要从软件包管理器安装`sslh` 。 对于AWS Linux，将是`yum` ；对于Ubuntu，则使用`apt-get` 。 您可能必须在AWS Linux上添加EPEL存储库：

sudo yum install epel-release

sudo yum install sslh

Once it’s installed, open the config file with `nano`:

安装完成后，使用`nano`打开配置文件：

nano /etc/default/sslh

Change the `RUN=` parameter to “yes”:

将`RUN=`参数更改为“ yes”：

![A "RUN=yes" command in a terminal window.][A _RUN_yes_ command in a terminal window.]

Below the final `DAEMON` line, type the following:

在最后的`DAEMON`行下面，键入以下内容：

DAEMON_OPTS="--user sslh --listen 0.0.0.0:25565 --anyprot your_ip_address:25565 --pidfile /var/run/sslh/sslh.pid

Replace “`your_ip_address`” with your home IP address. If you don’t know your IP, search [“what is my IP address?”][what is my IP address] on Google—yes, seriously.

将“ `your_ip_address` ”替换为您的家庭IP地址。 如果您不知道自己的IP，请搜索[“我的IP地址是什么？”][what is my IP address] 在Google上-是的，很认真。

This configuration makes the `sslh` proxy listen on all network devices on port 25565. Replace this with a different port number if your Minecraft client uses something different, or you play a different game. Usually, with `sslh`, you match different protocols and route them to different places. For our purposes, though, we simply want to match all possible traffic and forward it to `your_ip_address:25565`.

此配置使`sslh`代理在端口25565上的所有网络设备上进行侦听。如果您的Minecraft客户端使用其他端口，或者您玩其他游戏，则将其替换为其他端口号。 通常，使用`sslh`可以匹配不同的协议，并将它们路由到不同的地方。 但是，出于我们的目的，我们只想匹配所有可能的流量并将其转发到`your_ip_address:25565` 。

Press Control+X, and then Y to save the file. Type the following to enable `sslh`:

按Control + X，然后按Y保存文件。 输入以下内容以启用`sslh` ：

sudo systemctl enable sslh

sudo systemctl start sslh

If `systemctl` isn’t available on your system, you might have to use the `service` command instead.

如果`systemctl`在您的系统上不可用，则可能必须使用`service`命令。

`sslh` should now be running. Make sure your home router is [port forwarding][] and sending 25565 traffic to your computer. You might want to give your computer a static IP address so this doesn’t change.

`sslh`现在应该正在运行。 确保家用路由器正在[端口转发][port forwarding]并向计算机发送25565流量。 您可能要为计算机提供一个静态IP地址，这样就不会更改。

To see if people can access your server, type the proxy’s IP address into an [online status checker][]. You can also type your proxy’s IP into your Minecraft client and try to join. If it doesn’t work, make sure the ports are open in your instance’s Security Groups.

要查看人们是否可以访问您的服务器，请在[在线状态检查器中][online status checker]键入代理的IP地址。 您也可以在Minecraft客户端中键入代理的IP，然后尝试加入。 如果不起作用，请确保在实例的安全组中打开了端口。

> 翻译自: [https://www.howtogeek.com/440752/protect-your-home-minecraft-server-from-ddos-attacks-with-aws/][https_www.howtogeek.com_440752_protect-your-home-minecraft-server-from-ddos-attacks-with-aws]

[The Minecraft logo.]: /images/20210726/a8f6fceb2c6249389930edd22b77c8b6.png
[major security risk]: https://www.howtogeek.com/393553/why-you-probably-shouldn%e2%80%99t-run-your-business-website-out-of-your-house/
[denial-of-service _DDOS_ attacks]: https://www.howtogeek.com/281707/what-are-denial-of-service-and-ddos-attacks/
[Google Cloud Platform]: https://cloud.google.com/
[called AWS Shield]: https://aws.amazon.com/shield/?tag=hotoge-20
[Wireshark]: https://www.wireshark.org/
[Amazon Web Services]: https://aws.amazon.com/?tag=hotoge-20
[Type _EC2_ in the search bar on AWS_s virtual server platform.]: /images/20210726/950c553e969d4fe2b3d3f72d8f1bf63f.png
[Click _Instances_ and then select _Launch Instance.]: /images/20210726/825346f7c3c1495e9dd1c269133c045f.png
[Select _t2.micro.]: /images/20210726/7c22182b55a244ac9f73cdc5684e9077.png
[Click _Create a New Key Pair_ and then click _Download Key Pair._ After it downloads_ click _Launch Instances.]: /images/20210726/6dfce557458e4fd6ac2486784a458d4f.png
[dot.tk]: http://www.dot.tk
[Look for your instance_s IPv4 Public IP.]: /images/20210726/19d84ae7f2004e0aacbbf6899ddd5c33.png
[Click the _Security Groups_ tab_ and then select the group _probably _Launch-Wizard-1_ your instance is using.]: /images/20210726/a049ddb4d0f74337aabaae7d854ed0ac.png
[Add a new Custom TCP rule and set the port range to 25565. The source should be set to 0.0.0.0_0 _or _Anywhere_.]: /images/20210726/a30dafe73c6e487dbcc72e2a85d997ce.png
[PuTTY]: https://www.chiark.greenend.org.uk/~sgtatham/putty/
[Windows Subsystem for Linux]: https://www.howtogeek.com/249966/how-to-install-and-use-the-linux-bash-shell-on-windows-10/
[A _RUN_yes_ command in a terminal window.]: /images/20210726/102f9ac532f7474794198d7d092203ce.png
[what is my IP address]: https://www.google.com/search?q=what+is+my+IP+address%3F
[port forwarding]: https://www.howtogeek.com/66214/how-to-forward-ports-on-your-router/
[online status checker]: https://mcsrvstat.us
[https_www.howtogeek.com_440752_protect-your-home-minecraft-server-from-ddos-attacks-with-aws]: https://www.howtogeek.com/440752/protect-your-home-minecraft-server-from-ddos-attacks-with-aws/

发表评论取消回复

表情：

评论列表（有 0 条评论，551人围观）

还没有评论，来说两句吧...

相关阅读

相关 PHP安全策略：保护您的应用免受攻击

在开发和部署PHP应用程序时，确保应用程序的安全性至关重要。通过采取适当的安全策略和实施最佳实践，可以有效地保护您的应用免受各种攻击，如跨站脚本攻击（XSS）、SQL注入、跨站

Bertha 。/ 2024年02月28日 07:43/ 0 赞/ 75 阅读

相关内容安全策略（CSP）：保护你的网页免受恶意攻击

1.前言随着网络应用的复杂性增加，恶意攻击也变得更加普遍和具有破坏性。Web页面的构建和渲染涉及各种资源的加载，包括JavaScript、CSS、图片、字体等。然而，攻

ゝ一纸荒年。/ 2024年02月05日 22:35/ 0 赞/ 40 阅读

相关中间人攻击：保护您的网络安全

中间人攻击：保护您的网络安全文章目录中间人攻击：保护您的网络安全引言中间人攻击的类型中间人攻击的实施方式

短命女/ 2023年10月14日 20:28/ 0 赞/ 94 阅读

相关保护你的网站免受CSRF和XSS攻击

保护你的网站免受CSRF和XSS攻击文章目录保护你的网站免受CSRF和XSS攻击 1. 引言 2. CSRF攻击

喜欢ヅ旅行/ 2023年10月14日 20:23/ 0 赞/ 162 阅读

相关中间人攻击：保护您的数据安全

中间人攻击：保护您的数据安全文章目录中间人攻击：保护您的数据安全引言中间人攻击的常见形式中间人攻击的危害和后

傷城~/ 2023年10月14日 15:54/ 0 赞/ 36 阅读

相关如何保护 Linux 数据库免受 SQL 注入攻击？

SQL 注入是一种常见的网络攻击类型，它利用应用程序对用户输入的不充分验证和过滤，导致恶意用户可以通过注入恶意的 SQL 代码来执行未授权的数据库操作。为了保护 Linux 系

本是古典何须时尚/ 2023年10月12日 17:14/ 0 赞/ 76 阅读

相关 wordpress 黑客_保护WordPress免受黑客和DDoS攻击

wordpress 黑客 There’s no disputing the popularity of WordPress, which powers more than 7

拼搏现实的明天。/ 2022年12月03日 09:59/ 0 赞/ 236 阅读

相关 DDOS攻击

DoS攻击、DDoS攻击和DRDoS攻击相信大家已经早有耳闻了吧!DoS是Denial of Service的简写，就是拒绝服务，而DDoS就是Distributed Deni

迈不过友情╰/ 2022年04月11日 09:55/ 0 赞/ 401 阅读

相关 DDos攻击

DDos攻击原理攻击方式防御方式原理分布式拒绝服务（DDos），拒绝服务指我们的应用被恶意攻击，无法给正常的用户提供服

ゝ一世哀愁。/ 2021年08月13日 14:05/ 0 赞/ 613 阅读

相关使用AWS保护您的Minecraft服务器免受DDOS攻击

![The Minecraft logo.][] Want to run a Minecraft server from home without revealing you

谁践踏了优雅/ 2021年07月26日 21:17/ 0 赞/ 552 阅读