Torrent Network A community-oriented Minecraft network.

OpSec

2025-04-07
JerichoTorrent
Security
     

JerichoTorrent’s Guide to OpSec

What is OpSec?
According to the Computer Security Research Center, Operations Security is a “systematic and proven process by which potential adversaries can be denied information about capabilities and intentions by identifying, controlling, and protecting generally unclassified evidence of the planning and execution of sensitive activities. The process involves five steps: identification of critical information, analysis of threats, analysis of vulnerabilities, assessment of risks, and application of appropriate countermeasures.”

OpSec

Why should I care?
In 2025, even if you are a techphobic neanderthal, regularly using online services without proper operations security is a foolish endeavor. We all have important secrets to keep from the general public. If you don’t think that’s true, then go ahead and leave your wallet sitting on a sidewalk. Leave your front door unlocked when you leave the house. You get the point; you don’t have to be a criminal to care about your security.

Passwords

The first and most important secret to protect is your passwords. Furthermore, your passwords are intimately tied to the accounts you use, so if you are the victim of a breach, and you re-use the same passwords in multiple accounts… you’re cooked. So what’s the solution? Use a password manager. A password manager is essential for managing and storing strong passwords that shouldn’t be easy to remember. If your password is password123, or my_dogs_name_123, that password can be cracked in seconds. Check Password Monster to see how insanely easy it is to crack your password. Solution? Use a password manager to both generate unique passwords never involved in a breach, and store those password details. Never write your password anywhere, especially not in a text file or somewhere like a Discord server.

I recommend Bitwarden. Bitwarden has never had a breach as of the time of this blog post. They have a great mobile app, desktop app, and browser extensions. Personally, I use my phone as a hardware passkey, and use 2 factor authentication to login to the mobile app. I also use the Bitwarden Firefox extension to automatically store new passwords when I register for accounts. Since moving to this system, all my passwords are strong passwords, uniquely generated and regularly checked against known password breaches. I can easily use the browser extension and/or the mobile app to fill in my password securely to any login field.

Bitwarden

Not only is this system super secure, but it ensures you don’t waste valuable time screwing around with trying to remember the 4 passwords you rotate through on every account, then realize you had to add one special character and can’t remember which one you used. You enter in every password you can think of, and you end up locked out of the account. Don’t do that, just use a password manager, copy and paste or autofill your password, and be done with it.

2FA

2 Factor Authentication is absolutely essential in 2025. Every account you create should use 2FA. What that means is that even if a hacker acquires your password and login information, they still need to have access to your authentication app, email link, hardware key, etc. Personally, I use FIDO2 if the site allows it. Some of my accounts use email notifications, and others use 2FA apps like Duo. If a site doesn’t allow 2FA, ensure your password is rock-solid, and check your email against https://haveibeenpwned.com/ to check for breaches. You should be regularly doing that anyway.

VPNs

A virtual private network is like a tunnel for your internet traffic, which encrypts your data and masks your IP address. When you connect to an application or website with a VPN enabled, the application will see your VPN IP, not your real one. This is useful to bypass region restrictions on websites like Netflix, which only show certain shows/movies depending on your region. What it’s NOT, is a completely foolproof method to hide your traffic. Don’t ever believe VPN companies that claim they don’t keep logs and your network traffic will never be revealed. VPN companies have data breaches all the time. Not only that, but there isn’t a VPN company on the planet that won’t comply with a subpoena from a law enforcement agency. If you’re up to some “risky” activities on the internet, and you think someone else will go to jail in your stead… they won’t.

So what is a VPN really good for? Anonymity is a plus. It’s nice to know that when you visit a website, they won’t get your real geolocation and IP address. However, to really encrypt and anonymize your traffic without completely relying on the safety and privacy of a VPN company, you could use Tailscale, which is a mesh VPN using point-to-point connections. I use this in many different circumstances. You can use a VPS or cloud server as an exit node, or use Tailscale to connect to servers to avoid brute force attacks from botnets. There are many different applications for a VPN; just don’t expect it to be a foolproof method to hide your network activity from the public.

Another option to remain as anonymous as possible is to use Mullvad, a cheap service where all you need to do is generate an account number. No email, phone number, or other personal information is required. You can then use OpenVPN to register the Mullvad account, and have nothing tying you specifically to your network traffic. Again, don’t expect this to be foolproof, but it’s better than just using NordVPN, which had a breach in 2018. Here’s the guide to route your traffic with Mullvad using OpenVPN: https://mullvad.net/en/help/windows-openvpn-installation

Contamination

Contaminating your private, secured accounts/operations with your personal information is a critical example of bad operations security. This is actually what gets most people in hot water when operating online. Let’s look at an example. You run a Minecraft server with 1,000 members. Your public Minecraft server gets hundreds of new players a month, and those players are from all over the world. At some point, you will come across bad actors: players that look for exploits or try to harm your server in some way. Through a quick search of your Discord, they find your real name and personal information. By checking your domain against https://who.is/, they find your contact registration information and get your home address, phone number, email, and a ton of other personal information. These bad actors post all your intimate details to your Discord server, spam it in chat, call the police in your area to report an active shooter in your home, and absolutely ruin your day.

Of course, this is a worst-case scenario type of situation, but you can see how simple it is to make a few small mistakes and totally cross-contaminate your online life with your personal one. Trust me, Discord and Minecraft have a TON of bad people who just want to tear others down.

According to US Congressman Andy Biggs:

The average American commits three felonies a day.

“But I don’t commit three felonies a day!” Yeah.. you probably do. Cite me the entire tax code from memory and I’ll eat my words. This is why it’s best to avoid cross-contanimation. Needlessly tying your personal details to all of your activites is like holding a sign above your head that says “scrutinize everything I do!”

Servers

Servers are a different beast entirely. I’ll be writing a full blog-post about running a secure and feature-complete Minecraft server network soon, but in general there are a few best practices to follow:

  • Close port 22! This is what Tailscale, Headscale, and other secure private mesh networks are for.
  • If you don’t want to use a mesh VPN, ensure you are actively rotating SSH private keys and never sharing them with anyone.
  • If you rent a VPS, make SURE you have 2FA enabled on your admin panel. I’ve personally seen a server get nuked because of this.
  • Use HTTPS. HTTP (Hypertext Transfer Protocol) is insecure. Your browser sends a request to a server, and the server responds with an HTTP response. This is completely unencrypted and man-in-the-middle attacks are common. Using HTTPS, your data is encrypted when transmitted between the client and the server. It’s like delivering your mail by courier in an opened box, vs. a box that is sealed by USPS and never opened until it gets to the destination.
  • Firewall rules: Don’t needlessly leave ports open. Use specific ingress and egress rules to lock down the traffic that you need to accept. On linux this is as simple as ufw enable.
  • Regular backups: Always ensure you have OFF-SITE backups of your applications and data. If God forbid your server gets nuked or you make some critical mistake, having an up-to-date off-site backup is absolutely essential.
  • Access Controls: Users should not have full access to your entire server. Using Access Control Lists, you can limit the level of access your users have, following the Principle of Least Privilege, which means a user should only have access to the privileges they need to execute a task; nothing more and nothing less.
  • Secure endpoints! API/backend endpoints such as file upload services and others should be secured by using JWT middleware, auth user context, and other methods to ensure someone can’t flood your endpoint or use it to get sensitive data.
  • DDoS protection: Distributed Denial of Service attacks are extremely common; as are brute force infiltration attacks from botnets. Always ensure your servers have adequate DDoS protection from a good provider.

Server security is a deep field. There’s a reason senior system administrators make a lot of money.

FTP vs. SFTP

File Transfer Protocol is an unsecured way to transfer files between remote/local servers. SFTP (Secure File Transfer Protocol) encrypts data files and auth information during transfer. FTP/SFTP attacks are common, so know what you’re doing when transfering files between servers.

SSL Certificates

When you spin up a webserver to serve files to users visiting your application, they will by default be able to see your files at http://your-application-domain. To use HTTPS to see the application, generate an SSL certificate on your origin server. These certificates encrypt information between client and server. My preferred way to do that is to use Cloudflare Zero Trust, which creates an extremely secure tunnel to your application without the need for generating long configuration files for your webserver.

Update Your Packages!

Everyday, new security vulnerabilites are found in commonly used packages, such as npm packages. Always ensure you are staying up-to-date, such as by using apt-get upgrade, which installs newer versions of the packages you have. Do the same for your Minecraft plugins, Windows applications, and any other services you use. Staying on an old, unsupported version of software almost guarantees you are going to run into unpatched security vulnerabilites.

Git

When using Git or Github and pushing your code to remote repositories, NEVER commit sensitive data! If you push sensitive data like login information, database credentials, or API keys, you could be opening yourself up to a world of hurt. To avoid committing sensitve data to your repo, create a .env file and store your sensitive details in there, then call your process.env variables in your code. Add your .env and private information to a .gitignore, and Github will ignore these files when you git add, git commit and git push to your repo. If you’ve accidentally leaked secret keys to your repo, follow this guide to revert it, and do it quickly!

Conclusion

Using current and proper operations security techniques is essential for all types of activites online and in your daily life. Always use a password manager to generate unique and secure passwords. Never click sketchy and malicious links from phishers or scammers. Regularly check your email accounts and services you use against known breaches. Secure your servers, applications, and other activites with encryption and firewall rules. When in doubt, just close the application and scan your PC/server. By following all these methods, you just might stay vigilant enough to never get pwned online. However, no one technique is enough to avoid getting pwned completely, so stay paranoid early. If you enjoyed this guide, maybe you’d also enjoy joining a community with an emphasis on privacy, security and user experience: https://discord.gg/torrent.

Anonymous User

Similar Posts

Previous Article New Torrent Website

Comments

Content