50% of Minecraft servers do not use a whitelist - and that's a problem
KittyScan is a crawler of mine which searches the internet for Minecraft servers, with the goal of getting some interesting insights into the Minecraft ecosystem and how it evolves over time.
KittyScan gathers this data by scanning the public IPv4 range for Minecraft servers running on the default port (25565). Because of this behaviour most larger or complex server setups are not found. But since I want to focus on the smaller friend servers instead of the larger networks, this is not an issue. But it's something to keep in mind when reading the stats.
Disclaimer: Due to several restrictions no dataset will be perfect.
I will write some more about KittyScan and its findings later on. Today I want to focus on an issue that is bigger than I ever could imagine. Recently I started probing the subset of servers which run with "online mode" enabled and a vanilla-like software (Mojang, Spigot, Paper, ...) by automatically joining them with an online account to check whether I get kicked for whitelist reasons or am able to join without issues. By now I have reached a substantial sample size and a stark trend becomes obvious: More than 50% of Minecraft servers do not use a whitelist.
I could look at it in a positive light, that nearly 50% of servers use one. But that is just not enough. If I only look at the servers which have not been customized, so the ones most likely to be used by individuals and their friends, that number approaches 70%.
But why is that an issue? It's a game server after all, not something important. With a disabled whitelist, any player with an Minecraft account could join. And if there are no precautions against it, they can grief. There are near daily posts on Reddit from players that lost their world due to various griefing groups. Often there are no backups. But the way bigger issue is, that if there is any security flaw found in the future, especially one on the scale of the 2021 Log4J Remote Code Execution exploit (CVE-2021-44228), there are tens of thousands of Minecraft servers open to exploit.
The main issue I have with this is that Minecraft servers are delivered "simple by default". We have to accept that the average person hosting a Minecraft server themselves or via a provider, is more likely to be an amateur than someone hosting a PostgresDB. They are less likely to know some security best practices, they are less likely to know how to create backups. And I'd argue that that's fine. Everyone had to start somewhere. But I firmly believe that the software should be preconfigured with this in mind. It should be "secure by default".
But I think there is another component to the issue. A big chunk of the players starting up servers do so to play. They might not know anything about server administration. They might not know that there is a whitelist. A lot of players might feel nervous towards using commands. And nothing tells them how it works. They have to proactively search and learn about it.
Mojang and the developers of the various Bukkit forks cannot influence everything about the environment a server is installed in. But there is one crucial part: enable the whitelist by default. Besides having online mode enabled, an active whitelist is the second best protection the default server software can offer. This would be a breaking change. But the technically adept admins often already use prepared config files so they could also adapt for this change if it is clearly communicated. But for a player without prior knowledge this would be perfect.
Same thing for server providers: preconfigure them with the whitelist enabled by default, offer a small UI where your customers can add their friends with the click of a button. You might also add "Secure By Default - AI Supported Whitelist Management" to your selling points for all I care.
Instruct new admins to add players to the whitelist, give them example commands, take them by the hand. The option to disable the whitelist should not be explicitly mentioned. This would ensure that every new server has had a fair chance to be configured with a whitelist. And if the admin decides to disable it that's totally fine as long as it is an informed decision.
Mojang even links to this very useful setup guide on the server download page, sadly most players will just straight up ignore the link and download the server file, or more likely get their server executable from a source which is not minecraft.net.
I know that there are plugins which allow the whitelist to be managed by Discord verification and what not, but all of them are more complex to use than the default whitelist system for small friend servers
This is how I imagine the first startup of a fresh server to look like:
Starting net.minecraft.server.Main
[...]
[Server thread/INFO]: Time elapsed: 2295 ms
[Server thread/INFO]: Done (4.414s)! For help, type "help"
[Server thread/INFO]:
[Server thread/INFO]: The whitelist is enabled but does not yet contain any players.
[Server thread/INFO]: Add your first player by running "/whitelist add <playername>"
[Server thread/INFO]: Learn more about how to secure your server here: https://minecraft.wiki/w/Tutorial:Setting_up_a_Java_Edition_server#Security_recommendations
That where all thoughts about this that I have at the moment. It's just a very important issue for me, because it breaks my heart to read how some players just lose years of progress because of this. And I'd plead for the "heh should have used a whitelist and made backups 5head" finger pointing towards these players to stop. This kind of toxic behaviour helps no one. I also want to clarify that I do not blame Mojang or any Minecraft developer. These are just my two cents.
Anyway I'll continue procrastinating on building more stuff for the KittyScan website. Bye.