Geyser-Minecraft-Exploit

I have stumbled across a bunch of login attempts on my Minecraft server located at Ltcraft.net, so this is what I have done so far to deal with the problem. This page will be updated as I update my fail2ban failregex filter.

My server is set up running BungeeCord with Geyser and Floodgate. We use the AMP panel to control almost everything, and UFW as the firewall.

Here is a small sample of what the console looks like when you come across the exploit.


[Geyser-BungeeCord] /103.88.35.132:50091 tried to connect!
[Geyser-BungeeCord] /103.88.35.132:50091 tried to connect!
[Geyser-BungeeCord] /103.88.35.132:50091 tried to connect!
[Geyser-BungeeCord] /103.88.35.132:50091 tried to connect!
[Geyser-BungeeCord] /103.88.35.132:38132 tried to connect!
[Geyser-BungeeCord] /103.88.35.132:38132 tried to connect!
[Geyser-BungeeCord] /103.88.35.132:38132 tried to connect!
WARNING 04:57:29
[/103.88.35.132:38132] Sent too many packets per second
INFO 04:57:29
[Geyser-BungeeCord] /103.88.35.132:38132 tried to connect!
04:57:34
[Geyser-BungeeCord] /103.88.35.132:3612 tried to connect!
[Geyser-BungeeCord] /103.88.35.132:3612 tried to connect!
[Geyser-BungeeCord] /103.88.35.132:3612 tried to connect!
[Geyser-BungeeCord] /103.88.35.132:3612 tried to connect!
04:57:37
[Geyser-BungeeCord] /103.88.35.132:49468 tried to connect!
[Geyser-BungeeCord] /103.88.35.132:49468 tried to connect!
[Geyser-BungeeCord] /103.88.35.132:49468 tried to connect!
[Geyser-BungeeCord] /103.88.35.132:49468 tried to connect!
04:57:40
Unblocked address /103.88.35.132
04:57:44
[Geyser-BungeeCord] /103.88.35.132:55179 tried to connect!
[Geyser-BungeeCord] /103.88.35.132:55179 tried to connect!
[Geyser-BungeeCord] /103.88.35.132:55179 tried to connect!
[Geyser-BungeeCord] /103.88.35.132:55179 tried to connect!
04:58:06
[/66.228.46.63:40342] <-> InitialHandler has pinged
04:58:15
[Geyser-BungeeCord] /101.71.125.88:63525 tried to connect!
[Geyser-BungeeCord] /101.71.125.88:63525 tried to connect!
[Geyser-BungeeCord] /101.71.125.88:63525 tried to connect!
[Geyser-BungeeCord] /101.71.125.88:63525 tried to connect!
04:58:16
[Geyser-BungeeCord] /101.71.125.88:3754 tried to connect!
[Geyser-BungeeCord] /101.71.125.88:3754 tried to connect!
[Geyser-BungeeCord] /101.71.125.88:3754 tried to connect!
[Geyser-BungeeCord] /101.71.125.88:3754 tried to connect!
04:58:21
[Geyser-BungeeCord] /101.71.125.88:2727 tried to connect!
[Geyser-BungeeCord] /101.71.125.88:2727 tried to connect!
[Geyser-BungeeCord] /101.71.125.88:2727 tried to connect!
[Geyser-BungeeCord] /101.71.125.88:2727 tried to connect!
04:58:23
[Geyser-BungeeCord] /101.71.125.88:17921 tried to connect!
[Geyser-BungeeCord] /101.71.125.88:17921 tried to connect!
[Geyser-BungeeCord] /101.71.125.88:17921 tried to connect!
[Geyser-BungeeCord] /101.71.125.88:17921 tried to connect!
04:58:25
[Geyser-BungeeCord] /101.71.125.88:53341 tried to connect!
[Geyser-BungeeCord] /101.71.125.88:53341 tried to connect!
04:58:26
[Geyser-BungeeCord] /101.71.125.88:53341 tried to connect!
[Geyser-BungeeCord] /101.71.125.88:53341 tried to connect!

How to limit the attack and slow the attackers down.

I installed both UFW and fail2ban on my machines. On the UFW side I specifically rate limited port 25565 and port 19132. A UFW limit rule denies an address once it has opened six or more new connections to the port within 30 seconds; that threshold is fixed, which is why fail2ban is layered on top for the longer bans.

Rate limiting the default Java Minecraft port in UFW:

ufw limit 25565/tcp

Rate limiting the default Geyser (Bedrock) port in UFW:

ufw limit 19132/udp

Now install fail2ban and set up a jail that covers both port 25565 and port 19132, with logpath pointing directly at the log of the BungeeCord proxy that fronts your Minecraft server.

Fail2ban jail.local: add a new section at the bottom. One thing to check: fail2ban's default protocol is tcp and its default banaction (iptables-multiport) blocks only the listed ports for that protocol, so a ban from this jail will not touch the Bedrock traffic on 19132/udp unless you also set, for example, banaction = ufw in the jail, which blocks the address entirely.

[minecraft-bungeecord]
enabled = true
port = 25565,19132
filter = minecraft-bungeecord
logpath = /home/amp/.ampdata/instances/Bungeecord/Minecraft/proxy.log.0
maxretry = 6
findtime = 300
bantime = 3600

Inside /etc/fail2ban/filter.d/ create the filter config minecraft-bungeecord.conf:

nano /etc/fail2ban/filter.d/minecraft-bungeecord.conf

What minecraft-bungeecord.conf looks like (every failregex line must contain <HOST>, and continuation lines must be indented):

[Definition]
failregex = \[Geyser-BungeeCord\] /<HOST>:\d+ tried to connect!
            \[/<HOST>:\d+\] Sent too many packets per second
            \[/<HOST>:\d+\] <-> InitialHandler - NativeIoException: recvAddress\(..\) failed: Connection reset by peer
            \[/<HOST>:\d+\] <-> InitialHandler - read timed out

ignoreregex =
#\[/<HOST>:\d+\] <-> InitialHandler has pinged
#\[/<HOST>:\d+\] <-> InitialHandler has connected
#\[.*\] -> UpstreamBridge has disconnected
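To see what the filter and the jail thresholds above actually do before reloading fail2ban, here is an added Python example (not part of the original write-up and not fail2ban's own code) that applies the four failregex lines to a constructed log excerpt modeled on the console sample above, then replays the maxretry = 6 / findtime = 300 window from jail.local. The "HH:MM:SS [LEVEL] message" line layout and the simplified <HOST> expansion are assumptions; fail2ban's real <HOST> also accepts hostnames.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Stand-in for fail2ban's <HOST> tag, restricted to IPv4/IPv6 literals
# (assumption: fail2ban's real expansion also accepts hostnames). The lazy
# quantifier relies on the literal ":<port>" that follows <HOST> in every pattern.
HOST = r"(?P<host>[0-9a-fA-F.:]+?)"

# The four failregex lines from minecraft-bungeecord.conf, as fail2ban reads them.
FAILREGEX = [
    r"\[Geyser-BungeeCord\] /<HOST>:\d+ tried to connect!",
    r"\[/<HOST>:\d+\] Sent too many packets per second",
    r"\[/<HOST>:\d+\] <-> InitialHandler - NativeIoException: recvAddress\(..\) failed: Connection reset by peer",
    r"\[/<HOST>:\d+\] <-> InitialHandler - read timed out",
]

# Jail settings from jail.local.
MAXRETRY = 6
FINDTIME = timedelta(seconds=300)

# Constructed excerpt modeled on the console sample (not a real proxy.log.0);
# the "HH:MM:SS [LEVEL] message" layout is an assumption about BungeeCord's file format.
SAMPLE_LOG = """\
04:57:29 [INFO] [Geyser-BungeeCord] /103.88.35.132:50091 tried to connect!
04:57:29 [INFO] [Geyser-BungeeCord] /103.88.35.132:50091 tried to connect!
04:57:29 [INFO] [Geyser-BungeeCord] /103.88.35.132:38132 tried to connect!
04:57:29 [WARNING] [/103.88.35.132:38132] Sent too many packets per second
04:57:34 [INFO] [Geyser-BungeeCord] /103.88.35.132:3612 tried to connect!
04:57:37 [INFO] [Geyser-BungeeCord] /103.88.35.132:49468 tried to connect!
04:57:44 [INFO] [Geyser-BungeeCord] /103.88.35.132:55179 tried to connect!
04:58:06 [INFO] [/66.228.46.63:40342] <-> InitialHandler has pinged
04:58:15 [INFO] [Geyser-BungeeCord] /101.71.125.88:63525 tried to connect!
04:58:16 [INFO] [Geyser-BungeeCord] /101.71.125.88:3754 tried to connect!
04:58:21 [INFO] [/101.71.125.88:2727] <-> InitialHandler - read timed out
04:58:23 [INFO] [/101.71.125.88:17921] <-> InitialHandler - NativeIoException: recvAddress(..) failed: Connection reset by peer
05:10:00 [INFO] [Geyser-BungeeCord] /101.71.125.88:53341 tried to connect!
05:10:01 [INFO] [Geyser-BungeeCord] /101.71.125.88:53341 tried to connect!
"""

LINE_RX = re.compile(r"^(\d\d:\d\d:\d\d) (.*)$")


def compile_filter(patterns, require_host=True):
    """Expand <HOST> and compile. Like fail2ban, refuse a failregex with no host group."""
    compiled = []
    for pattern in patterns:
        if require_host and "<HOST>" not in pattern:
            raise ValueError(f"failregex has no <HOST> tag, nothing to ban: {pattern}")
        compiled.append(re.compile(pattern.replace("<HOST>", HOST)))
    return compiled


def match_host(message, failregex):
    """Return the offending host if any failregex matches the log message, else None."""
    for rx in failregex:
        m = rx.search(message)
        if m:
            return m.group("host")
    return None


def evaluate_jail(log_text, failregex=FAILREGEX, ignoreregex=(),
                  maxretry=MAXRETRY, findtime=FINDTIME):
    """Replay the jail over a log: count failures per host and ban a host once it
    has `maxretry` failures inside a sliding `findtime` window.

    Returns (total_failures_per_host, {host: time of first ban}).
    The log carries no date, so midnight rollover is ignored here."""
    fails = compile_filter(failregex)
    ignores = compile_filter(ignoreregex, require_host=False)
    recent = defaultdict(deque)        # host -> failure timestamps inside findtime
    total = defaultdict(int)
    bans = {}
    for line in log_text.splitlines():
        m = LINE_RX.match(line)
        if not m:
            continue                   # not a log line in the expected layout
        ts = datetime.strptime(m.group(1), "%H:%M:%S")
        message = m.group(2)
        if any(rx.search(message) for rx in ignores):
            continue                   # ignoreregex wins over failregex, as in fail2ban
        host = match_host(message, fails)
        if host is None:
            continue
        total[host] += 1
        window = recent[host]
        window.append(ts)
        while ts - window[0] > findtime:
            window.popleft()           # forget failures older than findtime
        if len(window) >= maxretry and host not in bans:
            bans[host] = ts.strftime("%H:%M:%S")
    return dict(total), bans


if __name__ == "__main__":
    total, bans = evaluate_jail(SAMPLE_LOG)
    for host, n in sorted(total.items(), key=lambda kv: -kv[1]):
        print(f"{host:16} failures={n} banned_at={bans.get(host, '-')}")
```

On the sample, 103.88.35.132 reaches six matches within 15 seconds and is banned at its sixth hit; 101.71.125.88 also produces six matches in total, but four of them sit more than 300 seconds before the last two, so the findtime window never holds six at once and no ban fires. The "has pinged" line matches nothing, which is why the commented-out ignoreregex entries are not needed. On the server itself the equivalent check is fail2ban-regex /home/amp/.ampdata/instances/Bungeecord/Minecraft/proxy.log.0 /etc/fail2ban/filter.d/minecraft-bungeecord.conf.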

I hope this helps someone else struggling with attacks on their Minecraft server.

Now let's check and see if it's doing anything:

root@vmi839174:~# fail2ban-client status minecraft-bungeecord
Status for the jail: minecraft-bungeecord
|- Filter
|  |- Currently failed: 2
|  |- Total failed:     3153
|  `- File list:        /home/amp/.ampdata/instances/Bungeecord/Minecraft/proxy.log.0
`- Actions
   |- Currently banned: 25
   |- Total banned:     35
   `- Banned IP list:   103.19.232.10 103.88.35.132 101.71.125.88 45.125.46.246 115.236.153.239 45.125.46.244 223.26.61.223 115.236.153.236 43.248.100.166 43.248.100.139 115.236.153.235 110.42.2.215 115.236.153.233 115.236.153.243 43.248.187.127 115.236.153.228 43.249.192.144 101.71.125.80 101.71.125.66 122.228.86.140 79.127.227.30 122.226.223.86 61.183.41.189 122.226.223.90 115.236.153.227
root@vmi839174:~#

You can learn more about what is going on in this Reddit thread: https://www.reddit.com/r/GeyserMC/comments/1bq0tow/random_ip_addresses_trying_to_connect_to_my_geyser/

And in this GitHub security advisory for the CloudburstMC Network library that Geyser uses:

https://github.com/CloudburstMC/Network/security/advisories/GHSA-6h3m-c6fv-8hvh