---
tags: security, discord, safety, discord setup, setup
---

Checklist:

- [ ] add name filter for joins
- [ ] add human verification for joins
- [ ] enable Discord Safety Setup
- [ ] set up Automod (native and/or mod bot)
- [ ] restrict dangerous permissions
- [ ] put server owner on "cold" account
- [ ] educate and empower the community

![](https://hackmd.io/_uploads/HJsDpHjd3.png)

# Setting up a new discord server securely (BoringSec outline)

- discord has become an amazing tool for building live-chat communities on, but it can be a huge headache to administer properly, especially for those new to playing admin
- there are just so many damn settings and things to watch out for
- this article will walk you through securely setting up a new discord server and explain the guiding principles along the way: how and why

## PRINCIPLE OF LEAST PRIVILEGE

Accounts (humans + bots) should have only the permissions they need to function, and no more. For example, almost all accounts (except mods) do not need to be able to ban other accounts; it's just too easily abused. That's an extreme example, but the idea is the same: accounts should not have extra permissions.

- your server can be less strict with permissions if it is harder to enter in the first place (like an invite-only server)
- but public-access servers in web3 need to be locked down tight due to how many scams there are in the space

## how people join

server join flow

- get a discord invite
- join (must not have naughty names)
- "prove" humanity
- talk
- get more access
  - self-select roles
  - mod bots (carl, dyno, yag, etc.)
    - these can be abused though!
      - https://twitter.com/Jon_HQ/status/1667552033480802304
      - collab.land/guild/vulcan

### first barrier - join gate

join gate (name filters - put team account names on the naughty list)

- wick
- hashbot

### 2nd barrier - human verification

- captcha bot
- pandez
- wick
- BUT, need to have some read-only channels so newcomers can tell the difference between your legitimate server and fake impersonation servers

### more access as desired

- maybe token gating for project holders
- limited-time roles from contests, etc.

## Safety tools

### Basic safety setup

https://support.discord.com/hc/en-us/articles/10989121220631-How-to-Protect-Your-Server-from-Raids-101

- raid protection (what is a server raid?)
  - beemo helps! https://twitter.com/Collab_Land_/status/1651631819367026688?s=20
- mod 2fa
- verification levels

### automod (native discord or mod bots)

- native options include
  - set spam filter levels + auto punishments
- customizable mod bots
  - good ones
    - carl
    - wick
    - dyno
    - yagpdb
    - red
  - do not use mee6!
    - https://twitter.com/mee6bot/status/1526901242521432065?s=20
    - https://twitter.com/zachxbt/status/1625176253237018627?s=20
  - make sure you're adding the legitimate bot!
    - https://twitter.com/Jon_HQ/status/1564341463655124992
- link blocking
- spam filtering
  - native: https://support.discord.com/hc/en-us/articles/4421269296535-AutoMod-FAQ#h_01GV3GQSB85NVWN1KQJ8AKZYC8
- panic/lockdown mode
  - carl
  - wick
- autopunishments
  - muterole/timeout
    - native automod timeout
    - muterole/jail for mod bots to use
- the more bots you have, the greater your risk of one of them being used against you
  - https://twitter.com/mee6bot/status/1526901242521432065?s=20
  - again, least privilege -- not all bots need admin

## Understanding role permissions

Discord server roles

- the role hierarchy
- role perms applied in order `server` > `category` > `channel`
  - 3 ways to set perms in discord, which is confusing as hell
    - server perms (default access/abilities)
    - category overrides (change from default for all channels in that category)
    - channel overrides (change from default + category override for only that channel)
  - can be very confusing to moderate; try to never use channel overrides and use category overrides as few times as possible. the more changes you make, the harder it is to remember and find out who has perms for what in which channels
  - "view as role" is your ally to keep track of things

## What scammers want and how to protect against it --> Least Privilege

scammers want to spread phishing links as quickly as they can, so assume they will compromise accounts in your server; remove dangerous perms from everyone (principle of least privilege)

- Administrator
- @everyone/here
- webhooks
- kick/ban
- manage server
- manage roles
- manage channels
- manage events
- create invites (depending on how you want people finding your server)
- https://twitter.com/Jon_HQ/status/1574775903824932865?s=20

### member accounts

Least privilege for all member accounts

- use additive permissions, not subtractive (e.g. higher tier roles get more access/perms AT THE SERVER LEVEL)
- e.g.
  - everyone -- view only read-only channels + human verif channel
  - verified human -- access to community spaces, can post/talk in voice, etc.
  - full community member -- now can post links/embed/images/etc.

### admin accounts

Mod/admin accounts are the true prize, so lock them down tightly

- enforce 2FA for mods
- ASSUME any account will be compromised at any time
- wick has reactive settings (does things *after* accounts take action) but you have to trust wick and mess with a lot of settings
- GK is a very good solution, pre-emptive security
  - L2 security to allow mods to escalate perms as needed (they need to be able to @everyone for announcements, for example)
  - then removes perms after a short time window, so *when* accounts are compromised, the attacker still can't use dangerous perms bc they're behind another password/2fa with GK

### Special case - server owner

Put server owner on a cold account, not your day-to-day

- so you will always have the highest level access on a secure account if you or other admins get compromised
- https://twitter.com/Jon_HQ/status/1585744824333783040?s=20

## Advanced security

- advanced: you can even put a captcha in front of the discord invite to make this harder if you want https://github.com/MiranDaniel/f1rewall
  - example from PoolTogether https://pooltogether.com/discord
- protect your server vanity invite!
  - if you lose boosts or a compromised account changes away from your vanity, then a fake server can use your vanity URL to phish members
- `regex` filtering with native automod
  - regex pattern matching
  - filter out all links
  - filter specific types of spam
  - keep `gm` to a gm channel

## Extra Resources

- Glossary of security terms https://twitter.com/Jon_HQ/status/1585744816494649344?s=20
- Bankless Academy security lesson https://twitter.com/iSpeak_Nerd/status/1621208493314416640?s=20
- BoringSec classes https://twitter.com/BoringSecDAO

### Arm your community with tools

Give your community tools to help each other

- community reporting
  - bots
    - shield_xyz
    - chainpatrol
  - boringsec/serverforge reporting
- scam alert channel in your community
  - follow #scam-alert channels in BoringSec/serverforge
    - https://support.discord.com/hc/en-us/articles/360028384531-Channel-Following-FAQ
- encourage using txn simulation extensions
  - https://twitter.com/iSpeak_Nerd/status/1621208481859780610?s=20
  - https://twitter.com/iSpeak_Nerd/status/1621208484728688642?s=20
  - pocketuni
  - stelo
  - revoke.cash
  - joinfire

### Arm your community with knowledge

Educate your community about how to keep their accounts protected

- basic security thread https://twitter.com/iSpeak_Nerd/status/1621208457138565120?s=20
- bookmarklet threats https://twitter.com/Collab_Land_/status/1651631802719825921?s=20
- QR code threats https://twitter.com/Collab_Land_/status/1641500275205869569?s=20
- OAuth lookalikes https://twitter.com/Jon_HQ/status/1564341463655124992
- scam type mindmap https://twitter.com/materwelon2002/status/1565823203909390336

---

# Setting up a new discord server securely (BoringSec article)

Setting up a new Discord server can be an exciting endeavor, but it can also be quite overwhelming, especially for those new to server administration.
With numerous hacks, scams, and threats to consider in web3, ensuring the security and safety of your server becomes crucial. In this article, we will guide you through securely setting up a new Discord server while explaining the underlying principles along the way.

The first guiding principle to keep in mind is the [Principle of Least Privilege](https://en.wikipedia.org/wiki/Principle_of_least_privilege). This principle emphasizes that all accounts, whether they belong to humans or bots, should have only the permissions they require to function, and no more. For example, unless they are moderators or admins, accounts on your server do not need the ability to ban other accounts. By strictly adhering to this principle, you can minimize the potential for abuse and unauthorized actions by bad actors.

![](https://hackmd.io/_uploads/Hyi_t4TD3.png)

The level of strictness in permissions can vary depending on the nature of your server. If your entire server is invite-only, you can afford to be less strict with permissions because new entrants are already somewhat socially vetted. However, for public-access servers in the web3 space, where scams are prevalent, you should have everything locked down tight.

## How People Join

Now, let's delve into how people join servers so we understand where we might put restrictions in place. The server join flow involves a new member getting a Discord invite from somewhere and joining the server. This invite might come from the project website or Twitter; for invite-only servers it can come from an individual.

### Filtering out Spammers and Scammers

To maintain the security of the whole server, we can put some restrictions on the join process. Our first line of defense against spam accounts, scammers, and phishing is a Join Gate. A join gate is a bot with name filters to prevent accounts with inappropriate, suspicious, or impersonator names from entering the server.
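The kind of name check a join gate performs, as an added example (not Hashbot's or Wick's code): the joiner's display name is normalized so that case, spacing, zero-width characters, full-width letters and look-alike digits cannot disguise a staff name, then compared against a constructed list of protected team account names and staff words.

```python
"""Join-gate name filter (added example). Team names, staff words and the
sample names in comments are constructed, not taken from any real server."""
import re
import unicodedata

# Names your real team uses (constructed). A joiner whose name normalizes
# to one of these is impersonating staff and is rejected outright.
TEAM_ACCOUNT_NAMES = {"Server Support", "Team Admin", "Support Bot", "BoringSec Mod"}

# Role words scammers combine to look official; a whole-word hit after
# normalization is a softer signal, so it is held for manual review.
STAFF_WORDS = re.compile(r"\b(support|admin|moderator|mod|official|helpdesk|ticket)\b")

# Deliberately small look-alike map (digits/symbols for letters). Script
# confusables (e.g. Cyrillic letters) would need a full confusables table.
CONFUSABLES = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                             "7": "t", "$": "s", "@": "a", "|": "l"})

# Zero-width spaces/joiners and the BOM: invisible in the member list.
INVISIBLE = re.compile(r"[\u200b-\u200f\u2060\ufeff]")


def normalize(name: str) -> str:
    """Reduce a display name to a canonical lowercase, space-separated form."""
    s = INVISIBLE.sub("", name)
    s = unicodedata.normalize("NFKD", s)          # full-width -> ASCII, split accents
    s = "".join(ch for ch in s if not unicodedata.combining(ch))
    s = s.casefold().translate(CONFUSABLES)        # "Supp0rt" -> "support"
    s = re.sub(r"[^a-z0-9]+", " ", s)              # punctuation/underscores -> spaces
    return " ".join(s.split())


_TEAM_NORMALIZED = {normalize(n) for n in TEAM_ACCOUNT_NAMES}


def check_join(display_name: str) -> tuple:
    """Return (action, reason): 'kick' for a team-name match,
    'hold' for a staff-word hit (route to mods), otherwise 'allow'."""
    norm = normalize(display_name)
    if norm in _TEAM_NORMALIZED:
        return "kick", f"impersonates team account ({norm!r})"
    m = STAFF_WORDS.search(norm)
    if m:
        return "hold", f"contains staff word {m.group(1)!r}"
    return "allow", ""
```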
Use bots like [Hashbot](https://docs.hashbot.gg/) and [Wick](https://docs.wick.bot/intro/features/#join-gate) to prevent accounts with names like `Server Support`, `Team Admin`, and `Support Bot` from joining your server.

The second barrier is [human verification](https://twitter.com/Jon_HQ/status/1585744883121147904), which helps ensure that only legitimate human users gain access to the server. Similar to captchas on websites, [captcha bots](https://twitter.com/Jon_HQ/status/1585744895603462144) such as [Pandez Guard](https://docs.pandezlabs.com/pandez-guard/what-is-pandez-guard), [Captcha Bot](https://docs.captcha.bot/introduction/getting-started), and [Wick](https://wickbot.com/) put a "proof of humanity" test in place.

While you should prevent new joiners from posting until after they pass the join gate and human verification, be careful not to restrict access to read-only channels that prove your server is legitimate. Have some public, read-only channels that newcomers can read to distinguish your server from fake impersonation servers: #announcements, #about-the-project, and #safety-guide, for example.

![](https://hackmd.io/_uploads/BJrOpL6P3.png)

Once users have joined the server, they can gain more access gradually. Users can choose specific roles for themselves via self-select `reaction roles`. Use moderation bots like Carl, Dyno, and YAGPDB to create [reaction roles](https://docs.dyno.gg/en/modules/reactionroles) and automate role assignments. However, it's crucial to be cautious when using mod bots, as [they can be abused](https://twitter.com/Jon_HQ/status/1667552033480802304) if attackers gain access and change the role configurations.

## Safety Tools

### Safety Setup

To ensure the safety of your Discord server, it is important to implement [Discord's Safety Setup](https://support.discord.com/hc/en-us/articles/10989121220631-How-to-Protect-Your-Server-from-Raids-101) measures. You should:

1. Enable Raid Protection to defend against a large group of malicious accounts joining at the same time (a Server Raid)
2. Enforce Two-Factor Authentication (2FA) for Moderator accounts to reduce the likelihood of Moderator account takeovers
3. Set Verification Levels for new joiners to reduce spam and Server Raids

Refer to the [Discord support article](https://support.discord.com/hc/en-us/articles/10989121220631-How-to-Protect-Your-Server-from-Raids-101) for details on how to set these three features up. If you want to be extra safe from raids, Beemo is a [great low-setup solution](https://twitter.com/Collab_Land_/status/1651631819367026688) for raid protection as well.

### Automating Moderation

Automod is when you set bots to automatically assign punishments for breaking your server's rules. You can use native Discord Automod or customizable mod bots like Carl, Wick, Dyno, or YAGPDB to set up spam filters, link blocking, and other features. The easiest to set up is Discord Automod. Refer to the [Automod FAQ](https://support.discord.com/hc/en-us/articles/4421269296535-AutoMod-FAQ) for tutorials.

![](https://hackmd.io/_uploads/S1sD1BTDn.png)

Beware that you will have to comprehend lots of bot documentation if you decide to use bots for Automod. Here are the documentation links for the bots referenced above:

- [Carl](https://docs.carl.gg/#/config)
- [Wick](https://docs.wick.bot/setup/)
- [Dyno](https://docs.dyno.gg/en/home)
- [YAGPDB](https://docs.yagpdb.xyz/)

I prefer Carl, but all the bots mentioned above are good choices. However, avoid MEE6 due to its team's history of [hacked accounts](https://twitter.com/Jon_HQ/status/1527401369371455489) and failure to deliver [promised web3 features](https://twitter.com/zachxbt/status/1625176253237018627).

For emergencies or immediate security threats, shut down all server activity using [lockdown mode](https://docs.carl.gg/#/moderation?id=lockdown) from Carl [or Wick](https://docs.wick.bot/commands/moderation/lockdown/#panic-mode).
These modes restrict posting and give your mods time to remove dangerous posts, administer punishments, and mitigate the risk to your server community.

Finally, you can implement automated mute punishments using native [Automod Timeout](https://support.discord.com/hc/en-us/articles/4413305239191-Time-Out-FAQ) or mod bots' [Muterole](https://docs.carl.gg/#/config?id=setting-roles) features.

While utilizing mod bots can enhance server management, it's important to remember that the more bots you have, the higher the risk of [any single bot](https://twitter.com/mee6bot/status/1526901242521432065) [getting compromised](https://twitter.com/NFTherder/status/1509821857821863936) and used against you. Therefore, it is crucial to follow the principle of Least Privilege and grant only the necessary permissions to each bot.

## Understanding Role Permissions

Understanding [role permissions](https://support.discord.com/hc/en-us/articles/206029707-Setting-Up-Permissions-FAQ) within Discord is essential for effective moderation. Discord servers utilize a [role hierarchy](https://twitter.com/Jon_HQ/status/1585744855916953600) system to assign permissions effectively.

Role Hierarchy: the order in which roles exist. The closer to the top, the higher the role. Discord permissions and actions rely on the role hierarchy to determine if an action can be done. For example, you cannot kick someone from the server who has a higher role than you in the hierarchy. Conversely, if a role has the `Manage Roles` permission, it can change the settings for any role below it in the hierarchy and assign those lower roles to any account.

![](https://hackmd.io/_uploads/Sys_EBpvh.png)

### Permission Overrides

Overrides are permission changes at the category and channel levels. WARNING: these [overrides](https://support.discord.com/hc/en-us/articles/206029707-Setting-Up-Permissions-FAQ#h_01FFTVZWZVQ3BZ0ZXRJ1QBCKY1) will change your default role permissions.
In addition to the hierarchy, the order in which permissions and overrides are applied matters too. The order of role permissions is as follows: `server` > `category` > `channel`. This means that server-level permissions are applied by default, followed by any overrides at the category level, then finally overrides at the channel level.

We recommend not using channel-specific permission overrides and instead relying on category overrides as much as possible. Excessive overrides can complicate moderation and make it challenging to keep track of who has what permissions for which channels. The ["view as role" feature](https://support.discord.com/hc/en-us/articles/360055709773-View-as-Role-FAQ), or even reviewing the server with an alt account, can be a valuable ally for administrators to monitor and manage role permissions effectively.

Here is a view of the initial onboarding flow as members gain more access through human verification in a server.

![](https://hackmd.io/_uploads/S1wpIHTwn.gif)

## Protecting Against Scammers: The Principle of Least Privilege

### Restrict Dangerous Permissions

Scammers aim to spread phishing links quickly, often by compromising user accounts within your server. To protect against such threats, again, it is crucial to implement the principle of least privilege. This approach involves removing "dangerous" permissions from all users.
Some of the "dangerous" permissions that should be carefully controlled and restricted include:

- `Administrator` -- unlocks all permissions, including access to bot dashboards, allowing attackers to weaponize your installed bots
- `Mention @everyone, @here, and All Roles` -- allows attackers to quickly direct attention to their scam links when they do attack
- `Kick Members` / `Ban Members` -- these two can be abused to remove your server's members or even ban your moderation team and prevent you from responding effectively to a server attack
- `Manage Webhooks` -- exposed webhook endpoints allow attackers to post anything (including @everyone mentions) directly into your server, even if you manage to ban all of them
- `Manage Server` -- allows attackers to invite or remove bots, change the vanity URL to redirect new joiners to a fake server, and change the server name/icon
- `Manage Roles` -- can grant roles to other users and even yourself, allowing an attacker to escalate their permissions and gain access to other dangerous permissions
- `Manage Channels` -- can be used to create fake announcement channels

By limiting these permissions, you reduce the impact scammers can have within your community. Taking such precautions helps ensure that scammers have minimal opportunities to exploit compromised member accounts and spread malicious links.

Think of the following Member/Admin/Owner sections as increasing permissions from 0, rather than the reverse. Additive, not subtractive permissions.

### Member Accounts

When setting permissions for member accounts, it is crucial to apply the principle of least privilege. Instead of using subtractive permissions, where lower-tier roles have limitations, utilize additive permissions. This means that higher-tier roles gain additional access and permissions at the server level.
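The `server` > `category` > `channel` resolution order, the additive tiers from the outline (everyone / verified human / full community member) and the dangerous-permission list above, put together in one runnable model as an added example. This is not Discord's code: the role masks, categories and channels are constructed, and the permission bit positions follow Discord's documented permission flags.

```python
"""Layered permission resolution and a dangerous-permission audit (added
example). Roles, masks and channel layout are constructed."""

# Permission flags (bit positions as documented in Discord's API).
KICK_MEMBERS = 1 << 1
BAN_MEMBERS = 1 << 2
ADMINISTRATOR = 1 << 3
MANAGE_CHANNELS = 1 << 4
MANAGE_GUILD = 1 << 5            # shown as "Manage Server" in the client
VIEW_CHANNEL = 1 << 10
SEND_MESSAGES = 1 << 11
EMBED_LINKS = 1 << 14
ATTACH_FILES = 1 << 15
MENTION_EVERYONE = 1 << 17
CONNECT = 1 << 20
SPEAK = 1 << 21
MANAGE_ROLES = 1 << 28
MANAGE_WEBHOOKS = 1 << 29
MANAGE_EVENTS = 1 << 33
ALL = (1 << 40) - 1              # what Administrator effectively grants

# The "dangerous" permissions from the list above, keyed by client label.
DANGEROUS = {
    "Administrator": ADMINISTRATOR, "Mention @everyone": MENTION_EVERYONE,
    "Kick Members": KICK_MEMBERS, "Ban Members": BAN_MEMBERS,
    "Manage Webhooks": MANAGE_WEBHOOKS, "Manage Server": MANAGE_GUILD,
    "Manage Roles": MANAGE_ROLES, "Manage Channels": MANAGE_CHANNELS,
    "Manage Events": MANAGE_EVENTS,
}
DANGEROUS_MASK = sum(DANGEROUS.values())   # distinct bits, so sum == OR

# Server-level role permissions (constructed), additive: each tier only adds.
ROLES = {
    "@everyone": 0,
    "Verified Human": VIEW_CHANNEL | SEND_MESSAGES | CONNECT | SPEAK,
    "Full Community Member": EMBED_LINKS | ATTACH_FILES,
    "Moderator": KICK_MEMBERS | BAN_MEMBERS | MENTION_EVERYONE,
}

# Overrides as {target: {role: (allow_mask, deny_mask)}}. Only categories carry
# overrides here; channels inherit ("sync" to) their category, as advised above.
CATEGORY_OVERRIDES = {
    "Start Here": {"@everyone": (VIEW_CHANNEL, SEND_MESSAGES)},  # public, read-only
    "Community": {},                                             # server defaults apply
}
CHANNEL_OVERRIDES = {}
CHANNELS = {"#announcements": "Start Here", "#verify": "Start Here", "#general": "Community"}


def _apply_layer(perms, overrides, member_roles):
    """One override layer: denies for every held role, then allows."""
    allow = deny = 0
    for role in member_roles:
        a, d = overrides.get(role, (0, 0))
        allow |= a
        deny |= d
    return (perms & ~deny) | allow


def effective_permissions(member_roles, channel):
    """Resolve server -> category -> channel for a member in a channel."""
    roles = set(member_roles) | {"@everyone"}      # every member holds @everyone
    base = 0
    for role in roles:
        base |= ROLES[role]
    if base & ADMINISTRATOR:                       # Administrator ignores overrides
        return ALL
    perms = _apply_layer(base, CATEGORY_OVERRIDES[CHANNELS[channel]], roles)
    return _apply_layer(perms, CHANNEL_OVERRIDES.get(channel, {}), roles)


def can(member_roles, channel, perm):
    return bool(effective_permissions(member_roles, channel) & perm)


def audit_dangerous(roles=ROLES):
    """Roles holding any dangerous permission at the server level -> labels."""
    return {name: [label for label, bit in DANGEROUS.items() if mask & bit]
            for name, mask in roles.items() if mask & DANGEROUS_MASK}
```

Unverified members end up able to read #announcements but post nowhere, verified members can post in #general but still cannot post in the read-only category, and the audit surfaces exactly which roles would let a compromised account reach for the dangerous permissions.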
Additive permissions are easier to moderate and simpler when dealing with category and channel overrides; click through the possible role combinations using the "View as role" feature to confirm permission settings.

To apply the Least Privilege Principle, you can establish a tiered system for additive member permissions as follows, starting from the least access and increasing permissions:

- `Everyone`: Lowest permissions, almost nothing. Has no permissions at the server level, has a category override for view-only access in read-only channels like #announcements and #about-the-project, and can view the human verification channel.
- `Verified Human`: Server-level view channels, read/write access to public community spaces, and the ability to post and engage in voice channels.
- `Full Community Member`: Server-level perms to post links, embed content, share images, and more.

By implementing this tiered approach, you ensure that each member has access to the appropriate features while minimizing the potential for abuse by attackers and confusion for moderators. Additionally, web3 communities might use token-gating bots like [Collab.Land](https://docs.collab.land/help-docs/key-features/token-gate-communities) to grant Full Community Member roles based on wallet holdings.

### Admin Accounts

Administrator and moderator accounts are valuable targets for scammers. These accounts have high-level permissions and often have access to the "dangerous permissions" described above. Compromising these accounts can give attackers access to scam the entire server if the server is not following Least Privilege principles.

To protect these high-value accounts, several security measures should be in place:

- Enforce two-factor authentication (2FA) for all moderator accounts. This is a setting in Discord's Safety Setup.
- Assume that any account can become compromised at any time. Applying Least Privilege principles to restrict even moderator permissions protects everyone in your community from the actions of compromised accounts.
- Consider utilizing automated security solutions like Wick or Good Knight.
  - Wick offers [reactive Quarantine settings](https://docs.wick.bot/commands/moderation/quarantine/) that respond to account actions but requires careful configuration and trust in the bot.
  - [Good Knight](https://docs.goodknightbot.com/) provides pre-emptive security measures by allowing mods to temporarily escalate permissions as needed. After a short time window, GK automatically removes the dangerous permissions, ensuring that even compromised admin and mod accounts cannot use them. GK's additional layer of password and 2FA protection prevents scammers from exploiting those permissions.

![](https://hackmd.io/_uploads/rycpaHavn.png)

### Special Case: Server Owner

Assigning the server owner role to a ["cold" account](https://twitter.com/Jon_HQ/status/1585744824333783040), separate from the day-to-day accounts for admins, is a wise practice. This setup ensures that the server owner always maintains the highest level of access on a secure account, even if other administrators' accounts are compromised. Use this precautionary measure to safeguard your server and maintain control of critical settings and permissions. Follow Discord's [instructional article](https://support.discord.com/hc/en-us/articles/216273938-How-do-I-transfer-server-ownership-) to transfer server ownership.

## Advanced Security Measures

To bolster the security of your Discord server, consider implementing the following advanced security measures:

- Protect your server's [vanity invite](https://twitter.com/Jon_HQ/status/1585744906533801984) `https://discord.gg/{fancy_name}`. Keep your server boosts topped up and restrict the `Manage Server` permission to prevent compromised accounts from swapping your vanity URL to a fake phishing URL.
- Utilize regular expression ([regex](https://regexr.com/)) filtering with native Automod features. [Filter out specific types of spam](https://support.discord.com/hc/en-us/articles/4421269296535#h_01GV3GQSB85NVWN1KQJ8AKZYC8) and unwanted content using text pattern-matching, while ensuring that genuine messages from the community are not affected. For example, this would allow you to keep excessive `gm`s to a #gm channel only.
- Install tools like [f1rewall](https://github.com/MiranDaniel/f1rewall) to add another layer of security by implementing a CAPTCHA verification process before users can access the Discord invite to join your server. See f1rewall in action on the [PoolTogether website](https://pooltogether.com/discord).

## Equipping the Community with Tools and Knowledge

To empower your community and enhance their ability to protect themselves, add the following features:

- Provide reporting tools to enable community members to report suspicious activities or potential scams. Use Discord bots like [Shield](https://www.getshield.xyz/discord) or [ChainPatrol](https://chainpatrol.io/bot) for scam reporting and URL checking within Discord.
- Create a #scam-alert channel within your community to keep everyone aware of ongoing scams and potential threats.
- Use [Discord's Follow feature](https://support.discord.com/hc/en-us/articles/360028384531-Channel-Following-FAQ) to get alerts from established security communities like [Boring Security](https://twitter.com/BoringSecDAO) and [Server Forge](https://twitter.com/Server_Forge).

![](https://hackmd.io/_uploads/SkjCRB6D3.png)

- Encourage everyone to use transaction simulation extensions to help community members verify the safety of transactions and avoid potential scams. We recommend tools like [Pocket Universe](https://twitter.com/PocketUniverseZ), [Wallet Guard](https://twitter.com/wallet_guard), [Revoke.cash](https://twitter.com/RevokeCash), [Stelo](https://twitter.com/stelolabs), and [JoinFire](https://twitter.com/_joinfire/status/1618366852710952960).
- Educate your community about [basic security measures](https://twitter.com/iSpeak_Nerd/status/1621208457138565120) to keep their Discord accounts and personal information protected.
- Share resources such as security threads and information on potential threats related to [socially-engineered FOMO](https://twitter.com/iSpeak_Nerd/status/1656737519571197952), [bookmarklets](https://twitter.com/Collab_Land_/status/1651631802719825921), and [QR codes](https://twitter.com/Collab_Land_/status/1641500275205869569).
- Register your community for a Security 101 session with [Boring Security](https://boringsecurity.com/) by reaching out to an `@OG Safu` on the Boring Security discord!

By arming your community with the necessary tools and knowledge, you create a culture of security and safety and reduce the risk of falling victim to scams or security breaches!
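The regex filtering described under Advanced Security Measures above, worked through as an added example (not Discord Automod configuration or any bot's code): one rule keeps bare `gm` messages in #gm, another blocks links from members below the link-posting tier while letting allowlisted project domains through and flagging obfuscated links for mods. Channel names, role names, allowlisted domains and sample messages are constructed.

```python
"""Automod-style regex rules (added example). Tier name, allowlisted domains
and the message shape are constructed to match the tiers described above."""
import re
from dataclasses import dataclass, field

LINK_TIER = "Full Community Member"                        # tier allowed to post links
ALLOWED_DOMAINS = {"example-project.xyz", "docs.example-project.xyz"}  # constructed

# A message that is *only* gm (gm, GM!!, gmmm, g m). Anything else in the
# message is real conversation and is left alone.
GM_ONLY = re.compile(r"^\W*g+\W*m+\W*$", re.IGNORECASE)

# URLs, including defanged/obfuscated spellings (hxxps://, discord[.]gg,
# example(dot)com) that slip past naive "https://" filters.
LINK = re.compile(r"""(?ix)
    (?P<scheme>h[tx]{2}ps?://|www\.)?                   # optional scheme or www.
    (?P<host>(?:[a-z0-9-]+(?:\.|\[\.\]|\(dot\)))+       # labels with (obfuscated) dots
             (?:com|net|org|io|gg|xyz|app|finance))     # small TLD list for this example
    (?![a-z])
    (?:/\S*)?                                           # optional path
""")


@dataclass
class Message:
    channel: str
    author_roles: set = field(default_factory=set)
    content: str = ""


def _canonical_host(m: re.Match) -> str:
    """Undo the common dot obfuscations so allowlist lookups work."""
    return re.sub(r"\[\.\]|\(dot\)", ".", m.group("host").lower())


def _allowlisted(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)


def evaluate(msg: Message) -> list:
    """Return [(rule, action, detail)] for a message; an empty list means allowed."""
    hits = []
    if msg.channel != "#gm" and GM_ONLY.match(msg.content):
        hits.append(("gm-only-in-#gm", "block", "gm belongs in #gm"))
    if LINK_TIER not in msg.author_roles:                  # the link tier is exempt
        for m in LINK.finditer(msg.content):
            host = _canonical_host(m)
            if _allowlisted(host):
                continue
            scheme = (m.group("scheme") or "").lower()
            obfuscated = host != m.group("host").lower() or scheme.startswith("hx")
            # Obfuscation is a deliberate evasion: block and alert mods, not just block.
            action = "block+alert-mods" if obfuscated else "block"
            hits.append(("links-below-tier", action, host))
    return hits
```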
## Additional Resources

For further information and resources related to Discord server security, consider exploring the following:

- Glossary of security terms: a [comprehensive list of security terms](https://twitter.com/Jon_HQ/status/1585744816494649344) to familiarize yourself with
- Bankless Academy security lesson: an [async security lesson](https://twitter.com/iSpeak_Nerd/status/1621208493314416640) provided by [Bankless Academy](https://twitter.com/banklessacademy) to enhance your understanding of web3 security
- Boring Security classes: free live classes and free resources [offered by Boring Security](https://twitter.com/BoringSecDAO) to deepen your knowledge of Discord server security
- Watch out for scam [OAuth lookalikes](https://twitter.com/Jon_HQ/status/1564341463655124992)
- [Mindmap of scam types](https://twitter.com/materwelon2002/status/1565823203909390336) and how they work
- [Discord Security thread of threads](https://twitter.com/Jon_HQ/status/1512510288095940609) from Jon_hq

By implementing these restricted role permissions and advanced security measures, you can create a more secure and enjoyable environment for your Discord server community.

*Have any questions or want to learn more about web3 security and stay up to date on the most current security information, scams, and tactics? Join Boring Security in our discord at https://discord.gg/boringsecurity*