
Securely Set up a Discord Server

20 minutes

Jun 21st, 2023 - 01:09 am


Setting up a new Discord server can be an exciting endeavor, but it can also be quite overwhelming, especially for those new to server administration. With numerous hacks, scams, and threats to consider in web3, ensuring the security and safety of your server becomes crucial. In this article, we will guide you through securely setting up a new Discord server while explaining the underlying principles along the way.

The first guiding principle to keep in mind is the Principle of Least Privilege. This principle emphasizes that all accounts, whether they belong to humans or bots, should have only the permissions they require to function, and no more. For example, unless they are moderators or admins, accounts on your server do not need the ability to ban other accounts. By strictly adhering to this principle, you can minimize the potential for abuse and unauthorized actions by bad actors.

The level of strictness in permissions can vary with the nature of your server. If your entire server is invite-only, you can afford to be less strict, because new entrants are already somewhat socially vetted. For public-access servers in the web3 space, where scams are prevalent, everything should be locked down tight. Below we walk through the general process of joining a Discord server and where security checks fit into it, how to empower your mods with automatic monitoring and moderation, and, finally, how to protect your community from dangerous permissions using the Principle of Least Privilege.

How People Join

Now, let’s look at how people join servers so we understand where restrictions can be put in place. The join flow is simple: a new member obtains a Discord invite link from somewhere and uses it to join. For a public server the invite is usually published on the project website or Twitter; for an invite-only server it comes from an existing member.

Filtering out Spammers and Scammers

To maintain the security of the whole server, we can put some restrictions on the join process.

Our first line of defense against spam accounts, scammers, and phishing is a Join Gate. A join gate is a bot with name filters to prevent accounts with inappropriate, suspicious, or impersonator names from entering the server. Use bots like Hashbot and Wick to prevent accounts with names like Server Support, Team Admin, and Support Bot from joining your server.
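An added example (not from the article and not how Hashbot or Wick are implemented) of the name normalisation a join gate has to do before a keyword filter is worth anything: impersonators hide “Support” behind fullwidth or math-bold letters, Cyrillic look-alikes, zero-width characters and leetspeak. The keyword lists, the confusable table and the sample names are constructed for this example and deliberately small; a real gate would load the full Unicode confusables table and your own staff names.

```python
from __future__ import annotations

import re
import unicodedata
from collections.abc import Iterable

# Words that real members almost never put in a name but impersonators nearly always do.
# Both lists are constructed for this example; tune them per server.
SUSPICIOUS_TOKENS = {
    "support", "admin", "administrator", "mod", "moderator", "staff", "team",
    "official", "helpdesk", "ticket", "bot", "airdrop", "giveaway", "announcement",
}
# Strong words are also matched as substrings ("xSupportTeamx"); short ones like "mod"
# are not, to avoid flagging "modern" or "robot".
STRONG_TOKENS = {"support", "admin", "helpdesk", "airdrop", "giveaway"}

# A small sample of Unicode confusables (Cyrillic look-alikes) plus common leetspeak.
# A production filter would load the full Unicode confusables table instead.
CONFUSABLES = str.maketrans({
    "а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "х": "x", "у": "y", "і": "i", "ѕ": "s",
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s", "|": "l",
})
ZERO_WIDTH = re.compile(r"[\u00ad\u200b-\u200f\u2060\ufeff]")


def normalize_name(name: str) -> str:
    """Collapse the tricks impersonators use so that a plain keyword match works."""
    name = ZERO_WIDTH.sub("", name)                    # invisible characters split keywords
    name = unicodedata.normalize("NFKC", name)         # fullwidth / math-bold letters -> ASCII
    name = "".join(ch for ch in unicodedata.normalize("NFD", name)
                   if not unicodedata.combining(ch))   # strip accents and combining marks
    name = name.casefold().translate(CONFUSABLES)
    return re.sub(r"[^a-z0-9]+", " ", name).strip()    # punctuation and separators -> single spaces


def name_flags(name: str, protected_names: Iterable[str] = ()) -> list[str]:
    """Reasons a join gate would hold this account for review; an empty list means the name is allowed.

    protected_names: exact names of your staff, bots and project that nobody else may use.
    """
    norm = normalize_name(name)
    tokens = set(norm.split())
    squashed = norm.replace(" ", "")
    reasons: list[str] = []

    hits = (tokens & SUSPICIOUS_TOKENS) | {t for t in STRONG_TOKENS if t in squashed}
    if hits:
        reasons.append("staff/support keyword: " + ", ".join(sorted(hits)))

    for protected in protected_names:
        if normalize_name(protected).replace(" ", "") == squashed:
            reasons.append(f"impersonates protected name: {protected}")
    return reasons


if __name__ == "__main__":
    # Constructed sample names, including the Unicode tricks seen in real impersonation attempts.
    for candidate in ["alice_eth", "Server Support", "𝐓𝐞𝐚𝐦 𝐀𝐝𝐦𝐢𝐧", "Suppоrt Bоt", "B0ring-Security"]:
        print(f"{candidate!r:28} -> {name_flags(candidate, protected_names=['Boring Security']) or 'ok'}")
```

Hold flagged accounts for review rather than auto-banning them: “team” or “mod” will occasionally hit a legitimate name, and the cost of a false positive should be a ping to a moderator, not a lost member.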

The second barrier is human verification, which helps ensure that only legitimate human users gain access to the server. Similar to captchas on websites, captcha bots such as Pandez Guard, Captcha Bot, and Wick put a “proof of humanity” test in place.

Whatever bot you choose, do not use QR-code verification, and do not require DMs or redirects to external websites. Discord’s QR code is a login mechanism, so scanning one that an attacker supplies signs the scanner’s account into the attacker’s device; and a legitimate flow that asks members to click through DMs or outside sites trains them to accept exactly what phishers ask for. All interactions should happen in the public channel; an inline captcha is the best method for secure web3 servers.

While you should prevent new joiners from posting until they pass the join gate and human verification, be careful not to restrict access to the read-only channels that prove your server is legitimate. Keep some public, read-only channels that newcomers can read so they can distinguish your server from fake impersonation servers, for example #announcements, #about-the-project, and #safety-guide.

Public view of a discord server

Once users have joined the server, they can gain more access gradually. Users can choose specific roles for themselves via self-select reaction roles. Use moderation bots like Carl, Dyno, and YAGPDB to create reaction roles and automate role assignments. Be cautious with what a self-assignable role can do, however: mod bots are abused if an attacker reaches the bot’s dashboard and changes the role configuration, and any role the bot is able to hand out is then a role the attacker can hand out.

Safety Tools

Safety Setup

To ensure the safety of your Discord server, it is important to implement Discord’s Safety Setup measures. You should:

  1. Enable Raid Protection to defend against a large group of malicious accounts joining at the same time (Server Raid)
  2. Enforce Two-Factor Authentication (2FA) for moderator accounts to reduce the likelihood of moderator account takeovers
  3. Set Verification Levels for new joiners to reduce spam and Server Raids

Refer to the Discord support article for details on how to set these three features up. If you want to be extra safe from raids, Beemo is a great low-setup solution for raid protection as well.
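An added example, not part of the article and not how Beemo or Discord’s own raid protection is implemented, of the detection logic behind anti-raid tooling. It combines a sliding window over join events with the one piece of evidence every join carries: the account’s creation time, which is encoded in the top bits of its Discord ID (a snowflake). The thresholds and the sample join sequence are constructed and are assumptions to tune per server.

```python
from __future__ import annotations

from collections import deque
from dataclasses import dataclass

DISCORD_EPOCH_MS = 1_420_070_400_000  # 2015-01-01T00:00:00Z; every Discord snowflake counts from here


def snowflake_created_ms(snowflake: int) -> int:
    """Creation time hidden in any Discord ID: the top 42 bits are milliseconds since the Discord epoch."""
    return (snowflake >> 22) + DISCORD_EPOCH_MS


def snowflake_from_ms(created_ms: int) -> int:
    """Inverse of snowflake_created_ms; used here only to fabricate the sample accounts below."""
    return (created_ms - DISCORD_EPOCH_MS) << 22


@dataclass(frozen=True)
class Join:
    user_id: int    # snowflake of the account that joined
    joined_ms: int  # wall-clock time of the join event


class RaidDetector:
    """Sliding-window join monitor: a burst of joins made mostly by freshly created accounts is a raid."""

    def __init__(self, window_s: int = 10, join_threshold: int = 5,
                 young_account_days: int = 7, min_young_fraction: float = 0.6) -> None:
        self.window_ms = window_s * 1000
        self.join_threshold = join_threshold
        self.young_ms = young_account_days * 86_400_000
        self.min_young_fraction = min_young_fraction
        self._recent: deque[Join] = deque()

    def observe(self, join: Join) -> bool:
        """Feed one join event (in time order); True means this join completed a raid pattern."""
        self._recent.append(join)
        while join.joined_ms - self._recent[0].joined_ms > self.window_ms:
            self._recent.popleft()                      # drop joins that fell out of the window
        if len(self._recent) < self.join_threshold:
            return False
        young = sum(1 for j in self._recent
                    if join.joined_ms - snowflake_created_ms(j.user_id) < self.young_ms)
        return young / len(self._recent) >= self.min_young_fraction


def flagged_joins(joins: list[Join], **detector_kwargs) -> list[int]:
    """Indexes of the joins at which the detector fired."""
    detector = RaidDetector(**detector_kwargs)
    return [i for i, j in enumerate(joins) if detector.observe(j)]


# Constructed sample: six organic joins by two-year-old accounts one minute apart, then six
# joins by accounts created within the last hour arriving half a second apart.
NOW_MS = 1_700_000_000_000
DAY_MS = 86_400_000
SAMPLE_JOINS = [
    Join(snowflake_from_ms(NOW_MS - 730 * DAY_MS - i), NOW_MS + i * 60_000) for i in range(6)
] + [
    Join(snowflake_from_ms(NOW_MS - i * 60_000), NOW_MS + 600_000 + i * 500) for i in range(6)
]

if __name__ == "__main__":
    for index in flagged_joins(SAMPLE_JOINS):
        j = SAMPLE_JOINS[index]
        age_h = (j.joined_ms - snowflake_created_ms(j.user_id)) / 3_600_000
        print(f"raid pattern completed by join #{index} (account age {age_h:.1f} h)")
```

Account age is what separates a raid from a popular announcement: a hundred joins in a minute by accounts that are years old is a good day, the same burst by accounts created this week is not, so the fraction of young accounts does most of the work and the raw join count is only the trigger for looking.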

Automating Moderation

Automod means configuring bots to detect messages that break your server’s rules and apply punishments automatically. You can use native Discord AutoMod or customizable mod bots like Carl, Wick, Dyno, or YAGPDB to set up spam filters, link blocking, and other features.

The easiest to set up is Discord Automod. Refer to the Automod FAQ for tutorials.

An example spam post blocked by Discord AutoMod

Expect to read a good deal of bot documentation if you use third-party bots for automod.

Here are the documentation links for the bots referenced above:

I prefer Carl, but all the bots mentioned above are good choices. However, avoid MEE6 due to its team’s history of hacked accounts and failure to deliver promised web3 features.

For emergencies or immediate security threats, shut down all server activity using lockdown mode from Carl or Wick. These modes restrict posting and give your mods time to remove dangerous posts, administer punishments, and mitigate the risk to your server community.

Finally, you can implement automated mute punishments using native Automod Timeout or mod bots’ Muterole features.

While mod bots can enhance server management, remember that the more bots you have, the higher the chance that any single one gets compromised and used against you. Therefore, follow the principle of Least Privilege and grant only the necessary permissions to each bot. The permissions a bot asks for are shown on the authorization screen when you invite it (and are encoded in its invite link); untick anything it does not need, and review Server Settings > Integrations afterwards. For example, Collab.Land only requires these permissions:

  1. Manage Roles
  2. Manage Channels
  3. Ban Members
  4. Read Messages
  5. Send Messages

Understanding Role Permissions

Understanding role permissions within Discord is essential for effective moderation. Discord servers utilize a role hierarchy system to assign permissions effectively.

Role Hierarchy: The order in which roles are listed; the closer to the top, the higher the role. Discord checks the hierarchy before allowing a moderation action. For example, you cannot kick or ban someone whose highest role is above your own. Likewise, a role with the Manage Roles permission can edit any role below it in the hierarchy and assign those lower roles to any account, including its own.

Discord role hierarchy

Permission Overrides

Overrides are permission changes at the category and channel levels. WARNING: an override replaces the server-level result for that category or channel, so a role can lose (or gain) a permission in one place that it holds everywhere else, which is where most accidental exposures come from.

The order in which overrides are applied matters as much as the hierarchy. Permissions are resolved server > category > channel: a member’s server-level permissions (the union of @everyone and every role they hold) are the starting point, then the overrides on the channel they are in are applied. A channel that is synced to its category uses the category’s overrides; a channel with its own overrides uses those instead, so the channel is always the last word. Within one channel, Discord applies the @everyone override first, then the role overrides (all denies, then all allows), then any member-specific override. This is why an explicit deny on @everyone removes a permission a role grants at the server level, unless a role override in that same channel allows it again.

We recommend not using channel-specific permission overrides and instead relying on category overrides as much as possible. Excessive overrides can complicate moderation and make it challenging to keep track of who has what permissions for which channels. The “view as role” feature, or even reviewing the server with an alt account, can be a valuable ally for administrators to monitor and manage role permissions effectively.

Here is a view of the initial onboarding flow as members gain more access through human verification in a server.

New joiner onboarding flow through verification gate

Protecting Against Scammers: The Principle of Least Privilege in Practice

Restrict Dangerous Permissions

Scammers aim to spread phishing links quickly, often by compromising user accounts within your server. To protect against such threats, again, it is crucial to implement the principle of least privilege. This approach involves removing “dangerous” permissions from all users.

Some of the “dangerous” permissions that should be carefully controlled and restricted include:

  • Administrator – unlocks all permissions, including access to bot dashboards allowing attackers to weaponize your installed bots
  • Mention @everyone, @here, and All Roles – allows attackers to quickly direct attention to their scam links when they do attack
  • Kick/Ban Members – these two can be abused to remove your server’s members or even ban your moderation team and prevent you from responding effectively to a server attack
  • Manage Webhooks – a webhook is a URL that posts into a channel without any account behind it, so an attacker who creates or copies one can keep posting anything (including @everyone mentions) even after every account they used has been banned, until the webhook itself is deleted
  • Manage Server – allows attackers to invite or remove bots, change vanity URL to redirect new joiners to a fake server, change server name/icon
  • Manage Roles – can grant roles lower on the role hierarchy to other users and even yourself, allowing for an attacker to escalate their permissions and access other dangerous permissions
  • Manage Channels – can be used to create fake announcement channels

By limiting these permissions, you reduce the impact scammers can have within your community. Taking such precautions helps ensure that scammers have minimal opportunities to exploit compromised member accounts and spread malicious links.
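An added example (not from the article) that turns the list above and the earlier Collab.Land permission list into a check you can run against a server’s role list or a bot invite link: it names the dangerous bits a role holds, works out what a role with Manage Roles can escalate to by assigning lower roles to itself, applies the hierarchy rule to a ban, and decodes the `permissions=` value in a bot’s OAuth2 invite URL. The permission bit values are Discord’s documented ones; the role list and the two invite links are constructed for the example (the client_id is a placeholder).

```python
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

# Permission bits as documented in the Discord API reference.
KICK_MEMBERS     = 1 << 1
BAN_MEMBERS      = 1 << 2
ADMINISTRATOR    = 1 << 3
MANAGE_CHANNELS  = 1 << 4
MANAGE_GUILD     = 1 << 5    # "Manage Server" in the client
VIEW_CHANNEL     = 1 << 10   # "Read Messages" in older bot docs
SEND_MESSAGES    = 1 << 11
MENTION_EVERYONE = 1 << 17   # @everyone, @here and "all roles"
MANAGE_ROLES     = 1 << 28
MANAGE_WEBHOOKS  = 1 << 29

# The article's "dangerous" set, keyed by the name shown in the Discord client.
DANGEROUS = {
    "Administrator": ADMINISTRATOR, "Kick Members": KICK_MEMBERS, "Ban Members": BAN_MEMBERS,
    "Manage Channels": MANAGE_CHANNELS, "Manage Server": MANAGE_GUILD,
    "Mention @everyone": MENTION_EVERYONE, "Manage Roles": MANAGE_ROLES, "Manage Webhooks": MANAGE_WEBHOOKS,
}


@dataclass(frozen=True)
class Role:
    name: str
    position: int     # hierarchy: a larger number sits higher in the role list
    permissions: int  # server-level permission bitfield


def dangerous_names(perms: int) -> list[str]:
    """Dangerous permissions present in a bitfield; Administrator implies all of them."""
    if perms & ADMINISTRATOR:
        return sorted(DANGEROUS)
    return sorted(name for name, bit in DANGEROUS.items() if perms & bit)


def reachable_permissions(role: Role, roles: list[Role]) -> int:
    """Bits an account holding `role` can end up with. Manage Roles lets it assign any lower
    role to itself, so every lower role's bits are reachable (the escalation path described above)."""
    reach = role.permissions
    if reach & (MANAGE_ROLES | ADMINISTRATOR):
        for other in roles:
            if other.position < role.position:
                reach |= other.permissions
    return reach


def audit(roles: list[Role]) -> dict[str, dict[str, list[str]]]:
    """Per role: the dangerous permissions it holds directly and those it can escalate to."""
    return {
        role.name: {
            "direct": dangerous_names(role.permissions),
            "reachable": dangerous_names(reachable_permissions(role, roles)),
        }
        for role in roles
    }


def can_ban(actor_roles: list[Role], target_roles: list[Role]) -> bool:
    """A ban needs the Ban Members bit and a higher top role than the target
    (the owner is never bannable; ownership is not modelled here)."""
    actor_perms = 0
    for role in actor_roles:
        actor_perms |= role.permissions
    if not actor_perms & (BAN_MEMBERS | ADMINISTRATOR):
        return False
    return max(r.position for r in actor_roles) > max(r.position for r in target_roles)


def requested_permissions(bot_invite_url: str) -> int:
    """Bitfield a bot invite link asks for: the `permissions=` parameter of the OAuth2 URL."""
    query = parse_qs(urlparse(bot_invite_url).query)
    return int(query.get("permissions", ["0"])[0])


# Constructed sample role list (not any real server's configuration).
SAMPLE_ROLES = [
    Role("@everyone", 0, VIEW_CHANNEL),
    Role("Announcer", 1, VIEW_CHANNEL | SEND_MESSAGES | MENTION_EVERYONE),
    Role("Helper",    2, VIEW_CHANNEL | SEND_MESSAGES | MANAGE_ROLES),      # looks harmless on its own
    Role("Moderator", 3, VIEW_CHANNEL | SEND_MESSAGES | KICK_MEMBERS | BAN_MEMBERS),
    Role("Admin",     4, ADMINISTRATOR),
]

# Constructed invite links: the first asks for exactly the five permissions listed above for
# Collab.Land, the second asks for Administrator (8). The client_id is a placeholder.
COLLAB_STYLE_INVITE = ("https://discord.com/oauth2/authorize?client_id=000000000000000000&scope=bot"
                       f"&permissions={MANAGE_ROLES | MANAGE_CHANNELS | BAN_MEMBERS | VIEW_CHANNEL | SEND_MESSAGES}")
ADMIN_INVITE = "https://discord.com/oauth2/authorize?client_id=000000000000000000&scope=bot&permissions=8"

if __name__ == "__main__":
    for name, report in audit(SAMPLE_ROLES).items():
        print(f"{name:10} direct={report['direct']} reachable={report['reachable']}")
    print("moderator can ban helper:", can_ban([SAMPLE_ROLES[3]], [SAMPLE_ROLES[2]]))
    print("helper can ban moderator:", can_ban([SAMPLE_ROLES[2]], [SAMPLE_ROLES[3]]))
    for url in (COLLAB_STYLE_INVITE, ADMIN_INVITE):
        print("invite asks for:", dangerous_names(requested_permissions(url)))
```

The role worth noticing in the sample is Helper: on its own it holds nothing but Manage Roles, yet because Announcer sits below it, a compromised Helper can give itself @everyone mentions. Any invite link whose `permissions=` decodes to Administrator (8) should be refused outright.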

Additive Permissions

Think of the following Member/Admin/Owner sections as increasing permissions from 0, rather than the reverse. Additive, not subtractive permissions.

Member Accounts

When setting permissions for member accounts, it is crucial to apply the principle of least privilege. Instead of subtractive permissions, where @everyone is granted a broad set and lower tiers are then denied things, use additive permissions: @everyone gets almost nothing and each higher-tier role adds access at the server level. Additive permissions are easier to moderate and simpler to reason about once category and channel overrides come into play; click through the possible role combinations with the “View as role” feature to confirm the result.

How to access “View as role” on Discord

To apply the Least Privilege Principle, you can establish a tiered system for additive member permissions as follows, starting from the least access and increasing permissions:

  • Everyone: Lowest permissions, almost nothing. Has no permissions at the server level, has category override for view-only access in read-only channels like #announcements and #about-the-project, and can view the human verification channel.
  • Verified Human: Server-level view channels, read/write access to public community spaces, enable members to post and engage in voice channels.
  • Full Community Member: Server-level perms to post links, embed content, share images, and more.

By implementing this tiered approach, you ensure that each member has access to the appropriate features while minimizing the potential for abuse by attackers and confusion for moderators. Additionally, web3 communities might use token-gating bots like Collab.Land to grant Full Community Member roles based on wallet holdings.
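An added example (not from the article) that models the three additive tiers above together with the read-only category override and the resolution order from the Permission Overrides section, using the algorithm Discord documents for its API: server-level bits are the union of @everyone and the member’s roles, then the channel’s overwrites apply in the order @everyone, role denies, role allows, member overwrite. Role ids, channel names and the @everyone id are placeholders constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Permission bits from the Discord API reference (only those this example needs).
ADMINISTRATOR        = 1 << 3
VIEW_CHANNEL         = 1 << 10
SEND_MESSAGES        = 1 << 11
EMBED_LINKS          = 1 << 14
ATTACH_FILES         = 1 << 15
READ_MESSAGE_HISTORY = 1 << 16
CONNECT              = 1 << 20
SPEAK                = 1 << 21
ALL = (1 << 64) - 1  # stand-in for "every permission", which is what Administrator resolves to

EVERYONE_ID = 1000   # in Discord the @everyone role id equals the server id; a placeholder here


@dataclass(frozen=True)
class Role:
    id: int
    name: str
    permissions: int  # server-level bits


@dataclass(frozen=True)
class Overwrite:
    allow: int = 0
    deny: int = 0


@dataclass
class Channel:
    name: str
    overwrites: dict[int, Overwrite] = field(default_factory=dict)  # role id or member id -> overwrite


def base_permissions(roles: list[Role], member_role_ids: set[int]) -> int:
    """Server level: the union of @everyone and every role the member holds."""
    perms = 0
    for role in roles:
        if role.id == EVERYONE_ID or role.id in member_role_ids:
            perms |= role.permissions
    return ALL if perms & ADMINISTRATOR else perms


def channel_permissions(base: int, member_role_ids: set[int], channel: Channel,
                        member_id: int | None = None) -> int:
    """Apply the channel's overwrites in Discord's documented order: the @everyone overwrite,
    then all role overwrites (denies first, then allows), then a member-specific overwrite.
    A channel synced to its category carries the category's overwrites, which is how a
    category override reaches every channel inside it."""
    if base & ADMINISTRATOR:
        return ALL
    perms = base
    everyone = channel.overwrites.get(EVERYONE_ID)
    if everyone is not None:
        perms = (perms & ~everyone.deny) | everyone.allow
    allow = deny = 0
    for role_id in member_role_ids:
        ow = channel.overwrites.get(role_id)
        if ow is not None:
            allow |= ow.allow
            deny |= ow.deny
    perms = (perms & ~deny) | allow
    member_ow = channel.overwrites.get(member_id) if member_id is not None else None
    if member_ow is not None:
        perms = (perms & ~member_ow.deny) | member_ow.allow
    return perms


def can(roles: list[Role], member_role_ids: set[int], channel: Channel, bits: int) -> bool:
    """True when the member holds every bit in `bits` inside `channel`."""
    effective = channel_permissions(base_permissions(roles, member_role_ids), member_role_ids, channel)
    return effective & bits == bits


# Constructed additive tiers: @everyone has nothing at server level; each role only adds.
VERIFIED, FULL = 1001, 1002
ROLES = [
    Role(EVERYONE_ID, "@everyone", 0),
    Role(VERIFIED, "Verified Human", VIEW_CHANNEL | SEND_MESSAGES | READ_MESSAGE_HISTORY | CONNECT | SPEAK),
    Role(FULL, "Full Community Member", EMBED_LINKS | ATTACH_FILES),  # held together with Verified Human
]
# Read-only category override (synced to #announcements): everyone may read, nobody may post.
ANNOUNCEMENTS = Channel("#announcements", {EVERYONE_ID: Overwrite(allow=VIEW_CHANNEL | READ_MESSAGE_HISTORY,
                                                                  deny=SEND_MESSAGES)})
# Verification channel: visible to newcomers, hidden again once the Verified Human role is granted.
VERIFY = Channel("#verify", {EVERYONE_ID: Overwrite(allow=VIEW_CHANNEL | READ_MESSAGE_HISTORY),
                             VERIFIED: Overwrite(deny=VIEW_CHANNEL)})
GENERAL = Channel("#general")  # no overrides: server-level permissions decide

NEWCOMER, VERIFIED_MEMBER, FULL_MEMBER = set(), {VERIFIED}, {VERIFIED, FULL}

if __name__ == "__main__":
    for label, tier in [("newcomer", NEWCOMER), ("verified", VERIFIED_MEMBER), ("full member", FULL_MEMBER)]:
        print(label, "| read #announcements:", can(ROLES, tier, ANNOUNCEMENTS, VIEW_CHANNEL),
              "post there:", can(ROLES, tier, ANNOUNCEMENTS, SEND_MESSAGES),
              "see #verify:", can(ROLES, tier, VERIFY, VIEW_CHANNEL),
              "post in #general:", can(ROLES, tier, GENERAL, SEND_MESSAGES),
              "embed links:", can(ROLES, tier, GENERAL, EMBED_LINKS))
```

The result to notice is #announcements: the Verified Human role grants Send Messages at server level, yet the @everyone deny on the read-only category removes it for every tier, which is exactly the behaviour the warning in the Permission Overrides section is about. Running the same check over your real role list is the scripted equivalent of clicking through “View as role”.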

Admin Accounts

Administrator and moderator accounts are valuable targets for scammers. These accounts have high-level permissions and often have access to the “dangerous permissions” described above. Compromising these accounts can give attackers access to scam the entire server if the server is not following Least Privilege principles. To protect these high-value accounts, several security measures should be in place:

Enforce two-factor authentication (2FA) for all moderator accounts. This is a setting in Discord’s Safety Setup.

Assume that any account can become compromised at any time. Applying Least Privilege principles to restrict even moderator permissions protects everyone in your community from the actions of compromised accounts.

Consider utilizing automated security solutions like Wick or Good Knight.

  • Wick offers reactive Quarantine settings that respond to account actions but requires careful configuration and trust in the bot.
  • Good Knight provides pre-emptive security measures by allowing mods to temporarily escalate permissions as needed. After a short time window, GK automatically removes dangerous permissions, ensuring that even compromised admin and mod accounts cannot use those dangerous permissions. Prevent scammers from exploiting permissions with GK’s additional layer of password and 2FA protection.
Good Knight temporary permissions

Special Case: Server Owner

Assigning the server owner role to a “cold” account, separate from the day-to-day accounts for admins and protected by 2FA, is a wise practice. This setup ensures that the server owner always retains the highest level of access on a secure account, even if other administrators’ accounts are compromised. Use this precautionary measure to safeguard your server and maintain control of critical settings and permissions. Follow Discord’s instructional article to transfer server ownership.

Advanced Security Measures

To bolster the security of your Discord server, consider implementing the following advanced security measures:

  • Protect your server’s vanity invite https://discord.gg/{fancy_name}. Keep your server boosts topped up and restrict the Manage Server permission to prevent compromised accounts from swapping your vanity URL to a fake phishing URL.
  • Utilize regular expression (regex) filtering with native Automod features to filter out specific types of spam and unwanted content while leaving genuine messages from the community untouched. For example, a pattern that matches messages consisting only of “gm” variations lets you keep excessive gms to a #gm channel (exempt that channel from the rule). AutoMod’s regex is Rust-flavoured, so lookarounds and backreferences are not available.
  • Install tools like f1rewall to add another layer of security by implementing a CAPTCHA verification process before users can access the Discord invite to join your server. See f1rewall in action on the PoolTogether website.

Equipping the Community with Tools and Knowledge

To empower your community and enhance their ability to protect themselves, add the following features:

Tools

  • Provide reporting tools to enable community members to report suspicious activities or potential scams. Use Discord bots like Shield or ChainPatrol for scam reporting and URL checking within Discord.
  • Encourage everyone to use transaction simulation extensions to help community members verify the safety of transactions and avoid potential scams. We recommend tools like Pocket Universe, Wallet Guard, Revoke.cash, Stelo, and JoinFire.
  • Create a #scam-alert channel within your community to keep everyone aware of ongoing scams and potential threats.
  • Use Discord’s Follow feature to get alerts from established security communities like Boring Security and Server Forge.
Server Forge scam alert

Knowledge

By arming your community with the necessary tools and knowledge, you create a culture of security and safety and reduce the risk of falling victim to scams or security breaches!

New Server Checklist

Additional Resources

For further information and resources related to Discord server security, consider exploring the following:

By implementing these restricted role permissions and advanced security measures, you can create a more secure and enjoyable environment for your Discord server community.


Have any questions or want to learn more about web3 security and stay up to date on the most current security information, scams, and tactics? Join Boring Security in our discord at https://discord.gg/boringsecurity