Discord Hardening
Discord Safety 101:How To Keep Threats Out of Your Discord Server
Numerous Web3 initiatives utilize Discord extensively to connect with both their communities and internal teams. However, this hasn't gone unnoticed by scammers. They've infiltrated some renowned projects' Discord servers, promoting questionable coins and fraudulent sites aiming to pilfer NFTs and cryptocurrency.
@nftherder consistently reports on these Discord breaches. His findings indicate that in June 2023 alone, 89 web3 projects' Discord servers fell victim to cyber-attacks.
Based on insights from Security Researcher and Safesoul Patrol @ashu_barot, we've curated some strategies to strengthen Discord protection. These strategies can be beneficial for multiple social platforms as well. So please spread the word!
Essential Safety Measures (for all users & admins)
🔵 2FA is Essential: - Boost account security by enabling Two-Factor Authentication. This extra layer, combined with a strong password, greatly bolsters your defense. You can use Authy, Google Auth, or other 2FA apps.
🔵 Strong Passwords: - Every platform needs a unique, strong password. Can't remember them all? A password manager, like LastPass or 1Password, is a game-changer.
🔵 Direct Messages: - Even trusted contacts can get hacked. Always double-check unexpected links, QR Codes or files sent your way. There are instances where scammers offer jobs via DMs in Discord and ask to click dubious links (for ‘verification’), clicking the link leads to the compromise of an account.
🔵Short Links: - You just received a short link, but not sure if it is legit! You don’t want to click it, but is there a way to identify the original link without clicking it? Yes, there is a way. Use services like https://checkshorturl.com
🔵 Connected App Audit: - Periodically review apps connected to Discord under `Settings > Connections`. Remove any you don't recognize or no longer use.
🔵 Update Regularly: - Keep your Discord mobile app, software updated. Regular patches address vulnerabilities, ensuring you have the latest protections.
🔵Files: If someone sends you a file that you don’t trust, try uploading it to virustotal.com, it will analyze the file using signatures from major antivirus vendors and tell if it has been flagged as ‘malicious’.
Looking to dive deeper? Give Any.Run a shot. It's an interactive platform where you can upload files to analyze malware behaviors in a secure sandbox setting. Get a technical understanding of your file's actions.
🔵Sandboxing: - If using Discord on a computer, use software like ‘sandboxie’ to open untrusted files. It provides an isolated environment, so your computer remains safe from dangerous malware, and discord token grabbers.
2. Safeguarding Servers (for discord server admins)
🔵 Server-wide 2FA: - When activated, server-wide 2FA mandates that all your moderators and admins must use 2FA on their accounts to perform tasks like message deletion. All admins and moderators must use 2FA. No exceptions.
More info on 2FA - https://support.discord.com/hc/en-us/articles/219576828-Setting-up-Two-Factor-Authentication
🔵 Disable SMS-based 2FA - SMS as 2FA method is still popular, it's increasingly proven to be vulnerable, especially given the recent surge in sim swapping incidents. For enhanced security, it's advisable to use HMAC-based OTP applications like Authy or Google Authenticator.
🔵 Cold Accounts: - Cold accounts are made solely for admin purposes that need special attention. Ensure they're secured with unique passwords and 2FA. Do not use them for usual interaction.
@jon_hq specializes in Discord security and has suggested a detailed approach for creating cold accounts. https://twitter.com/Jon_HQ/status/1600188358616969216
🔵 Server Roles: - Regularly review who has what permissions. Reserve elevated roles, like 'Administrator', for only those truly necessary.
🔵 Backups: - Custom roles, channels, or configurations? Back them up regularly. It's tedious to recreate lost settings. You can use the ‘server template’ feature of Discord or third-party tools for creating Discord server backups.
🔵 Invite Links: - In case your server is not open to all, review who is allowed to create Invite links. ‘Invite links’ without expiration are risky. Always set expiration and Maximum number of uses for invite links.
Go to server settings → Invites. Review all existing invite links which are not required anymore for all private channels.
🔵AutoMod and Explicit image filter:- Set up these features to streamline moderation and shield your server from spammers, scammers, and raids. Utilize it to filter out particular keywords, slurs, explicit images, and more to uphold a positive ambiance.
🔵 Verification Levels: - Consider ramping up server verification levels. It filters out bots and scammers but maintains a user-friendly balance.
🔵Raid Protection: - Discord has this feature in Beta mode and is enabled for all for now. You can use ‘slow mode’ to prevent chaos. Also, disable usage of ‘@everyone’ to prevent sending notifications to all members.
Read more about Raid protection
🔵 Audit Log - Review audit logs periodically. Discuss with your team members if you notice any unusual activity from their accounts.
🔵Awareness - Be aware of scams in crypto, fake airdrops, pump and dump schemes etc. you can use the Safesoul browser extension to see a warning while visiting dangerous websites and Twitter accounts. SafeSoul patrols diligently flag hacked Twitter profiles, malicious websites, and deceptive airdrops.
Feel free to share the write-up on your discord server. Also tell us, what changes did you make in your discord account/server after reading this thread? Not a server owner? Check what rights you have as a normal user on your favorite servers.