Dr. Grom's Sandbox No. 1 - Discord security guide

Introduction

Hi, I'm Dr_GromDr_Grom, Admin of the German branch and the International Translation Archive, and today I'd like to show you how to configure your Discord server for basic security and I will tell you a bit about how role management works, which often is found confusing.

Raids: Of course it is not completely possible to prevent a raid by organizational steps, but you can make it harder for raiders to attack your server, you can limit the damage they can do to a minimum and you can make it unsatisfying for them.

Malicious bots: On Discord, there are bots that are no Discord bots like KIRA or the often used uber-bot. They are more comparable to a web-crawler. Discord bots use an API to access Discord, a special form of account and are marked as bots and have certain abilities and restrictions. One of the restrictions is, that they can only enter a server when an admin allows them to.

However, like everywhere on the internet, there are people with malicious intentions. They use this web-crawler like bots with a normal account, like one for a person. Discord is displayed basically as a website either in a browser or a desktop or mobile app. Servers and channels are just sub-pages. All information displayed to you is sent to your device and therewith also to the crawler. And even more, as not all information is visible. So it is quite easy for someone to write a bot that just accesses all possible combinations of server links until it finds a working link and enters a server. With this attempt to scan Discord for servers by brute force, it is possible to gather the following information:

  • Link and name of a server and owner
  • List of channels and role requirements (not sure if hidden channels can still be scanned)
  • List of users, their roles, connected services, game activity and server owner
  • Other servers that are linked somewhere
  • All messages on all accessible channels

By analyzing this meta-data, they can find security leaks that could be useful to attack the server and assess the attackability by raids and advertisement bots. And there are some that send private messages to users or their names are server links that are embedded by their welcome message.

But, in my opinion more importantly, they can pull the following personal information about your users:

  • Global nick, server nick and IDs
    • Therewith on what servers they are when other servers they are on are scanned
  • Connected services like Steam account, Twitter account etc.
    • What songs they listen to
    • What games they play
  • What status (online, offline etc.) they have at what time of day
    • Upon long term scan they can find the approximate timezone and habits when to access Discord on what day
  • Personal information from descriptive roles like age, gender/sex, origin, ethnicity, political and religious alignment, fetishes etc.
  • And of course, with the given scanning time, lots of information from each users posts:
    • The actual information from the posts
    • What information is posted at what time of day and in general, all activity in relation to the time
    • How long are the messages
    • Spelling misstakes and relations to message lengths and time of day, and maybe the device
    • Writing style and use of formating and emojis
    • Type of information and writing style in relation to the purpose of a channel
    • And a lot more

"But Grom, who is going to sit there and assess all this information? Those are so many data sets and maybe millions of posts…"
Well, powerful AIs are. Memory space is as cheap as ever. They don't analyze all of your posts. They store it all and filter for certain words or phrases or for certain meta-data, like your posts after a certain event or at a certain time of day.

"But Grom, what would they want with that data?"
They sell it! Ever heard of Cambridge Analytica? Ever heard of alleged election manipulation by Facebook? They don't care for you as a person. For them, you and your users are an asset. Products they can make money with. It is up to you to make it as hard for them as possible.

But do not fret! There are measures to reduce their access to a minimum.

1. Understanding Discord role permissions

Yes, we start with the basics. Discord permissions are often misunderstood and to know what you are doing as an admin, you must know how they work.

There are two places where you can set up permissions: The basic role settings and the channel/category permissions.

They differ most by how permissions are set and how they are not set.

basic-role-settings.jpg

Basic role settings

In the basic settings, you can only allow permissions. You can not forbid anything.
Green: Allowed
Grey: Inherit
That means, that everything that is allowed for any role a user has is allowed for the user. The only way to make a user unable to do a thing is not to allow it.

channel-settings.jpg

Channel/category settings

In the channel/category permission settings, you can allow, inherit and deny.
Green: Allowed
Grey: Inherit
Red: Denied
However, permissions/denials are always counted from the highest role a user has. This is useful for mute-roles. Only interited settings are taken from the next lower role that allows or denies it.

To maintain overview, I strongly adivse to only allow/deny abilities once if possible. I advise to keep everything to inherit as much as possible.

1.1 Role structure

There are four reasons, besides being silly, to have roles:

  1. Permissions
  2. Pingability
  3. Displaying attributes by color (like admin/mod status)
  4. Attributes like age, gender, religion etc.

I personally advise to refrain from the fourth to keep roles tidy, buuut many have them anyways.
1-3 usually serve as user groups, while 4 is more like some sort of attribute-tag.
As such, I advise to combine 1-3 in one or two roles per user if possible. Tidyness and a good structure is mandatory for a good administration.

Meaning I advise you have one role for one thing. The less, the better. But more about that later.

2. Channel setting

As Discord itself provides *no* protection against this bots and against raiders, we will build ourselves a nice little Captcha. But as we can't build an actual Captcha, we will set up a channel that serves for the same purpose. I will call this the #welcome channel now. The #welcome channel will serve as a dead end for new users of all sort. They will only be able to see this channel and other users without member-roles as well as the owner and users with admin rights, and other users that can access this channel by their role. I advise to keep the amount of people who can access this channel to a minimum, and to prune it from inactive users who joined and did nothing else once and a while.

2.1 Channel/category structure

I advise to use categories to set up channel permissions. This is the most easy way to manage channels.

I advise for the following categories:

  • #welcome: This channel has own settings, and can be placed outside of the categories.
  • Info channels: All members can read, but only staff can post and edit. For example rules and news.
  • Channels for all members
  • Channels for older members: Usefull to keep newbies who do not know the ropes yet out of more sensitive topics. Optional though advised for medium sized servers.
  • Staff channels: Like a channel to talk about who to kick, a bot channel etc.

Unless a channel needs additional permissions, always keep the channel permissions synchronized with the category and only change them there.

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License