gm gm folks!
In case you missed it, the last post that went out talked through the security foundations for a safe and successful experience in web3. Here are the biggest takeaways:
Use a password manager
Use quality 2FA
Install wallet warning browser extensions
Keep your assets separated by value and how often you need to use that particular wallet
You can read the whole post here!
Subscribe below so you don't miss any future posts.
Takeaways
Discord is a complicated tool that makes it easy for founders to launch their own chat server for their project's community. But that complexity can make it difficult to ensure scammers and spammers can't exploit the unwary members of that community.
Sections
How to filter accounts joining the server
What safety tools are available for admins
Understanding Discord role permissions
Protecting against scammers
Advanced security measures
How to equip the community
Founders aren't typically equipped for or interested in managing social spaces. But if they can't yet afford help, most founders manage their project's community themselves. Community spaces may start on Telegram, or Farcaster channels if you're 😎, but eventually most projects end up on Discord.
Seasoned degens and Telegram expats will be familiar with the scams and know not to interact with sketchy messages, but scammers are always improving their tactics. The bait used to get founders to FOMO can involve VC funding, media features, or partnership requests.
The scams don't end at founders, though: bad actors love to use the social status of founders to lend legitimacy to their scams. So to protect not just themselves, but also all the noobs who like their project, founders need to secure their community against scammers.
In this article, we’ll walk through the flow of joining Discord servers and how to add security features to that process, how to empower mods with automatic monitoring and moderation, and, finally, how to protect the community from dangerous permissions using the Principle of Least Privilege.
How People Join
Now, let’s delve into how people join servers so we understand where we might put restrictions in place. Server join flow involves a new member getting a Discord invite from somewhere and joining the server. This invite might be from the project website or Twitter; it can come from an individual for invite-only servers.
Filtering out Spammers and Scammers
To maintain the security of the whole server, we can put some restrictions on the join process.
Our first line of defense against spam accounts, scammers, and phishing is a Join Gate.
A join gate is a bot with name filters to prevent accounts with inappropriate, suspicious, or impersonator names from entering the server.
Use Discord Automod or bots like Hashbot and Wick to prevent accounts with names like Server Support, Team Admin, and Support Bot from joining your server.
The second barrier is human verification, which helps ensure that only legitimate human users gain access to the server. Similar to captchas on websites, inline captcha bots such as Pandez Guard, Captcha Bot, and Wick put a “proof of humanity” test in place.
Whatever bot you choose to use, do not require DMs or redirects to external websites. All interactions should happen in the public channel.
An inline captcha is the best method of human verification for secure web3 servers.
While you should prevent new joiners from posting until after they pass the join gate and human verification, be careful not to restrict access to read-only channels that prove your server is legitimate. Have some public, read-only channels that newcomers can read to distinguish your server from fake impersonation servers. #announcements, #about-the-project, and #safety-guide, for example.
Once users have joined the server, they can gain more access gradually. Users can choose specific roles for themselves via self-select reaction roles. Use moderation bots like Carl, Dyno, and YAGPDB to create reaction roles and automate role assignments.
Be cautious when using mod bots, as they can be abused if attackers gain access and change the role configurations.
Safety Tools
Discord Safety Setup
To ensure the safety of your Discord server, it is important to implement Discord’s Safety Setup measures. You should:
Enable Raid Protection to defend against a large group of malicious accounts joining at the same time (Server Raid)
Enforce Two-Factor Authentication (2FA) for Moderator accounts to reduce the likelihood of Moderator account takeovers
Set Verification Levels for new joiners to reduce spam and Server Raids
Refer to the Discord support article for details on how to set these three features up. If you want to be extra safe from raids, Beemo is a great low-setup solution for raid protection as well.
Automating Moderation
Automatic moderation (automod) is when you set bots to automatically assign punishments for breaking your server’s rules.
You can use native Discord Automod or customizable mod bots like Carl, Wick, Dyno, or YAGPDB to set up spam filters, link blocking, and other features. The easiest to set up is Discord Automod.
Refer to the Discord Automod FAQ for tutorials.
Beware that you will have to comprehend lots of bot documentation if you decide to use bots for Automod.
Here are the documentation links for the bots referenced above:
I prefer Carl, but all the bots mentioned above are good choices.
Avoid using MEE6 due to its team’s history of hacked accounts and failure to deliver promised web3 features.
For emergencies or immediate security threats, shut down all server activity using lockdown mode from Carl or Wick. These modes restrict posting and give your mods time to remove dangerous posts, administer punishments, and mitigate the risk to your server community.
Finally, you can implement automated mute punishments using native Automod Timeout or mod bots’ Muterole features.
While utilizing mod bots can enhance server management, it’s important to remember that the more bots you have, the higher the risk of any single bot getting compromised and used against you. Therefore, it is crucial to follow the principle of Least Privilege and grant only the necessary permissions to each bot. For example, Collab.Land only requires these permissions:
Manage Roles
Manage Channels
Ban Members
Read Messages
Send Messages
Understanding Role Permissions
Understanding role permissions within Discord is essential for effective moderation. Discord servers utilize a role hierarchy system to assign permissions effectively.
Role Hierarchy: The order in which roles exist. The closer to the top the higher the role.
Discord permissions rely on role hierarchy to determine if an action can be done. For example, you cannot kick someone from the server who has a higher role than you in the hierarchy. Conversely, if a role has the Manage Roles permission, it can change the settings for any role below it in the hierarchy and assign those lower roles to any account.
Permission Overrides
Overrides are permission changes at the category and channel levels.
Overrides will change your default role permissions in those categories and channels.
In addition to the hierarchy, the order in which permissions and overrides are applied matters too. The order of role permissions is: server > category > channel. This means that server-level permissions are applied by default, followed by any overrides at the category level, then finally overrides at the channel level.
I recommend not using channel-specific permission overrides and instead relying on category overrides as much as possible.
Excessive overrides can complicate moderation and make it challenging to keep track of who has what permissions for which channels.
The “view as role” feature, or even reviewing the server with an alt account, can be a valuable ally for administrators to monitor and manage role permissions effectively.
Here is a view of the initial onboarding flow as members gain more access through human verification in a server.
Protecting Against Scammers: The Principle of Least Privilege in Practice
Restrict Dangerous Permissions
Scammers aim to spread phishing links quickly, often by compromising user accounts within your server. To protect against such threats, again, it is crucial to implement the principle of Least Privilege. This approach involves removing “dangerous” permissions from all users.
Some of the “dangerous” permissions that should be carefully controlled and restricted include:
Administrator – unlocks all permissions, including access to bot dashboards, allowing attackers to weaponize your installed bots
Mention @everyone, @here, and All Roles – allows attackers to quickly direct attention to their scam links when they do attack
Kick/Ban Members – these two can be abused to remove your server’s members or even ban your moderation team and prevent you from responding effectively to a server attack; using mod bot commands for kick/ban is usually safer
Manage Webhooks – exposed webhook endpoints allow attackers to post anything (including @everyone mentions) directly into your server, even if you manage to ban all of them
Manage Server – allows attackers to invite or remove bots, change the vanity URL to redirect new joiners to a fake server, and change the server name/icon
Manage Roles – can grant roles lower on the role hierarchy to other users and even yourself, allowing an attacker to escalate their permissions and access other dangerous permissions
Manage Channels – can be used to create fake announcement channels
By limiting these permissions, you reduce the impact scammers can have within your community. Taking such precautions helps ensure that scammers have minimal opportunities to exploit compromised member accounts and spread malicious links.
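To make the "dangerous permissions" list and the bot least-privilege point above (the Collab.Land permission list) something you can actually check, here is an added example that is not code from the post, from Discord, or from Collab.Land. It audits role objects shaped like Discord's role API output (permissions as a decimal string) for the dangerous flags, and reports what a bot holds beyond the permissions it documents as required. The permission bit values are Discord's real API flags; the sample roles and the bot grant are constructed.

```python
"""Least-privilege audit of Discord role and bot permission bitmasks.

Added example, not the post's own code. Input is shaped like the role objects
Discord's API returns (permissions as a decimal string); the roles and the bot
grant below are constructed sample data.
"""

# Discord permission bit flags (real API values).
PERMS = {
    "KICK_MEMBERS": 1 << 1,
    "BAN_MEMBERS": 1 << 2,
    "ADMINISTRATOR": 1 << 3,
    "MANAGE_CHANNELS": 1 << 4,
    "MANAGE_GUILD": 1 << 5,          # "Manage Server" in the UI
    "VIEW_CHANNEL": 1 << 10,         # "Read Messages" in older UI wording
    "SEND_MESSAGES": 1 << 11,
    "EMBED_LINKS": 1 << 14,
    "ATTACH_FILES": 1 << 15,
    "MENTION_EVERYONE": 1 << 17,
    "MANAGE_ROLES": 1 << 28,
    "MANAGE_WEBHOOKS": 1 << 29,
}

# The "dangerous" set from the post, in API flag names.
DANGEROUS = {
    "ADMINISTRATOR", "MENTION_EVERYONE", "KICK_MEMBERS", "BAN_MEMBERS",
    "MANAGE_WEBHOOKS", "MANAGE_GUILD", "MANAGE_ROLES", "MANAGE_CHANNELS",
}


def perm_names(mask):
    """Flag names set in a bitmask (only the flags this audit knows about)."""
    return {name for name, bit in PERMS.items() if mask & bit}


def dangerous_in(mask):
    """Dangerous flags a mask grants; Administrator implies all of them."""
    mask = int(mask)
    if mask & PERMS["ADMINISTRATOR"]:
        return sorted(DANGEROUS)
    return sorted(perm_names(mask) & DANGEROUS)


def audit_roles(roles):
    """{role name: [dangerous flags]} for every role that holds any."""
    findings = {}
    for role in roles:
        flagged = dangerous_in(role["permissions"])
        if flagged:
            findings[role["name"]] = flagged
    return findings


def excess_permissions(granted_mask, required_names):
    """Flags a bot holds beyond the set it documents as required."""
    required = 0
    for name in required_names:
        required |= PERMS[name]
    return sorted(perm_names(int(granted_mask) & ~required))


def mask_of(*names):
    """Helper for building sample data: decimal string of the given flags."""
    mask = 0
    for name in names:
        mask |= PERMS[name]
    return str(mask)


# Constructed sample roles, shaped like GET /guilds/{guild.id}/roles output.
SAMPLE_ROLES = [
    {"name": "@everyone", "permissions": "0"},
    {"name": "Verified Human", "permissions": mask_of("VIEW_CHANNEL", "SEND_MESSAGES")},
    {"name": "Full Community Member", "permissions": mask_of("EMBED_LINKS", "ATTACH_FILES")},
    # A helper role that drifted into dangerous territory over time.
    {"name": "Helper", "permissions": mask_of("VIEW_CHANNEL", "SEND_MESSAGES",
                                              "MENTION_EVERYONE", "MANAGE_WEBHOOKS")},
    {"name": "Mod", "permissions": mask_of("VIEW_CHANNEL", "SEND_MESSAGES",
                                           "KICK_MEMBERS", "BAN_MEMBERS", "MANAGE_CHANNELS")},
]

# The Collab.Land requirement list from the post, plus a constructed grant
# that hands the bot two permissions it never asked for.
COLLAB_LAND_REQUIRED = ["MANAGE_ROLES", "MANAGE_CHANNELS", "BAN_MEMBERS",
                        "VIEW_CHANNEL", "SEND_MESSAGES"]
BOT_GRANTED = mask_of(*COLLAB_LAND_REQUIRED, "MANAGE_GUILD", "MENTION_EVERYONE")


if __name__ == "__main__":
    for name, flags in audit_roles(SAMPLE_ROLES).items():
        print(f"role {name!r} holds dangerous permissions: {', '.join(flags)}")
    extra = excess_permissions(BOT_GRANTED, COLLAB_LAND_REQUIRED)
    print(f"bot holds beyond its documented needs: {', '.join(extra) or 'nothing'}")
```

The output is a review worklist, not a verdict: a Mod role legitimately holds Kick/Ban, but the point of running this after every settings change is to notice when a role like "Helper" quietly picks up Mention @everyone or Manage Webhooks, or when a bot's grant grows past what it documents.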
Additive Permissions
Think of the following Member/Admin/Owner sections as increasing permissions from 0, rather than the reverse. Additive, not subtractive permissions.
Member Accounts
When setting permissions for member accounts, it is crucial to apply the principle of Least Privilege.
Instead of using subtractive permissions, where lower-tier roles have limitations, utilize additive permissions. This means that higher-tier roles gain additional access and permissions at the server level.
Additive permissions are easier to moderate and simpler when dealing with category and channel overrides.
Click through the possible role combinations using the “View as role” feature to confirm permission settings.
To apply the Least Privilege Principle, you can establish a tiered system for additive member permissions as follows, starting from least access and increasing permissions:
Everyone: Lowest permissions, almost nothing. Has no permissions at the server level, has a category override for view-only access in read-only channels like #announcements and #about-the-project, and can view the human verification channel.
Verified Human: Server-level View Channels, read/write access to public community spaces, and the ability to post and engage in voice channels.
Full Community Member: Server-level perms to post links, embed content, share images, and more.
By implementing this tiered approach, you ensure that each member has access to the appropriate features while minimizing the potential for abuse by attackers and confusion for moderators. Additionally, web3 communities might use token-gating bots like Collab.Land to grant Full Community Member roles based on wallet holdings.
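The server > category > channel ordering described under Permission Overrides and the additive tiers above can be checked with a small calculator. This is an added example, not code from the post or from Discord: the role masks, category layout and override values are constructed assumptions chosen to match the Everyone / Verified Human / Full Community Member tiers, while the permission bit values are Discord's real API flags. Within one level it applies the @everyone override first and then the member's role overrides (all denies, then all allows), which is the order Discord documents for overwrites; applying the category's overrides and then the channel's is the post's description, simplified (in Discord itself a channel either syncs to its category's overwrites or carries its own).

```python
"""Effective-permission calculator for the additive, tiered role model above.

Added example, not code from the post. Role masks, categories and overrides
are constructed assumptions; the bit values are Discord's real API flags.
"""

ADMINISTRATOR = 1 << 3
VIEW_CHANNEL = 1 << 10
SEND_MESSAGES = 1 << 11
MANAGE_MESSAGES = 1 << 13
EMBED_LINKS = 1 << 14
ATTACH_FILES = 1 << 15
CONNECT = 1 << 20
SPEAK = 1 << 21
ALL = (1 << 40) - 1  # stand-in for "every permission bit" (assumption)

NAMES = {
    ADMINISTRATOR: "Administrator", VIEW_CHANNEL: "View Channel",
    SEND_MESSAGES: "Send Messages", MANAGE_MESSAGES: "Manage Messages",
    EMBED_LINKS: "Embed Links", ATTACH_FILES: "Attach Files",
    CONNECT: "Connect", SPEAK: "Speak",
}
EVERYONE = "@everyone"

# Server-level role permissions. Additive: a member keeps every tier up to
# theirs, so each role carries only what that tier adds.
ROLES = {
    EVERYONE: 0,
    "Verified Human": VIEW_CHANNEL | SEND_MESSAGES | CONNECT | SPEAK,
    "Full Community Member": EMBED_LINKS | ATTACH_FILES,
    "Moderator": MANAGE_MESSAGES,
    "Admin": ADMINISTRATOR,
}

# Overrides are {role: (allow_mask, deny_mask)}, per category and per channel.
CATEGORY_OVERRIDES = {
    "Read Only": {EVERYONE: (VIEW_CHANNEL, SEND_MESSAGES)},
    "Onboarding": {EVERYONE: (VIEW_CHANNEL | SEND_MESSAGES, 0)},
    "Community": {},
}
CHANNEL_CATEGORY = {
    "#announcements": "Read Only",
    "#about-the-project": "Read Only",
    "#verify": "Onboarding",
    "#general": "Community",
    "#mod-log": "Community",
}
CHANNEL_OVERRIDES = {
    # The one channel-level override: hide the mod channel from everyone,
    # then let Moderator back in.
    "#mod-log": {EVERYONE: (0, VIEW_CHANNEL), "Moderator": (VIEW_CHANNEL, 0)},
}


def apply_overrides(perms, member_roles, overrides):
    """One level of overrides: @everyone first, then the member's roles
    (all denies, then all allows)."""
    allow_e, deny_e = overrides.get(EVERYONE, (0, 0))
    perms = (perms & ~deny_e) | allow_e
    allow = deny = 0
    for role in member_roles:
        if role != EVERYONE and role in overrides:
            role_allow, role_deny = overrides[role]
            allow |= role_allow
            deny |= role_deny
    return (perms & ~deny) | allow


def effective_permissions(member_roles, channel):
    """Server base perms -> category overrides -> channel overrides."""
    roles = [EVERYONE, *member_roles]
    perms = 0
    for role in roles:
        perms |= ROLES[role]
    if perms & ADMINISTRATOR:      # Administrator bypasses every override
        return ALL
    perms = apply_overrides(perms, roles, CATEGORY_OVERRIDES[CHANNEL_CATEGORY[channel]])
    perms = apply_overrides(perms, roles, CHANNEL_OVERRIDES.get(channel, {}))
    if not perms & VIEW_CHANNEL:   # without View Channel nothing else applies
        return 0
    return perms


def can(member_roles, channel, permission):
    return bool(effective_permissions(member_roles, channel) & permission)


def view_as(member_roles):
    """What "View as role" would show: readable permission names per channel."""
    return {
        channel: [name for bit, name in NAMES.items()
                  if effective_permissions(member_roles, channel) & bit]
        for channel in CHANNEL_CATEGORY
    }


if __name__ == "__main__":
    for tier in ([], ["Verified Human"], ["Verified Human", "Full Community Member"]):
        print(tier or [EVERYONE])
        for channel, perms in view_as(tier).items():
            print(f"  {channel:20} {', '.join(perms) or '(no access)'}")
```

Running it prints the same matrix you would click through with "View as role": a fresh joiner sees only the read-only channels and #verify, a Verified Human can read #announcements but not post there, and only the Full Community Member tier picks up Embed Links and Attach Files in #general.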
Admin Accounts
Administrator and moderator accounts are valuable targets for scammers. These accounts have high-level permissions and often have access to the “dangerous permissions” described above. Compromising these accounts can give attackers access to scam the entire server if the server is not following Least Privilege principles. To protect these high-value accounts, several security measures should be in place:
Enforce two-factor authentication (2FA) for all moderator accounts.
Moderators can enable their 2FA by following this Discord guide.
Server owners can enforce 2FA for moderators in:
Server Settings > Safety Setup > Permissions
Assume that any account can become compromised at any time. Applying Least Privilege principles to restrict even moderator permissions protects everyone in your community from the actions of compromised accounts.
Consider utilizing automated security solutions like Wick or Good Knight.
Wick offers reactive Quarantine settings that respond to account actions but requires careful configuration and trust in the bot.
Good Knight provides pre-emptive security measures by allowing mods to temporarily escalate permissions as needed. After a short time window, GK automatically removes dangerous permissions, ensuring that even compromised admin and mod accounts cannot use those dangerous permissions. Prevent scammers from exploiting permissions with GK’s additional layer of password and 2FA protection.
Special Case: Server Owner
Assigning the server owner role to a “cold” account, separate from the day-to-day accounts for admins, is a wise practice. This setup ensures that the server owner always maintains the highest level of access on a secure account, even if other administrators’ accounts are compromised. Use this precautionary measure to safeguard your server and maintain control of critical settings and permissions. Follow Discord’s instructional article to transfer server ownership.
Advanced Security Measures
To bolster the security of your Discord server, consider implementing the following advanced security measures:
Protect your server’s vanity invite https://discord.gg/{fancy_name}. Keep your server boosts topped up and restrict the Manage Server permission to prevent compromised accounts from swapping your vanity URL to a fake phishing URL.
Utilize regular expression (regex) filtering with native Automod features. Using text pattern-matching, filter out specific types of spam and unwanted content while ensuring that genuine messages from the community are not affected. For example, this would allow you to keep excessive gms to a #gm channel only.
Install tools like f1rewall to add another layer of security by implementing a CAPTCHA verification process before users can access the Discord invite to join your server. See f1rewall in action on the PoolTogether website.
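The "gm only in #gm" regex filter is a good one to test before enabling, because a sloppy pattern blocks genuine messages. As an added example that is not from the post or from Discord, here is that rule written in the field names of Discord's Create Auto Moderation Rule payload, plus a local Python emulation that runs the pattern over constructed messages to check for false positives. The channel IDs are placeholder snowflakes; Discord evaluates regex_patterns with a Rust-flavored engine, so Python's re is only a stand-in for a pattern this simple.

```python
"""Local check of an Automod regex rule before it goes live.

Added example, not the post's code. The dict follows the field names of
Discord's auto-moderation rule payload; the IDs and messages are constructed.
"""
import re

GM_CHANNEL_ID = "111111111111111111"       # placeholder snowflake for #gm
GENERAL_CHANNEL_ID = "222222222222222222"  # placeholder snowflake for #general

# Matches messages that consist only of "gm"-style greetings ("gm", "GM!!",
# "gm gm gm"), and nothing with real content after the greeting.
GM_ONLY_PATTERN = r"(?i)^\s*(g+m+[!.~]*\s*)+$"

GM_RULE = {
    "name": "gm only in #gm",
    "event_type": 1,                 # MESSAGE_SEND
    "trigger_type": 1,               # KEYWORD: keyword_filter / regex_patterns
    "trigger_metadata": {"regex_patterns": [GM_ONLY_PATTERN]},
    "actions": [{"type": 1}],        # BLOCK_MESSAGE
    "exempt_channels": [GM_CHANNEL_ID],
    "enabled": True,
}


def rule_blocks(rule, channel_id, content):
    """Emulate the rule locally: True if Automod would block this message."""
    if not rule.get("enabled", True):
        return False
    if channel_id in rule.get("exempt_channels", []):
        return False
    patterns = rule["trigger_metadata"].get("regex_patterns", [])
    return any(re.search(pattern, content) for pattern in patterns)


def run_filter(rule, messages):
    """(channel_id, content, blocked) for each constructed message."""
    return [(cid, text, rule_blocks(rule, cid, text)) for cid, text in messages]


# Constructed test traffic: the last two are the false positives to watch for.
SAMPLE_MESSAGES = [
    (GENERAL_CHANNEL_ID, "gm"),
    (GENERAL_CHANNEL_ID, "GM GM!!"),
    (GM_CHANNEL_ID, "gm gm gm"),
    (GENERAL_CHANNEL_ID, "gm everyone, shipping today"),
    (GENERAL_CHANNEL_ID, "good morning"),
]

if __name__ == "__main__":
    for cid, text, blocked in run_filter(GM_RULE, SAMPLE_MESSAGES):
        where = "#gm" if cid == GM_CHANNEL_ID else "#general"
        print(f"{where:9} {'BLOCK' if blocked else 'allow'}  {text!r}")
```

Keep the pattern anchored at both ends: without `^` and `$` the same rule would also swallow "gm everyone, shipping today", which is exactly the kind of genuine message the post says the filter must leave alone.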
Equipping the Community with Tools and Knowledge
To empower your community and enhance their ability to protect themselves, add the following features:
Tools
Provide reporting tools to enable community members to report suspicious activities or potential scams. Use Discord bots like Shield or ChainPatrol for scam reporting and URL checking within Discord.
Encourage everyone to use transaction simulation extensions to help community members verify the safety of transactions and avoid potential scams. I recommend tools like Pocket Universe, Wallet Guard, Revoke.cash, Stelo, and JoinFire.
Create a #scam-alert channel within your community to keep everyone aware of ongoing scams and potential threats.
Use Discord’s Follow feature to get alerts from established security communities like Boring Security and Server Forge.
Knowledge
Educate your community about basic security measures to keep their Discord accounts and personal information protected.
Share resources such as security threads and information on potential threats related to socially-engineered FOMO, bookmarklets, and QR codes.
Register your community for a Security 101 session with Boring Security by reaching out to an @Mod on the Boring Security Discord!
Additional Resources
For further information and resources related to Discord server security, explore the following:
Glossary of security terms: A comprehensive list of security terms to familiarize yourself with
Bankless Academy security lesson: An async security lesson provided by Bankless Academy to enhance your understanding of web3 security
Boring Security classes: Free live classes and free resources offered by Boring Security to deepen your knowledge of Discord server security
Watch out for scam OAuth lookalikes
Mindmap of scam types and how they work
By implementing these restricted role permissions and advanced security measures, you can create a more secure and enjoyable environment for your Discord server community.
This post was originally published as an article on Boring Security.