gm gm folks!

In case you missed it, last post that went out talked through the security foundations for a safe and successful experience in web3. Here are the biggest takeaways:

You can read the whole post here!

Personal security foundations for web3 and beyond

Protect your digital life in web3 with these top eight tips for security. Learn about password managers, 2FA, wallet bookmarks, wallet silos, and more. Stay safe in the decentralized world!

https://paragraph.xyz

Subscribe below so you don't miss any future posts.

Takeaways

Sections

• How to filter accounts joining the server

• What safety tools are available for admins

• Understanding Discord role permissions

• Protecting against scammers

• Advanced security measures

• How to equip the community

Founders aren't typically equipped for or interested in managing social spaces. But if they can't yet afford it, most founders manage their project's community themselves. Community spaces may start on telegram, or FarCaster channels if you're 😎, but eventually most projects end up on Discord.

Seasoned degens and telegram expats will be familiar with the scams and know not to interact with sketchy messages, but scammers are always improving their tactics. The bait to get founders to FOMO can involve VC funding, media features, or partnership requests.

The scams don't just end at founders though, bad actors love to use the social status of founders to lend legitimacy to their scams. So to protect not just themselves, but also all the noobs who like their project, founders need to secure their community against scammers.

In this article, we’ll walk through the flow of joining Discord servers and how to add security features to that process, how to empower mods with automatic monitoring and moderation, and, finally, how to protect the community from dangerous permissions using the Principle of Least Privilege.

How People Join

Now, let’s delve into how people join servers so we understand where we might put restrictions in place. Server join flow involves a new member getting a Discord invite from somewhere and joining the server. This invite might be from the project website or Twitter; it can come from an individual for invite-only servers.

Filtering out Spammers and Scammers

To maintain the security of the whole server, we can put some restrictions on the join process.

Our first line of defense against spam accounts, scammers, and phishing is a Join Gate.

Use Discord Automod or bots like Hashbot and Wick to prevent accounts with names like Server Support, Team Admin, and Support Bot from joining your server.

The second barrier is human verification, which helps ensure that only legitimate human users gain access to the server. Similar to captchas on websites, inline captcha bots such as Pandez Guard, Captcha Bot, and Wick put a “proof of humanity” test in place.

Whatever bot you choose to use, do not require DMs or redirects to external websites. All interactions should happen in the public channel.

While you should prevent new joiners from posting until after they pass the join gate and human verification, be careful not to restrict access to read-only channels that prove your server is legitimate. Have some public, read-only channels that newcomers can read to distinguish your server from fake impersonation servers. #announcements, #about-the-project, and #safety-guide, for example.

Once users have joined the server, they can gain more access gradually. Users can choose specific roles for themselves via self-select reaction roles. Use moderation bots like Carl, Dyno, and YAGPDB to create reaction roles and automate role assignments.

Safety Tools

Discord Safety Setup

To ensure the safety of your Discord server, it is important to implement Discord’s Safety Setup measures. You should:

1. Enable Raid Protection to defend against a large group of malicious accounts joining at the same time (Server Raid)

2. Enforce Two-Factor Authentication (2FA) for Moderator accounts to reduce likelihood of Moderator account takeovers

3. Set Verification Levels for new joiners to reduce spam and Server Raids

Refer to the Discord support article for details on how to set these three features up. If you want to be extra safe from raids, Beemo is a great low-setup solution for raid protection as well.

Automating Moderation

You can use native Discord Automod or customizable mod bots like Carl, Wick, Dyno, or YAGPDB to set up spam filters, link blocking, and other features. The easiest to set up is Discord Automod.

Beware that you will have to comprehend lots of bot documentation if you decide to use bots for Automod.

Here are the documentation links for the bots referenced above:

• Carl

• Wick

• Dyno

• YAGPDB

I prefer Carl, but all the bots mentioned above are good choices.

For emergencies or immediate security threats, shut down all server activity using lockdown mode from Carl or Wick. These modes restrict posting and give your mods time to remove dangerous posts, administer punishments, and mitigate the risk to your server community.

Finally, you can implement automated mute punishments using native Automod Timeout or mod bots’ Muterole features.

While utilizing mod bots can enhance server management, it’s important to remember that the more bots you have, the higher the risk of any single bot getting compromised and used against you. Therefore, it is crucial to follow the principle of Least Privilege and grant only the necessary permissions to each bot. For example, Collab.Land only requires these permissions:

1. Manage Roles

2. Manage Channels

3. Ban Members

4. Read Messages

5. Send Messages

Understanding Role Permissions

Understanding role permissions within Discord is essential for effective moderation. Discord servers utilize a role hierarchy system to assign permissions effectively.

Discord permissions rely on role hierarchy to determine if an action can be done. For example, you cannot kick someone from the server who has a higher role than you in the hierarchy. Conversely, if a role has Manage Roles permission, it can change the settings for any role below it in the hierarchy and assign those lower roles to any account.

Permission Overrides

Overrides are permission changes at the category and channel levels.

In addition to the hierarchy, what order permissions and overrides are applied in matter too. The order of role permissions is: server > category > channel. This means that server-level permissions are applied by default, followed by any overrides at the category level, then finally overrides at the channel level.

Excessive overrides can complicate moderation and make it challenging to keep track of who has what permissions for which channels.

The “view as role” feature, or even reviewing the server with an alt account, can be a valuable ally for administrators to monitor and manage role permissions effectively.

Here is a view of the initial onboarding flow as members gain more access through human verification in a server.

Protecting Against Scammers: The Principle of Least Privilege in Practice

Restrict Dangerous Permissions

Scammers aim to spread phishing links quickly, often by compromising user accounts within your server. To protect against such threats, again, it is crucial to implement the principle of Least Privilege. This approach involves removing “dangerous” permissions from all users.

Some of the “dangerous” permissions that should be carefully controlled and restricted include:

• Administrator – unlocks all permissions, including access to bot dashboards allowing attackers to weaponize your installed bots

• Mention @everyone, @here, and All Roles – allows attackers to quickly direct attention to their scam links when they do attack

• Kick/Ban Members – these two can be abused to remove your server’s members or even ban your moderation team and prevent you from responding effectively to a server attack - using mod bot commands for kick/ban is usually safer.

• Manage Webhooks – exposed webhook endpoints allow attackers to post anything (including @everyone mentions) directly into your server, even if you manage to ban all of them

• Manage Server – allows attackers to invite or remove bots, change vanity URL to redirect new joiners to a fake server, change server name/icon

• Manage Roles – can grant roles lower on the role hierarchy to other users and even yourself, allowing for an attacker to escalate their permissions and access other dangerous permissions

• Manage Channels – can be used to create fake announcement channels

By limiting these permissions, you reduce the impact scammers can have within your community. Taking such precautions helps ensure that scammers have minimal opportunities to exploit compromised member accounts and spread malicious links.

Additive Permissions

Think of the following Member/Admin/Owner sections as increasing permissions from 0, rather than the reverse. Additive, not subtractive permissions.

Member Accounts

When setting permissions for member accounts, it is crucial to apply the principle of Least Privilege.

Instead of using subtractive permissions, where lower-tier roles have limitations, utilize additive permissions. This means that higher-tier roles gain additional access and permissions at the server level.

Click through the possible role combinations using the “View as role” feature to confirm permission settings.

To apply the Least Privilege Principle, you can establish a tiered system for additive member permissions as follows, starting from least access and increasing permissions:

• Everyone: Lowest permissions, almost nothing. Has no permissions at the server level, has category override for view-only access in read-only channels like #announcements and #about-the-project, and can view the human verification channel.

• Verified Human: Server-level view channels, read/write access to public community spaces, enable members to post and engage in voice channels.

• Full Community Member: Server-level perms to post links, embed content, share images, and more.

By implementing this tiered approach, you ensure that each member has access to the appropriate features while minimizing the potential for abuse by attackers and confusion for moderators. Additionally, web3 communities might use token-gating bots like Collab.Land to grant Full Community Member roles based on wallet holdings.

Admin Accounts

Administrator and moderator accounts are valuable targets for scammers. These accounts have high-level permissions and often have access to the “dangerous permissions” described above. Compromising these accounts can give attackers access to scam the entire server if the server is not following Least Privilege principles. To protect these high-value accounts, several security measures should be in place:

• Enforce two-factor authentication (2FA) for all moderator accounts.

  • Moderators can enable their 2FA by following this Discord guide.

• Assume that any account can become compromised at any time. Applying Least Privilege principles to restrict even moderator permissions protects everyone in your community from the actions of compromised accounts.

• Consider utilizing automated security solutions like Wick or Good Knight.

  • Wick offers reactive Quarantine settings that respond to account actions but requires careful configuration and trust in the bot.

  • Good Knight provides pre-emptive security measures by allowing mods to temporarily escalate permissions as needed. After a short time window, GK automatically removes dangerous permissions, ensuring that even compromised admin and mod accounts cannot use those dangerous permissions. Prevent scammers from exploiting permissions with GK’s additional layer of password and 2FA protection.

Special Case: Server Owner

Assigning the server owner role to a “cold” account, separate from the day-to-day accounts for admins, is a wise practice. This setup ensures that the server owner always maintains the highest level of access on a secure account, even if other administrators’ accounts are compromised. Use this precautionary measure to safeguard your server and maintain control of critical settings and permissions. Follow Discord’s instructional article to transfer server ownership.

Advanced Security Measures

To bolster the security of your Discord server, consider implementing the following advanced security measures:

• Protect your server’s vanity invite https://discord.gg/{fancy_name}. Keep your server boosts topped up and restrict the Manage Server permission to prevent compromised accounts from swapping your vanity URL to a fake phishing URL.

• Utilize regular expression (regex) filtering with native Automod features. Filter out specific types of spam and unwanted content while ensuring that genuine messages from the community are not affected using text pattern-matching. For example, this would allow you to keep excessive gms to a #gm channel only.

• Install tools like f1rewall to add another layer of security by implementing a CAPTCHA verification process before users can access the Discord invite to join your server. See f1rewall in action on the PoolTogether website.

Equipping the Community with Tools and Knowledge

To empower your community and enhance their ability to protect themselves, add the following features:

Tools

• Provide reporting tools to enable community members to report suspicious activities or potential scams. Use Discord bots like Shield or ChainPatrol for scam reporting and URL checking within Discord.

• Encourage everyone to use transaction simulation extensions to help community members verify the safety of transactions and avoid potential scams. I recommend tools like Pocket Universe, Wallet Guard, Revoke.cash, Stelo, and JoinFire.

• Create a #scam-alert channel within your community to keep everyone aware of ongoing scams and potential threats.

• Use Discord’s Follow feature to get alerts from established security communities like Boring Security and Server Forge.

Knowledge

• Educate your community about basic security measures to keep their Discord accounts and personal information protected.

• Share resources such as security threads and information on potential threats related to socially-engineered FOMO, bookmarklets, and QR codes.

• Register your community for a Security 101 session with Boring Security by reaching out to an @Mod on the Boring Security discord!

Additional Resources

For further information and resources related to Discord server security, explore the following:

• Glossary of security terms: A comprehensive list of security terms to familiarize yourself with

• Bankless Academy security lesson: An async security lesson provided by Bankless Academy to enhance your understanding of web3 security

• Boring Security classes: Free live classes and free resources offered by Boring Security to deepen your knowledge of Discord server security

• Watch out for scam OAuth lookalikes

• Mindmap of scam types and how they work

• Discord Security thread of threads

By implementing these restricted role permissions and advanced security measures, you can create a more secure and enjoyable environment for your Discord server community.

This post was originally published as an article on Boring Security.