Discord for the newish Server Admin

Lynx Helek
10 min read · May 18, 2022


This article will focus on setting up your Discord server to prepare for a larger audience. I will write a Discord 101 for the user later on down the road, but Sirny asked me a couple of questions about Discord this morning and it reminded me that I should post a primer for Discord admins sooner rather than later. It is a good read for anyone using Discord, but if you have next to no experience on Discord, some of the terminology may read like Greek to you until you become a bit more familiar with navigating your way around.

I’m an OG IRC user… as in the days when you had to telnet into a Unix or Linux server to connect to IRC before we had fancy IRC clients with GUIs. Yes. I’m that old on the internet. I think I was born on the internet. If you happen to know what I’m talking about already then you might be old enough to recall the days of the net splits when the EFNET protocol was adopted to resolve the latency in packets that were known to be vulnerable to exploits. So when I landed on Discord sometime back in 2015 or 2016-ish, it was like returning home for me. Yes, I still giggle when people call # a hashtag. It’s called POUND, people. We used to use a command to send a message to a channel instead of having pretty interfaces where you selected the channel to send your message: /msg #channel Hey, what’s up people? No lie, I still remember these commands in my sleep and quite frankly I wish they worked on Discord, although the pretty interface certainly does keep the channel threads neatly organized.

In short, I ended up on Discord back in the days of my competitive gaming. I won’t lie, I was known to flood a few servers offline during competitive raids. The boys with AnimaX still cry, much like AX2 still cries over my season of brutal suppression where my crew sent them home with no rewards after 45 days of campaigning. As nice and sweet and helpful as I am in the web3 space, I’m a brutal gamer and I make no apologies for owning the other team. When the other side decides to play dirty, I give a 48 hour warning with an “are you sure?” message and then proceed to burn them. I do not consider myself a hacker. I’m really not that skilled. But some exploits are just easy, much like finding your way into a root directory through an unsecured CGI bin back in the 90s. And no, I’m not behind any of the Discord exploits in Crypto or Web3. It’s one thing to do it when gaming (because we all do it in the gaming industry), and it’s another to do it to people’s livelihoods and bank accounts. I did, however, learn a lot about Discord security through my exploits in the gaming world.

The rest of this article will focus on how you stop someone with ill intent from damaging your Discord server with some basic server setup. It will not harden your server against every attempt and attack, but it does stop most of the nefarious actors. And by the way, before you freak out after hearing about the “God” command on Discord, that’s been fixed and it no longer works. But it used to work ;)

Landing Room

Please, please, pretty please, for the love of all people on your server, use a landing room for server joins. A landing room is the channel someone sees when they first join the server. They should not see any other community channels other than the landing room when first joining. In the good ol’ days, the server admins would manually verify that the account that recently joined was in fact a human being and not a spam bot, and then assign a security role to the account so that it could join the community. Once the security role has been assigned, the landing room is no longer visible to the account that just joined. Now you have bots that can do react roles to auto-assign the security role, which makes this even easier. Why do this?

  1. It keeps your server membership roster protected. This means the people on your server are less likely to receive malicious DMs, because those bots never get access to their Discord usernames in the first place and so cannot message them. This is helpful in the web3 space where we are constantly on the lookout for malicious links in DMs. From a gamer perspective, it keeps your membership roster private so the opposing team is not necessarily aware of who you’re working with on your server.
  2. If a spam bot joins your server, such as a porn bot, the spam messages will be dumped in your landing room where only your server bots and admins will see them. This means you did not just subject your general chat to a flood of spam messages, especially if the spam contained offensive content (as it usually does: hate speech, porn, or death threats).
  3. You’re verifying that the people in your general chat are active accounts at the time they joined. This doesn’t preclude someone from sneaking their way onto your server and then launching the bot behind the account, but this is actually not as straightforward to do as you would think and requires someone with a little bit of coding skill to make it happen.

Steps required for your landing room. Please follow them, or I will be annoyed and will want to leave your server as quickly as I joined:

  1. Create a channel where only the following roles have the View Channel permission: Admins, @everyone, and your security bot (note: your non-security bots should not be able to see the landing room either). Remove View Channel for every other security role. You can confirm who can see the channel from the right-hand member list, which shows who is present in that channel.
  2. For the @everyone role, remove the ability to send any messages to the channel or use emojis to react to messages.
  3. Add a role react menu from a bot like YAGPDB (see documentation here: https://docs.yagpdb.xyz/tools-and-utilities/self-assignable-roles).
  4. Use the Discord server settings to view the server as the @everyone role and verify that you cannot see any channels other than the landing room. Use the same feature to verify that members holding a security role can no longer see the landing room. Your server admins should see all channels regardless.
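Step 4 is a manual check; as an added example (not from the article, and not Discord's code), here is the same check as a script that models Discord's documented permission-overwrite resolution and audits a constructed landing-room layout. The role and channel names are assumptions; the administrator short-circuit matches what the role hierarchy section below says about the Server Admin role.

```python
# Added example (not the article's or Discord's own code): Discord's documented
# permission-overwrite resolution, used to audit the landing-room layout above.
# Role and channel names below are constructed for the example.
VIEW_CHANNEL, SEND_MESSAGES, ADD_REACTIONS = 1 << 10, 1 << 11, 1 << 6
ADMINISTRATOR = 1 << 3

def compute_permissions(member_roles, roles, overwrites):
    """Effective channel permissions for a member holding `member_roles`.
    roles: {role: base bits} (must include "@everyone"); overwrites: {role: (allow, deny)}.
    Order per Discord docs: base roles -> @everyone overwrite -> member's role overwrites."""
    base = roles["@everyone"]
    for r in member_roles:
        base |= roles[r]
    if base & ADMINISTRATOR:            # administrators bypass every channel overwrite
        return (1 << 32) - 1            # assumption: stands in for "every permission"
    allow, deny = overwrites.get("@everyone", (0, 0))
    perms = (base & ~deny) | allow
    role_allow = role_deny = 0
    for r in member_roles:              # union of the member's role overwrites, deny then allow
        a, d = overwrites.get(r, (0, 0))
        role_allow, role_deny = role_allow | a, role_deny | d
    return (perms & ~role_deny) | role_allow

ROLES = {
    "@everyone": 0,                     # a fresh join holds nothing by default
    "Verified": VIEW_CHANNEL | SEND_MESSAGES | ADD_REACTIONS,
    "Security Bot": VIEW_CHANNEL | SEND_MESSAGES,
    "Server Admin": ADMINISTRATOR,
}
CHANNELS = {  # channel -> {role: (allow, deny)}
    "landing": {"@everyone": (VIEW_CHANNEL, SEND_MESSAGES | ADD_REACTIONS),
                "Verified": (0, VIEW_CHANNEL)},          # hidden once verified
    "general": {"@everyone": (0, VIEW_CHANNEL),          # hidden until verified
                "Verified": (VIEW_CHANNEL, 0)},
}

def audit(roles=ROLES, channels=CHANNELS):
    """Return findings that break the landing-room rules; an empty list means it is set up right."""
    findings = []
    for name, ow in channels.items():
        newcomer = compute_permissions([], roles, ow)
        member = compute_permissions(["Verified"], roles, ow)
        if name == "landing":
            if not newcomer & VIEW_CHANNEL:
                findings.append("newcomers cannot see the landing room")
            if newcomer & (SEND_MESSAGES | ADD_REACTIONS):
                findings.append("newcomers can post or react in the landing room")
            if member & VIEW_CHANNEL:
                findings.append("verified members can still see the landing room")
        elif newcomer & VIEW_CHANNEL:
            findings.append(f"newcomers can see #{name} before verification")
        elif not member & VIEW_CHANNEL:
            findings.append(f"verified members cannot see #{name}")
    return findings
```

Drop the `Verified` deny on `landing` or give `@everyone` View Channel on `general` and `audit()` reports exactly the mistake the "view server as role" check is meant to catch.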

Set up anti-raid and anti-spam on your bots!! Dooooo it! Otherwise I will own your farms.

One of the easiest ways to flood any server offline is to overwhelm it with autojoin scripts. There’s a ton of them out there. I’m not going to spend the time to tell you how to do this, as the point of the article is to defend against such tactics, not promote them. Most general purpose admin bots have anti-raid settings. Please take the time to set this up. What this will do is limit the number of joins that can happen in a given time period on your server, so your server cannot be flooded offline. I usually limit mine to something reasonable like 50 joins in a 5 minute period. For anti-raid, I do use kicks and bans. This is imperative. A flood join looks something like 1,000 users with similar names all joining one right after another with no end in sight. If your bot is set up to manage this and you have a landing room, you have nothing to worry about other than the annoyance of your server log being cluttered. If you don’t have this set up, it is up to you to recognize what is happening and to manually react to protect your server… good luck!

Most general purpose admin bots also have anti-spam features. My preference when using anti-spam is to use the mute feature rather than kick or ban. The benefit here is that if a community member unintentionally triggers the anti-spam feature, they are not kicked and bounced! They are just muted. I usually have my servers set up so that 5 repeated messages within 1 minute puts you on mute. If it happens to hit the annoying “wen utilities” community member as well, so much the better.

Most mature bots will allow you to ignore certain channels and certain security roles. I always ignore my server admin roles (but not my community admins — we will discuss this more in a moment), and I also tend to ignore any admin-only channels where you might be working with commands over and over again before getting it right and pushing it to the more public channels. You might also consider any channels you have set up where people interact with game bots and would be expected to send the same command over and over again to that chat (waifu, pokemon, fishing, etc.).

See your preferred bot’s documentation on how to set these up, but as an example I am posting a YAGPDB YouTube video that walks through this in detail: https://www.youtube.com/watch?v=98GAUC3H1hc
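To make the anti-raid, anti-spam and ignore-list settings above concrete, here is an added example (mine, not the article's and not code from YAGPDB, Dyno, Mee6 or Nadeko) that implements both sliding-window rules with the thresholds the article uses and runs them over constructed join and message events. User names, role names and channel names are assumptions.

```python
# Added example (not from the article or from any of the bots it names): the two
# sliding-window rules the section recommends, run over constructed events.
# Thresholds follow the article: 50 joins per 5 minutes (kick) and
# 5 repeated messages per minute (mute); ignored roles and channels are skipped.
from collections import defaultdict, deque

class SlidingWindow:
    """Count events per key inside the last `seconds`; True once `limit` is reached."""
    def __init__(self, limit, seconds):
        self.limit, self.seconds, self.events = limit, seconds, defaultdict(deque)

    def hit(self, key, ts):
        q = self.events[key]
        q.append(ts)
        while ts - q[0] > self.seconds:       # drop timestamps that fell out of the window
            q.popleft()
        return len(q) >= self.limit

class Guard:
    def __init__(self, ignored_roles=(), ignored_channels=()):
        self.raid = SlidingWindow(limit=50, seconds=300)
        self.spam = SlidingWindow(limit=5, seconds=60)
        self.ignored_roles, self.ignored_channels = set(ignored_roles), set(ignored_channels)
        self.actions = []                     # (action, user) the bot would take, in order

    def on_join(self, user, ts):
        # anti-raid: every join past the rate limit is kicked (use "ban" if you prefer)
        if self.raid.hit("joins", ts):
            self.actions.append(("kick", user))

    def on_message(self, user, roles, channel, text, ts):
        # anti-spam: the same text repeated by one user earns a mute, never a kick
        if self.ignored_roles & set(roles) or channel in self.ignored_channels:
            return
        if self.spam.hit((user, text.strip().lower()), ts):
            self.actions.append(("mute", user))

def simulate():
    """Constructed traffic: a join flood, one repeat-poster, bot-channel noise, admin testing."""
    g = Guard(ignored_roles={"Server Admin"}, ignored_channels={"bot-games"})
    for i in range(60):                       # 60 look-alike accounts join within two minutes
        g.on_join(f"joiner_{i:02d}", ts=i * 2)
    for i in range(5):                        # one user posts the same line five times in 40 s
        g.on_message("alice", ["Verified"], "general", "wen utilities", ts=1000 + i * 10)
    for i in range(5):                        # repeated game commands in an ignored channel
        g.on_message("bob", ["Verified"], "bot-games", "!fish", ts=2000 + i * 10)
    for i in range(5):                        # an admin retrying a command is ignored too
        g.on_message("carol", ["Server Admin"], "general", "!setup", ts=3000 + i)
    return g.actions
```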

The importance of Role Hoist in your security setup

When setting up your security roles on a Discord server, you’ll notice that there is a hierarchical ranking system. The server owner will ALWAYS retain full control over the server. The Server Admin role should have the Administrator box checked at the bottom of the permissions setup. This will give them access to anything and everything on the server all the time, including private channels whose members are added directly.

I remove the Administrator permission from the bots after they join the server. You’ll need to do this manually. The reason I do this is that I prefer to control which permissions the bots inherit as Discord continues to grow and change permissions. Additionally, I do not give community admins the Administrator permission. Community admins should be able to mute community members, but kicks and bans are extreme, can cause a lot of consternation in your community, and should be left to a server admin’s discretion. Also, I’ve seen a community admin go rogue and kick everyone off the server except the server admins. It happens. But please do give your community admins the ability to mute a community member and the ability to delete messages! With these two permissions your community admin should be able to manage 90% of the issues that happen in general chat. I do not, however, give my community admins the ability to delete messages in announcement channels.

In short, use the role hierarchy to make sure that your server admins retain control over the bots, so they can keep operating them for your server and, in the event a bot is compromised, remove it without having to track down the server owner. The bots then sit at the next level down, in case a community admin goes rogue or your server somehow falls to social engineering that duplicates a community admin account (hopefully your server owner is smart enough not to fall for it on a server admin account). Then give your community admins the permissions they need to manage the channels where the community interacts.

DELETE YOUR WEBHOOKS

Okay, I get it. Embedded messages on Discord look slick. They really, really do. They give a polished, elegant, and more sophisticated look and feel to your Discord community. I love them. However, the way to do embedded messages tends to be through webhooks.

Webhooks are a well-known exposure, because all it takes to push content into your Discord server, including malicious links, is the webhook link. Those of us that have been around Discord forever will tell you that WE ALL KNOW THAT WEBHOOKS ARE SUBJECT TO INJECTIONS, and now you do too. They always have been and always will be, by virtue of what they are and are intended to be. This doesn’t mean you should not use them, but they should be used with caution and by someone who appreciates what a webhook is and does. So now that you know this, are you really surprised by all the Discord “hacks” that have been happening on web3-focused servers? Following where I’m going with this?

So if you’re getting into the more advanced stuff of hooking up your social media feeds to channels on Discord, or you’re using discohook.org to create beautiful menus and messages on your Discord server, for the LOVE OF GOD, remove the webhook on the Discord side after you’ve pushed the content.

If you’re going to leave a webhook live, please make sure your community is aware that the channel has a live webhook, that it is subject to manipulation, and that they should not click on any links!!! No joke. When in doubt, they should type the link out instead of clicking on it!!! This is serious, people. I’d explain how easy it is to manipulate a webhook, but I’d rather not put it out there for other people to discover.

So now that you know the concerns around webhooks, are you going to give your bot or your community admins permission to manage webhooks? I hope that answer is no. This is why I remove the Administrator privilege from bots once they’ve joined the server, because otherwise the bots do have the ability to manage webhooks.
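The "push the content, then remove the webhook" step above can be scripted so the link is never left live by accident. This is an added example (not the article's code, not discohook's), using only Discord's documented webhook endpoints: "Execute Webhook" (POST to the webhook URL) and "Delete Webhook with Token" (DELETE to the same URL, which needs no bot login). The webhook URL is a placeholder and the `transport` parameter is an assumption that lets the flow run without a network.

```python
# Added example (not the article's code): push one embed through a webhook, then
# delete the webhook so the link can no longer be used to post into the channel.
# Endpoints are Discord's documented "Execute Webhook" (POST) and
# "Delete Webhook with Token" (DELETE); WEBHOOK_URL below is a placeholder.
import json
import re
import urllib.request

WEBHOOK_URL = "https://discord.com/api/webhooks/<WEBHOOK_ID>/<WEBHOOK_TOKEN>"  # placeholder
WEBHOOK_RE = re.compile(r"https://(?:discord|discordapp)\.com/api/webhooks/\d+/[\w-]+")

def http(method, url, body=None):
    """Default transport: one JSON request, returning the HTTP status code."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status

def retire_webhook(url, embed, transport=http):
    """Post `embed` once, then delete the webhook. Raises if the webhook is left live."""
    if not WEBHOOK_RE.fullmatch(url):
        raise ValueError("not a Discord webhook URL")
    status = transport("POST", url, {"embeds": [embed]})
    if status not in (200, 204):            # 204 without ?wait=true, 200 with it
        raise RuntimeError(f"post failed with HTTP {status}; webhook left in place")
    status = transport("DELETE", url)       # token-authenticated delete, no bot login needed
    if status != 204:
        raise RuntimeError(f"delete failed with HTTP {status}; the webhook is STILL LIVE")
    return True
```

Call `retire_webhook(WEBHOOK_URL, {"title": "Welcome", "description": "Read #landing first"})` with a real webhook URL to post the embed and retire the link in one go; if the delete step fails the error says so, which is the moment to go and delete it by hand in the channel's integration settings.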

Use at least two general purpose bots

This is an obvious thing, but only if you’ve been around long enough to see it happen. Bots hosted by a third party (which is any bot that you invite to join your server) do go down from time to time for maintenance and updates. Having two general purpose bots set up with anti-raid and anti-spam will cover you in the event that one of your bots does happen to go down for whatever reason.

Here are the general purpose bots I use on my own servers. It just depends on my mood and which one I want to set up. Some I’ve used because they were around before the others. As always, do your own research and use them at your own risk; these are just my personal favorites. Please note the date on this article, I have no intention of updating this year after year.

Yet Another General Purpose Discord Bot: https://yagpdb.xyz/
Dyno Bot: https://dyno.gg/bot
I find Mee6 annoying but it’s a sturdy bot anyways: https://mee6.xyz/
Nadeko is still my favorite along with YAGPDB: https://nadeko.bot/

There are tons of other bots out there, these are just the ones I’ve bothered playing with and leaving on a server. I’m known for kicking a bot 10 minutes after inviting it when I realize it doesn’t get me where I want to go.

As always, I remain your Discord Queen running in the background. I’m happiest hanging out on Lynxy Lynx’s Lab and with Beatrix and the SugarKnights (B&SK forever!). Feel free to send me a DM on twitter @lynxhelek or send me an e-mail lynx@damgnft.io

I might respond next year when I’m done playing with discord servers. ❤❤❤


Lynx Helek

Chief Financial Officer for Digital Asset Management Group, LLC with Project Management Professional certification from Project Management Institute.