Basic Secured NFT Discord Server Template
General Server Setup Overview
Discord Security Tips
If you're starting a new Discord for an NFT project and getting everything set up during this bear market, here are some broad strokes about what you should focus on during the setup. Use my template, please. This is a base template for an NFT server; I just spent a couple of hours updating it: https://discord.new/XcCCyNMh5B7D I released this for FREE. Use it. It gives you a default set of channels, categories, roles, and perms that are more locked down than Discord's defaults.
Here is my old list of recommended bots: https://twitter.com/Jon_HQ/status/1504575074396884993… Generally this still applies, with one critical addition: a bot that deletes webhooks as soon as they are created (Server Supervisor). Setting up these bots securely is actually very difficult.
Follow the Cold Admin Protocol. There is a long thread about this. Just do it, please. https://twitter.com/Jon_HQ/status/1524246902912339968… I'm getting tired of explaining it all the time; this is a requirement. If you do not follow this protocol to the letter, your community will be targeted for attacks.
Educate your team, mods, and any other staff. I released a free quiz on Discord security; make every person on your team take it. If they can't prove they took it, remove their perms. Seriously... take this extremely seriously.
Look into hiring an auditor. Using the tools and resources above helps, but as any community grows, issues fester, and there are a ton of really good auditors being trained in the @server_forge community. Having anyone double-check your work is always good.
What Bot Coverage Do You Need?
Discord Security Tip - What bots do you need?
Below is my curated list of bots that I usually install into new servers, or add during the course of an audit. I'll explain what the 'reason' for each entry means in more detail...
(For alternative bots, I listed only bots I had experience with, that were easy to set up, and that cost the least. There are definitely more out there, but I either haven't tested them or found them to perform poorly.) I recommend using all the bots in the Primary column.
This is a huge issue for Discord servers. A 'nuke' is when a mod (or a compromised mod account) bans or kicks all the members of the server, or performs other malicious mass actions. Wick also stops mass mentions. Without Wick it is hard to give mods ban perms safely. Wick is a must-have.
Links WL and Logs
Probot lets you make a links whitelist: any link not on it is deleted instantly. You can also set up logging of all actions and track whether channel or role permissions change unexpectedly, which has the potential to catch an attack before it happens.
SpamDefender will ban any accounts joining your server with common phishing usernames and, once set up properly, any accounts trying to impersonate your project or your team members. This is so important to have, and it protects newbies in the space.
This feature stops malicious bot accounts from joining your server en masse; raids can sometimes involve hundreds of thousands of accounts. Having some sort of bot in place to handle all these fake joins is super important.
This is the thing you see in almost every server where the member count is listed in the top left above all other channels.
All the other 'reason' entries are self-explanatory. Hope this is helpful, and if you join a server and *DON'T* see Wick on the sidebar, that team is probably doing something wrong. Feel free to send them this thread.
WL role management: you can use a bot to manage roles and let your moderators add people to a 'staking' role or a WL/AL role without giving them the Manage Roles permission. More info on that here: https://twitter.com/lukenamop/status/1498115241317650437
Making the Discord Work for Your Team
Discord Security... and... Community Management?
Discord security is not just about keeping things secure, it's also about keeping things usable. So let's flip the script a bit and look at what CMs *need* to do inside a Discord community, and how we can do it securely.
Announcing events with an @everyone ping. This is a big one: CMs need to let their community know when something is going on. Unfortunately, the Mention Everyone permission is exactly what attackers are after. There is only one secure solution here: https://twitter.com/Jon_HQ/status/1549077129916125184
Mentioning other roles... This is where we can compromise. While we can't give Mention Everyone permissions to CMs, we can give them custom commands. In Dyno, for example, you can make a command that only a certain role can use and that pings the 'scam-alerts' role.
You can make a more complex custom command that echoes whatever text follows the command into the ping notification. This lets communities announce game nights, alpha pings and new tweets from hot accounts, securely, and it's pretty quick to set up!
The trusty CM ban hammer... CMs need to be able to kick/ban members, but the Kick Members permission also lets you prune members, and Ban Members could be used against team members. This is why we use a bot like Wick to handle kick/ban commands... plus it comes with a useful warn command too!
Assigning the allow list... The Manage Roles permission is *exceedingly* dangerous. We should never grant that permission to hot accounts... and as you're about to see, it's custom command time again! Here's a guide from Jacob on using YAG to assign roles: https://twitter.com/lukenamop/status/1514393435754700800
Toggling channels off and on... Sometimes there is a channel that is only relevant temporarily, such as an AMA channel or a game channel. One route is to use your Announcement Account; the other is, you guessed it, a custom command! Here it is in ccommandbot.
Deleting messages or using timeout. Both the Manage Messages and the timeout (Moderate Members) permissions are, in my opinion, fine from a security perspective to give to moderators and community managers. No custom command needed for these!
Bots that allow custom commands are dangerous. They usually require a lot of dangerous perms to do their job. My general recommendation is to use two different bots, one for roles and one for channels, and never give a single bot both. And check their position in the role hierarchy.
So why is all of the above so important? A totally secure Discord server has 0 perms granted. But that does not make it usable, and if you audit or set up a Discord server that doesn't work for the mods and the CMs, they will end up giving themselves dangerous perms...
This leads projects to feel secure because they got an audit, yet still end up with dangerous perms granted to low-level team roles. This is extremely bad, so make sure that your auditor sets up your server so it is usable by you and your team.
If you liked these tips or ended up using one of the custom commands or tips on your own server, consider following my twitter at Jon_HQ for more.
Avoid Giving Bots Too Many Perms
Discord Bot Compromise Update
What's next? How do we stop this in the future? So, an official little recap: beyond the bot pushing a bad update, the bot had asked for the Manage Webhooks permission, which it might need for some functionality... but there is no reason to grant it.
Even if a bot has Manage Channels and Manage Roles, it CAN'T create webhooks without the Manage Webhooks permission (only Administrator implies everything). Lesson to learn: you can't take a bot developer's permission request at face value. Learn your bots and the perms they actually need. And @Collab_Land_, stop asking for Admin perms. You're a major risk.
Also if you had ticket tool enabled - check this thread to solve any sleeper attackers: https://twitter.com/lukenamop/status/1509805953054613508
Brand Monitoring Can Save You Even After a Compromise
This could save your NFT's Discord from getting hacked
What if you could identify that one of your moderators was compromised, and that attackers were preparing a fake mint announcement in your Discord, hours or days before it happened?
There is one common denominator that I don't think anyone is tracking at this point: all of these fake mint announcements point to a fake domain that resembles the project it is attacking. Domain registrations are public information, so we can track them.
There are a couple of paid tools that do this; I researched a few of them and this one https://research.domaintools.com/monitor/brand-monitor/… seems to be the best. Using this tool ($99/mo) you can tell when an attacker has registered, for instance, "invisiblefreinds" as a domain.
When you get a notification that someone has registered a fake domain, you can audit and reassess your Discord and nip any attack in the bud.
(If anyone can find a free tool that does this, please let me know. I wasn't able to find any that handle misspellings plus all TLDs.)
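As an added example (this is not the DomainTools product and not code from the original thread), here is the offline half of the job in Python: it generates the lookalike spellings an attacker is likely to register for a brand name (adjacent-letter swaps, dropped or doubled letters, digit homoglyphs, and 'mint'/'claim' style affixes) and then scans a list of newly registered domains for any of them under any TLD. The brand name, the allowlist of official domains and the feed of new registrations below are constructed for the example; in practice the feed would come from a newly-registered-domains data source or zone file, and the homoglyph and affix tables would be extended over time.

```python
"""Lookalike-domain detector for a project brand name (added example).

The brand, allowlist and registration feed below are constructed sample data.
"""

# Brand to protect and the domains that legitimately use it (constructed).
BRAND = "invisiblefriends"
OFFICIAL_DOMAINS = {"invisiblefriends.com"}

# Single-character digit homoglyphs attackers commonly use.
HOMOGLYPHS = {"l": "1", "i": "1", "o": "0", "e": "3", "a": "4", "s": "5"}

# Words commonly bolted onto a brand in mint/claim phishing domains.
AFFIXES = ["mint", "claim", "nft", "official", "airdrop"]


def lookalike_labels(brand):
    """Return the set of DNS labels that resemble `brand`.

    The brand itself is included, so the exact name under an unexpected TLD
    (a .xyz registration of a .com brand) is also flagged.
    """
    brand = brand.lower()
    labels = {brand}
    n = len(brand)
    # Adjacent-letter transpositions: "invisiblefriends" -> "invisiblefreinds".
    for i in range(n - 1):
        labels.add(brand[:i] + brand[i + 1] + brand[i] + brand[i + 2:])
    # Dropped and doubled letters.
    for i in range(n):
        labels.add(brand[:i] + brand[i + 1:])
        labels.add(brand[:i + 1] + brand[i] + brand[i + 1:])
    # One homoglyph substitution at a time: "invisiblefriends" -> "invisib1efriends".
    for i, ch in enumerate(brand):
        if ch in HOMOGLYPHS:
            labels.add(brand[:i] + HOMOGLYPHS[ch] + brand[i + 1:])
    # Prefix/suffix affixes, with and without a hyphen.
    for word in AFFIXES:
        labels.update({brand + word, brand + "-" + word, word + brand, word + "-" + brand})
    return labels


def find_lookalikes(feed_lines, brand, official):
    """Scan newly registered domains and return (domain, matching_label) pairs.

    Every label except the TLD is checked, so "brand.xyz", "brand-mint.io"
    and "brand.co.uk" are all caught. Domains on the allowlist are skipped.
    """
    candidates = lookalike_labels(brand)
    hits = []
    for line in feed_lines:
        domain = line.strip().lower().rstrip(".")
        if not domain or domain.startswith("#") or domain in official:
            continue
        labels = domain.split(".")
        for label in labels[:-1]:
            if label in candidates:
                hits.append((domain, label))
                break
    return hits


# Constructed sample of a newly-registered-domains feed (one domain per line).
SAMPLE_FEED = """\
# sample feed, constructed for this example
invisiblefreinds.xyz
invisiblefriends-mint.io
invisib1efriends.com
invisiblefriends.com
invisiblepuppies.com
mintinvisiblefriends.net
example.org
"""

if __name__ == "__main__":
    for domain, label in find_lookalikes(SAMPLE_FEED.splitlines(), BRAND, OFFICIAL_DOMAINS):
        print(f"ALERT lookalike registration: {domain} (matched label {label!r})")
```

Run against the sample feed it flags the transposition, the homoglyph, and the two affixed names, and stays quiet on the official domain and on unrelated registrations. A hit is a signal to re-audit the Discord (mod accounts, webhooks, role perms) before the matching fake mint announcement appears, not proof of compromise on its own.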
Never Use Expiring Discord Invites (Here's the Alternative)
If you want to do a CLOSED Discord for marketing hype reasons or whatever, you can do it safely. Read this to learn how... and the reason why a closed Discord using expiring invites is a bad idea...
Bad actors have been abusing this for quite a while. Projects that say "join invite link aLKcm3 right now to get into the CLOSED Discord" create FOMO. People share these links in alpha groups, and it is first come, first served. Attackers then set a vanity URL on their own server that matches the invite code, so once the original invite expires the same link leads to their server.
Folks join a duplicate, phishing Discord. This is not good, and you should not sacrifice security on the altar of marketing FOMO hype. Instead, let's do this safely. First of all, you need a proper verification gate. Use Wick or Premium Captcha Bot.
Create two channels: #rules, visible only to the @everyone role and denied to anyone verified, and #verify, which is visible only when YOU want to announce that the Discord is opening up for a period of time. To do this, just toggle the @everyone role's View Channel permission on and off for #verify. That's it.
(You need the #rules channel for the vanity URL.) Now release one official project vanity invite link. Never change or deactivate it. People will join the Discord but can't talk or do anything. You still have the exclusivity of rewarding fans that follow your Twitter.
Setting Up an Automessage to Protect New Frens
Discord Tip: Protect the new frens
Every Discord moderation bot has something called an Automessage. Enable it, put it in #general, and send the message every 4-6 hours. Spam the newbs to save them. Use my template, and tell me if you think there is anything else to add!
My Free (and Open Source) Discord Ticket Thread Bot
Free Discord Bot Released!
Sorry this took so long to get out, but NFT NYC and Covid both interfered with the release. I'm announcing a bot I developed with @cryptovega_ called Ticket Thread. It lets you open tickets in private threads. It is free and open-source!
But first, why is this so important? Traditional ticket tools open a new channel for each ticket created, which means you end up with hundreds and hundreds of open ticket channels. This is both a security risk and extremely hard to manage. Ticket Thread solves this.
Using a feature built into Discord called private threads, we can create, archive, and handle tickets without complicated systems or difficult setup. The bot requires no dangerous permissions to run, making it a safer option. Plus, the limit on active threads is twice the limit on channels.
For management, the bot provides a log of opened threads. This makes it super easy for staff to join tickets, deal with issues, and close threads when done. So yeah, how do you install it?
Here's the link to add it to your server: https://discord.com/api/oauth2/authorize?client_id=993570644665053306&permissions=362924854336&scope=bot%20applications.commands… This is just a public instance I spun up for anyone to use. If you want to host your own instance, here is the source code and how to set it up:
Make sure the bot has permission to post in the channel where you want the ticket button, then type /ticket. Make sure regular users have the Send Messages in Threads permission in that channel. Next, type /ticketlogs with a channel name to create the logs channel, and make sure the bot has permissions there too.
And that's pretty much it. Easy setup. I'm going to be using this bot in all of my own setups; let me know if you find any bugs or issues using the bot! Cheers!
P.S. In case it's not apparent: this requires private threads to function, so you need server boost level 2 or 3 to use this bot. It will not work in unboosted servers!
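Two passages above come down to the same check: the bot-compromise recap says you can't take a bot developer's permission request at face value, and the Ticket Thread announcement says the bot needs no dangerous permissions. The `permissions=` integer in a bot invite URL is a bitfield you can decode yourself before clicking Authorize. As an added example (not code from Ticket Thread or from the original thread), here is a Python script that decodes that integer, flags the permissions this page treats as attack enablers (Administrator, Manage Server, Manage Roles, Manage Channels, Manage Webhooks, Mention Everyone, Kick, Ban), and builds a reduced integer for a least-privilege invite. The bit positions are Discord's documented permission flags; the dangerous set is an assumption drawn from this page's advice, not a Discord-defined list. The second URL it audits, asking for Administrator, is constructed for the example.

```python
"""Decode the `permissions=` integer in a Discord bot invite URL (added example).

Bit positions follow Discord's documented permission flags. The DANGEROUS set
is drawn from this page's advice for NFT community servers, not from Discord.
"""
from urllib.parse import parse_qs, urlparse

# Discord permission flags: bit position -> name.
PERMISSION_BITS = {
    0: "CREATE_INSTANT_INVITE", 1: "KICK_MEMBERS", 2: "BAN_MEMBERS",
    3: "ADMINISTRATOR", 4: "MANAGE_CHANNELS", 5: "MANAGE_GUILD",
    6: "ADD_REACTIONS", 7: "VIEW_AUDIT_LOG", 8: "PRIORITY_SPEAKER",
    9: "STREAM", 10: "VIEW_CHANNEL", 11: "SEND_MESSAGES",
    12: "SEND_TTS_MESSAGES", 13: "MANAGE_MESSAGES", 14: "EMBED_LINKS",
    15: "ATTACH_FILES", 16: "READ_MESSAGE_HISTORY", 17: "MENTION_EVERYONE",
    18: "USE_EXTERNAL_EMOJIS", 19: "VIEW_GUILD_INSIGHTS", 20: "CONNECT",
    21: "SPEAK", 22: "MUTE_MEMBERS", 23: "DEAFEN_MEMBERS", 24: "MOVE_MEMBERS",
    25: "USE_VAD", 26: "CHANGE_NICKNAME", 27: "MANAGE_NICKNAMES",
    28: "MANAGE_ROLES", 29: "MANAGE_WEBHOOKS",
    30: "MANAGE_GUILD_EXPRESSIONS",  # formerly MANAGE_EMOJIS_AND_STICKERS
    31: "USE_APPLICATION_COMMANDS", 32: "REQUEST_TO_SPEAK", 33: "MANAGE_EVENTS",
    34: "MANAGE_THREADS", 35: "CREATE_PUBLIC_THREADS", 36: "CREATE_PRIVATE_THREADS",
    37: "USE_EXTERNAL_STICKERS", 38: "SEND_MESSAGES_IN_THREADS",
    39: "USE_EMBEDDED_ACTIVITIES", 40: "MODERATE_MEMBERS",  # timeout
}
NAME_TO_BIT = {name: bit for bit, name in PERMISSION_BITS.items()}

# Permissions this page treats as attack enablers on a hot account or bot (assumption).
DANGEROUS = {
    "ADMINISTRATOR", "MANAGE_GUILD", "MANAGE_ROLES", "MANAGE_CHANNELS",
    "MANAGE_WEBHOOKS", "MENTION_EVERYONE", "KICK_MEMBERS", "BAN_MEMBERS",
}


def decode_permissions(value):
    """Return the permission names set in a Discord permissions integer, lowest bit first."""
    names = []
    bit = 0
    while value >> bit:
        if (value >> bit) & 1:
            names.append(PERMISSION_BITS.get(bit, f"UNKNOWN_BIT_{bit}"))
        bit += 1
    return names


def dangerous_permissions(value):
    """Names from DANGEROUS that are set; ADMINISTRATOR alone implies everything."""
    names = decode_permissions(value)
    if "ADMINISTRATOR" in names:
        return ["ADMINISTRATOR"]
    return [n for n in names if n in DANGEROUS]


def encode_permissions(names):
    """Build a permissions integer from names, e.g. for a trimmed-down invite link."""
    return sum(1 << NAME_TO_BIT[n] for n in names)


def audit_invite_url(url):
    """Parse a bot OAuth2 invite URL and report what it asks for."""
    query = parse_qs(urlparse(url).query)
    value = int(query.get("permissions", ["0"])[0])
    return {
        "client_id": query.get("client_id", [None])[0],
        "permissions": value,
        "granted": decode_permissions(value),
        "dangerous": dangerous_permissions(value),
    }


if __name__ == "__main__":
    # The Ticket Thread invite link from this page.
    ticket_url = ("https://discord.com/api/oauth2/authorize?client_id=993570644665053306"
                  "&permissions=362924854336&scope=bot%20applications.commands")
    # A constructed link of the kind a bot developer should not be asking for.
    admin_url = "https://discord.com/api/oauth2/authorize?client_id=0&permissions=8&scope=bot"
    for url in (ticket_url, admin_url):
        report = audit_invite_url(url)
        verdict = "REFUSE" if report["dangerous"] else "ok"
        print(f"{verdict}: client {report['client_id']} asks for {report['granted']}")
        if report["dangerous"]:
            print(f"  dangerous: {report['dangerous']}")
```

For the Ticket Thread link this decodes to View Channel, Send Messages, Send Messages in Threads, Create Private Threads, Manage Threads, Read Message History, Embed Links, Attach Files, Add Reactions and Use Application Commands, with nothing from the dangerous set, which matches the announcement. Administrator (bit 3, the integer 8) short-circuits the check because it implies every other permission regardless of what else is listed. If a bot's invite asks for more than it needs, edit the `permissions=` value (or rebuild it with `encode_permissions`) before authorizing, then confirm in Server Settings that the bot's role really only holds that set.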