If I run a server with offline-mode=false, hide-online-players=true and white-list=true, how easy would it be for an attacker to find out which names are whitelisted to join with a whitelisted name? Is it brute-force hard or does the server leak that info somewhere? How to secure an offline mode server against this?
I'd recommend a separate authentication plugin independent of Mojang accounts. For example this one (didn't test it myself).
Yes, this is necessary for offline mode security. Most attacks come from the attacker joining as the operator and doing whatever, and an auth plugin can stop that. Additionally, make sure that you have a backup system set up, and confirm that the backups work.
I used to have the same setup, then someone joined the server using my brother's username and proceeded to grief spawn. Definitely use a separate auth plugin.