If I run a server with offline-mode=false, hide-online-players=true and white-list=true, how easy would it be for an attacker to find out which names are whitelisted to join with a whitelisted name? Is it brute-force hard or does the server leak that info somewhere? How to secure an offline mode server against this?
I’d recommend a separate authentication plugin independent of Mojang accounts. For example, this one (didn’t test it myself).
Yes, this is necessary for offline mode security. Most attacks come from the attacker joining as the operator and doing whatever, and an auth plugin can stop that. Additionally, make sure that you have a backup system set up, and confirm that the backups work.