How to protect and make your Minecraft Server more secure

This guide explains the different ways you can protect your Minecraft servers, from stopping in-game botting attacks and hackers rejoining on alts to preventing direct access to backend servers. We will go over the following points:

Protect your servers from being botted
Protect your backend servers connected to a proxy
Protect your servers from VPN joins
Protect your servers from hackers
Protect your server from being DDoSed
General protection practices


🤖 Protecting your server from being botted 🤖



Overview



Botting is an attack in which a large number of "fake" users join your server, sending join requests at high speed in order to crash it. There are free and paid botting services out there, and in general this type of attack cannot be stopped by our in-house DDoS protection, as it is a server-level attack.

Stopping it



We advise using a login plugin that makes users set a password on login, or that authenticates user accounts one by one. A plugin we recommend is LoginSecurity.
If login plugins still can't stop the attack, you can check out anti-botting plugins such as BotSentry. These plugins detect when a large number of join requests arrive and enable a two-step process at that time.
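
A sketch of the join-rate check described above, as an added example (not BotSentry's code and not part of the original article). It replays constructed log lines; the thresholds and the function names are assumptions.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample in the style of a Minecraft server log (not real data).
SAMPLE_LOG = """\
[12:00:01] [Server thread/INFO]: Alice[/198.51.100.7:50112] logged in with entity id 101
[12:00:40] [Server thread/INFO]: Bob[/198.51.100.8:50345] logged in with entity id 102
[12:01:10] [Server thread/INFO]: xq1[/203.0.113.5:40001] logged in with entity id 103
[12:01:10] [Server thread/INFO]: xq2[/203.0.113.5:40002] logged in with entity id 104
[12:01:11] [Server thread/INFO]: xq3[/203.0.113.6:40003] logged in with entity id 105
[12:01:11] [Server thread/INFO]: xq4[/203.0.113.6:40004] logged in with entity id 106
[12:01:12] [Server thread/INFO]: xq5[/203.0.113.7:40005] logged in with entity id 107
[12:01:40] [Server thread/INFO]: Dave[/198.51.100.9:50777] logged in with entity id 108
[12:03:00] [Server thread/INFO]: Carol[/198.51.100.10:50990] logged in with entity id 109
"""

# IPv4 join lines only; anything else in the log is skipped.
JOIN_RE = re.compile(r"^\[(\d\d:\d\d:\d\d)\] .*?: (\w+)\[/([\d.]+):\d+\] logged in")


def detect_join_flood(log_text, max_joins=3, window_s=5, cooldown_s=60):
    """Replay join lines; return (time, name, ip, challenged) for each join.

    More than max_joins joins inside window_s seconds switches on the extra
    login step for cooldown_s seconds, for every player who joins meanwhile.
    """
    recent = deque()        # join times inside the sliding window
    challenge_until = None  # end of the current two-step period, if any
    decisions = []
    for line in log_text.splitlines():
        m = JOIN_RE.match(line)
        if not m:
            continue
        # Logs carry time of day only; a real tool must handle midnight rollover.
        ts = datetime.strptime(m.group(1), "%H:%M:%S")
        recent.append(ts)
        while (ts - recent[0]).total_seconds() > window_s:
            recent.popleft()
        if len(recent) > max_joins:  # flood: switch the extra check on
            challenge_until = ts + timedelta(seconds=cooldown_s)
        challenged = challenge_until is not None and ts <= challenge_until
        decisions.append((m.group(1), m.group(2), m.group(3), challenged))
    return decisions


def challenged_names(decisions):
    """Names of the players who would have been sent through the extra step."""
    return [name for _, name, _, on in decisions if on]
```

On the sample, the first three flood joins get in before the threshold trips, and a legitimate player who joins during the cooldown is challenged too, which is the trade-off to tune.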


🌐 Protect your backend servers connected to a proxy 🌐



Overview



A proxy setup is unique. It requires that the proxy server be in online mode, while the backend servers are in offline mode (unauthenticated access). While the proxy takes care of authenticating players before they reach the offline-mode backends, users can sometimes attempt to connect directly to a backend server. This lets them join under any username of their choice, including yours (the owner, with all the permissions).

Stopping it



Install BungeeGuard to prevent this kind of backdoor access. The goal is a setup where the backend cannot be accessed directly. BungeeGuard uses a token that is unique to your proxy, and only connections that carry the token can log in to the backend. Please do NOT share this token with anyone!
This also means people cannot set up proxy instances of their own, link them to your server, and then connect through their proxy (also known as Rogue Bungees).
A guide to setting up BungeeGuard can be found here!


🗺️ Protect your server from VPN joins 🗺️



Overview



We all hate it when banned players join back on an alt account. It is even worse when they join through a VPN! This causes a lot of problems, as a VPN can be used an unlimited number of times, and they probably have unlimited alt accounts thanks to generators. There are a few plugins we recommend to combat this.

Stopping it



For Java



AntiVPN - Can be installed on the proxy too, and stops VPN joins.
KauriVPN - Great for stopping almost every possible VPN provider out there! Focused purely on VPN blocking.
EpicGuard - All-in-one solution. May be a bit wonky since it attempts to stop a lot of things, but it can still work for the most part!

For Bedrock



VPNGuard ( pocketmine ) - https://github.com/HiddenMotives/VPNGuard
VPNGuard ( nukkit ) - https://cloudburstmc.org/resources/vpnguard.280/

If people still manage to join on VPNs, this may be due to a personal VPN that they have set up. In that case, you have no option but to keep banning the IPs, or to get a VPS to run your server on and use firewall rules to prevent the player from joining!


🧑‍💻 Protect your server from hackers 🧑‍💻



Overview



To protect your server from hackers and cheaters, we recommend using an anticheat plugin to stop them in their tracks!

Any anticheat that is NOT configured will have false positives. Please spend some time configuring your anticheat before declaring it useless, and find out which anticheat you prefer!

Stopping it



Here are some free options -
Advanced AntiCheat - https://www.spigotmc.org/resources/aac-advanced-anti-cheat-hack-kill-aura-blocker.6442/
NoCheatPlus (Updated) - https://ci.codemc.io/job/Updated-NoCheatPlus/job/Updated-NoCheatPlus/

Here are some paid options -
Matrix anticheat - https://www.mc-market.org/resources/13999/
Spartan Anticheat - https://www.spigotmc.org/resources/spartan-anti-cheat-advanced-cheat-detection-hack-blocker-1-7-2-1-17-1.25638/

For Bedrock -
ShadowAntiCheat ( pocketmine ) - https://poggit.pmmp.io/p/ShadowAntiCheat/3.6.3
GAC ( nukkit ) - https://cloudburstmc.org/resources/gac.119/
MyGuardian ( nukkit ) - https://cloudburstmc.org/resources/myguardian-anticheat.465/


🎯 Protect your server from being DDoSed 🎯



This is a tricky thing to solve, as it's hard to stop attacks without learning where they originate. If you have a VPS, you can use firewall rules to stop attacks. If you can, set up an IP whitelist system where your friends/players submit their IPs, and allow only those in! You can also look around for free Anti-DDoS providers, though most of them may not suit your needs if you're running a network or have a big playerbase!

To stop GeyserMC-based attacks, the only solutions we have seen work are proxying traffic through a DDoS-protected VPS for Bedrock-only connections, or using TCPShield's anti-DDoS protection.
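
One way to turn the IP whitelist above into VPS firewall rules, as an added example that is not part of the original article. The same generator fits the backend section earlier: pass only your proxy's IP and the backend's port. The table and set names, the /16 breadth limit and the sample addresses are assumptions.

```python
import ipaddress


def build_allowlist_ruleset(allowed, port=25565, proto="tcp", table="mc_allowlist"):
    """Return (nftables ruleset text, rejected entries) for an IPv4 allowlist."""
    if proto not in ("tcp", "udp"):  # Java uses TCP; Bedrock uses UDP
        raise ValueError("proto must be 'tcp' or 'udp'")
    nets, rejected = [], []
    for entry in allowed:
        try:
            net = ipaddress.ip_network(entry.strip(), strict=False)
        except ValueError:
            rejected.append(entry)  # typo or junk submitted by a player
            continue
        # Assumed policy: IPv4 only, and nothing broader than a /16, so an
        # entry like 0.0.0.0/0 cannot silently disable the allowlist.
        if net.version != 4 or net.prefixlen < 16:
            rejected.append(entry)
            continue
        nets.append(net)
    nets = list(ipaddress.collapse_addresses(nets))  # merge duplicates/overlaps
    if not nets:
        raise ValueError("allowlist is empty; refusing to emit a drop-all ruleset")
    elements = ", ".join(
        str(n.network_address) if n.prefixlen == 32 else str(n) for n in nets
    )
    ruleset = f"""table inet {table} {{
    set allowed_v4 {{
        type ipv4_addr
        flags interval
        elements = {{ {elements} }}
    }}
    chain input {{
        type filter hook input priority 0; policy accept;
        {proto} dport {port} ip saddr @allowed_v4 accept
        {proto} dport {port} drop
    }}
}}
"""
    return ruleset, rejected
```

Review the generated text and the rejected entries before loading the ruleset on the VPS with `nft -f`; other ports are left to whatever rules you already have.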


✅ General Protection Practices ✅



While all of this combined may be good, and you may have the best anticheats, the best configurations, the best anti-VPNs, and the best anti-botting systems, your server may still be prone to problems! Here's what we recommend you always do:

When giving subusers access to your panel, make sure you give them only the permissions they need! Someone with file management permissions could delete all your files. Someone with access to the version changer can do the same!
Make sure your backups are locked and cannot be unlocked by a subuser (if you have any). Give backup restore permissions only to trusted staff, as people can create a backup that ignores all your directories, and restoring it may leave you with just your eula file :O
Make sure you have two-factor authentication enabled for your WitherPanel account, AND your client account.
Make sure you provide console access only to trusted staff. It is always possible to mess things up!
Make sure you update plugins frequently, as some plugins may have exploits that can be game breaking.
Make sure you update your server software often, to pick up fixes for any dupes/bugs that the server software has patched!


We hope this all-in-one guide has helped you protect your Minecraft Server and keeps your security at a top-notch level!

Updated on: 08/03/2023
