
Quick answer: Secure your Minecraft server with these 5 critical steps: (1) Configure a firewall to allow only port 25565, (2) install essential security plugins (CoreProtect, DiscordSRV, AuthMe), (3) keep your server software and plugins updated, (4) use strong passwords and 2FA for admin accounts, and (5) implement regular automated backups. For DDoS protection, use a professional host with built-in mitigation or services like TCPShield/Cloudflare Spectrum.
Critical Security Checklist
Start here. Complete these steps before opening your server to the public:
| Priority | Security Step | Time Required | Difficulty |
|----------|--------------|---------------|------------|
| 🔴 Critical | Configure firewall (UFW/iptables) | 10 min | Easy |
| 🔴 Critical | Install CoreProtect (block logging) | 5 min | Easy |
| 🔴 Critical | Set up automated backups | 15 min | Medium |
| 🔴 Critical | Disable vanilla /op system | 2 min | Easy |
| 🟡 High | Install LuckPerms + permissions | 30 min | Medium |
| 🟡 High | Enable DDoS protection | 20 min | Medium |
| 🟡 High | Configure anti-cheat (Vulcan/Matrix) | 20 min | Medium |
| 🟢 Medium | Implement login security (AuthMe) | 15 min | Easy |
| 🟢 Medium | Set up Discord alerts (DiscordSRV) | 10 min | Easy |
| 🟢 Medium | Harden server.properties | 10 min | Easy |
Firewall Configuration
A firewall is your first line of defense. Block everything except Minecraft traffic.
Ubuntu/Debian: UFW (Uncomplicated Firewall)
```bash
# Install UFW if not present
sudo apt update && sudo apt install ufw -y
# Default policies: deny all incoming, allow outgoing
sudo ufw default deny incoming
sudo ufw default allow outgoing
# Allow SSH before enabling the firewall (change the port if you use a non-standard one),
# otherwise you lock yourself out of the VPS
sudo ufw allow 22/tcp
# Allow Minecraft port
sudo ufw allow 25565/tcp
# Enable firewall
sudo ufw enable
# Verify rules
sudo ufw status verbose
```
Expected output:
```text
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
25565/tcp                  ALLOW       Anywhere
```
CentOS/RHEL: firewalld
```bash
# Start and enable firewalld
sudo systemctl start firewalld
sudo systemctl enable firewalld
# Allow Minecraft port
sudo firewall-cmd --permanent --add-port=25565/tcp
# Reload firewall
sudo firewall-cmd --reload
# Verify
sudo firewall-cmd --list-all
```
Advanced: Rate Limiting with iptables
Prevent connection flood attacks:
```bash
# Allow established connections
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Rate limit new connections to the Minecraft port (max 10 per minute per source IP):
# the first rule records the source address, the second drops it once it has
# opened 10 new connections within 60 seconds
sudo iptables -A INPUT -p tcp --dport 25565 -m conntrack --ctstate NEW -m recent --set
sudo iptables -A INPUT -p tcp --dport 25565 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP
# Accept Minecraft connections
sudo iptables -A INPUT -p tcp --dport 25565 -j ACCEPT
# Save rules so they survive a reboot (requires the iptables-persistent package)
sudo netfilter-persistent save
```
Essential Security Plugins
CoreProtect (Block Logging & Rollback)
CoreProtect logs every block break, place, and container interaction. Essential for investigating griefing.
Installation:
```bash
cd /path/to/server/plugins
wget https://github.com/PlayPro/CoreProtect/releases/latest/download/CoreProtect.jar
# Restart server
```
Basic Configuration (plugins/CoreProtect/config.yml):
```yaml
# Enable MySQL for better performance (optional but recommended)
use-mysql: false   # Change to true if you set up MySQL
# What to log
block-place: true
block-break: true
natural-break: true
entity-kills: true
inventory: true
item-transactions: true
# How long to keep logs (days)
max-days: 30
# Performance settings
queue-delay: 3
verbose: false
```
Essential Commands:
```text
# Check who broke a block (then click the block with a stick)
/co inspect
# Lookup player actions
/co lookup user:PlayerName time:24h
# Rollback player grief
/co rollback user:Griefer time:24h radius:100
# Restore an accidental rollback
/co restore user:Griefer time:1h radius:100
```
LuckPerms (Permissions Management)
Never use vanilla /op. Use LuckPerms for granular permissions.
Installation:
```bash
cd plugins
wget https://download.luckperms.net/1543/bukkit/loader/LuckPerms-Bukkit-5.4.141.jar -O LuckPerms.jar
# Restart server
```
Initial Setup:
```text
# In-game or console:
# Create groups
/lp creategroup admin
/lp creategroup moderator
/lp creategroup vip
/lp creategroup default
# Set group inheritance (admin inherits moderator perms, etc.)
/lp group admin parent set moderator
/lp group moderator parent set vip
/lp group vip parent set default
# Give admin all permissions
/lp group admin permission set * true
# Give moderator basic moderation permissions
/lp group moderator permission set minecraft.command.kick true
/lp group moderator permission set minecraft.command.ban true
/lp group moderator permission set essentials.kick true
/lp group moderator permission set essentials.ban true
/lp group moderator permission set coreprotect.inspect true
/lp group moderator permission set coreprotect.rollback true
# Add user to group
/lp user PlayerName parent set admin
# Web editor for easier management
/lp editor
```
Vulcan Anti-Cheat
Detects and prevents hacks (fly, speed, killaura, etc).
Installation:
Purchase from Spigot (€15) or use Matrix (free alternative):
```bash
# Matrix (free)
cd plugins
wget https://github.com/jiangdashao/Matrix-Issues/releases/latest/download/Matrix.jar
# Restart server
```
Vulcan Configuration Tips:
```yaml
# config.yml highlights
checks:
  combat:
    killaura:
      enabled: true
      punish: true
      max-vl: 10   # Violations before kick
    reach:
      enabled: true
      max-reach: 3.1   # Blocks
  movement:
    fly:
      enabled: true
      punish: true
    speed:
      enabled: true
      max-vl: 15
# Alert staff in-game
alerts:
  enabled: true
  permission: "vulcan.alerts"   # Give to moderators
```
AuthMe Reloaded (Login Security)
Requires players to register/login with passwords. Essential for cracked servers, useful for all.
Installation:
```bash
cd plugins
wget https://github.com/AuthMe/AuthMeReloaded/releases/latest/download/AuthMe-5.6.0.jar -O AuthMe.jar
# Restart server
```
Configuration (plugins/AuthMe/config.yml):
```yaml
settings:
  enabled: true
  enablePasswordVerifier: true
  restrictions:
    minPasswordLength: 6
    maxPasswordLength: 30
  security:
    passwordHash: BCRYPT   # Most secure
    supportOldPasswordHash: false
  registration:
    enabled: true
    force: true
    type: EMAIL   # or PASSWORD
Email:
  mailSMTP: 'smtp.gmail.com'
  mailPort: 587
  mailAccount: 'your-email@gmail.com'
  mailPassword: 'app-password-here'
```
Player Commands:
```text
/register password email
/login password
```
DiscordSRV (Discord Integration & Alerts)
Get notified on Discord when players join, leave, or trigger security events.
Installation:
```bash
cd plugins
wget https://github.com/DiscordSRV/DiscordSRV/releases/latest/download/DiscordSRV-Build-1.28.0.jar -O DiscordSRV.jar
# Restart server
```
Setup:
- Create a Discord bot at the Discord Developer Portal
- Add the bot to your Discord server
- Copy the bot token
- Edit plugins/DiscordSRV/config.yml:
```yaml
BotToken: "YOUR_BOT_TOKEN_HERE"
DiscordChatChannelId: "YOUR_CHANNEL_ID"
# Enable useful alerts
DiscordConsoleChannelId: "ADMIN_CHANNEL_ID"
# Link Minecraft chat with Discord
MinecraftDiscordAccountLinked: true
# Security alerts
Alerts:
  - "Player %player% joined from new IP: %ip%"
```
Server Software Hardening
server.properties Security Settings
```properties
# Disable online mode ONLY if you run a cracked server protected by AuthMe
online-mode=true
# Prevent command block exploits
enable-command-block=false
# Hide player IPs from logs (GDPR compliance)
log-ips=false
# Require resource pack (for branded servers)
require-resource-pack=false
# Prevent player report abuse
enforce-secure-profile=false
# Max players (prevent overload)
max-players=100
# Network settings
network-compression-threshold=256
# Default world size, reduce if needed. Note that server.properties does not allow
# a comment after a value, so keep notes on their own line.
max-world-size=29999984
# Rate limiting: 0 disables the vanilla rate limit (use TCPShield instead)
rate-limit=0
```
spigot.yml / paper.yml Security Settings
Paper config (proxy settings live in config/paper-global.yml; anti-xray and the misc options are per-world settings and live in config/paper-world-defaults.yml):
```yaml
# config/paper-global.yml
proxies:
  velocity:
    enabled: false
    online-mode: false
    secret: ''
  bungee-cord:
    online-mode: true   # Set true if using BungeeCord
```
```yaml
# config/paper-world-defaults.yml
anticheat:
  anti-xray:
    enabled: true
    engine-mode: 2   # Hides ores from X-rayers
    hidden-blocks:
      - copper_ore
      - deepslate_copper_ore
      - gold_ore
      - deepslate_gold_ore
      - iron_ore
      - deepslate_iron_ore
      - lapis_ore
      - deepslate_lapis_ore
      - diamond_ore
      - deepslate_diamond_ore
      - emerald_ore
      - deepslate_emerald_ore
      - ancient_debris
misc:
  disable-relative-projectile-velocity: true   # Prevents some exploits
```
Disable Dangerous Commands
```yaml
# bukkit.yml
settings:
  allow-end: true
commands:
  # Disable vanilla /op (use LuckPerms instead)
  vanilla-permissions:
    minecraft.command.op: false
    minecraft.command.deop: false
```
DDoS Protection
DDoS attacks overwhelm your server with traffic. You need protection.
Built-in Host Protection (Best Option)
Space-Node includes enterprise DDoS protection:
- Automatic mitigation up to 100 Gbps
- No configuration needed
- Included in all plans (€0.90/GB)
TCPShield (Free for Small Servers)
TCPShield proxies traffic and filters attacks:
Setup:
- Sign up at TCPShield.com
- Add your server IP and domain
- Point your domain's A record to TCPShield's IP
- Install the TCPShield plugin:
```bash
cd plugins
wget https://github.com/TCPShield/RealIP/releases/latest/download/TCPShield.jar
# Restart server
```
- Edit plugins/TCPShield/config.yml:
```yaml
# Only accept connections that arrive through TCPShield, so the backend cannot
# be hit directly by anyone who learns its real IP
only-allow-proxy-connections: true
```
- Check server.properties:
```properties
# server-ip is the local address the server binds to, not a public hostname.
# Leave it empty (or set your machine's own IP); players connect through the
# domain whose DNS record now points at TCPShield.
server-ip=
```
Cloudflare Spectrum (Paid, Enterprise)
For large servers, Cloudflare Spectrum offers unlimited DDoS protection:
- Cost: $250/month minimum
- Protects against massive attacks (multi-terabit)
- Best for 500+ player networks
Backup Strategy
Rule #1: Automate backups. Manual backups don't happen.
Using Cron + rsync (Linux)
```bash
# Create backup script
cat > /opt/minecraft-backup.sh << 'EOF'
#!/bin/bash
set -u
BACKUP_DIR="/backups/minecraft"
SERVER_DIR="/path/to/minecraft/server"
DATE=$(date +%Y%m%d-%H%M%S)

# Create backup directory
mkdir -p "$BACKUP_DIR"

# Send console commands through the screen session named "minecraft"
# (^M is the carriage return that presses Enter)
screen -S minecraft -p 0 -X stuff "say Backup starting...^M"
screen -S minecraft -p 0 -X stuff "save-all^M"
sleep 5
# Pause world saving so chunks are not rewritten while the archive is created
screen -S minecraft -p 0 -X stuff "save-off^M"
sleep 2

# Backup world files
tar -czf "$BACKUP_DIR/world-$DATE.tar.gz" -C "$SERVER_DIR" world world_nether world_the_end
STATUS=$?

# Re-enable saving even if tar failed, and say which it was
screen -S minecraft -p 0 -X stuff "save-on^M"
if [ "$STATUS" -eq 0 ]; then
    screen -S minecraft -p 0 -X stuff "say Backup complete!^M"
else
    screen -S minecraft -p 0 -X stuff "say Backup FAILED, check the console!^M"
fi

# Delete backups older than 7 days
find "$BACKUP_DIR" -name "world-*.tar.gz" -mtime +7 -delete

# Optional: Upload to S3, Backblaze, etc.
# aws s3 cp "$BACKUP_DIR/world-$DATE.tar.gz" s3://my-bucket/
EOF
chmod +x /opt/minecraft-backup.sh

# Add to crontab (backup every 6 hours)
crontab -e
# Add line:
0 */6 * * * /opt/minecraft-backup.sh
```
Using Backup Plugins
WorldGuard + AutoSaveWorld (easiest):
```bash
cd plugins
wget https://dev.bukkit.org/projects/autosaveworld/files/latest -O AutoSaveWorld.jar
# Restart server
```
Config (plugins/AutoSaveWorld/config.yml):
```yaml
save:
  enabled: true
  interval: 900   # 15 minutes
backup:
  enabled: true
  interval: 21600   # 6 hours
  backupstokeep: 20
  worlds:
    - world
    - world_nether
    - world_the_end
  compress: true   # gzip backups
```
Protecting Against Common Exploits
Book & Quill Crash
Malicious books with huge NBT data crash servers.
Fix (Paper):
```yaml
# config/paper-global.yml
book-size:
  page-max: 2560   # Limit page size (bytes per page)
  total-multiplier: 0.98
```
End Crystal Lag Machines
Players spam End Crystals to lag the server.
Fix (Purpur):
```yaml
# purpur.yml
world-settings:
  default:
    gameplay-mechanics:
      player-max-entity-collisions: 8   # Limit collision checks
    mobs:
      enderman:
        ignore-projectiles: true   # Prevent crystal farms
```
Nether Portal Traps
Trap players in portals to kill them unfairly.
Fix: Install BetterPortals or configure spawn protection:
```properties
# server.properties: 16 block radius around spawn (no inline comments after the value)
spawn-protection=16
```
Dupe Glitches
Stay updated! Paper fixes most dupe glitches quickly.
Prevention:
- Update to latest Paper build immediately when new versions drop
- Monitor Paper Discord for exploit announcements
- Use CoreProtect to rollback duped items
Security Audit Checklist
Run through this monthly:
| Check | Status | Notes |
|-------|--------|-------|
| ☐ Server software up-to-date | | Paper/Purpur latest build |
| ☐ All plugins updated | | Check with /version |
| ☐ Java version current | | Should be Java 21+ |
| ☐ Firewall rules correct | | sudo ufw status |
| ☐ Backups working | | Check last backup date |
| ☐ CoreProtect logging | | /co stats |
| ☐ LuckPerms configured | | No vanilla ops |
| ☐ Anti-cheat active | | Check recent flags |
| ☐ DDoS protection enabled | | Test with TCPShield |
| ☐ Strong passwords | | 12+ chars, mixed case |
| ☐ 2FA on admin accounts | | AuthMe + Discord |
| ☐ No unused plugins | | Remove old/inactive |
| ☐ SSH key-only auth | | Disable password login |
| ☐ Non-standard SSH port | | Change from 22 |
Securing SSH Access
Your VPS needs protection too:
Disable Password Authentication
```bash
# Edit SSH config
sudo nano /etc/ssh/sshd_config
# Change these lines (install your key with ssh-copy-id and confirm a key login
# works in a second session before you restart):
PasswordAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
# Check the config syntax, then restart SSH (the unit is named "ssh" on Debian/Ubuntu)
sudo sshd -t
sudo systemctl restart sshd
```
Change SSH Port
```bash
# Edit SSH config
sudo nano /etc/ssh/sshd_config
# Change port (use 1024-65535)
Port 2222
# Update firewall: allow the new port before removing the old rule
sudo ufw allow 2222/tcp
sudo ufw delete allow 22/tcp
# Restart SSH
sudo systemctl restart sshd
```
Install Fail2Ban
Automatically block IPs after failed login attempts:
```bash
# Install
sudo apt install fail2ban -y
# Configure
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local
# Add/modify (port is your SSH port; ban for 3600 seconds after 3 failures):
[sshd]
enabled = true
port = 2222
maxretry = 3
bantime = 3600
# Start
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
# Check bans
sudo fail2ban-client status sshd
```
Incident Response Plan
When you detect a security breach:
Step 1: Stop the Bleeding (5 minutes)
```bash
# If under attack, shut down the server temporarily
screen -S minecraft -X stuff "stop^M"
# Or kick all players
screen -S minecraft -X stuff "kick @a Server maintenance^M"
# Block Minecraft traffic at the firewall. "default deny incoming" alone is not
# enough, because the allow rule for 25565 from the setup still matches first,
# so insert a deny rule ahead of it:
sudo ufw default deny incoming
sudo ufw insert 1 deny 25565/tcp
# When the incident is over, remove the block again:
# sudo ufw delete deny 25565/tcp
```
Step 2: Investigate (30 minutes)
```text
# Check CoreProtect logs
/co lookup time:24h
# Check player IPs
/co lookup user:SuspiciousPlayer
# Check console logs
tail -n 500 logs/latest.log | grep -i "error\|exploit\|hack"
# Check running processes
ps aux | grep java
```
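The `grep` over `logs/latest.log` above only finds what you already think to search for. As an added example (not part of the original guide), the helpers below pull two signals out of a Paper/Spigot log that a keyword search misses: source IPs that logged into several different accounts, which is what alt-account or bot abuse looks like, and any use of privilege-changing console commands. The sample log is constructed here in the standard `[HH:MM:SS] [Server thread/INFO]: Name[/IP:port] logged in ...` shape, using documentation IP ranges, and the IPv4 parsing is an assumption of these helpers.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): triage helpers for the Investigate step.

# Write a constructed sample latest.log to the given path (demonstration data only).
write_sample_log() {
    cat > "$1" <<'EOF'
[10:01:02] [Server thread/INFO]: Alice[/198.51.100.7:51234] logged in with entity id 12 at ([world]10.5, 64.0, -3.2)
[10:03:15] [Server thread/INFO]: Bob[/203.0.113.9:49152] logged in with entity id 13 at ([world]1.0, 70.0, 2.0)
[10:03:40] [Server thread/INFO]: Bob lost connection: Disconnected
[10:04:01] [Server thread/INFO]: Bob_2[/203.0.113.9:49153] logged in with entity id 14 at ([world]1.0, 70.0, 2.0)
[10:04:30] [Server thread/INFO]: Bob_3[/203.0.113.9:49154] logged in with entity id 15 at ([world]1.0, 70.0, 2.0)
[10:05:00] [Server thread/WARN]: Can't keep up! Is the server overloaded? Running 2500ms or 50 ticks behind
[10:06:11] [Server thread/INFO]: Bob_3 issued server command: /op Bob_3
[10:07:00] [Server thread/ERROR]: Exception handling packet for Bob_3
EOF
}

# Print "IP account_count" for every IPv4 address that logged in with at least $2
# distinct account names. Output is sorted so it is stable for scripting.
ips_with_many_accounts() {
    awk -v min="$2" '
        / logged in with entity id / {
            tok = $4                                   # Name[/IP:port]
            name = tok; sub(/\[.*/, "", name)          # strip "[/IP:port]"
            ip = tok; sub(/^[^\/]*\//, "", ip); sub(/:.*/, "", ip)   # keep the IP only
            key = ip SUBSEP name
            if (!(key in seen)) { seen[key] = 1; accounts[ip]++ }
        }
        END { for (ip in accounts) if (accounts[ip] >= min) print ip, accounts[ip] }
    ' "$1" | sort
}

# Print every "issued server command" line that changes privileges or server state.
privileged_commands() {
    grep -E 'issued server command: /(op|deop|lp|luckperms|stop|whitelist|ban|ban-ip|pardon)( |$)' "$1"
}

# Count WARN and ERROR lines; a spike against a normal day is a quick health signal.
count_problems() {
    grep -cE '\[Server thread/(WARN|ERROR)\]' "$1" || true
}
```

Run the helpers against the real file with `ips_with_many_accounts logs/latest.log 3` and `privileged_commands logs/latest.log`; an IP that shows up in the first list and a name from it in the second is the lead to take into `/co lookup`. Note that behind a proxy such as TCPShield or BungeeCord the logged address is only the player's real one when IP forwarding is configured, as the guide's BungeeCord FAQ entry says.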
Step 3: Rollback & Restore (1 hour)
```text
# Rollback grief
/co rollback user:Griefer time:24h radius:global
# Or restore from backup: stop the server first so the restored files are not
# overwritten by the next autosave, and use the real archive name from /backups/minecraft
cd /path/to/server
tar -xzf /backups/minecraft/world-20260122.tar.gz
```
Step 4: Patch & Prevent (2 hours)
- Update server software and all plugins
- Ban offending players (UUID and IP)
- Review and tighten permissions
- Add new security measures
- Document what happened
Step 5: Communicate (30 minutes)
- Announce incident to players (be transparent)
- Explain what was compromised
- Detail prevention steps taken
- Reassure players their data is safe
Advanced Security: Honeypot Servers
Run a fake "admin" account to catch hackers:
```text
# Create fake op account
/lp user FakeAdmin permission set fawe.* true
/lp user FakeAdmin permission set worldedit.* true
# Monitor this account with CoreProtect
# If it does anything suspicious, you caught a hacker
```
Security Myths Debunked
Myth: "Cracked servers can't be secure"
False. With AuthMe and proper configuration, cracked servers can be just as secure. You lose Mojang account verification, but gain control over authentication.
Myth: "Plugins cause security problems"
Mostly false. Outdated or poorly coded plugins can, but modern plugins from reputable developers are safe. Always check reviews and update frequency.
Myth: "DDoS protection is expensive"
False. Many quality hosts include it free (like Space-Node). TCPShield is free for smaller servers. You don't need Cloudflare Spectrum unless you're a huge network.
Myth: "Anti-cheats ban innocent players"
Partially true. Aggressive anti-cheat configs cause false positives. Start with lenient settings and tune gradually. Never auto-ban; always review evidence.
Cost of Security
| Security Component | Cost | Frequency |
|-------------------|------|-----------|
| Firewall (UFW) | Free | One-time |
| CoreProtect | Free | One-time |
| LuckPerms | Free | One-time |
| Matrix Anti-Cheat | Free | One-time |
| Vulcan Anti-Cheat | €15 | One-time |
| AuthMe | Free | One-time |
| DiscordSRV | Free | One-time |
| TCPShield | Free | Monthly |
| Backups (storage) | €2-5/month | Monthly |
| Quality host with DDoS | Included | Monthly |
| Total | €0-20 setup + €0-5/month | - |
Security is cheap. Getting hacked is expensive.
Frequently Asked Questions
Do I really need all these plugins?
Minimum essentials: CoreProtect, LuckPerms, and backups. Everything else is highly recommended but optional based on your server type.
Can I get hacked if I use these steps?
Your risk drops to near-zero. No system is 100% secure, but following this guide puts you ahead of 99% of servers.
What if I'm already compromised?
Restore from backup, change all passwords, update everything, review permissions, and ban the attacker's UUID + IP range.
Is PaperMC more secure than Spigot?
Yes. Paper fixes vanilla security bugs faster and includes anti-xray built-in. Always use Paper over Spigot.
Should I worry about Java exploits?
Keep Java updated to the latest version (Java 21+ for Minecraft 1.20+). Oracle patches security issues quickly.
How do I secure a BungeeCord network?
- Use IP forwarding
- Firewall backend servers to only accept from BungeeCord
- Run anti-bot plugins (AntiVPN, AntiBot)
- Protect BungeeCord with TCPShield
Final Recommendations
Minimum Security (30 minutes):
- Configure firewall
- Install CoreProtect
- Set up automated backups
- Remove vanilla ops, install LuckPerms
Recommended Security (2 hours):
- Everything above
- Install anti-cheat (Matrix or Vulcan)
- Enable DDoS protection (TCPShield or quality host)
- Set up DiscordSRV alerts
- Harden server configs
Maximum Security (4+ hours):
- Everything above
- Implement AuthMe with 2FA
- Custom anti-cheat configs
- Honeypot accounts
- Security audit scripts
- Incident response documentation
Start with minimum, expand to recommended. Maximum security is overkill for most servers.
Need a secure hosting platform out of the box? Space-Node's Minecraft hosting includes DDoS protection, automatic backups, and pre-configured firewalls. Starting at €0.90/GB/month in the Netherlands with 99.9% uptime SLA.