Welcome to this Fast and Easy "Secure your server" Guide for Spigot and BungeeCord!

COMPLETE ALL THESE STEPS TO ENSURE GOOD SECURITY ON YOUR SERVER OR NETWORK!

[BungeeCord] Never use IPWhitelist or OnlyProxyJoin, these plugins can be bypassed

BungeeCord Protection

Don't change your IPs to 127.0.0.1 if you're using RedisBungee! Only follow the Firewall step for RedisBungee Protection!

Remove those plugins if you use them and change your Spigot servers' IP to "127.0.0.1". Binding to 127.0.0.1 means the Spigot servers only accept connections from the same machine, which ensures no one will be able to join remotely to "steal" your accounts without joining your BungeeCord server.

Just change all your sub-servers located in BungeeCord's config.yml like this:

Example config.yml BungeeCord

    servers:
      <name-of-your-spigot-server>:
        address: 127.0.0.1:xxxxx # <- Change xxxxx with the ports of the Spigot Server
        restricted: false

And modify your Spigot servers' server.properties like this:

server.properties

    server-ip=127.0.0.1
    network-compression-threshold=-1

Can't change IP because of Multicraft? Use this!

Multicraft Protection

If you're using Multicraft/Web Panel install this in your Spigot servers, you can use it for more security in Linux too
http://www.spigotmc.org/resources/onlyproxy.13613/

[IMPORTANT] Use a Firewall (Linux Only)

Linux Protection

Without a Firewall you're just letting ANYONE connect to your machine, this is really risky. And if you're using Redis this will protect your Spigot servers from being accessed remotely.
Installing Firewall

Command to install UFW (Uncomplicated Firewall). UFW is an addon for IPTables to make IPTables easier to set up.

    sudo apt-get install ufw

Now I will teach you how I configure UFW myself, this is the best way for me.

Go to /etc/ufw/, open the file before.rules and add the rules you want there.

First of all, add these lines after *filter to use rate limiting:

    *filter
    :ufw-user-limit - [0:0]
    :ufw-user-limit-accept - [0:0]

To open ports you need to add these lines:

    # These lines open port 25565 with rate limiting: a source IP that reaches
    # 10 new connections within 1 second is handed to the ufw-user-limit chain
    -A ufw-before-input -p tcp --dport 25565 -m conntrack --ctstate NEW -m recent --set
    -A ufw-before-input -p tcp --dport 25565 -m conntrack --ctstate NEW -m recent --update --seconds 1 --hitcount 10 -j ufw-user-limit
    -A ufw-before-input -p tcp --dport 25565 -j ufw-user-limit-accept

    # Copy and paste the 25565 lines and replace them with any port to open any other ports you need
    # Increase the hitcount to 20 if you have problems with databases

Run this line in the Linux console to open ssh ports with rate limit (6 connections per 30 secs):

    sudo ufw limit ssh

If you're using RedisBungee run this on the machine that has your Spigot servers. This will allow only your Bungee machine to connect to your Spigot servers:

    sudo ufw allow from <bungee-ip> to any port <port-of-your-spigot-server> proto tcp

After finishing this setup run the following commands:

    sudo ufw enable
    sudo ufw reload

You can block ICMP Packets to prevent ICMP Packet flood/DDoS and pinging from Windows cmd.
Block ICMP Packets

Add this to /etc/ufw/before.rules

    # icmp flood
    -A ufw-before-input -p icmp --icmp-type echo-request -j DROP
    -A ufw-before-input -p icmp -m icmp --icmp-type address-mask-request -j DROP
    -A ufw-before-input -p icmp -m icmp --icmp-type timestamp-request -j DROP
    # Type 8 is echo-request, which the first rule already drops, so in this order the rule below never matches
    -A ufw-before-input -p icmp -m icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT

[BungeeCord/Spigot] Prevent common Exploits and Netty Attacks

Exploit Protection

There are ways to crash your server, "ForceOP", etc... Install these plugins in your Bungee and Spigot servers (if you don't use Bungee install them in your Spigot server):

Spigot/Bungee Plugins

Prevent hackers from stealing your account with the UUID Spoof Exploit and crashing the server with CustomPayload (Jigsaw Crash).
https://www.spigotmc.org/resources/2ls-exploitfixer-advanced-server-anticrash.62842/

And install this only in all your Spigot servers:

Spigot Plugins

Use FAWE, it is a lot more performant than WorldEdit and will fix the WorldEdit Crash exploit
https://www.spigotmc.org/resources/fast-async-worldedit-voxelsniper.13932/

To fix BungeeCord invalid packets exceptions (OutOfBounds, DecoderException, HTTP packets, etc...) use the following BungeeCord fork.

BungeeCord Fork

I forked Travertine and removed unnecessary methods running when invalid packets are sent, use this jar as if it was a normal BungeeCord jar.
https://www.2l-studios.com/flamecord/

[Recommended] Stop Bot Attacks

Install an AntiBot

Best AntiBot that blocks most of known bot bypasses.
https://www.spigotmc.org/resources/2ls-antibot-the-ultimate-anti-bot-plugin.62847/

Test Server IP: play.arkflame.com
Support Discord: http://discord.gg/cjt9bPA

That's all! Now your server is mostly protected!
Please Rate if you liked this guide and comment what you think!
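To confirm that the BungeeCord Protection step took effect, this added example (not part of the original guide) checks that a backend's server.properties binds to 127.0.0.1 and lists any backend port that still listens on a non-loopback address. The function names, the backend ports 25566/25567 and the sample `ss -tln` output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit that Spigot backends are reachable only via loopback.

# Print the server-ip value from a server.properties file (empty if unset).
server_ip_of() {
    sed -n 's/^[[:space:]]*server-ip[[:space:]]*=[[:space:]]*//p' "$1" \
        | tr -d '\r' | tail -n 1
}

# Succeed only when the file binds the backend to 127.0.0.1.
is_loopback_bound() {
    [ "$(server_ip_of "$1")" = "127.0.0.1" ]
}

# Read `ss -tln` output on stdin; print "<port> <address>" for each listener
# on one of the given ports whose local address is not loopback.
exposed_listeners() {
    awk -v ports="$*" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 == "LISTEN" {
            la = $4                          # local address:port column
            port = la; sub(/.*:/, "", port)  # text after the last colon
            addr = substr(la, 1, length(la) - length(port) - 1)
            if (!(port in want)) next
            if (addr == "127.0.0.1" || addr == "[::1]") next
            print port " " addr
        }'
}

# Audit the live machine: audit_live 25566 25567
audit_live() {
    ss -tln | exposed_listeners "$@"
}

# Constructed sample of `ss -tln` output (not captured from a real server):
# 25565 is the proxy, 25566 a correctly bound backend, 25567 an exposed one.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128        127.0.0.1:25566      0.0.0.0:*
LISTEN 0      128          0.0.0.0:25567      0.0.0.0:*
LISTEN 0      128          0.0.0.0:25565      0.0.0.0:*
LISTEN 0      128             [::]:22            [::]:*'

# Demo on the sample; prints: 25567 0.0.0.0
printf '%s\n' "$SAMPLE_SS" | exposed_listeners 25566 25567
```

An empty result from `audit_live` for all your backend ports means none of them is listening on a remotely reachable address; for RedisBungee setups, where the backends cannot use 127.0.0.1, any listed port has to be covered by the `ufw allow from <bungee-ip>` rule instead.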