This guide is meant to be a fast and easy guide for non-programmers to protect their servers and understand the basics of how exploits work.

Don't use plugins for Firewalling

People tend to use plugins such as IPWhitelist, OnlyProxyJoin, etc. for firewalling when hosting a BungeeCord network. These plugins aren't really safe because they do not completely deny connections to your server, and in the worst cases they can be bypassed (by forwarding a null address), letting exploiters UUIDSpoof you by forwarding a selected UUID to Spigot. (ex: A player called "haxxor" changes his UUID to yours to get your permissions.)

[Forwarding invalid addresses/UUIDs to Spigot can only be done if Spigot has bungeecord: true, which is a necessary setting for BungeeCord networks.]

A real solution is to install a firewall on your server; you need a Linux system for this. You can use IPTables or UFW. (I personally recommend UFW because it makes managing IPTables easier for beginners.) (For servers with multiple machines you would need to make a special ruleset to only allow access from your machines.)

Or set your Spigot servers' addresses to 127.0.0.1 so only your BungeeCord that is on the same machine can access them.

If for some reason you can't use these methods, keep using plugins for firewalling, but this is not recommended.

A little Firewalling tutorial for UFW

I'm going to give you some tips for UFW, as it's my personal selection. (You can replicate this for IPTables with different procedures.)

Command to install UFW (Uncomplicated Firewall):

    sudo apt-get install ufw

Go to /etc/ufw/, open the file before.rules and add the following rules.

Add these lines after *filter to use rate limiting.

Code (Text):
    *filter
    :ufw-user-limit - [0:0]
    :ufw-user-limit-accept - [0:0]

Add these lines to open your 25565 port, rate limited to 10 connections in 1 second. (You can modify this as you like.) Feel free to add as many ports as you want to open.
Code (Text):
    -A ufw-before-input -p tcp --dport 25565 -m conntrack --ctstate NEW -m recent --set
    -A ufw-before-input -p tcp --dport 25565 -m conntrack --ctstate NEW -m recent --update --seconds 1 --hitcount 10 -j ufw-user-limit
    -A ufw-before-input -p tcp --dport 25565 -j ufw-user-limit-accept

Run this command in the Linux console to open the SSH port, limited to 6 connections in 30 seconds:

    sudo ufw limit ssh

If you're using RedisBungee, run the following command to allow only your BungeeCord machines to connect to your servers:

    sudo ufw allow from <bungee-ip> to any port <port-of-your-spigot-server> proto tcp

After finishing this setup, run the following commands:

    sudo ufw enable
    sudo ufw reload

You can block ICMP packets to prevent an ICMP packet flood (for example pinging from the Windows cmd, which sometimes causes lag). Add these lines to /etc/ufw/before.rules:

Code (Text):
    # icmp flood
    # Place these above the default "ok icmp codes for INPUT" rules in before.rules,
    # which ACCEPT echo-request; rules are matched in order.
    -A ufw-before-input -p icmp --icmp-type echo-request -j DROP
    -A ufw-before-input -p icmp -m icmp --icmp-type address-mask-request -j DROP
    -A ufw-before-input -p icmp -m icmp --icmp-type timestamp-request -j DROP
    # Type 8 is echo-request: with the DROP above, this rate-limited ACCEPT is never reached.
    -A ufw-before-input -p icmp -m icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT

Preventing Crashes and other Exploits

Crashes have multiple causes. I recommend ExploitFixer and FlameCord for protection because I developed them and I personally think that they are the best free option for exploit fixing at the moment.

ExploitFixer protects you from the following exploits:

· CustomPayload packets with big book data, used to overload the server and lag it.
· UUIDSpoof, which is used on non-firewalled servers with bungeecord: true by connecting to a Spigot instance and forwarding an invalid UUID/address.
· NullAddress, an exploit used to bypass IPWhitelist by forwarding an invalid address and making it return a server error.
· Commands that some plugins have and that can crash your server are blocked by ExploitFixer.
· Items are remade by ExploitFixer to prevent invalid hacked creative items. (Players in creative mode can create any kind of item by sending a packet.)
· Packets that meet certain conditions (ex: sending big book data) will be blocked by the server to prevent lagging your network. (ExploitFixer protects you from every possible packet sent by players.)
· Signs created by hacked clients that have extra lines to crash your server.

Netty is the API used by BungeeCord to establish connections with players. Netty exploits are exploits that lag the Netty threads to make BungeeCord stop accepting connections. (ex: generating exceptions to prevent the connection from closing until timeout)

FlameCord simply fixes Netty exploits by following these procedures:

· Flush() before closing a connection. (Closing them normally seems to keep the connection instead of closing it.)
· Close on invalid request. (If an invalid request is made, FlameCord closes the connection.)
· Close on exception. (If an exception occurs because invalid data is sent, FlameCord will close the connection.)

Preventing Bot Attacks

To prevent bot attacks I personally recommend using this plugin.

My Server IP: play.arkflame.com
2LSpigot Discord: https://discord.gg/cjt9bPA

Did I forget something? Let me know in the thread comments!

DISCLAIMER: I am the developer of ExploitFixer, FlameCord and AntiBot. My intention in promoting them is to give you the best protection plugins available for free at the time.
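
A quick way to check the bungeecord: true / 127.0.0.1 advice from the firewalling section on your own machine, as an added example (not part of the original guide and not ExploitFixer or FlameCord code). It reads `bungeecord:` from spigot.yml and `server-ip=` from server.properties; the helper names, the sample directories and the port value are made up for the demo.

```shell
#!/bin/sh
# Added example: flag Spigot backends that trust BungeeCord-forwarded UUIDs/addresses
# while listening on an interface other players can reach directly.

# Value of `bungeecord:` in spigot.yml, lower-cased; "false" if the file or key is missing.
bungee_mode() {
    [ -f "$1" ] || { echo false; return; }
    awk '/^[ \t]*bungeecord:/ { v = tolower($2); gsub(/[^a-z]/, "", v); print v; f = 1; exit }
         END { if (!f) print "false" }' "$1"
}

# Value of `server-ip=` in server.properties; empty means "listen on every interface".
server_ip() {
    [ -f "$1" ] || return 0
    sed -n 's/^server-ip=[[:space:]]*\([^[:space:]]*\).*$/\1/p' "$1" | tail -n 1
}

# Prints a verdict line; exit status 0 = fine, 1 = needs a firewall rule, 2 = exposed.
audit_spigot() {
    mode=$(bungee_mode "$1/spigot.yml")
    ip=$(server_ip "$1/server.properties")
    if [ "$mode" != "true" ]; then
        echo "OK: bungeecord forwarding is off, forwarded UUIDs are ignored"
        return 0
    fi
    case "$ip" in
        127.*|::1) echo "OK: bungeecord: true, bound to loopback ($ip)"; return 0 ;;
        ""|0.0.0.0|::) echo "EXPOSED: bungeecord: true and listening on all interfaces"; return 2 ;;
        *) echo "CHECK: bungeecord: true on $ip, allow only the proxy IP in ufw"; return 1 ;;
    esac
}

# Constructed sample directory for the demo: writes the two files with the given values.
make_sample() {
    mkdir -p "$1"
    printf 'settings:\n  bungeecord: %s\n' "$2" > "$1/spigot.yml"
    printf 'server-port=25566\nserver-ip=%s\n' "$3" > "$1/server.properties"
}

tmp=$(mktemp -d)
make_sample "$tmp/lobby" true ""
make_sample "$tmp/survival" true 127.0.0.1
for d in "$tmp"/*; do
    printf '%s -> ' "${d##*/}"; audit_spigot "$d" || true
done
rm -rf "$tmp"
```

To use it on a real server, call audit_spigot with the path of each Spigot server folder. A CHECK result is fine only if a ufw rule restricts that port to your BungeeCord machines.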