Securing Your Servers
It is vital that you secure your backend servers. As part of setting up Velocity, you will put your server into offline mode, which means in theory, someone could impersonate any player on your server. This is extremely dangerous, so it is important to make sure only the proxy can connect to your servers.
This guide will explore the various options for securing your backend servers so only your proxy can connect to them. Note that this is an exploration of options, aiming to review the various options and give you advantages and disadvantages to them, so you can make an informed decision.
This list is not in any particular order, and almost all of these methods can be combined as needed.
Operating system firewalls
When properly configured, using the firewall facilities provided by your server's operating system is a highly effective way to protect your servers. The Velocity project strongly recommends the use of a firewall.
Instructions for your operating system may vary. Solutions for major server OSes include:
- Windows: Windows Firewall
- Linux: iptables, nftables
Advantages:
- Fool-proof if you do not give untrusted servers access to your servers
- Does not require any extra Minecraft server configuration
- Part of good system hardening advice for any operating system
Disadvantages:
- Tricky first-time setup
- May be difficult to use with multiple proxies
- Firewall configuration must be kept in sync with new servers and proxies
- Not viable on a shared host
Velocity modern forwarding
If your server only supports Minecraft 1.13 and above, Velocity's modern forwarding can forward player information to your servers and provide a second layer of protection against someone trying to impersonate as your proxy.
Velocity modern forwarding is not a replacement for a firewall. We strongly recommend using a firewall with any Minecraft proxy setup.
Advantages:
- Get player info forwarding for free
- Secure on a shared host, provided the host has implemented proper protections
- Works if you host your server on multiple physical servers
Disadvantages:
- Only works for Minecraft 1.13 and above
- Requires Paper 1.13 or above, or FabricProxy-Lite if you use Fabric
- Relies on the forwarding secret being kept secret
Binding to localhost
If you are hosting your proxy on the same physical computer as your other servers (and nobody else
is hosting servers on them), binding your servers to localhost is a very simple way of protecting
them from getting connected to by anything other than the proxy.
For each server, open the server.properties file. Find the line that starts with server-ip and
change the line to server-ip=127.0.0.1. Save the file and restart the server.
Afterwards, open your velocity.toml file and ensure all the servers are pointing to
127.0.0.1:<port>.
Advantages:
- Trivial setup compared to other methods discussed
- Fool-proof if you do not give untrusted users access to your server
Disadvantages:
- Setup must be reversed (and an alternate method used) if you move any of the servers to a different physical server ( such that the proxy and the server are not on the same physical server)
- Not viable on a shared host
Using an encrypted tunnel
This is a variation of binding to localhost, but instead of hosting all your servers on a single
physical server, you will set up an encrypted tunnel between each of your servers, and make sure the
server only listens for incoming connections from the tunnel. There are many different solutions,
ranging from VPN solutions such as WireGuard,
OpenVPN, and tinc to encrypted tunnels such as
spiped. This guide will not go into details of how to set up
each of these solutions.
Advantages:
- Encrypts traffic between your proxy and your servers while ensuring only authorized clients can connect to your servers
Disadvantages:
- Very complex setup
- Impossible to use on a shared host
IP whitelisting plugins
As a last line of defense, you can choose to restrict logins to users on an IP whitelist using a plugin like IPWhitelist.
Advantages:
- May be your only solution if none of the other solutions will work (especially on a shared host)
Disadvantages:
- Vulnerable to attack if the attacker can get a server on the same node as your proxy is on
Other important security advice
This common-sense general advice goes without saying:
- Keep frequent backups of your server
- Set up a firewall on your server
- Run your servers as an unprivileged user (this means no sudoaccess or running asrootfor Linux users!)
- Update Velocity, your Minecraft server and server plugins, and your server's operating system frequently
- Use strong passwords
- Carefully think about the potential impacts of installing any plugins or software before actually doing so
- Secure any and all other services you may be running on your server
- Follow all system hardening advice for your operating system
We will not provide a full treatment to the advice given above, so please do some research of your own. Your setup will vary - there is no "one size fits all" advice we can give other than these general guidelines.