diff --git a/.astro/astro/content.d.ts b/.astro/astro/content.d.ts index c8d78bd1e9..536a4bd0f4 100644 --- a/.astro/astro/content.d.ts +++ b/.astro/astro/content.d.ts @@ -235,6 +235,13 @@ declare module 'astro:content' { collection: "docs"; data: InferEntrySchema<"docs"> } & { render(): Render[".mdx"] }; +"enhancements/Plugins/Free/MiniMOTD.mdx": { + id: "enhancements/Plugins/Free/MiniMOTD.mdx"; + slug: "e/pl/minimotd"; + body: string; + collection: "docs"; + data: InferEntrySchema<"docs"> +} & { render(): Render[".mdx"] }; "enhancements/Plugins/Free/auctionhouse.mdx": { id: "enhancements/Plugins/Free/auctionhouse.mdx"; slug: "e/pl/auctionhouse"; @@ -277,13 +284,6 @@ declare module 'astro:content' { collection: "docs"; data: InferEntrySchema<"docs"> } & { render(): Render[".mdx"] }; -"enhancements/Plugins/Free/minimotd.mdx": { - id: "enhancements/Plugins/Free/minimotd.mdx"; - slug: "e/pl/minimotd"; - body: string; - collection: "docs"; - data: InferEntrySchema<"docs"> -} & { render(): Render[".mdx"] }; "enhancements/Plugins/Free/playerauctions.mdx": { id: "enhancements/Plugins/Free/playerauctions.mdx"; slug: "e/pl/playerauctions"; 
@@ -760,6 +760,41 @@ declare module 'astro:content' { collection: "docs"; data: InferEntrySchema<"docs"> } & { render(): Render[".mdx"] }; +"security/basicsecurity.mdx": { + id: "security/basicsecurity.mdx"; + slug: "sec/basicsecurity"; + body: string; + collection: "docs"; + data: InferEntrySchema<"docs"> +} & { render(): Render[".mdx"] }; +"security/accesscontrol.mdx": { + id: "security/accesscontrol.mdx"; + slug: "sec/accesscontrol"; + body: string; + collection: "docs"; + data: InferEntrySchema<"docs"> +} & { render(): Render[".mdx"] }; +"security/backups.mdx": { + id: "security/backups.mdx"; + slug: "sec/backups"; + body: string; + collection: "docs"; + data: InferEntrySchema<"docs"> +} & { render(): Render[".mdx"] }; +"security/firewalls.mdx": { + id: "security/firewalls.mdx"; + slug: "sec/firewalls"; + body: string; + collection: "docs"; + data: InferEntrySchema<"docs"> +} & { render(): Render[".mdx"] }; +"security/resources.mdx": { + id: "security/resources.mdx"; + slug: "sec/resources"; + body: string; + collection: "docs"; + data: InferEntrySchema<"docs"> +} & { render(): Render[".mdx"] }; "tools/database.mdx": { id: "tools/database.mdx"; slug: "t/database";
diff --git a/astro.config.mjs b/astro.config.mjs
index 753d311521..82045c7ed1 100644
--- a/astro.config.mjs
+++ b/astro.config.mjs
@@ -51,6 +51,13 @@ export default defineConfig({
 },
 collapsed: true,
 },
+ {
+ label: "Server Security",
+ autogenerate: {
+ directory: "/security/",
+ },
+ collapsed: true,
+ },
 {
 label: "Server Troubleshooting",
 autogenerate: {
diff --git a/src/content/docs/security/accesscontrol.mdx b/src/content/docs/security/accesscontrol.mdx
new file mode 100644
index 0000000000..57c7b18375
--- /dev/null
+++ b/src/content/docs/security/accesscontrol.mdx
@@ -0,0 +1,21 @@
+---
+description: Access Control
+title: Access Control
+slug: sec/accesscontrol
+---
+
+### Access Control and Role-Based Access Control (RBAC)
+
+**Access Control** is a fundamental security concept that ensures only authorized users can access specific resources, systems, or data. By managing access, organizations can prevent unauthorized actions, such as data breaches, accidental deletions, or system compromises.
+
+**Role-Based Access Control (RBAC)** is a specific method of managing access by assigning permissions based on roles within an organization. Instead of giving permissions directly to users, roles are created (e.g., admin, user, guest), and users are assigned to these roles, simplifying permission management.
+
+Be sure to configure your system in a manner that allows those with access only to resources or data they will need for work.
+
+Recommended System Permission Guidelines:
+- System Operator: Full Access
+- System Administrator: Full Access
+- Senior Server Staff: MC Server Start/Stop Access
+- Server Developer: MC Server Files & Start/Stop Access
+
+---
diff --git a/src/content/docs/security/backups.mdx b/src/content/docs/security/backups.mdx
new file mode 100644
index 0000000000..0021fec74e
--- /dev/null
+++ b/src/content/docs/security/backups.mdx
@@ -0,0 +1,44 @@
+---
+description: Backups for your System(s)
+title: Backups
+slug: sec/backups
+---
+
+Backups provide a peace of mind during events where your files become corrupt or if you are attacked by malware/ransomware.
+
+Having a built incident response plan can make or break your ability to overcome issues in production.
+
+---
+
+### Incident Response
+
+**What is *your* first step of recovering your system after a failure?**
+
+This question needs to be answered in detail in an incident response plan. Your plan should cover multiple different types of incidents like a security breach, file corruption, malware removal, and unauthorized access.
+
+If you are unsure of what you would do in any of these scenarios, keep reading.
+
+---
+
+### What to Backup
+
+When configuring backups for your system(s), you need to gather a list of which directories hold your most important data.
+
+For businesses this would be client data, financials, and core services that your clients might use.
+
+In the sense of game servers and game server hosting, you would want to save your databases that addons or plugins might use, as well as information about your panel and the actual game server files.
+
+Having these backed up properly will expedite your ability to come back online when accidents happen.
+
+---
+
+### How to Take Backups
+
+Follow the 3-2-1 rule for backing up your system(s). You should have:
+
+
+There are many storage providers out there and FOSS backup tools you can install and use. We won't get into that here but a quick google search should bring you to where you need to be.
\ No newline at end of file
diff --git a/src/content/docs/security/basicsecurity.mdx b/src/content/docs/security/basicsecurity.mdx
new file mode 100644
index 0000000000..e4fc266299
--- /dev/null
+++ b/src/content/docs/security/basicsecurity.mdx
@@ -0,0 +1,45 @@
+---
+description: Managing Your System(s)
+title: Basic Security
+slug: sec/basicsecurity
+---
+
+### Malicious Actors
+
+As with any public server, your IP is exposed in some way to the public.
+
+Malicious Actors (Hackers) are constantly scanning networks around the world in the hopes to find a vulnerable system they can attack.
+
+Vulnerabilities come in many different shapes and sizes and chances are you may have of heard or seen them in the past.
+
+**Some Examples**
+
+
+
+---
+
+### Strong Passwords
+
+Having a strong password and a secure password storage are both great ways to help safeguard your system(s).
+
+A strong password is the first line of defense against unauthorized access. A weak or commonly used password makes it easy for malicious actors to gain access to your account(s) or system(s).
+
+**Strong Password Guidelines**
+
+
+---
+
+### Security Updates
+
+Software and Security updates often include multiple patches that fix vulnerabilities found either publicly through BugBounties or from the developers.
+
+**Outdated software can leave you exposed to attacks.**
+
+Always update your software when a new release has been sent out. At a minimum, you should be updating your system(s) once a week if updates are available.
diff --git a/src/content/docs/security/firewalls.mdx b/src/content/docs/security/firewalls.mdx
new file mode 100644
index 0000000000..2db20ef9ac
--- /dev/null
+++ b/src/content/docs/security/firewalls.mdx
@@ -0,0 +1,88 @@
+---
+description: Firewalling and Protecting your System(s)
+title: Firewalling
+slug: sec/firewalls
+---
+
+### Server Firewalling
+
+The concept of firewalling is to prohibit access to your system via the network, or allow access to specific services running on the system.
+
+**Why this is important**
+
+*In the case of DDoS attacks, you must have available bandwidth (the attack volume must be lower than your total available bandwidth) to continue operating during the attack.*
+*If you forsee anything larger than 10Gbps attacks (common) and don't have DDoS protection, try getting hardware firewall access or a 3rd party DDoS protection provider.*
+
+Depending on your host, your system has some sort of firewall already installed. If not, your host may offer a firewall panel to access and configure a hardware absed firewall, like a switch or a router.
+
+When configuring your firewall, always remember that the top-most rule is the first that will be run.
+
+For a basic, secure firewall setup on Linux, you could use something like UFW (UncomplicatedFirewall)
+
+For Example:
+`ufw allow 22 # Allows traffic to the default SSH port`
+`ufw allow 25565 # Allows traffic to the default Minecraft port`
+`ufw deny 3306 # Denies all traffic to MySQL/MariaDB`
+
+*You would not want to use these rules in a production setup, this is just an example of using UFW.*
+
+For Windows, you have the option of using "Windows Defender Firewall with Advanced Security"
+This does not follow the traditional rule of top-down routines for firewalls, but it will help you secure your system.
+
+---
+
+### UFW Basics
+
+A basic firewall setup on linux for a Minecraft server running Pterodactyl would look like this:
+`ufw allow from {Your Home IP}` # Allows your home IP to access the server entirely
+`ufw allow from 172.18.0.0/8` # Allows the Pterodactyl Subnet access to the server's services
+`ufw allow from {Your Server IP}` # Allows your server to access itself via the public IP
+`ufw deny 3306` # Denies outside access to your Databases
+`ufw deny 22` # Denies outside access to SSH
+`ufw allow 25565` # Allows outside access to your Minecraft Server
+
+If you wanted to allow a staff member SSH access:
+`ufw allow from {Their IP} to any port 22` # Allows their home IP to access port 22
+
+**Note** - Docker (Used with Pterodactyl and other popular panels) bypasses UFW rules. Docker rules MUST be set in IPTables.
+
+You can find many tutorials online about the use of UFW. If you wanted a more advanced approach with more control, you can look into using IPTables.
+
+---
+
+### ICMP
+
+We're going to take a look into ICMP, a protocol enabled by default on most systems.
+
+ICMP is mainly used for diagnostics and error-reporting in networks. It helps your system send error messages or information about the network it's on. The most common ICMP message is the `ping`.
+
+Malicious Actors can use ICMP to aid with Network Reconnaissance.
+
+
+While it may make full sense to disable ICMP on your network, there are also some implications to this.
+
+**Trade-Offs**
+
+Pros
+
+
+Cons
+
+
+Keep this in mind when setting up your firewall.
diff --git a/src/content/docs/security/resources.mdx b/src/content/docs/security/resources.mdx
new file mode 100644
index 0000000000..3bc48d0e12
--- /dev/null
+++ b/src/content/docs/security/resources.mdx
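Review bot: The rule `ufw allow from 172.18.0.0/8` in the UFW Basics example is much broader than its comment claims: a /8 prefix on 172.18.0.0 is the whole 172.0.0.0/8 range, so every source in 172.x.x.x is admitted to all services, and because this allow sits above `ufw deny 3306` and `ufw deny 22` (top-down evaluation, as the hunk itself stresses earlier) those deny lines never apply to it. If the intent is the Pterodactyl Docker network, which is a /16 by default and should be checked against the reader's wings configuration, the line should read `ufw allow from 172.18.0.0/16` with the existing comment kept. Next to the Note that Docker bypasses UFW, it would help to state that `ufw deny 3306` therefore does not protect a database container whose port Docker publishes, so the database should bind only to the network it needs. The typos `forsee` and `absed` in the first part of this hunk can be fixed in the same pass.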
@@ -0,0 +1,19 @@
+---
+description: Helpful Resources for Security
+title: Resources
+slug: sec/resources
+---
+
+If you are running a large server or have little-to-no experience in Cybersecurity or System Administration, there are a ton of people willing to help you.
+
+For a DIY approach, most tutorials on [DigitalOcean](https://www.digitalocean.com/community/tutorials) should suffice. They go over basic and advanced System Administration techniques to include firewalling, RSA Keys, and other Linux basics.
+
+If you would rather pay experienced System Administrators to manage your system for you on a one-off or recurring basis, you can look at the following:
+***Try to avoid Service Teams. They will hire anyone to do the work, with or without certifications***
+
+| Name | Website | Discord |
+|----------|----------|----------|
+| InfraCharm Inc. | [Link](https://infracharm.com) | [Link](https://infracharm.com) |
+| Jasmeow.Systems | [Link](https://jasmeow.me/jhq) | [Link](https://discord.com/invite/Vs7Pm8UgNK) |
+| CraftSupport | [Link](https://www.craftsupport.net/) | [Link](https://discord.com/invite/SP87wwm6DU) |
+| Rejsik | None | [Link](https://dsc.gg/rsas) |