HytaleTalk – Hytale Servers, Mods & Community Forum

Hytale Server Security & Hardening Guide

BitaceS

ADMIN
Hytaler
Hi Hytaler,

We have been working on some guides over the last few days. Running a Hytale server is fun, but leaving it unsecured can lead to griefing, exploits, crashes, or even full system compromise.

This guide covers the most important security steps every server owner should apply, whether you run a private world or a public community server.



Table of Contents


  1. Run the Server as a Separate User
  2. Keep Java and the Server Updated
  3. Use a Firewall
  4. Limit Open Ports
  5. Enable Automatic Backups
  6. Protect Admin Commands
  7. Use Whitelist for Private Servers
  8. Monitor Server Logs
  9. Use Screen for Stability
  10. DDoS Protection and Network Hardening



1. Run the Server as a Separate User


Never run your game server as root.

Create a dedicated user:

Code:
sudo adduser hytale
sudo su - hytale

If the server process is compromised, the attacker is limited to what the hytale user can access instead of gaining full control of the system.



2. Keep Java and the Server Updated


Outdated software is one of the most common causes of server compromises.

Update your system:

Code:
sudo apt update && sudo apt upgrade -y

Check Java version:

Code:
java --version

Always use the latest official server build.



3. Use a Firewall


Only allow the port your server actually needs.

Hytale default port:

  • UDP 5520

On Ubuntu/Debian:

Code:
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 22/tcp
sudo ufw allow 5520/udp
sudo ufw enable

Check status:

Code:
sudo ufw status



4. Limit Open Ports


Avoid exposing:

  • Unused game ports
  • Database ports
  • Test services

Check open ports:

Code:
sudo ss -tulnp



5. Enable Automatic Backups


Backups protect you from:

  • Griefing
  • Data corruption
  • Plugin crashes
  • Server exploits

Manual backup example:

Code:
tar -czf backup-$(date +%F).tar.gz universe/
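
To make the backup automatic rather than manual, the script below wraps the same tar command with a read-back check and rotation. It is an added example, not part of the original guide; the function name, the backup directory and the retention count of 7 are assumptions, and the paths in the comments are placeholders.

```shell
#!/bin/sh
# Added example: automated, verified, rotating backup of the world data.
# Assumptions: the world lives in "universe/" as in the guide; the backup
# directory and the retention count are illustrative choices.

backup_universe() {
    src=$1; dest=$2; keep=${3:-7}
    [ -d "$src" ] || { echo "no such directory: $src" >&2; return 1; }

    # Keep archives readable only by the server user.
    mkdir -p "$dest" && chmod 700 "$dest" || return 1

    out="$dest/backup-$(date +%F-%H%M%S).tar.gz"
    tmp="$out.partial"

    # Write to a temporary name so an interrupted run never looks complete.
    tar -czf "$tmp" -C "$(dirname "$src")" "$(basename "$src")" \
        || { rm -f "$tmp"; return 1; }

    # Verify the archive can be read back before trusting it.
    tar -tzf "$tmp" >/dev/null || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$out" || return 1

    # Rotation: names sort by timestamp, so drop everything after the newest $keep.
    ls -1 "$dest"/backup-*.tar.gz | sort -r | tail -n +"$((keep + 1))" |
        while IFS= read -r old; do rm -f -- "$old"; done

    printf '%s\n' "$out"
}

# Run only when arguments are given, e.g. from cron (placeholder paths):
#   backup.sh /home/hytale/server/universe /home/hytale/backups 7
if [ -n "${1:-}" ]; then backup_universe "$@"; fi
```

Scheduled from the hytale user's crontab, this keeps the newest 7 archives; copying them to a second machine protects against loss of the server itself.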



6. Protect Admin Commands


Never give admin rights to untrusted players.

Best practices:

  • Use strong admin passwords
  • Limit operator access
  • Review permission files regularly



7. Use Whitelist for Private Servers


If your server is for testing or friends only, enable a whitelist.

This prevents random players from joining.



8. Monitor Server Logs


Logs help detect:

  • Crash causes
  • Suspicious commands
  • Exploit attempts
  • Connection spam

View logs:

Code:
tail -f logs/latest.log



9. Use Screen for Stability


Never run the server directly in your SSH session: if the connection drops, the server process stops with it.

Install screen:

Code:
sudo apt install screen -y

Start a session:

Code:
screen -S hytale

Start server:

Code:
java -XX:AOTCache=HytaleServer.aot -jar HytaleServer.jar --assets Assets.zip

Detach:

Code:
CTRL + A, then D

Return later:

Code:
screen -r hytale



10. DDoS Protection and Network Hardening


Game servers are frequent targets of UDP floods or connection spam.
While software cannot stop large attacks alone, you can reduce the impact significantly.

A) Use Proper Hosting


The most important protection:

  • Use a VPS or dedicated server with DDoS protection
  • Avoid hosting from home
  • Choose providers with network-level filtering

Most serious attacks must be filtered by your host.



B) Only Open Required Ports


For most setups:

  • UDP 5520 → Hytale server
  • TCP 22 → SSH

Everything else should stay closed.
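
The port list above and the `ss` check from section 4 can be combined into a repeatable audit. The following is an added example, not part of the original guide: it reads `ss -tulnH` output and prints every listener that is reachable from outside and not on the allowlist. The function name and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag listening sockets that are not on the allowlist.
# $1 is a space-separated allowlist such as "tcp/22 udp/5520".
# Input on stdin is the output of `ss -tulnH` (header-less listener list).
unexpected_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "tcp" || $1 == "udp" {
            addr = $5; port = $5
            sub(/:[^:]*$/, "", addr)    # strip the trailing ":port"
            sub(/^.*:/, "", port)       # keep the text after the last colon
            # Loopback-only listeners are not reachable from the network.
            if (addr ~ /^127\./ || addr == "[::1]") next
            key = $1 "/" port
            if (!(key in ok)) print key, addr
        }'
}

# Constructed sample of `ss -tulnH` output (not captured from a real server).
SAMPLE_SS='udp UNCONN 0 0 0.0.0.0:5520 0.0.0.0:* users:(("java",pid=1234,fd=45))
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=800,fd=3))
tcp LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=800,fd=4))
tcp LISTEN 0 151 0.0.0.0:3306 0.0.0.0:* users:(("mysqld",pid=900,fd=22))
tcp LISTEN 0 511 127.0.0.1:6379 0.0.0.0:* users:(("redis-server",pid=910,fd=6))
udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
tcp LISTEN 0 511 0.0.0.0:8080 0.0.0.0:* users:(("node",pid=950,fd=19))'

# Against the sample, the exposed database and test service are reported.
printf '%s\n' "$SAMPLE_SS" | unexpected_listeners "tcp/22 udp/5520"

# On a live server:
#   sudo ss -tulnH | unexpected_listeners "tcp/22 udp/5520"
```

Any line it prints is a service to stop, bind to 127.0.0.1, or deliberately add to the firewall rules and the allowlist.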



C) Basic Network Hardening (Linux sysctl)


Create a config file:

Code:
sudo nano /etc/sysctl.d/99-hytale-hardening.conf

Paste:

Code:
net.ipv4.tcp_syncookies = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.core.somaxconn = 4096
net.core.netdev_max_backlog = 16384

Apply:

Code:
sudo sysctl --system
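
To confirm the settings are actually live after `sysctl --system` (a file loaded later can set the same key to a different value), this added example, which is not part of the original guide, compares the config file with the running kernel values. The function names and the optional second argument, an alternate root directory used for the constructed demo, are assumptions of this example.

```shell
#!/bin/sh
# Added example: report sysctl keys whose live value differs from the config.
# $1 = config file, $2 = root of the sysctl tree (defaults to /proc/sys).
sysctl_drift() {
    conf=$1; root=${2:-/proc/sys}; rc=0
    while IFS='=' read -r key want || [ -n "$key" ]; do
        key=$(printf '%s' "$key" | tr -d '[:space:]')
        want=$(printf '%s' "$want" | tr -d '[:space:]')
        case $key in ''|'#'*|';'*) continue ;; esac   # skip blanks and comments
        # net.ipv4.tcp_syncookies -> $root/net/ipv4/tcp_syncookies
        path=$root/$(printf '%s' "$key" | tr . /)
        if [ -r "$path" ]; then
            have=$(tr -d '[:space:]' < "$path")
        else
            have=missing
        fi
        [ "$have" = "$want" ] || { echo "$key want=$want have=$have"; rc=1; }
    done < "$conf"
    return $rc
}

# Constructed demo: a fake sysctl tree in which rp_filter was overridden.
demo_drift() {
    d=$(mktemp -d)
    mkdir -p "$d/sys/net/ipv4/conf/all"
    printf '%s\n' '# constructed sample' 'net.ipv4.tcp_syncookies = 1' \
        'net.ipv4.conf.all.rp_filter = 1' > "$d/sample.conf"
    echo 1 > "$d/sys/net/ipv4/tcp_syncookies"
    echo 0 > "$d/sys/net/ipv4/conf/all/rp_filter"
    sysctl_drift "$d/sample.conf" "$d/sys"; rc=$?
    rm -rf "$d"
    return $rc
}
demo_drift || true

# On a live server:
#   sysctl_drift /etc/sysctl.d/99-hytale-hardening.conf
```

An empty result with exit status 0 means every key in the file matches the running kernel.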



D) Protect SSH from Login Floods (Fail2ban)


Install:

Code:
sudo apt install fail2ban -y
sudo systemctl enable --now fail2ban

Create config:

Code:
sudo nano /etc/fail2ban/jail.d/sshd.local

Paste:

Code:
[sshd]
enabled = true
maxretry = 5
findtime = 10m
bantime = 6h

Restart:

Code:
sudo systemctl restart fail2ban



E) What to Do During a DDoS Attack


If you notice:

  • Huge lag spikes
  • Server not responding
  • Massive connection counts
  • High bandwidth usage

Do this:

  1. Check traffic and connections
  2. Contact your hosting provider
  3. Provide logs or a packet capture if requested

Many hosts can apply custom filters if you give them sample attack data.



F) How to Create a Traffic Capture for Your Host


A packet capture helps your provider identify the attack pattern and apply filters.

Install tcpdump:

Code:
sudo apt install tcpdump -y

Start a capture on the Hytale port:

Code:
sudo tcpdump -i any udp port 5520 -w hytale-attack.pcap

Let it run for about 30–60 seconds during the attack, then stop it with:

Code:
CTRL + C

You will get a file like:

Code:
hytale-attack.pcap

Send this file to your host’s support team.

This helps them:

  • Identify attack patterns
  • Create custom filters
  • Block malicious traffic faster



Final Checklist


Before opening your server to the public:

  • Server runs under its own user
  • Firewall enabled
  • Only the required ports open (UDP 5520, plus TCP 22 for SSH)
  • Backups enabled
  • Fail2ban active
  • Server running inside screen

If these are in place, your server is already far more secure than most early setups.



Disclaimer


This guide is provided for general security hardening and educational purposes only.
Every server environment is different, and these settings may need adjustments depending on your hosting provider, player count, and network setup.

We are not responsible for any data loss, downtime, or configuration issues caused by applying the steps in this guide.

Always:

  • Create backups before changing system settings
  • Test configurations on a staging server if possible
  • Consult your hosting provider for network-level protection



If you have additional tips or experience with attacks, share them below to help other server owners.
 