Minecraft exploits and how to fix them

This page explains how to prevent certain exploits in order to protect your server.

Preface

This guide assumes you are running Purpur. Some settings this guide relies on are not available in Paper or Spigot. Similar exploits may exist on vanilla, Fabric or Forge servers; there you will have to find mods that fix them.

The most important thing

Keep your server software up to date. Exploits are regularly fixed in newer versions, even when the fix is not announced. If you run a server, run the latest version possible to avoid critical vulnerabilities.

Exploits

Armor stand lag machines

Armor stands can be used to build lag machines: huge numbers of armor stands are placed and forced to move with water, pistons or other means. Disabling armor stand ticking and collision entity lookups fixes this. The trade-off is that armor stands can then no longer be pushed or pulled at all, not even by gravity, so builds that rely on moving armor stands will stop working.

paper-world-defaults.yml

Book exploits

Books are a common target for exploitation and have been used for all sorts of nasty things in the past, including duplication exploits, crash exploits, and making servers run out of memory by producing massive amounts of chunk data.

Option 1

Moderately reducing page-max (Paper's per-page size limit for written books, measured in bytes) mitigates most book exploits without affecting vanilla clients. The vanilla client already caps a page at 1024 characters, so a limit of 1024 only bites when a page is filled with multi-byte (non-ASCII) characters.

paper-global.yml

Option 2

Disabling books completely prevents most book exploits (as long as plugins don't create non-standard books). The Pufferfish option enable-books: false stops players from writing to books, which rules out anything that requires player input to work.

pufferfish.yml

Collision lag machines

This exploit is similar to the armor stand one, but uses entities that can be pushed by other entities. The fix is a smaller limit on how many entities may collide with a single entity. Setting max-entity-collisions to 2 keeps fairly natural behaviour; 0 disables entity collisions completely. The related fix-climbing-bypassing-cramming-rule option stops climbing entities from bypassing the cramming rule; it is disabled by default, so enable it as well.

paper-world-defaults.yml

Command suggestion packet spam

Some commands have expensive logic behind their command suggestions (tab completion). An attacker can exploit this by sending large numbers of packets that ask the server for suggestions for such a command. Mitigate it with a packet limit for command suggestion packets set just above the rate a fast typist produces, so normal players are not affected; with the DROP action the limiter silently discards packets over the threshold instead of kicking the player.

paper-global.yml

Command spam

Spigot already protects against plain command spam, but it excludes one command from that protection by default, which leaves that single command usable for spamming. To fix this, remove /skill from the spam-exclusions list in spigot.yml. If a plugin on your server legitimately needs /skill to be sent faster than the spam threshold, it will now be rate-limited like every other command.

spigot.yml

Join spam

Sometimes the sheer number of players joining can make the server lag out. This is especially true during bot attacks and in the moments after a restart. Fix it by setting a maximum number of joins per tick: joins beyond the limit are delayed so the server can tick properly between handling them. If joins still overwhelm the server, enable max-joins-per-second in purpur.yml, which makes the value from the Paper config apply per second instead of per tick.

paper-global.yml

purpur.yml

Neighbor update lag machines

max-chained-neighbor-updates in server.properties limits the number of consecutive neighbor updates before additional ones are skipped. Moderately reducing this value (the vanilla default is 1000000) has no game impact and helps alleviate various 'neighbor update lag machines'.

server.properties

Projectile suspension

Projectiles can be suspended in bubble columns indefinitely, and they can be transported into unloaded chunks en masse. When someone loads a chunk holding a pile of such projectiles, the server can crash from loading too many entities at once. Stop this by limiting how long projectiles may exist in the world (Pufferfish entity_timeouts, in ticks; 200 ticks is 10 seconds) and how many of them are saved and loaded with a chunk (Paper entity-per-chunk-save-limit). Note that a timeout on ender pearls also breaks ender pearl suspension contraptions, including the stasis chambers some players build legitimately.

paper-world-defaults.yml

pufferfish.yml

Recipe book spam

Malicious players can use an auto clicker or a mod to switch between recipe book recipes extremely quickly. This is a fairly expensive operation for the server and can cause huge slowdowns. The default Paper config already contains a limit for this packet, but older configs might not have it, so make sure it's there.

paper-global.yml

Treasure search

When a new treasure map is generated, usually via a cartographer villager trade or by opening a chest that contains one, the server searches for the treasure the map should lead to. In most cases this search loads, and possibly generates, a lot of chunks, and it can halt the server long enough for the watchdog to kill it. Feeding fish to dolphins triggers the same kind of search.

Option 1

The recommended and fully effective fix is to disable treasure maps and dolphin treasure searching.

paper-world-defaults.yml

purpur.yml

Option 2

Alternatively, keep maps enabled but set up a vanilla world border and make sure the world is pregenerated inside it. Then allow already discovered treasures to count as valid search results, which keeps the treasure search from loading chunks that have not been generated yet.

paper-world-defaults.yml

In short: the exploits above are handled by limiting entity interactions, rate-limiting packets, and controlling chunk loading (as with treasure searches), and by keeping the server software up to date so newly found exploits are patched. Weigh each setting against the gameplay feature it removes.

Configuration reference

The settings referenced in the sections above, grouped by exploit and file.

Armor stand lag machines, paper-world-defaults.yml:

```yaml
entities:
  armor-stands:
    do-collision-entity-lookups: false
    tick: false
```

Book exploits, option 1, paper-global.yml:

```yaml
item-validation:
  book-size:
    page-max: 1024
```

Book exploits, option 2, pufferfish.yml:

```yaml
enable-books: false
```

Collision lag machines, paper-world-defaults.yml:

```yaml
collisions:
  max-entity-collisions: 2
  fix-climbing-bypassing-cramming-rule: true
```

Command suggestion packet spam, paper-global.yml:

```yaml
packet-limiter:
  overrides:
    ServerboundCommandSuggestionPacket:
      action: DROP
      interval: 1.0
      max-packet-rate: 15.0
```

Command spam, spigot.yml:

```yaml
commands:
  spam-exclusions: []
```

Join spam, paper-global.yml:

```yaml
misc:
  max-joins-per-tick: 3
```

Join spam, purpur.yml:

```yaml
settings:
  network:
    max-joins-per-second: true
```

Neighbor update lag machines, server.properties:

```properties
max-chained-neighbor-updates=10000
```

Projectile suspension, paper-world-defaults.yml:

```yaml
chunks:
  entity-per-chunk-save-limit:
    arrow: 8
    ender_pearl: 8
    experience_orb: 8
    fireball: 8
    small_fireball: 8
    snowball: 8
```

Projectile suspension, pufferfish.yml (values in ticks):

```yaml
entity_timeouts:
  ARROW: 200
  EGG: 200
  ENDER_PEARL: 200
  SNOWBALL: 200
```

Recipe book spam, paper-global.yml:

```yaml
packet-limiter:
  overrides:
    ServerboundPlaceRecipePacket:
      action: DROP
      interval: 4.0
      max-packet-rate: 5.0
```

Treasure search, option 1, paper-world-defaults.yml:

```yaml
environment:
  treasure-maps:
    enabled: false
```

Treasure search, option 1, purpur.yml:

```yaml
world-settings:
  default:
    mobs:
      dolphin:
        disable-treasure-searching: true
```

Treasure search, option 2, paper-world-defaults.yml (the find-already-discovered keys live under environment.treasure-maps):

```yaml
environment:
  treasure-maps:
    find-already-discovered:
      loot-tables: true
      villager-trade: true
```
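Checking all of the above by hand across five files is error-prone, so here is a small audit script that reads a server's config files and reports which of the settings from this page are still at a weak value. This is an added example, not code from the HidenCloud page or from Paper, Purpur or Pufferfish. It parses only the YAML subset these configs actually use (block mappings, scalars, `[]` and `- item` lists) with the standard library, so it needs no PyYAML; the file names and key paths are the real ones from the sections above, while the sample configs embedded at the bottom are constructed for the demonstration and do not come from any real server.

```python
"""Audit Paper/Purpur/Pufferfish config files against the hardening values above.
Added example, not code from the HidenCloud page or any server project.  Reads the
YAML subset these files use (block mappings, scalars, `[]`, `- item`) with the standard
library; anchors and flow mappings are out of scope.  Sample configs are constructed."""
from pathlib import Path

def scalar(s):
    """YAML/properties scalar -> bool, int, float, [] or str."""
    s = s.strip()
    if s == "[]":
        return []
    if s in ("true", "false"):
        return s == "true"
    for conv in (int, float):
        try:
            return conv(s)
        except ValueError:
            pass
    return s.strip("'\"")

def load_yaml_subset(text):
    """Indentation-driven reader for the block-mapping subset used by these configs."""
    root = {}
    stack = [(-1, root, None, None)]  # (indent of the owning key, container, parent, key)
    for raw in text.splitlines():
        line = "" if raw.lstrip().startswith("#") else raw.split(" #", 1)[0].rstrip()
        if not line.strip():
            continue
        indent, body = len(line) - len(line.lstrip(" ")), line.strip()
        is_item = body.startswith("- ")
        # a `- item` may sit at the same indent as its key; a nested key must be deeper
        while (indent < stack[-1][0]) if is_item else (indent <= stack[-1][0]):
            stack.pop()
        owner, container, parent, key = stack[-1]
        if is_item:
            if isinstance(container, dict) and not container and parent is not None:
                container = parent[key] = []  # key had no inline value: it is a list
                stack[-1] = (owner, container, parent, key)
            container.append(scalar(body[2:]))
            continue
        k, _, v = body.partition(":")
        if v.strip():
            container[k.strip()] = scalar(v)
        else:
            child = container[k.strip()] = {}
            stack.append((indent, child, container, k.strip()))
    return root

def load_properties(text):  # server.properties: key=value lines, `#` comments
    return {k.strip(): scalar(v) for k, sep, v in map(lambda l: l.partition("="), text.splitlines()) if sep and not k.startswith("#")}

def get(tree, path):  # dotted-path lookup; None when any part is missing
    for part in path.split("."):
        tree = tree.get(part) if isinstance(tree, dict) else None
    return tree

def rate_limited(max_rate):  # override exists, drops, and allows at most max_rate packets per interval
    return lambda o: isinstance(o, dict) and o.get("action") == "DROP" and type(o.get("max-packet-rate")) in (int, float) and o["max-packet-rate"] <= max_rate

def treasure_safe(v):  # option 1 (maps disabled) or option 2 (both find-already-discovered flags on)
    found = v.get("find-already-discovered") if isinstance(v, dict) else None
    return isinstance(v, dict) and (v.get("enabled") is False or isinstance(found, dict)
                                    and found.get("loot-tables") is True and found.get("villager-trade") is True)

def at_most(n):
    return lambda v: type(v) is int and v <= n  # type() keeps bools from passing as ints

RULES = [  # (file, dotted key path, predicate, requirement shown in the report)
    ("paper-world-defaults.yml", "entities.armor-stands.tick", lambda v: v is False, "false"),
    ("paper-global.yml", "item-validation.book-size.page-max", at_most(1024), "<= 1024"),
    ("paper-world-defaults.yml", "collisions.max-entity-collisions", at_most(2), "<= 2"),
    ("paper-world-defaults.yml", "collisions.fix-climbing-bypassing-cramming-rule", lambda v: v is True, "true"),
    ("paper-global.yml", "packet-limiter.overrides.ServerboundCommandSuggestionPacket", rate_limited(15), "DROP, rate <= 15"),
    ("paper-global.yml", "packet-limiter.overrides.ServerboundPlaceRecipePacket", rate_limited(5), "DROP, rate <= 5"),
    ("spigot.yml", "commands.spam-exclusions", lambda v: isinstance(v, list) and "/skill" not in v, "list without /skill"),
    ("paper-global.yml", "misc.max-joins-per-tick", at_most(3), "<= 3"),
    ("server.properties", "max-chained-neighbor-updates", at_most(10000), "<= 10000"),
    ("pufferfish.yml", "entity_timeouts.ENDER_PEARL", lambda v: type(v) is int and 0 < v <= 200, "1..200 ticks"),
    ("paper-world-defaults.yml", "environment.treasure-maps", treasure_safe, "disabled, or both find-already-discovered true"),
]

def audit(files):
    """files maps config file name -> text.  Returns {(file, path): (status, value, want)}."""
    trees = {n: (load_properties if n.endswith(".properties") else load_yaml_subset)(t) for n, t in files.items()}
    report = {}
    for fname, path, ok, want in RULES:
        value = get(trees.get(fname, {}), path)
        report[(fname, path)] = ("MISSING" if value is None else "OK" if ok(value) else "WEAK", value, want)
    return report

# Constructed sample resembling an un-hardened server (not taken from any real server).
SAMPLE_WEAK = {
    "paper-world-defaults.yml": "entities:\n  armor-stands:\n    tick: true\ncollisions:\n  max-entity-collisions: 8\n"
    "  fix-climbing-bypassing-cramming-rule: false\nenvironment:\n  treasure-maps:\n    enabled: true\n"
    "    find-already-discovered:\n      loot-tables: false\n      villager-trade: false\n",
    "paper-global.yml": "item-validation:\n  book-size:\n    page-max: 2560\nmisc:\n  max-joins-per-tick: 5\npacket-limiter:\n"
    "  overrides:\n    ServerboundPlaceRecipePacket:\n      action: DROP\n      interval: 4.0\n      max-packet-rate: 5.0\n",
    "spigot.yml": "commands:\n  spam-exclusions:\n  - /skill\n",
    "server.properties": "# Minecraft server properties\nmax-chained-neighbor-updates=1000000\n",
}

if __name__ == "__main__":  # usage: python audit_configs.py [server root]; without an argument the sample is audited
    import sys
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    files = {f: (root / f).read_text() for f in {r[0] for r in RULES} if (root / f).is_file()} if root else SAMPLE_WEAK
    for (fname, path), (status, value, want) in sorted(audit(files).items()):
        print(f"{status:7} {fname}: {path} = {value!r}  (want {want})")
```

Run it with the server root as the only argument; a file that is absent (for example pufferfish.yml on a plain Paper server) shows up as MISSING rather than failing, and a WEAK line names the file and key to change. The treasure-map rule accepts either option from the section above, since both are valid fixes.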

Helpers and Java Flags

paper-world configuration

anti-xray.enabled

Good starting value: true

Enable this to hide ores from x-rayers. For detailed configuration of this feature check out Configuring Anti-Xray. Enabling this does cost some performance, but it is much more efficient than any anti-xray plugin, and in most cases the impact is negligible.

nether-ceiling-void-damage-height

Good starting value: 127

If this option is greater than 0, players above that Y level take damage as if they were in the void, which prevents them from using the nether roof. The vanilla nether is 128 blocks tall, so set it to 127. If you modify the height of the nether in any way, set this to [your_nether_height] - 1.

Vanilla Minecraft and Minecraft server software from version 1.20.5 on require Java 21 or higher. Oracle has changed its licensing, and there is no longer a compelling reason to get your Java from them; recommended vendors are Adoptium and Amazon Corretto. Alternative JVM implementations such as OpenJ9 or GraalVM can work, but they are not supported by Paper and have been known to cause issues, so they are not currently recommended.

Your garbage collector can be configured to reduce lag spikes caused by big garbage collection tasks. Startup flags optimized for Minecraft servers are published for this purpose; keep in mind that they will not work on alternative JVM implementations. It's recommended to use the startup flags generator (flags.sh) to get the correct startup flags for your server.

In addition, adding the incubator module flag --add-modules=jdk.incubator.vector before -jar in your startup command can improve performance. It lets Pufferfish use the SIMD instructions of your CPU, making some maths faster. Currently it is only used to make rendering in-game plugin maps (like imageonmaps) up to about 8 times faster. The flag has to come before -jar: anything after -jar is handed to the server jar as a program argument rather than to the JVM, so placed there it silently does nothing.
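The two things that go wrong most often with the advice above are an old Java on the path and JVM options placed after -jar. The following added example (not code from the HidenCloud page, Paper or Pufferfish) checks both from a start command and the text of `java -version`; the version strings and commands it contains are constructed samples, and on a real host you would feed it the output of `java -version` via subprocess.

```python
"""Sanity-check a Minecraft server start command: Java 21+ and JVM options before -jar.
Added example, not from the HidenCloud page or any server project.  The version
strings and commands below are constructed samples, not output captured from a host."""
import re
import shlex

MIN_JAVA = 21  # required by 1.20.5+ servers, per the text above
VECTOR_FLAG = "--add-modules=jdk.incubator.vector"

def java_major(version_text):
    """Major version from `java -version` output.  Handles the old 1.8.0_x scheme
    (major is the second number) and the 9+ scheme (openjdk version "21.0.2")."""
    m = re.search(r'version "(\d+)(?:\.(\d+))?', version_text)
    if not m:
        raise ValueError("no version string found in java -version output")
    major, minor = int(m.group(1)), m.group(2)
    return int(minor) if major == 1 and minor else major

def split_command(command):
    """(JVM options before -jar, jar path, program arguments after the jar)."""
    argv = shlex.split(command)
    if "-jar" not in argv:
        raise ValueError("start command has no -jar")
    i = argv.index("-jar")
    return argv[1:i], argv[i + 1], argv[i + 2:]

def check_command(command, version_text):
    """Return a list of problems; an empty list means the command looks right."""
    problems = []
    major = java_major(version_text)
    if major < MIN_JAVA:
        problems.append(f"Java {major} is too old, need {MIN_JAVA}+")
    opts, _jar, args = split_command(command)
    if VECTOR_FLAG in args:
        problems.append(f"{VECTOR_FLAG} is after -jar, so the server receives it instead of the JVM")
    return problems

# Constructed samples (not real output from any machine).
OLD_JAVA = 'openjdk version "1.8.0_392"\nOpenJDK Runtime Environment (build 1.8.0_392-b08)'
NEW_JAVA = 'openjdk version "21.0.2" 2024-01-16 LTS\nOpenJDK Runtime Environment Temurin-21.0.2+13'
GOOD_CMD = "java -Xms4G -Xmx4G --add-modules=jdk.incubator.vector -jar pufferfish.jar --nogui"
BAD_CMD = "java -Xms4G -Xmx4G -jar pufferfish.jar --add-modules=jdk.incubator.vector --nogui"

if __name__ == "__main__":
    for cmd, ver in ((GOOD_CMD, NEW_JAVA), (BAD_CMD, NEW_JAVA), (GOOD_CMD, OLD_JAVA)):
        print(cmd, "->", check_command(cmd, ver) or "ok")
```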

"Too good to be true" plugins

Plugins removing ground items

Absolutely unnecessary, since they can be replaced with merge-radius (spigot.yml) and alt-item-despawn-rate (paper-world-defaults.yml), and frankly they're less configurable than the basic server configs. They tend to use more resources scanning for and removing items than simply leaving the items alone would.

Mob stacker plugins

It's really hard to justify using one. Stacking naturally spawned entities causes more lag than not stacking them, because the server constantly tries to spawn more mobs into the freed-up mob cap. The only "acceptable" use case is spawners on servers with a large number of spawners.

Plugins enabling/disabling other plugins

Anything that enables or disables plugins at runtime is extremely dangerous. Loading a plugin that way can cause fatal errors in tracking data, and disabling one can cause errors by removing a dependency other plugins rely on. The /reload command suffers from exactly the same issues; you can read more about them in me4502's blog post.

What's lagging? - measuring performance

mspt

Paper offers a /mspt command that tells you how much time the server took to process recent ticks, shown as average/min/max milliseconds per tick. A tick has a 50 ms budget (20 ticks per second), so if the first and second values are below 50, congratulations: your server is not lagging. If the third value is over 50, at least one tick took longer than its budget. That is completely normal and happens from time to time, so don't panic.

Spark

Spark is a plugin that lets you profile your server's CPU and memory usage. You can read how to use it on its wiki, and the spark docs also have a guide on how to find the cause of lag spikes.

Timings

Another way to see what is going on when your server lags is Timings, a tool that shows exactly which tasks take the longest. It is the most basic troubleshooting tool, and if you ask for help with lag you will most likely be asked for your Timings. Timings is known to have a serious performance impact on servers, so it's recommended to use the Spark plugin instead and to use Purpur or Pufferfish to disable Timings altogether.

To get Timings for your server, run /timings paste and click the link you are given. You can share this link with other people so they can help you. Timings are easy to misread if you don't know what you're doing; there is a detailed video tutorial by Aikar on how to read them. To see how to fix exploits that can cause lag spikes or crashes on a Minecraft server, refer to the exploit guide in the first part of this page.