
Security Rules

Protect your server from unauthorized access, abuse, and attacks with these essential security practices.


A publicly accessible server is a target. Follow these rules to minimize your attack surface and keep your data safe.

Account Security

Step 1: Enable Two-Factor Authentication

Go to your Sonata account → Security → Enable 2FA. Use an authenticator app (Google Authenticator, Authy, or Bitwarden). Never use SMS-based 2FA for critical accounts.

Step 2: Use a strong, unique password

Your billing and control panel passwords should be at least 20 characters, randomly generated, and stored in a password manager. Do not reuse passwords across services.

Step 3: Revoke unused API keys

Go to the API Keys section in your control panel. Delete any keys that are no longer in use. Create separate keys per application — never share a single key across multiple services.

Warning:

Never commit API keys to Git repositories. If you accidentally expose a key, rotate it immediately from the control panel.

In-Game Security

Minecraft Servers

  • Keep online-mode=true — this validates player identities with Mojang
  • Use a permission plugin (LuckPerms) — never give players * (all) permissions
  • Set a strong RCON password and do not expose the RCON port publicly
  • Regularly audit your operator (op) list: /whitelist and /op commands
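The online-mode and RCON rules above can be checked mechanically against a server.properties file. The script below is an added example, not a tool from Sonata or Pterodactyl: it parses the standard Java-style properties format, flags online-mode=false, flags an enabled RCON with an empty or short password, and reminds you to firewall the RCON port whenever RCON is on. The 16-character password floor and the two embedded sample configurations are this example's own assumptions, not values from the page.

```python
"""Audit a Minecraft server.properties file for the weak settings listed above.

Added example; not Sonata's or Pterodactyl's own tooling. Assumes the standard
server.properties keys (online-mode, enable-rcon, rcon.password, rcon.port) and
uses a 16-character minimum for the RCON password as its own threshold.
"""
import sys

MIN_RCON_PASSWORD_LEN = 16  # assumption: this script's floor for a "strong" RCON password

# Constructed sample: the insecure settings the rules above warn against.
WEAK_PROPERTIES = """\
# Minecraft server properties (constructed sample, weak)
online-mode=false
enable-rcon=true
rcon.password=
rcon.port=25575
"""

# Constructed sample: identities validated, RCON left off entirely.
HARDENED_PROPERTIES = """\
# Minecraft server properties (constructed sample, hardened)
online-mode=true
enable-rcon=false
"""


def parse_properties(text: str) -> dict[str, str]:
    """Parse key=value lines, skipping blanks and '#'/'!' comment lines."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # malformed line without '=', ignore it
        props[key.strip()] = value.strip()
    return props


def audit(props: dict[str, str]) -> list[tuple[str, str]]:
    """Return (severity, message) findings; an empty list means the checked rules pass."""
    findings: list[tuple[str, str]] = []

    # Rule: keep online-mode=true so player identities are validated with Mojang.
    # The Minecraft default is true, so a missing key is treated as true.
    if props.get("online-mode", "true").lower() != "true":
        findings.append(("fail", "online-mode is not true: player identities are not validated"))

    # Rule: if RCON is enabled it needs a strong password, and the port must not be public.
    # The default for enable-rcon is false.
    if props.get("enable-rcon", "false").lower() == "true":
        password = props.get("rcon.password", "")
        if len(password) < MIN_RCON_PASSWORD_LEN:
            findings.append((
                "fail",
                f"enable-rcon=true but rcon.password is shorter than {MIN_RCON_PASSWORD_LEN} characters",
            ))
        port = props.get("rcon.port", "25575")  # 25575 is the Minecraft default RCON port
        findings.append((
            "warn",
            f"enable-rcon=true on port {port}: confirm the port is firewalled, not internet-reachable",
        ))
    return findings


def audit_file(path: str) -> list[tuple[str, str]]:
    """Convenience wrapper: read a server.properties file from disk and audit it."""
    with open(path, encoding="utf-8") as fh:
        return audit(parse_properties(fh.read()))


if __name__ == "__main__":
    # With a path argument, audit that file; otherwise audit the two constructed samples.
    if len(sys.argv) > 1:
        reports = {sys.argv[1]: audit_file(sys.argv[1])}
    else:
        reports = {
            "weak sample": audit(parse_properties(WEAK_PROPERTIES)),
            "hardened sample": audit(parse_properties(HARDENED_PROPERTIES)),
        }
    for name, findings in reports.items():
        print(f"== {name}: {'OK' if not findings else f'{len(findings)} finding(s)'}")
        for severity, message in findings:
            print(f"  [{severity.upper()}] {message}")
```

Run it with the path to your server.properties as the only argument; without an argument it audits the two embedded samples. A "warn" finding is deliberately emitted whenever RCON is enabled, because whether the port is exposed cannot be determined from the file alone and has to be confirmed against your firewall or Pterodactyl allocation settings.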

All Game Servers

Never share your console access

Anyone with access to your console tab has full control over your server, including the ability to delete files and execute arbitrary commands. Treat it like root SSH access.

DDoS Protection

Sonata provides network-level DDoS mitigation on all plans. This filters volumetric attacks before they reach your server. However:

  • Layer 7 (application-level) attacks may require your own rate limiting
  • If you're under sustained attack, contact support immediately — we can activate enhanced filtering

File Permissions

Only grant file manager access to users who absolutely need it. Use the Subuser feature in Pterodactyl to create limited-access accounts for moderators who only need console access.

Security Checklist

  • 2FA enabled on billing and control panel accounts
  • No shared or reused passwords
  • API keys scoped and regularly rotated
  • RCON disabled or port-protected
  • Subusers created instead of sharing main credentials
  • Backup configured and tested