Main Gameserver Setup+haproxy with Chatgpt

rihosedemon

What do you think of this guide I made with ChatGPT, is it enough for protecting the server? It also recommends not to use SYNPROXY+IPSET if the server does not have many players, as it is not likely it will attract serious attacks and the rest are enough, since it can cause login issues to 1-2% of players and a manual solution will be needed for them. If you have something extra to suggest I would be glad to hear it.

2. Basic System Hardening

Update System:
Code:
sudo apt update && sudo apt upgrade -y
Create Admin User:
Code:
sudo adduser gameserveradmin
sudo usermod -aG sudo gameserveradmin
Secure SSH Access:
Code:
sudo nano /etc/ssh/sshd_config
Edit:
  • PermitRootLogin no
  • PasswordAuthentication no (use SSH keys)
Then restart SSH:
Code:
sudo systemctl restart sshd

3. UFW Strict Firewall Setup

Install UFW:
Code:
sudo apt install ufw -y
Allow Only Proxy VPS and Website VPS:
Code:
sudo ufw allow from PROXY_VPS_IP to any port 2121 proto tcp
sudo ufw allow from PROXY_VPS_IP to any port 7778 proto tcp
sudo ufw allow from WEBSITE_VPS_IP to any port 3306 proto tcp
sudo ufw allow ssh
Default Policies:
Code:
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw enable
✅ Now only trusted servers can talk to your GameServer and Database.

4. Fail2Ban Setup

Code:
sudo apt install fail2ban -y
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo systemctl enable --now fail2ban

5. CrowdSec Setup

Code:
curl -s https://install.crowdsec.net | sudo bash
sudo systemctl enable --now crowdsec-firewall-bouncer-nftables

6. System Network Tuning

Edit /etc/sysctl.conf:
Code:
sudo nano /etc/sysctl.conf
Add:
Code:
# Performance tuning
net.core.somaxconn = 4096
net.ipv4.ip_local_port_range = 1024 65000
net.ipv4.tcp_fin_timeout = 15
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rmem = 4096 87380 6291456
net.ipv4.tcp_wmem = 4096 65536 6291456
net.ipv4.tcp_congestion_control = cubic
Apply:
Code:
sudo sysctl -p
✅ This will optimize your server for hundreds of players.

7. MariaDB Installation and Hardening

Install MariaDB:
Code:
sudo apt install mariadb-server -y
sudo systemctl enable --now mariadb
Secure MariaDB:
Code:
sudo mysql_secure_installation
Allow External Trusted Access:
Edit:
Code:
sudo nano /etc/mysql/mariadb.conf.d/50-server.cnf
Change:
Code:
bind-address = 0.0.0.0
Restart MariaDB:
Code:
sudo systemctl restart mariadb
✅ Database will now allow trusted external connections.

8. Database User Setup

Login to MySQL:
Code:
sudo mysql -u root -p
Create CMS Web User:
Code:
CREATE USER 'cmswebuser'@'WEBSITE_VPS_IP' IDENTIFIED BY 'yourstrongpassword';
GRANT SELECT, INSERT, UPDATE ON login.* TO 'cmswebuser'@'WEBSITE_VPS_IP';
FLUSH PRIVILEGES;
EXIT;
✅ CMS can access only login DB with limited rights.

9. Lucera Server Files Configuration

authserver.properties
Code:
LoginServerPort = -1
HAProxyLoginserverHostname = 127.0.0.1
HAProxyLoginserverPort = 2121
server.properties
Code:
GameserverPort =
HAProxyGameserverPort = 7778
✅ Proper HAProxy v2 connection.

10. Cloudflare DNS Setup

Create two DNS Records in Cloudflare:
Type  Name                       Content (IP)   Proxy Status
A     login.yourservername.com   Proxy VPS IP   DNS Only
A     game.yourservername.com    Proxy VPS IP   DNS Only
✅ Hides real IP addresses.

11. Client Patch Configuration (l2.ini)

Code:
[URL]
LoginServerIP=login.yourservername.com
LoginServerPort=2106
✅ Players connect through your proxy securely.

12. Industrial Firewall Setup (SYNPROXY + IPSet)

This section brings 99% Anti-DDoS protection!
Install needed packages:
Code:
sudo apt install ipset iptables-persistent conntrack
IPSet Creation:
Code:
sudo ipset create ipset_allowed_ports hash:net
sudo ipset create ipset_whitelist hash:net
sudo ipset create ipset_players_whitelist hash:net
sudo ipset create ipset_blacklist hash:net
sudo ipset create banned_limit_conn hash:net timeout 300
sudo ipset create banned_limit_synproxy_ack hash:net timeout 300
sudo ipset create banned_limit_syn hash:net timeout 300
Kernel Optimization (Extra /etc/sysctl.conf entries):
Code:
net.netfilter.nf_conntrack_max = 2000000
net.netfilter.nf_conntrack_tcp_timeout_established = 1800
net.netfilter.nf_conntrack_tcp_timeout_close = 10
net.ipv4.tcp_syncookies = 1
Apply:
Code:
sudo sysctl -p
Firewall Raw Table (Pre-filtering attackers early):
Code:
sudo iptables -t raw -A PREROUTING -m set --match-set ipset_whitelist src -j ACCEPT
sudo iptables -t raw -A PREROUTING -m set --match-set ipset_blacklist src -j DROP
sudo iptables -t raw -A PREROUTING -m set --match-set banned_limit_conn src -j DROP
sudo iptables -t raw -A PREROUTING -m set --match-set banned_limit_synproxy_ack src -j DROP
sudo iptables -t raw -A PREROUTING -m set --match-set banned_limit_syn src -j DROP
sudo iptables -t raw -A PREROUTING -i enp3s0f0 -p tcp --syn -m multiport --dports 2106,7777 -j CT --notrack
SYNPROXY Setup (catch fake TCP SYN attacks):
Code:
sudo iptables -A FORWARD -i enp3s0f0 -p tcp -m multiport --dports 2106,7777 -m state --state INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
sudo iptables -A FORWARD -i enp3s0f0 -p tcp -m multiport --dports 2106,7777 -m state --state INVALID -j DROP
✅ Your firewall now handles SYN flood, botnet TCP floods, bad packets, and spoofed traffic!
Save All Rules:
Code:
sudo netfilter-persistent save

13. Emergency Snapshot Plan

✅ After setup and testing, create a VPS snapshot.
If anything happens, you restore in 5 minutes — no need to redo setup.

✅ Final Status: Your Server Is Production-Ready!

Component                               Status
OS Hardened                             ✅
SSH Secured                             ✅
Firewall (Proxy + Website Only)         ✅
Fail2Ban Installed                      ✅
CrowdSec Installed                      ✅
MariaDB Secured                         ✅
Lucera HAProxy v2 Setup                 ✅
Industrial Firewall (SYNPROXY + IPSet)  ✅
Cloudflare DNS Protection               ✅
Emergency Snapshot Ready                ✅
 
A few suggestions:

- Most Linux distros won’t have synproxy ready out of the box - you’ll either have to install it or enable the module.
- If you’re using conntrack to track connections, make sure you tweak the number of hash buckets.
- You adjusted the TCP socket buffer, but didn’t touch the system-wide max open files limit. If you’re bumping up the buffer, you should raise the file limit too.
- Block any new connections that aren’t TCP right in the mangle table.
- Honestly, get rid of UFW - it’s not doing you any favors. It just translates to iptables anyway. Better to move your rules straight into iptables, including the default policies.
- Don’t leave ports like SSH, MySQL, and others wide open. Only allow access from whitelisted IPs.
- More.

"This section brings 99% Anti-DDoS protection!" - That’s very false - however, that's much better than nothing. Even with synproxy, invalid packets can still be exploited if you don't add a few extra measures in the mangle table. On top of that, based on the limits you’re using, it wouldn’t take much to max them out - and once that happens, nobody else would be able to log in unless you’ve got something else in place. I’m sure you know what I’m referring to. IPset can definitely handle a lot of IPs if set up properly, but temporarily banning IPs that are clearly from attackers doesn’t really help in the long run. Once your rules are solid and you’re confident they won't block legit traffic, it’s better to just drop everything right away. Looks like you were trying to save some resources by not using the INPUT chain (or FORWARD chain if you’re setting this up on a proxy/firewall).

Fun fact: SYNPROXY really shows its strength when it's used on a forward proxy server - it’s easily 10 times more effective compared to running it directly on the VPS hosting the server. If you try to use SYNPROXY on the FORWARD chain on the same machine as the VPS, it won’t do anything. It has to be applied on the INPUT chain to actually have an effect.
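As an added example (not code from the original post, from Lucera or from HAProxy), this script turns the reply's points and the guide's section 3 into an iptables/ipset-only ruleset: UFW is gone, SSH and MariaDB accept only whitelisted sources, new non-TCP connections are dropped in the mangle table, and SYNPROXY for the player-facing ports is placed in INPUT on the HAProxy VPS instead of FORWARD. The IP addresses, the set names and the DRY_RUN switch are assumptions; the ports are the ones the guide uses.

```shell
#!/bin/sh
# Added example, not from the original post, Lucera or HAProxy: an iptables/ipset
# ruleset for the game VPS (no UFW) plus SYNPROXY for the HAProxy VPS in INPUT.
# IPs are placeholders (RFC 5737 ranges); the ports are the ones the guide uses.
set -eu
PROXY_VPS_IP="${PROXY_VPS_IP:-203.0.113.10}"      # placeholder
WEBSITE_VPS_IP="${WEBSITE_VPS_IP:-203.0.113.20}"  # placeholder
ADMIN_IP="${ADMIN_IP:-198.51.100.5}"              # placeholder admin source for SSH
GAME_PORTS="2121,7778"    # HAProxy v2 ports on the game VPS
PUBLIC_PORTS="2106,7777"  # player-facing ports on the proxy VPS

# DRY_RUN=1 (default) prints each command for review or testing without root;
# DRY_RUN=0 applies it with sudo.
run() { if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else sudo "$@"; fi; }

game_vps_rules() {
  # one ipset per trusted role; -exist makes the script safe to re-run
  run ipset create admin_whitelist hash:ip -exist
  run ipset add admin_whitelist "$ADMIN_IP" -exist
  run ipset create proxy_whitelist hash:ip -exist
  run ipset add proxy_whitelist "$PROXY_VPS_IP" -exist
  run ipset create web_whitelist hash:ip -exist
  run ipset add web_whitelist "$WEBSITE_VPS_IP" -exist
  # a new connection that is not TCP is dropped before it reaches any chain
  run iptables -t mangle -A PREROUTING -m conntrack --ctstate NEW ! -p tcp -j DROP
  run iptables -A INPUT -i lo -j ACCEPT
  run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
  # SSH and MariaDB only from their whitelisted sources, game ports only from the proxy
  run iptables -A INPUT -p tcp --dport 22 -m set --match-set admin_whitelist src -j ACCEPT
  run iptables -A INPUT -p tcp --dport 3306 -m set --match-set web_whitelist src -j ACCEPT
  run iptables -A INPUT -p tcp -m multiport --dports "$GAME_PORTS" -m set --match-set proxy_whitelist src -j ACCEPT
  # default deny last, so an existing SSH session is already covered by the rules above
  run iptables -P INPUT DROP
  run iptables -P FORWARD DROP
  run iptables -P OUTPUT ACCEPT
}

# Player SYNs terminate on the HAProxy VPS itself, so SYNPROXY goes in INPUT there;
# the proxy's own ACCEPT rules for these ports are appended after this.
proxy_synproxy_rules() {
  run iptables -t raw -A PREROUTING -p tcp -m multiport --dports "$PUBLIC_PORTS" --syn -j CT --notrack
  run iptables -A INPUT -p tcp -m multiport --dports "$PUBLIC_PORTS" -m conntrack --ctstate INVALID,UNTRACKED \
      -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
  run iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
}
case "${1:-}" in
  apply-game)  DRY_RUN=0; game_vps_rules; run netfilter-persistent save ;;
  apply-proxy) DRY_RUN=0; proxy_synproxy_rules; run netfilter-persistent save ;;
esac
```

Run it with no arguments to print the ruleset for review; `apply-game` or `apply-proxy` applies the matching set with sudo and saves it.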
 
AI-generated posts will soon have automated moderation (delete).
What happened to you? Try using what AI generates yourself - it's just Stack Overflow on steroids, nothing more!
 
I created this topic to gather opinions from experienced people on this subject and hopefully contribute to building a proper guide.

The idea is simple: many people worry that after investing time and money into building their server, everything could be ruined easily by a DDoS attack.

In reality, more than 50% of customers here likely have minimal coding experience, and I believe less than 10% have actual Linux administration experience.

So, people are often forced to either:

Hire someone — with high payment — to configure their servers (and still not be sure if it was done properly),

Or blindly trust various partial or outdated guides.


Creating a valid, modern, and tested security guide would help both the customers and the project itself:

Customers would save money and feel more confident.

You would attract more new customers, because people would see Lucera as a safer, more reliable choice for launching a server without fear of failure due to attacks.
 