SafeNET is a lightweight plugin protecting you from direct backend server access and IP-forwarding bypass exploit, mainly for those who cannot access or configure their firewall systems. The plugin has been serving protection for everyone since 2019, connecting BungeeGuard (from which it took the inspiration) and the good old IP-whitelisting feature and delivering all features in one, compact and versatile package.
When using a proxy server (e.g. BungeeCord) to connect your servers together, the backend servers must run in offline mode, disabling account authentication. That enables hackers and unauthorized users to join backend servers with whatever account freely (including yours as an admin).
Each player has their own profile, which contains information about them (UUID, skin textures...). These data are given to the proxy server when a player joins and then forwarded by the proxy to each of the backend servers, when you're being connected to them. This plugin uses a passphrase, which is forwarded to the backend servers to check for integrity.
After an exploit has been found, which allows for packets to be uncaught by plugins during a specific timeframe, effectively bypassing the authentication and leaving your server vulnerable, this system's been enriched with sessions. A special session key is generated each time the server starts, is attached to player's profile when authenticated and verified when the player is on the edge of joining the server (spawning into the world). Sessions patch any possible way around the initial authentication.
You can't go wrong with classic BungeeGuard, however, if you would also like to use the IP-whitelist, this is the way to go. The plugin also supports GeyserMC ( including Floodgate), which other plugins do not. Logs everything to the console for easy verification and control over connection flow.
The plugin has been downloaded 20K+ times, and is active on 300+ networks managing over 1500 backend servers.
NOTE! SafeNET should only be used if you cannot access, set up nor manage a firewall on your network (shared hosts).
Download the latest release from the panel on the right. The plugin supports all major:
- proxy servers (BungeeCord, Waterfall, FlameCord...) running the latest release (build 1637 or newer),
- backend servers (Bukkit, Spigot, Paper, Purpur...) running 1.8 - 1.20 releases.
The plugin must be installed on all servers on your network. Consult the documentation linked below for further information and setup instructions.
You can view the setup instructions and other details on the wiki. If you need help with anything, feel free join the Discord server. Or, just to talk with us 👋