---
title: "Security Rules"
description: "Protect your server from unauthorized access, abuse, and attacks with these essential security practices."
category: "Server Management"
tags: ["Security", "Protection", "Important"]
readTime: 4
---

A publicly accessible server is a target. Follow these rules to minimize your attack surface and keep your data safe.

## Account Security

<Steps>
  <Step number={1} title="Enable Two-Factor Authentication">
    Go to your Sonata account → **Security** → **Enable 2FA**. Use an authenticator app (Google Authenticator, Authy, or Bitwarden). Never use SMS-based 2FA for critical accounts.
  </Step>
  <Step number={2} title="Use a strong, unique password">
    Your billing and control panel passwords should be at least 20 characters, randomly generated, and stored in a password manager. Do not reuse passwords across services.
  </Step>
  <Step number={3} title="Revoke unused API keys">
    Go to the **API Keys** section in your control panel. Delete any keys that are no longer in use. Create separate keys per application — never share a single key across multiple services.

    <Callout type="warning">
      Never commit API keys to Git repositories. If you accidentally expose a key, rotate it immediately from the control panel.
    </Callout>
  </Step>
</Steps>

## In-Game Security

### Minecraft Servers

- Keep `online-mode=true` — this validates player identities with Mojang
- Use a permission plugin (LuckPerms) — never give players `*` (all) permissions
- Set a strong RCON password and do not expose the RCON port publicly
- Regularly audit your operator (op) list and whitelist using the `/op` and `/whitelist` commands, and remove anyone who no longer needs access
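
The rules above can be checked mechanically. The script below is an added example, not Sonata or Pterodactyl code: it parses a `server.properties` and an `ops.json` and reports `online-mode`, RCON, and operator findings. The file contents are constructed samples embedded inline so it runs offline, and the 16-character minimum for `rcon.password` is an assumption of this example, not a rule stated on this page.

```python
"""Audit a Minecraft server.properties and ops.json against the In-Game
Security rules.  Added example; the inputs below are constructed samples.
Pass the contents of your real files to the same functions."""
import json
from typing import Dict, List

MIN_RCON_PASSWORD_LEN = 16  # assumption: shorter RCON passwords are reported as weak

# Constructed sample: a server.properties that breaks the rules above.
WEAK_PROPERTIES = """\
#Minecraft server properties
online-mode=false
enable-rcon=true
rcon.password=admin
rcon.port=25575
"""

# Constructed sample: the same file after hardening (RCON off, online-mode on).
HARDENED_PROPERTIES = """\
online-mode=true
enable-rcon=false
"""

# Constructed sample ops.json in the vanilla format (uuid, name, level, bypassesPlayerLimit).
SAMPLE_OPS_JSON = json.dumps([
    {"uuid": "00000000-0000-0000-0000-000000000001", "name": "alice_admin",
     "level": 4, "bypassesPlayerLimit": False},
    {"uuid": "00000000-0000-0000-0000-000000000002", "name": "ex_moderator",
     "level": 4, "bypassesPlayerLimit": True},
])


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties parser: one key=value per line, '#' or '!' starts a comment."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit_properties(props: Dict[str, str]) -> List[str]:
    """Return one finding per violated rule.  Missing keys fall back to the
    vanilla defaults: online-mode=true, enable-rcon=false, rcon.port=25575."""
    findings: List[str] = []
    if props.get("online-mode", "true").lower() != "true":
        findings.append("online-mode is not true: player identities are not validated with Mojang")
    if props.get("enable-rcon", "false").lower() == "true":
        password = props.get("rcon.password", "")
        if len(password) < MIN_RCON_PASSWORD_LEN:
            findings.append(f"rcon.password is shorter than {MIN_RCON_PASSWORD_LEN} characters")
        port = props.get("rcon.port", "25575")
        findings.append(f"RCON is enabled on port {port}: confirm this port is not reachable from the internet")
    return findings


def audit_ops(ops_json: str) -> List[str]:
    """List every operator for review; level 4 is the highest (full access)."""
    report: List[str] = []
    for entry in json.loads(ops_json):
        level = entry.get("level", 4)
        flag = " (level 4: full access)" if level >= 4 else ""
        report.append(f"op {entry['name']} level {level}{flag}")
    return report


if __name__ == "__main__":
    for label, text in (("weak", WEAK_PROPERTIES), ("hardened", HARDENED_PROPERTIES)):
        findings = audit_properties(parse_properties(text)) or ["no findings"]
        print(f"[{label}]", *findings, sep="\n  ")
    print("[ops]", *audit_ops(SAMPLE_OPS_JSON), sep="\n  ")
```

Run it against the weak sample and you get three findings (unvalidated identities, a short RCON password, and an enabled RCON port to check); the hardened sample produces none. The op report does not decide who should stay an operator, it just puts every name in front of you so the review actually happens.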

### All Game Servers

<Callout type="danger" title="Never share your console access">
  Anyone with access to your console tab has full control over your server, including the ability to delete files and execute arbitrary commands. Treat it like root SSH access.
</Callout>

## DDoS Protection

Sonata provides network-level DDoS mitigation on all plans. This filters volumetric attacks before they reach your server. However:

- Layer 7 (application-level) attacks may require your own rate limiting
- If you're under sustained attack, contact support immediately — we can activate enhanced filtering
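
Network-level mitigation sees packets and bandwidth, not which client is hammering one endpoint, which is why the page leaves layer 7 rate limiting to you. The following is an added example, not part of Sonata's mitigation: a per-client token bucket you could place in front of any HTTP-style endpoint your server exposes (a web map, a status API). Each client gets a burst of tokens that refill at a fixed rate; a request with no token left is rejected. The request trace at the bottom is constructed, using TEST-NET addresses.

```python
"""Per-client token-bucket rate limiter for application-level (layer 7)
traffic.  Added example, not Sonata's code; the trace below is constructed."""
from collections import defaultdict
from typing import Dict, List, Tuple


class TokenBucket:
    """`burst` tokens per client, refilled at `rate` tokens per second.
    Time is passed in explicitly so the behaviour is deterministic and testable."""

    def __init__(self, rate: float, burst: int, now: float) -> None:
        self.rate = rate
        self.burst = burst
        self.tokens = float(burst)
        self.last = now

    def allow(self, now: float) -> bool:
        elapsed = max(0.0, now - self.last)  # tolerate clock going backwards
        self.last = now
        self.tokens = min(float(self.burst), self.tokens + elapsed * self.rate)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class PerClientLimiter:
    """One bucket per client key (here the source IP); new clients start full."""

    def __init__(self, rate: float, burst: int) -> None:
        self.rate, self.burst = rate, burst
        self.buckets: Dict[str, TokenBucket] = {}

    def allow(self, client: str, now: float) -> bool:
        bucket = self.buckets.get(client)
        if bucket is None:
            bucket = self.buckets[client] = TokenBucket(self.rate, self.burst, now)
        return bucket.allow(now)


# Constructed trace of (timestamp_seconds, client_ip): 203.0.113.7 sends 200
# requests in two seconds, 198.51.100.2 sends one every half second.
TRACE: List[Tuple[float, str]] = sorted(
    [(i * 0.01, "203.0.113.7") for i in range(200)]
    + [(i * 0.5, "198.51.100.2") for i in range(10)]
)


def replay(trace: List[Tuple[float, str]], rate: float = 5.0, burst: int = 20) -> Dict[str, Tuple[int, int]]:
    """Replay a trace through the limiter; returns {client: (allowed, rejected)}."""
    limiter = PerClientLimiter(rate, burst)
    counts: Dict[str, List[int]] = defaultdict(lambda: [0, 0])
    for ts, ip in trace:
        counts[ip][0 if limiter.allow(ip, ts) else 1] += 1
    return {ip: (c[0], c[1]) for ip, c in counts.items()}


if __name__ == "__main__":
    for ip, (ok, dropped) in replay(TRACE).items():
        print(f"{ip}: allowed={ok} rejected={dropped}")
```

With a burst of 20 and a refill of 5 per second, the flooding client gets roughly 30 of its 200 requests through over those two seconds and the rest are rejected, while the well-behaved client never exhausts its bucket and has all 10 requests served. Tune `rate` and `burst` to your endpoint's normal per-client traffic, and key the bucket on whatever identifies a client for you; under a distributed attack a per-IP limit alone will not be enough, which is when the page tells you to contact support.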

## File Permissions

Only grant file manager access to users who absolutely need it. Use the **Subuser** feature in Pterodactyl to create limited-access accounts for moderators who only need console access.