EML Docs

Security advice

Running a Minecraft server and a custom Launcher backend (EML AdminTool) exposes your machine to the internet. Because EML AdminTool controls your launcher and distributes files to your players, it is a critical target.

The following tutorial provides essential security advice to protect your server and data. You are not obliged to follow all of these measures, nor to implement them exactly as described: the aim is simply to outline the most common solutions for securing your server.

Firewall configuration

The golden rule of server security is: block everything, allow only what is needed.

You should only expose ports that are actively used by your players or yourself.

  • SSH (22): For your remote access.
  • HTTP (80) & HTTPS (443): For EML AdminTool (via NGINX).
  • Minecraft (usually 25565): For the game server.

Warning

If you set up NGINX as a reverse proxy (recommended), you should NOT open port 8080 in your firewall. The traffic should go through port 80/443, which then talks to Docker locally. Opening port 8080 directly bypasses NGINX and its security configurations (SSL, logs, etc.).
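
One way to check the rule above on a Linux host, as an added example that is not part of the EML documentation: the function reads `ss -tlnH` output and reports every TCP listener that is reachable from outside the machine on a port other than 22, 80, 443 or 25565. The function name, variable names and the sample listing are assumptions made for this example; the sample is constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example: flag TCP listeners reachable from outside the host whose
# port is not in the allow-list from the firewall section above.

ALLOWED_PORTS="22 80 443 25565"   # SSH, HTTP, HTTPS, Minecraft (from this page)

# Reads `ss -tlnH` output on stdin and prints "port address" per exposure.
exposed_ports() {
    awk -v allow="$ALLOWED_PORTS" '
        BEGIN { n = split(allow, a, " "); for (k = 1; k <= n; k++) ok[a[k]] = 1 }
        $1 == "LISTEN" {
            pos = match($4, /:[0-9]+$/)        # last ":port" of the local endpoint
            if (pos == 0) next
            addr = substr($4, 1, pos - 1)
            port = substr($4, pos + 1)
            # Loopback-only sockets (127.x.x.x, [::1]) are not reachable remotely.
            if (addr ~ /^127\./ || addr == "[::1]") next
            if (!(port in ok)) print port, addr
        }
    ' | LC_ALL=C sort -u
}

# Constructed sample. It shows both an 8080 binding on loopback (what the
# reverse-proxy setup wants) and one on all interfaces (what to avoid) so the
# two can be compared; a real host would have only one of them.
SAMPLE_SS_OUTPUT=$(cat <<'EOF'
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
LISTEN 0      511          0.0.0.0:80         0.0.0.0:*
LISTEN 0      511          0.0.0.0:443        0.0.0.0:*
LISTEN 0      50                 *:25565            *:*
LISTEN 0      4096       127.0.0.1:8080       0.0.0.0:*
LISTEN 0      4096         0.0.0.0:8080       0.0.0.0:*
LISTEN 0      4096   127.0.0.53%lo:53         0.0.0.0:*
LISTEN 0      151                *:3306             *:*
LISTEN 0      128             [::]:22            [::]:*
EOF
)

# Run against the sample; on a live server use: ss -tlnH | exposed_ports
printf '%s\n' "$SAMPLE_SS_OUTPUT" | exposed_ports
```

An empty result means only the four expected ports listen on public interfaces. A port published by Docker on all interfaces can be reachable even when the host firewall has no rule allowing it, so checking the listeners complements the firewall rules rather than replacing them.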

DDoS protection

Game servers are frequent targets for DDoS attacks. Using a service like Cloudflare is highly recommended to hide your server’s real IP address.

For EML AdminTool (Web)

Cloudflare works perfectly for the AdminTool (API & Dashboard).

  1. Log in to Cloudflare (create an account if you don’t have one).
  2. Add your domain to Cloudflare.
  3. Create an A record pointing to your server IP.
  4. Enable the “Proxy” status (Orange Cloud).

This hides your server’s IP behind Cloudflare’s network, absorbing web-based attacks.

For the Minecraft server (Game)

Important

The standard (free) Cloudflare proxy only handles HTTP/HTTPS traffic. It does NOT support the Minecraft protocol, which runs over raw TCP.

If you proxy your Minecraft subdomain (e.g., play.myserver.com) with the “Orange Cloud”, players will not be able to connect. To allow players to connect while still protecting your server, follow these steps:

  1. Create a separate A record for the game (e.g., play.myserver.com).
  2. Disable the Proxy (Grey Cloud / “DNS Only”).
  3. This exposes your real IP for the game port, but allows players to connect.
  4. Advanced: To protect the game port, you would need Cloudflare Spectrum (Paid) or a dedicated DDoS-protected hosting provider (OVH, NeoProtect, etc.).

Application security

Strong passwords

EML AdminTool is the control center of your launcher. If an attacker gains access, they can push malicious updates to all your players.

Use a generated password of at least 16 characters for the Admin account.

HTTPS is mandatory

Never run EML AdminTool in production over HTTP.

  • It exposes your admin password in clear text.
  • It exposes the session tokens of your users.
  • Modern browsers may block downloads or APIs from non-secure sources.

Follow the Set up NGINX and Use an SSL Certificate guides to ensure encryption.

System maintenance

A secure server is an updated server. Botnets scan 24/7 for vulnerabilities in outdated software.

  • Update your OS: Run updates regularly.
    • Debian/Ubuntu: sudo apt update && sudo apt upgrade
    • CentOS/RHEL: sudo dnf update
  • Update EML AdminTool: Check our GitHub releases for security patches.
  • Protect your .env file: This file contains your database credentials and secret keys. Ensure it is never shared or committed to a public repository.