🔒 Security Best Practices
Comprehensive security guide for protecting QBCore servers against threats, exploits, and malicious activities while maintaining optimal gameplay experience.
Security Overview
QBCore server security involves multiple layers of protection including server hardening, resource validation, database security, player protection, and incident response. A comprehensive security strategy is essential for maintaining server integrity.
Security Threat Categories
- Server-Level Attacks - OS exploits, unauthorized access, DoS attacks
- Resource Exploits - Malicious code, script injection, privilege escalation
- Database Attacks - SQL injection, unauthorized data access, data corruption
- Player Exploits - Cheating, griefing, social engineering, account theft
- Network Attacks - DDoS, packet manipulation, traffic interception
Security Framework
Defense in Depth
Implement multiple security layers:
- Network Security - Firewalls, DDoS protection, secure protocols
- Server Security - OS hardening, access controls, monitoring
- Application Security - Code validation, input sanitization, authentication
- Data Security - Encryption, access controls, backup protection
- Operational Security - Incident response, monitoring, staff training
Zero Trust Model
- Verify Everything - No implicit trust for any component
- Principle of Least Privilege - Minimum necessary access rights
- Continuous Monitoring - Real-time threat detection
- Micro-Segmentation - Isolate critical components
Immediate Security Actions
Critical Security Checklist
- ✅ Change Default Passwords - All admin, database, and service accounts
- ✅ Enable Firewall - Block unnecessary ports and services
- ✅ Update Systems - OS, FiveM, QBCore, and all dependencies
- ✅ Secure Database - Remove default accounts, enable authentication
- ✅ Review Resources - Audit all installed resources for security
- ✅ Enable Logging - Comprehensive security event logging
Quick Hardening Steps
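```bash
# Update system packages
sudo apt update && sudo apt upgrade -y

# Configure basic firewall (add the SSH rule before enabling, so the current session is not cut off)
sudo ufw allow 22/tcp     # SSH
sudo ufw allow 30120/tcp  # FiveM
sudo ufw allow 30120/udp  # FiveM UDP
sudo ufw deny 3306/tcp    # Block MySQL external access
sudo ufw enable

# Secure SSH (confirm key-based login works before disabling password authentication)
# The patterns match each directive whether or not it is commented out, whatever its current value
sudo sed -i -E 's/^#?PermitRootLogin[[:space:]].*/PermitRootLogin no/' /etc/ssh/sshd_config
sudo sed -i -E 's/^#?PasswordAuthentication[[:space:]].*/PasswordAuthentication no/' /etc/ssh/sshd_config
sudo sshd -t && sudo systemctl restart ssh  # restart only if the config parses
# Check the effective values; files under /etc/ssh/sshd_config.d/ can override the main file
sudo sshd -T | grep -Ei '^(permitrootlogin|passwordauthentication) '

# Set up fail2ban
sudo apt install fail2ban -y
sudo systemctl enable --now fail2ban
```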
Common Security Vulnerabilities
Resource-Level Vulnerabilities
- SQL Injection - Unsanitized database queries
- Command Injection - Unsafe command execution
- Path Traversal - Unauthorized file access
- Privilege Escalation - Improper permission checks
- Memory Corruption - Buffer overflows and memory leaks
Example Vulnerable Code
```lua
-- ❌ VULNERABLE: SQL Injection
local query = "SELECT * FROM players WHERE name = '" .. playerName .. "'"
MySQL.query(query)

-- ✅ SECURE: Parameterized Query
local result = MySQL.query.await('SELECT * FROM players WHERE name = ?', {playerName})

-- ❌ VULNERABLE: Command Injection
os.execute("rm " .. fileName)

-- ✅ SECURE: Input Validation
-- Only letters, digits, dot, underscore and hyphen: no path separators, and no shell is involved
if type(fileName) == 'string' and fileName:match("^[%w%._-]+$") then
    os.remove(fileName)
end

-- ❌ VULNERABLE: Privilege Escalation
RegisterNetEvent('admin:giveItem', function(item, amount)
    local player = QBCore.Functions.GetPlayer(source)
    -- No permission check!
    player.Functions.AddItem(item, amount)
end)

-- ✅ SECURE: Permission Validation
RegisterNetEvent('admin:giveItem', function(item, amount)
    local src = source -- capture once; the global is only reliable at handler entry
    local player = QBCore.Functions.GetPlayer(src)
    if not player then return end -- no player object for this source
    if player.PlayerData.job.name == 'admin' and player.PlayerData.job.grade.level >= 5 then
        player.Functions.AddItem(item, amount)
    end
end)
```
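The permission check above decides who may call `admin:giveItem`, but `item` and `amount` still arrive from the client unchecked. The following added example (not part of the original guide or of QBCore itself) validates both before use; `validateGiveItem`, `MAX_AMOUNT` and the sample item table are assumptions for illustration, and in a running server the item list is `QBCore.Shared.Items`.

```lua
-- Added example, not QBCore code. MAX_AMOUNT and the sample items are assumptions.
local MAX_AMOUNT = 100

-- Returns item, amount when both are acceptable; otherwise nil, reason.
local function validateGiveItem(item, amount, knownItems)
    if type(item) ~= 'string' or #item == 0 or #item > 50 then
        return nil, 'item must be a short string'
    end
    item = item:lower()
    if not knownItems[item] then
        return nil, 'unknown item'
    end
    -- Rejects non-numbers, NaN, infinities, fractions, zero and negatives
    if type(amount) ~= 'number' or amount ~= amount
        or amount < 1 or amount > MAX_AMOUNT or amount % 1 ~= 0 then
        return nil, 'amount must be an integer from 1 to ' .. MAX_AMOUNT
    end
    return item, math.floor(amount)
end

if RegisterNetEvent then
    -- Inside FiveM: same permission rule as the guide's secure handler
    RegisterNetEvent('admin:giveItem', function(item, amount)
        local src = source
        local player = QBCore.Functions.GetPlayer(src)
        if not player then return end
        local job = player.PlayerData.job
        if job.name ~= 'admin' or job.grade.level < 5 then return end
        -- On failure the second return value is the reason
        local cleanItem, cleanAmount = validateGiveItem(item, amount, QBCore.Shared.Items)
        if not cleanItem then
            print(('[security] admin:giveItem from %s rejected: %s'):format(src, cleanAmount))
            return
        end
        player.Functions.AddItem(cleanItem, cleanAmount)
    end)
else
    -- Plain Lua: self-check on constructed inputs
    local items = { water_bottle = true, lockpick = true }
    assert(validateGiveItem('Lockpick', 5, items) == 'lockpick')
    assert(validateGiveItem('not_an_item', 1, items) == nil)
    assert(validateGiveItem('lockpick', 1e9, items) == nil)
    assert(validateGiveItem('lockpick', -1, items) == nil)
    assert(validateGiveItem('lockpick', 2.5, items) == nil)
    assert(validateGiveItem('lockpick', 0 / 0, items) == nil)
    assert(validateGiveItem({}, 1, items) == nil)
    print('validateGiveItem self-check passed')
end
```

The rejection log line contains only the fixed reason string, never the client-supplied value, so the log cannot be polluted through the arguments.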
Security Architecture
Server Security
Learn how to harden your operating system, configure firewalls, implement access controls, and protect against server-level attacks.
Resource Security
Master secure coding practices, input validation, authentication systems, and protection against resource-based exploits.
Database Security
Implement database hardening, secure connection protocols, data encryption, and protection against SQL injection attacks.
Player Protection
Deploy anti-cheat systems, implement fair play enforcement, protect player data, and prevent social engineering attacks.
Anti-Cheat Systems
Configure and deploy comprehensive anti-cheat solutions including native detection, behavior analysis, and automated response systems.
Incident Response
Develop incident response procedures, forensic analysis capabilities, recovery strategies, and lessons-learned processes.
Security Monitoring
Real-Time Monitoring
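```lua
-- Security event monitoring
local securityEvents = {}
local MAX_EVENTS = 1000 -- example cap so the in-memory log cannot grow without bound

-- Clients can trigger this event, so eventType and details are untrusted input
RegisterNetEvent('security:logEvent', function(eventType, details)
    local src = source -- capture once; the global is only reliable at handler entry
    if type(eventType) ~= 'string' then return end

    local timestamp = os.time()
    local player = QBCore.Functions.GetPlayer(src)
    local event = {
        timestamp = timestamp,
        player = player and player.PlayerData.citizenid or 'unknown',
        source = src,
        type = eventType,
        details = details,
        severity = GetEventSeverity(eventType)
    }
    table.insert(securityEvents, event)
    if #securityEvents > MAX_EVENTS then
        table.remove(securityEvents, 1) -- drop the oldest entry
    end

    -- Alert on high severity events
    if event.severity >= 8 then
        AlertAdmins(event)
        if event.severity >= 9 then
            -- Automatic response for critical events
            DropPlayer(src, 'Security violation detected')
        end
    end
end)

function GetEventSeverity(eventType)
    local severityMap = {
        ['suspicious_command'] = 6,
        ['invalid_trigger'] = 7,
        ['exploit_attempt'] = 8,
        ['cheat_detected'] = 9,
        ['admin_impersonation'] = 10
    }
    return severityMap[eventType] or 5 -- unknown event types get a medium severity
end
```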
Automated Alerts
```lua
-- Discord webhook for security alerts
function AlertAdmins(event)
    -- Placeholder URL: keep the real webhook in server-side code or configuration only
    local webhook = "https://discord.com/api/webhooks/your_webhook_url"
    local embed = {
        {
            title = "🚨 Security Alert",
            description = "Security event detected",
            color = event.severity >= 9 and 16711680 or 16776960, -- Red or Yellow
            fields = {
                {name = "Event Type", value = tostring(event.type), inline = true},
                {name = "Player", value = tostring(event.player), inline = true},
                {name = "Severity", value = event.severity .. "/10", inline = true},
                -- Discord rejects embed field values longer than 1024 characters
                {name = "Details", value = tostring(json.encode(event.details)):sub(1, 1024)},
                {name = "Timestamp", value = os.date("%Y-%m-%d %H:%M:%S", event.timestamp)}
            }
        }
    }
    -- The first callback argument is the HTTP status code
    PerformHttpRequest(webhook, function(status, text, headers)
        if status < 200 or status >= 300 then
            print(('[security] webhook alert failed with status %s'):format(status))
        end
    end, 'POST', json.encode({
        username = "QBCore Security",
        embeds = embed
    }), {['Content-Type'] = 'application/json'})
end
```
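`security:logEvent` is a network event and high-severity entries are forwarded to a webhook, so the server should bound how often a single source can feed the log and the alert path. This added example (not code from the guide or from QBCore) is a per-source token bucket; `allowEvent`, `BURST` and `REFILL_PER_SEC` are assumed names and values.

```lua
-- Added example, not QBCore code. BURST and REFILL_PER_SEC are assumed values.
local BURST = 5             -- events accepted back to back
local REFILL_PER_SEC = 0.5  -- afterwards, one event every two seconds
local buckets = {}          -- [source] = { tokens = number, last = seconds }

-- Token bucket: true when `src` may log another event at time `now` (seconds).
local function allowEvent(src, now)
    local b = buckets[src]
    if not b then
        b = { tokens = BURST, last = now }
        buckets[src] = b
    end
    local elapsed = math.max(0, now - b.last) -- ignore a clock that steps backwards
    b.tokens = math.min(BURST, b.tokens + elapsed * REFILL_PER_SEC)
    b.last = now
    if b.tokens < 1 then
        return false
    end
    b.tokens = b.tokens - 1
    return true
end

if AddEventHandler then
    -- Inside FiveM: free the bucket when the player leaves
    AddEventHandler('playerDropped', function()
        buckets[source] = nil
    end)
    -- In the security:logEvent handler, before building the event table:
    --   local src = source
    --   if not allowEvent(src, os.time()) then return end
else
    -- Plain Lua: self-check on a constructed timeline
    for _ = 1, BURST do
        assert(allowEvent(7, 100))    -- the burst is accepted
    end
    assert(not allowEvent(7, 100))    -- sixth event in the same second is refused
    assert(not allowEvent(7, 101))    -- only half a token has been refilled
    assert(allowEvent(7, 102))        -- a full token is available again
    assert(allowEvent(8, 100))        -- other sources have their own bucket
    print('allowEvent self-check passed')
end
```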
Security Best Practices
Secure Development
- Input Validation - Validate all user inputs
- Output Encoding - Encode data for safe output
- Authentication - Verify user identity and permissions
- Authorization - Enforce access controls
- Error Handling - Don’t expose sensitive information
- Logging - Log security-relevant events
- Encryption - Protect sensitive data
Operational Security
- Regular Updates - Keep all software current
- Monitoring - Continuous security monitoring
- Backup Strategy - Regular, tested backups
- Incident Response - Prepared response procedures
- Staff Training - Security awareness education
- Access Controls - Strict access management
- Network Security - Perimeter and internal defenses
Security is not a one-time setup. It requires ongoing attention, regular updates, and continuous monitoring to remain effective.
Compliance and Legal
Data Protection
- GDPR Compliance - European data protection requirements
- CCPA Compliance - California privacy rights
- Player Data Rights - Data access, correction, deletion
- Data Retention - Appropriate retention periods
- Breach Notification - Legal reporting requirements
Terms of Service
Ensure your terms of service cover:
- Acceptable use policies
- Anti-cheat enforcement
- Data collection and usage
- Dispute resolution procedures
- Liability limitations
Security Tools and Resources
Recommended Tools
- Fail2Ban - Intrusion prevention system
- OSSEC - Host-based intrusion detection
- ModSecurity - Web application firewall
- Nmap - Network security scanner
- Wireshark - Network protocol analyzer
Security Resources
- CVE Database - Known vulnerability tracking
- Security Forums - Community threat intelligence
- Vendor Security Advisories - Official security updates
- Penetration Testing - Professional security assessment
This security guide provides comprehensive protection strategies for QBCore servers. Regular review and updates of security measures are essential for maintaining protection against evolving threats.