Security
Security best practices for your Hytale server
This Docker image is built with security as a priority. Learn about the security features and best practices.
Built-in Security Features
Non-Root User
The container runs as a non-root user (hytale UID 1000):
USER hytale:hytale
Benefits:
- Limits potential damage from compromised processes
- Follows principle of least privilege
- Prevents privilege escalation attacks
Dropped Capabilities
By default, unnecessary Linux capabilities are dropped:
cap_drop:
  - ALL
cap_add:
  - CHOWN         # Change file ownership
  - DAC_OVERRIDE  # Bypass file permission checks
  - SETUID        # Set user ID
  - SETGID        # Set group ID
This minimizes attack surface by only granting required permissions.
No New Privileges
The no-new-privileges security option prevents privilege escalation:
security_opt:
  - no-new-privileges:true
This prevents processes from gaining new privileges through setuid/setgid binaries.
Read-Only Root Filesystem
Consider making the root filesystem read-only:
security_opt:
  - no-new-privileges:true
read_only: true
tmpfs:
  - /tmp
  - /var/tmp
Read-only mode is advanced: the server still needs writable paths, which is why /tmp and /var/tmp become tmpfs mounts and the data and auth volumes stay writable. Only enable it if you understand the implications.
Network Security
Minimal Port Exposure
Only expose the necessary port:
ports:
  - "5520:5520/udp"  # Only Hytale server port
Never expose:
- Docker daemon socket
- Debug ports
- Internal management ports
Firewall Rules
Implement strict firewall rules:
# Allow only Hytale server port
ufw default deny incoming
ufw default allow outgoing
ufw allow 5520/udp
ufw enable
IP Whitelisting
For private servers, whitelist specific IPs:
# Allow only specific IP ranges
ufw allow from 192.168.1.0/24 to any port 5520 proto udp
ufw allow from YOUR_FRIEND_IP to any port 5520 proto udp
Authentication Security
Token Protection
Authentication tokens are sensitive. Protect them:
volumes:
  - hytale-auth:/home/hytale/.config:rw,Z
Never Share Tokens
- Don't commit auth volumes to version control
- Don't share volume backups publicly
- Rotate tokens regularly (every 30 days automatically)
Secure Token Storage
The container stores tokens with restricted permissions:
# Inside container
chmod 600 ~/.config/hytale/auth.json
chown hytale:hytale ~/.config/hytale/auth.json
Volume Security
Secure Mount Points
Use proper permissions for volume mount points:
# On host system
sudo chown -R 1000:1000 /path/to/volumes/hytale-data
sudo chmod 750 /path/to/volumes/hytale-data
Backup Encryption
When backing up volumes, encrypt them:
# Create encrypted backup (-pbkdf2 derives the key properly; without it
# openssl falls back to a weak legacy key derivation and warns about it)
tar czf - /var/lib/docker/volumes/hytale-data | \
openssl enc -aes-256-cbc -pbkdf2 -salt -out hytale-backup.tar.gz.enc
# Restore encrypted backup (the same -pbkdf2 flag is required to decrypt)
openssl enc -aes-256-cbc -pbkdf2 -d -in hytale-backup.tar.gz.enc | \
tar xzf -
Container Hardening
Resource Limits
Prevent resource exhaustion:
deploy:
  resources:
    limits:
      cpus: '2.0'
      memory: 6G
    reservations:
      memory: 2G
Restart Policy
Use a safe restart policy:
restart: unless-stopped  # Recommended
# NOT: restart: always   # Can cause issues during maintenance
Health Checks
Implement health monitoring:
healthcheck:
  test: ["CMD", "pgrep", "-f", "java"]
  interval: 30s
  timeout: 10s
  retries: 3
  start_period: 60s
Logging Security
Limit Log Size
Prevent disk exhaustion from logs:
logging:
  driver: "json-file"
  options:
    max-size: "10m"
    max-file: "3"
Secure Log Access
Restrict log file permissions:
# Run the glob as root: /var/lib/docker/containers is not readable by
# normal users, so an unquoted glob in your own shell would not expand
sudo sh -c 'chmod 640 /var/lib/docker/containers/*/*-json.log'
Update Security
Regular Updates
Keep your image updated:
# Pull latest image
docker compose pull
# Recreate containers with new image
docker compose up -d
The container has built-in auto-update for server files, but you should also update the Docker image regularly.
Vulnerability Scanning
Scan your images for vulnerabilities:
# Using Docker Scout
docker scout cves romariin/hytale-docker:latest
# Using Trivy
trivy image romariin/hytale-docker:latest
Access Control
Docker Socket Protection
Never mount the Docker socket unless absolutely necessary:
# ❌ DANGEROUS - Don't do this
volumes:
  - /var/run/docker.sock:/var/run/docker.sock
SSH Access
If providing SSH access to the host:
# Use key-based authentication only
sudo nano /etc/ssh/sshd_config
# Set: PasswordAuthentication no
# Set: PermitRootLogin no
# Restart SSH
sudo systemctl restart sshd
Fail2ban
Protect against brute force attacks:
sudo apt install fail2ban
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
Monitoring & Auditing
Container Logs
Monitor for suspicious activity:
# Watch logs in real-time
docker compose logs -f
# Search for errors
docker compose logs | grep -i error
# Export logs for analysis
docker compose logs > server-logs.txt
System Monitoring
Track resource usage:
# Monitor container stats
docker stats hytale-server
# Check system resources
htop
Security Auditing
Audit your Docker configuration:
# Docker Bench Security
docker run --rm --net host --pid host --userns host --cap-add audit_control \
-v /etc:/etc:ro \
-v /usr/bin/containerd:/usr/bin/containerd:ro \
-v /usr/bin/runc:/usr/bin/runc:ro \
-v /usr/lib/systemd:/usr/lib/systemd:ro \
-v /var/lib:/var/lib:ro \
-v /var/run/docker.sock:/var/run/docker.sock:ro \
docker/docker-bench-security
Incident Response
If Compromised
If you suspect a security breach:
- Immediately stop the container:
  # 'stop' keeps the stopped container so its logs can still be exported
  # in the next step; 'down' would remove the container and its logs
  docker compose stop
- Preserve evidence:
  docker compose logs > incident-logs.txt
- Rotate credentials:
  # The container must be removed before its auth volume can be deleted
  docker compose down
  docker volume rm examples_hytale-auth
- Update everything:
  docker compose pull
  docker compose up -d
- Review and harden:
  - Check this security guide
  - Review firewall rules
  - Audit access logs
  - Update passwords
Best Practices Checklist
- Container runs as non-root user
- Capabilities dropped to minimum
- No-new-privileges enabled
- Only necessary ports exposed
- Firewall configured correctly
- Authentication tokens protected
- Resource limits set
- Log rotation configured
- Regular updates scheduled
- Backups encrypted
- Monitoring in place
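The checklist above can be evaluated mechanically against a running container. The script below is an added example, not part of this image or its tooling: it reads the JSON that `docker inspect` prints for a container and reports which checklist items fail, using two constructed samples (a hardened and a weak configuration) in place of a real capture.

```python
import json

# Constructed, abridged `docker inspect` output for a container deployed the way
# this guide recommends. Not a real capture.
HARDENED = json.dumps([{
    "Config": {"User": "hytale", "ExposedPorts": {"5520/udp": {}}},
    "HostConfig": {
        "CapDrop": ["ALL"], "CapAdd": ["CHOWN", "DAC_OVERRIDE", "SETUID", "SETGID"],
        "SecurityOpt": ["no-new-privileges:true"], "ReadonlyRootfs": True,
        "Memory": 6 * 1024 ** 3,
        "Binds": ["hytale-data:/home/hytale/data:rw"],
        "LogConfig": {"Type": "json-file",
                      "Config": {"max-size": "10m", "max-file": "3"}},
    },
}])

# Constructed output for a container that ignores the guide: root user, no
# capabilities dropped, an extra port, the Docker socket mounted, no limits.
WEAK = json.dumps([{
    "Config": {"User": "", "ExposedPorts": {"5520/udp": {}, "5005/tcp": {}}},
    "HostConfig": {
        "CapDrop": [], "CapAdd": [], "SecurityOpt": [], "ReadonlyRootfs": False,
        "Memory": 0, "Binds": ["/var/run/docker.sock:/var/run/docker.sock"],
        "LogConfig": {"Type": "json-file", "Config": {}},
    },
}])

def audit(inspect_json):
    """Map each checklist item to True/False for the first container described."""
    c = json.loads(inspect_json)[0]
    cfg, host = c.get("Config") or {}, c.get("HostConfig") or {}
    uid = (cfg.get("User") or "").split(":")[0]   # "" = no USER set anywhere, i.e. root
    sec = host.get("SecurityOpt") or []
    srcs = [b.split(":")[0] for b in host.get("Binds") or []]   # host side of each bind
    logopts = (host.get("LogConfig") or {}).get("Config") or {}
    return {
        "non_root_user": uid not in ("", "root", "0"),
        "caps_dropped": "ALL" in (host.get("CapDrop") or []),
        "no_new_privileges": bool({"no-new-privileges", "no-new-privileges:true"} & set(sec)),
        "read_only_rootfs": bool(host.get("ReadonlyRootfs")),
        "no_docker_socket": not any(s.endswith("docker.sock") for s in srcs),
        "only_game_port": set(cfg.get("ExposedPorts") or {}) <= {"5520/udp"},
        "memory_limit_set": (host.get("Memory") or 0) > 0,
        "log_rotation": {"max-size", "max-file"} <= set(logopts),
    }

def failed_checks(inspect_json):
    """Checklist items the container fails, sorted so the output is stable."""
    return sorted(name for name, ok in audit(inspect_json).items() if not ok)
```

On a live host, pass it the output of `docker inspect hytale-server` instead of the constructed samples.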