AuroraSecurity
The #1 All-in-One Security Suite for Minecraft.
"It's time to stop your server from handing OP to strangers."
❝ About licenses:
After buying this plugin, get your key from our Discord and set it in
license-key inside the main configuration file. The license verifies online (with a 7-day offline cache, so a short internet outage won't take your server down).
AuroraSecurity is a powerful all-in-one tool designed to protect your Minecraft server and network from the most common takeover vectors — IP/UUID spoofing, direct backend connections, OP/admin account hijacking, brute-force, and unauthorized logins. Instead of trusting whatever a client claims, AuroraSecurity verifies identity at the packet level and enforces a strict fail-closed policy: when something looks unsafe, it blocks — and it even locks the server down automatically if it detects an exploitable configuration. Currently supporting Spigot + Forks, Paper, Folia, BungeeCord + Forks and Velocity — all from a single universal jar that auto-detects your platform (drop the same file on your backend or your proxy).Features:
- Multiple storage options with HikariCP pooling. Choose what fits you best: SQLite, MySQL (TLS + certificate verification), or YAML. All inputs use prepared statements — no SQL injection.
YAML:
storage:
# Options: SQLITE, MYSQL, YAML
storage-type: "SQLITE"
mysql:
host: "localhost"
port: 3306
database: "aurorasecurity"
username: "root"
password: "CHANGE_THIS_PASSWORD" # or use the AURORA_MYSQL_PASSWORD env var
ssl:
enabled: true
verify-certificate: true # blocks MITM on the DB link- Customize every message the way you want. Fully extendable configuration and 9 built-in languages (
) — translate and adapt to your needs. - Minimal performance impact. Everything runs asynchronously and checks happen at the packet/handshake level. Built to handle busy networks without lag.
- Folia-ready & region-thread safe.
Modules
Anti-Spoof — the heart of the pluginBlocks IP/UUID/identity spoofing at the handshake, before login even begins. Supports STANDALONE / BUNGEE / VELOCITY with automatic detection, verifies BungeeGuard tokens and Velocity modern-forwarding HMAC, and — most importantly — self-audits your config and auto-LOCKDOWNs the server if it finds a spoofable setup, so you never get caught off-guard in silence.
YAML:
anti-spoof:
enable: true
mode: "AUTO" # AUTO | STANDALONE | BUNGEE | VELOCITY
on-insecure-config: "LOCKDOWN" # refuse all logins if the config is exploitable
bungeeguard-tokens: []
Built-in BungeeGuard — no third-party plugin neededThe proxy module generates and injects the token itself, so you don't have to install a separate BungeeGuard plugin. It auto-detects an existing BungeeGuard install to avoid double-injection, and is leak-safe (the token is never broadcast to other players).
Proxy IP Allow-list — lock your backendOnly your proxy's IP may connect to the backend — every direct external connection is dropped at the handshake, even pings. It checks the real socket IP (which cannot be spoofed) and supports single IPs and CIDR ranges.
Works on shared hosting even with no firewall access.
YAML:
anti-spoof:
# Only these proxy IP(s) may reach the backend. Loopback is always allowed.
proxy-ip-allowlist:
- "203.0.113.10"
- "10.0.0.0/24"
Password & 2FA for staffPBKDF2-HMAC-SHA256 (100,000 iterations) password hashing with random salt, constant-time comparison and lockout on repeated failures. 2FA TOTP (Google Authenticator / Authy…) with replay protection; disabling 2FA requires the current code. Smart login sessions mean no nagging re-prompts.
Auto-Deop unauthenticated OPsPrefer a softer response than a kick? Optionally remove OP from an admin who hasn't verified within a grace period. While the timer runs they're command-blocked (OP can't be abused) and re-prompted to verify, so a legitimate admin simply re-authenticates and keeps OP.
YAML:
protect:
deop-unauthenticated:
enable: false
after-minutes: 5
GeoLocation — block by countryBlock or alert when an admin logs in from an unexpected country (whitelist/blacklist). Free, no API key required.
VPN / Proxy detectionFlag connections coming through VPNs, proxies, and hosting/datacenter ranges. Choose
KICK or ALERT, with a bypass permission for trusted players.
Account / IP limiterLimit how many distinct accounts a single IP may use within a time window — stops bot swarms and multi-account abuse.
YAML:
anti-spoof:
account-ip-limit:
enable: true
max-accounts-per-ip: 3
window-minutes: 60
Real-time protection & Command BlockerContinuously monitors OP / Creative-Spectator / sensitive permissions against approved IPs and challenges or removes access. Until a monitored player passes verification, every command is blocked — no sneaky
/op.
Discord integrationA role-gated bot to manage trusted IPs via slash commands, plus private DM alerts per admin (new-IP login, blocked login, failed password/2FA) — complete with location & ISP — and a one-click "Add IP" button.
IP history & Audit logTracks every admin IP and alerts on new ones. A tamper-resistant daily audit log records all security events and auto-cleans old files.
Why AuroraSecurity?AuroraSecurity was built to replace an entire stack of separate security plugins with one consistent, battle-tested solution. Most "anti-grief" setups protect everything except the one thing that actually gets servers taken over: a direct, spoofed connection to the backend. AuroraSecurity closes that hole at the source, then layers password/2FA, GeoIP, VPN detection, IP allow-listing, Discord alerting and auditing on top — every layer independent, so even if one is bypassed, the others hold.
| Capability | Typical separate plugins | AuroraSecurity |
| IP/UUID spoof protection |  Extra plugin |  Built-in, packet-level |
| BungeeGuard |  Separate plugin | Built-in injection |
| Backend IP lock | Needs firewall | Done by the plugin |
| Password + 2FA | Several plugins | All in one |
| GeoIP / VPN | Bought separately | Included, free |
| Discord alerts | Limited | Bot + private DM + location |
| Self-protect on misconfig | No | Automatic LOCKDOWN |
| Plugins to install | 5–7 plugins | 1 plugin |
Set up in 3 minutes- Drop the
.jarintoplugins/on every backend. - Put your
license-keyinconfig.yml. - Leave
anti-spoof.mode: AUTO— it detects your setup and protects it.
Commands & Permissions/aurorasec help— command list/aurorasec reload— reload config/messages/aurorasec license— license status/aurorasec password set|remove|check|logout/aurorasec 2fa setup|confirm|disable|status/aurorasec discord link|unlink|status|test
/aursecaurorasecurity.admin— base command accessaurorasecurity.reloadaurorasecurity.password.set / .remove / .check / .logoutaurorasecurity.2fa.setup / .disable / .adminaurorasecurity.discord.link / .adminaurorasecurity.geoip.bypassaurorasecurity.antispoof.bypass
Statistics❝ What data is collected?
AuroraSecurity uses bStats, which does not collect any personal data — only anonymous server info (player count, online mode, version, etc.), sent asynchronously. You can disable it anytime in the bStats config. See bStats: Getting Started.
End User License Agreement (EULA)By purchasing or using AuroraSecurity, you agree to the following:
No Resale or Redistribution. You may not resell, redistribute, or share this product in any form, or make it accessible to third parties not directly involved in your project. License Restrictions & Termination. You may not relicense, sublicense, or transfer this product. We reserve the right to revoke a license in justified cases (abuse, EULA violation). Unjustified termination may be refunded via this platform. Refund Policy. This is a digital product; refunds are not offered unless the plugin fails to work as described and the author cannot provide a fix within a reasonable time after being contacted. No refunds after 3 days from purchase. Authorized Use Only. Only the purchasing person/entity may use the product; access may be shared only with collaborators on the same project. You are responsible for any unauthorized distribution. Immediate Access. As a digital product with immediate access on purchase, refund rights are limited under digital-goods regulations.
Links- Discord (support & license): https://discord.gg/kT4AYNkQuv — join our community for technical support.
- Documentation / Wiki: https://wiki.asgmc.net/
AuroraSecurity — sleep well, your server has a guard.
Enjoying it? A 5-star review means a lot!
