Checklists

MUD Security Hardening Checklist

Most MUD incidents come from basic gaps: weak admin access, missing backups, noisy logs, and legacy code assumptions. Use this checklist before public launch and after every major infrastructure change.

Progress0 / 25 complete (0%)

Admin Access Control

0/5

  • Require SSH keys for all admins

    critical

    Disable password-based SSH access and rotate keys when staff changes.

  • Separate immortal and host credentials

    critical

    Do not reuse in-game passwords for shell, database, or panel access.

  • Review privileged accounts monthly

    recommended

    Confirm only active staff retain shell, deploy, or backup permissions.

  • Protect sudo access

    critical

    Limit full host administration to the smallest possible number of maintainers.

  • Document emergency lockout steps

    recommended

    Keep a tested process for revoking access if an account is compromised.

Host and Network Baseline

0/5

  • Restrict open ports

    critical

    Expose only the game port, SSH, and any intentionally public web services.

  • Apply OS security updates

    critical

    Patch the host on a predictable schedule so known package issues do not linger.

  • Enable basic rate limiting

    recommended

    Throttle repeated connection attempts and obvious abuse at the firewall or gateway layer.

  • Run the game as a dedicated user

    critical

    Avoid running the MUD process as root or under a shared system account.

  • Validate restart behavior

    recommended

    Confirm crashes and host reboots do not leave stale sockets or unsafe temp files behind.

Player Data and Persistence

0/5

  • Hash player passwords

    critical

    Store password hashes instead of plaintext or reversible secrets.

  • Back up player files daily

    critical

    Protect characters, boards, account data, and configs with automated backups.

  • Limit sensitive log content

    critical

    Avoid writing passwords, tokens, or private admin notes into general logs.

  • Review file permissions

    recommended

    Ensure only the game service user and trusted admins can read persistent world data.

  • Test backup restore

    critical

    Perform a restore drill so backups are proven usable before an emergency.

Code and Exploit Prevention

0/5

  • Audit unsafe input handling

    critical

    Review command parsing, buffer handling, and copy routines in older C code paths.

  • Lock down builder-only commands

    critical

    Verify OLC, reload, and debug commands cannot be reached by normal players.

  • Review duping and economy exploits

    recommended

    Test rent, corpses, shops, containers, and copyover flows for item duplication.

  • Validate rate-sensitive commands

    recommended

    Throttle spammy commands such as who, score, or auction if they stress the server.

  • Track third-party integrations

    recommended

    Review any bots, web endpoints, or webhook consumers that can issue privileged actions.

Monitoring and Incident Response

0/5

  • Alert on failed login spikes

    recommended

    Notice brute-force attempts or bot traffic before they turn into downtime.

  • Keep structured admin logs

    recommended

    Capture restarts, bans, object restores, and sensitive commands in a searchable format.

  • Prepare a player-facing outage notice

    optional

    Have short copy ready for login banners, Discord, or forums during a security event.

  • Document first-hour response steps

    critical

    List how to isolate the host, preserve evidence, and restore safe service quickly.

  • Run a quarterly security review

    recommended

    Recheck access, logs, backups, and exploit tests on a regular calendar.