Security Best Practices

Protecting your Arcadium infrastructure and game servers.

API Security

API Token Management

Create Strong Tokens:

  • Never reuse tokens across environments
  • Use descriptive names
  • Set expiration dates for temporary access

Secure Storage:

bash
# ✅ Good - Environment variables
export ARCADIUM_TOKEN="arcadium_live_..."

# ❌ Bad - Hardcoded in application source (JavaScript shown)
# const token = "arcadium_live_...";

Regular Rotation:

  1. Create new token
  2. Update applications
  3. Test thoroughly
  4. Revoke old token

Authentication

Token Security:

  • Keep tokens private
  • Don't commit to version control
  • Use secrets management (Vault, AWS Secrets Manager)
  • Regenerate if exposed
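
To back the "don't commit to version control" rule, and to catch the hardcoded pattern shown under Secure Storage, a repository can scan for the token prefix before each commit. This is an added example, not Arcadium tooling; the character set and minimum length after `arcadium_live_` are assumptions, so adjust the pattern to the real token format.

```shell
#!/bin/sh
# Added example: find strings that look like Arcadium live tokens.
# Assumption: the prefix is followed by 16 or more characters from [A-Za-z0-9_-].
TOKEN_RE='arcadium_live_[A-Za-z0-9_-]{16,}'

# Scan the given files. Prints "file:line" for each hit (never the token
# itself, so the value does not leak into CI logs). Returns 1 on any hit.
scan_for_tokens() {
  hits=$(grep -EnHI -e "$TOKEN_RE" -- "$@" 2>/dev/null | cut -d: -f1,2)
  [ -z "$hits" ] && return 0
  printf '%s\n' "$hits"
  return 1
}

# Scan only the lines added by the commit being created, so the check sees
# the staged content rather than whatever is in the working tree.
scan_staged() {
  if git diff --cached -U0 --no-color | grep -E '^\+' | grep -Eq -e "$TOKEN_RE"; then
    echo "Staged changes contain an Arcadium token: unstage it and regenerate the token" >&2
    return 1
  fi
  return 0
}

# As .git/hooks/pre-commit (file name is hypothetical):
#   . ./scan-tokens.sh && scan_staged
```

A hit in a commit that was already pushed counts as exposure: removing the line later does not remove it from history, so the token has to be regenerated.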

Rate Limiting:

  • Respect rate limits
  • Implement backoff strategies
  • Cache responses when possible

Agent Security

Machine Security

Operating System:

bash
# Keep system updated
sudo apt update && sudo apt upgrade -y

# Enable automatic security updates
sudo apt install unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades

Firewall Configuration:

bash
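# Allow only necessary ports
sudo ufw default deny incoming
sudo ufw default allow outgoing

# SSH: allow the port sshd listens on before enabling the firewall,
# or remote access is cut off (2222 if changed as under SSH Hardening, else 22)
sudo ufw allow 2222/tcp

# API connection is outbound only, so it needs no inbound rule

# Game server ports (as needed)
sudo ufw allow 27015/tcp
sudo ufw allow 27015/udp

sudo ufw enable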

SSH Hardening:

bash
# Edit /etc/ssh/sshd_config, check it with `sudo sshd -t`, then reload the SSH service

# Disable root login
PermitRootLogin no

# Use key-based authentication
PasswordAuthentication no

# Change default port
Port 2222

Agent Authentication

Token Protection:

  • Store in protected config file
  • Restrict file permissions: chmod 600 /etc/arcadium/agent.yaml
  • Regenerate token if machine compromised
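
The SSH Hardening directives and the `chmod 600` rule above can be checked by a script instead of by eye. This is an added example, not part of the Arcadium agent; it assumes GNU `stat` (as on the apt-based systems this page targets) and reads only the global section of one `sshd_config` file, without following `Include` lines.

```shell
#!/bin/sh
# Added example: audit the host settings described on this page.

# Effective value of an sshd_config keyword. sshd uses the FIRST occurrence
# of a keyword, keywords are case-insensitive, and a commented-out line
# sets nothing. Reading stops at the first "Match" block.
sshd_value() {   # usage: sshd_value FILE KEYWORD
  awk -v key="$2" '
    tolower($1) == "match"      { exit }
    tolower($1) == tolower(key) { print tolower($2); exit }
  ' "$1"
}

# Returns 0 only if both directives are explicitly set to "no". An unset
# directive fails, because the sshd defaults are weaker than "no".
check_sshd() {   # usage: check_sshd FILE
  rc=0
  [ "$(sshd_value "$1" PermitRootLogin)" = "no" ] ||
    { echo "FAIL PermitRootLogin is not 'no'"; rc=1; }
  [ "$(sshd_value "$1" PasswordAuthentication)" = "no" ] ||
    { echo "FAIL PasswordAuthentication is not 'no'"; rc=1; }
  return $rc
}

# Returns 0 only if FILE exists and its mode is exactly 600.
check_mode_600() {   # usage: check_mode_600 FILE
  mode=$(stat -c '%a' "$1" 2>/dev/null) || { echo "FAIL $1: cannot stat"; return 1; }
  [ "$mode" = "600" ] || { echo "FAIL $1: mode $mode, expected 600"; return 1; }
}

# Typical run, as root:
#   check_sshd /etc/ssh/sshd_config; check_mode_600 /etc/arcadium/agent.yaml
```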

TLS/SSL:

  • Agent uses WSS (WebSocket Secure)
  • Certificates validated
  • No plaintext communication

Cluster Security

Access Control

Principle of Least Privilege:

  • Grant minimum required role
  • Regular permission audits
  • Remove inactive members

Role Assignment:

VIEWER - Read-only, for observers
MODERATOR - Player management only
ADMIN - Full management, no billing
OWNER - Complete control

Team Management

Best Practices:

  • Review team quarterly
  • Use 2FA where possible (external to Arcadium)
  • Document team changes
  • Immediate removal on departure

Audit Logs:

  • Enable audit logging
  • Review regularly for suspicious activity
  • Monitor failed authentication attempts

Game Server Security

RCON Protection

Strong Passwords:

ini
# ✅ Good - long and random (generate your own; do not reuse this example)
rcon.password = "x8#mK9$pL2@nQ7w"

# ❌ Bad
rcon.password = "password123"

Access Restrictions:

  • Bind RCON to localhost only if possible
  • Use firewall rules to restrict RCON port
  • Change default RCON ports

Game Configuration

Disable Unnecessary Features:

ini
# Example for various games
EnableCheats = False
AllowAdminCommands = False
DebugMode = Disabled

Player Limits:

  • Set appropriate max players
  • Implement anti-spam measures
  • Use whitelist for private servers

Mod Security

Vetting Mods:

  • Download from official sources only
  • Read user reviews
  • Check last update date
  • Avoid abandoned mods

Monitoring:

  • Watch for unusual behavior
  • Check for unauthorized network calls
  • Review mod permissions

Data Protection

Backups

Regular Backups:

Schedule: Daily at 3 AM
Retention: 30 days
Location: Separate disk/server

Backup Security:

  • Encrypt backup files
  • Store offsite
  • Test restoration regularly
  • Restrict backup access
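
One way to implement the schedule, retention, encryption and restore-test points above, as an added example rather than Arcadium tooling. The source, destination and passphrase-file paths and the script name are hypothetical; it assumes GnuPG 2.1 or later and GNU `find`.

```shell
#!/bin/sh
# Added example: encrypted daily backup with a restore check and 30-day retention.
SRC=${SRC:-/srv/gameserver/saves}           # hypothetical: data to protect
DEST=${DEST:-/mnt/backup/gameserver}        # hypothetical: separate disk or remote mount
PASSFILE=${PASSFILE:-/root/.backup-pass}    # hypothetical: passphrase file, mode 600
RETENTION_DAYS=${RETENTION_DAYS:-30}

# Stream tar straight into gpg so no plaintext archive is written to disk.
# Prints the path of the encrypted archive on success.
make_backup() {
  out="$DEST/saves-$(date +%Y%m%d-%H%M%S).tar.gz.gpg"
  ( umask 077
    tar -C "$SRC" -czf - . |
      gpg --batch --pinentry-mode loopback --passphrase-file "$PASSFILE" \
          --symmetric --cipher-algo AES256 -o "$out" ) && echo "$out"
}

# Restore test: decrypt and list the archive without extracting it.
# Fails if the passphrase is wrong or the archive is damaged.
verify_backup() {   # usage: verify_backup FILE
  gpg --batch --quiet --pinentry-mode loopback --passphrase-file "$PASSFILE" \
      --decrypt "$1" | tar -tzf - >/dev/null
}

# Delete encrypted archives older than the retention window; other files stay.
prune_backups() {
  find "$DEST" -maxdepth 1 -type f -name 'saves-*.tar.gz.gpg' \
       -mtime +"$RETENTION_DAYS" -exec rm -f {} +
}

# crontab entry for "daily at 3 AM" (script path is hypothetical):
#   0 3 * * * /usr/local/sbin/gameserver-backup.sh run
if [ "${1:-}" = "run" ]; then
  f=$(make_backup) && verify_backup "$f" && prune_backups
fi
```

Old archives are pruned only after the new one has been created and verified, so a failing backup job never deletes the last good copy.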

Player Data

GDPR Compliance:

  • Collect only necessary data
  • Provide data export
  • Honor deletion requests
  • Document data usage

Data Minimization:

  • Don't store unnecessary player info
  • Anonymize analytics data
  • Regularly purge old data

Network Security

DDoS Protection

Mitigation Strategies:

  • Use DDoS protection service (Cloudflare, etc.)
  • Rate limiting
  • Connection throttling
  • Geographic filtering if applicable

Monitoring:

  • Track unusual traffic patterns
  • Alert on traffic spikes
  • Log connection attempts

Firewall Rules

Restrictive Rules:

bash
# Only allow game ports and API
# Block everything else by default

# Example for ARK server
ufw allow from any to any port 7777 proto udp
ufw allow from any to any port 7778 proto udp
ufw allow from any to any port 27015 proto tcp

Incident Response

Compromise Detection

Warning Signs:

  • Unexpected server restarts
  • Unknown admin accounts
  • Unusual file modifications
  • Traffic to suspicious IPs

Response Steps

If Compromised:

  1. Isolate - Disconnect server from network
  2. Assess - Determine what was accessed
  3. Contain - Revoke tokens, change passwords
  4. Recover - Restore from clean backup
  5. Learn - Document and improve security

Reporting

Security Issues:

Monitoring

Log Management

What to Log:

  • Authentication attempts
  • RCON commands
  • File modifications
  • Player actions
  • API requests

Log Security:

  • Rotate logs regularly
  • Ship to central logging service
  • Protect from tampering
  • Set retention policies

Alerts

Configure Alerts:

  • Failed login attempts
  • Unusual API activity
  • Server crashes
  • Resource exhaustion
  • New team members added

Compliance

Terms of Service

Review and Follow:

  • Arcadium ToS
  • Game EULAs
  • Platform policies (Steam, etc.)
  • Local laws (GDPR, CCPA)

Licensing

Respect Licenses:

  • Use legitimate game licenses
  • Follow mod licenses
  • Credit attribution where required
  • Commercial vs non-commercial use

Resources

Security Tools

Further Reading

Next Steps

Released under the MIT License.