Game Servers
How to Set Up a Secure Minecraft Server
Running your own Minecraft Java server gives you full control. This guide runs it under a dedicated non-root user managed by systemd, so a compromise of the game cannot become a compromise of the whole machine, and opens only the one port the game needs.
Install Java 21
Current Minecraft releases require Java 21. Install the headless JRE, which has no GUI dependencies.
sudo apt update sudo apt install -y openjdk-21-jre-headless java -version # verify it reports version 21
Create a Dedicated Non-Root User
Never run a game server as root or as your own login account. Make a locked-down system user that owns only the server files.
# --system service account, no login shell, home at /opt/minecraft sudo useradd -r -m -d /opt/minecraft -s /usr/sbin/nologin minecraft
Download the Server JAR
Place the official server jar in the dedicated user's directory. Get the current download URL from minecraft.net, then fetch it as the minecraft user.
# Run as the minecraft user so file ownership is correct from the start sudo -u minecraft bash -c 'cd /opt/minecraft && wget -O server.jar https://piston-data.mojang.com/v1/objects/<CURRENT_HASH>/server.jar'
Accept the EULA Explicitly
Mojang requires you to agree to the EULA. Run once to generate files, then set the flag yourself; this is a deliberate legal acceptance.
sudo -u minecraft bash -c 'cd /opt/minecraft && java -Xms1024M -Xmx1024M -jar server.jar nogui' # generates eula.txt, then stops # Explicitly accept Mojang's EULA (https://aka.ms/MinecraftEULA): sudo -u minecraft bash -c 'echo "eula=true" > /opt/minecraft/eula.txt'
Create a systemd Service
A systemd unit starts the server on boot, restarts it on crash, and runs it as the minecraft user. The memory flags pin the heap: -Xms is the starting size and -Xmx the maximum; set both equal to avoid resize pauses.
sudo nano /etc/systemd/system/minecraft.service # Paste: [Unit] Description=Minecraft Server After=network.target [Service] User=minecraft WorkingDirectory=/opt/minecraft # -Xms2048M starting heap, -Xmx2048M max heap (keep them equal); raise to fit your RAM ExecStart=/usr/bin/java -Xms2048M -Xmx2048M -jar server.jar nogui Restart=on-failure [Install] WantedBy=multi-user.target
Start, Enable, and Open the Game Port
Enable the service so it survives reboots, then allow only the Minecraft port through the firewall.
sudo systemctl daemon-reload sudo systemctl enable --now minecraft sudo systemctl status minecraft --no-pager # confirm it is active (running) sudo ufw allow 25565/tcp # the only port Minecraft Java needs
Your Minecraft server runs as a dedicated non-root user under systemd, restarts automatically, and exposes only port 25565. Keep the server jar and Java updated, and never widen the firewall beyond the ports you truly need.