A public 7 Days to Die server is exposed to two distinct threat surfaces: network-level attacks (port scans, UDP floods, brute-force on admin interfaces) and in-game griefing (offline raids, base destruction, claim bypass). This guide covers both — what to lock down at the firewall, what to harden in serverconfig.xml, and where mods or hosting-provider features matter.
The four ports relevant to a 7D2D dedicated server, in order of who should reach them:
| Port | Protocol | Property | Who needs it |
|---|---|---|---|
| 26900 | UDP (and TCP for some setups) | ServerPort | All players. The game traffic port. Forward this and the few above it (the engine uses adjacent ports for game traffic). |
| 8080 | TCP (HTTP) | ControlPanelPort | Admins only. Disabled by default (ControlPanelEnabled=false); leave disabled unless you need it. |
| 8081 | TCP (telnet) | TelnetPort | Admins only. Plaintext protocol — never open to the internet. |

- Port 8080 (control panel): bind to 127.0.0.1 or whitelist your admin IP only. If the panel is enabled and exposed, it's an authentication endpoint someone will try to brute-force. Always change ControlPanelPassword from the default CHANGEME.
- Port 8081 (telnet): bind to 127.0.0.1 only. SSH-tunnel for remote admin work. Set TelnetPassword in serverconfig.xml. TelnetFailedLoginLimit (default 10) and TelnetFailedLoginsBlocktime (default 10 seconds) provide weak rate-limiting; supplement with firewall rules.

All defaults below are taken from our serverconfig.xml reference.

| Property | Default | Hardening recommendation |
|---|---|---|
| ControlPanelEnabled | false | Leave false. Only flip to true if you actively use the panel; bind 8080 to localhost in that case. |
| ControlPanelPassword | CHANGEME | Change to a long random string before exposing the panel. The default is the single most-tried password in opportunistic scans. |
| TelnetEnabled | — | Disable if you don't use telnet/scripting. If enabled, keep behind a firewall. |
| TelnetPassword | (empty) | Always set a password. An empty password permits passwordless connection from anything reaching the port. |
| TelnetFailedLoginLimit | 10 | Wrong-password attempts before the source IP is blocked. |
| TelnetFailedLoginsBlocktime | 10 | Block duration in seconds. Short — supplement with firewall rules for sustained protection. |
| HideCommandExecutionLog | 0 | 0=show everything; 1=hide from telnet/panel; 2=also hide from remote game clients; 3=hide everything. Set to 2 or 3 if you don't want admin commands echoed in the in-game log. |
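
An added example (not part of the original guide or of the game's own tooling): a small Python audit that parses serverconfig.xml and flags the weak settings from the table above. The `<property name="..." value="..."/>` layout, the sample values, and treating a missing TelnetEnabled as enabled are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample, using the <property name="..." value="..."/> layout
# of serverconfig.xml. Values are deliberately weak.
SAMPLE = """<ServerSettings>
  <property name="ControlPanelEnabled" value="true"/>
  <property name="ControlPanelPassword" value="CHANGEME"/>
  <property name="TelnetEnabled" value="true"/>
  <property name="TelnetPassword" value=""/>
  <property name="TelnetFailedLoginsBlocktime" value="10"/>
</ServerSettings>"""

def load_properties(xml_text):
    """Return {name: value} for every <property> element."""
    root = ET.fromstring(xml_text)
    return {p.get("name"): (p.get("value") or "").strip()
            for p in root.iter("property")}

def audit(xml_text):
    """Return (property, finding) pairs for the settings tabulated above."""
    props = load_properties(xml_text)
    findings = []
    # Defaults from the table: panel off, panel password CHANGEME.
    if props.get("ControlPanelEnabled", "false").lower() == "true":
        findings.append(("ControlPanelEnabled",
                         "panel on: keep 8080 on localhost or an admin IP"))
    if props.get("ControlPanelPassword", "CHANGEME") in ("", "CHANGEME"):
        findings.append(("ControlPanelPassword", "default or empty password"))
    # The table lists no default for TelnetEnabled; a missing key is treated
    # as enabled here (conservative assumption of this example).
    if props.get("TelnetEnabled", "true").lower() == "true":
        if not props.get("TelnetPassword", ""):
            findings.append(("TelnetPassword",
                             "empty: passwordless telnet on 8081"))
        try:
            block = int(props.get("TelnetFailedLoginsBlocktime", "10"))
        except ValueError:
            block = 0  # unparseable value: report it as too short
        if block <= 10:
            findings.append(("TelnetFailedLoginsBlocktime",
                             "at or below the 10 s default: add firewall rules"))
    return findings

if __name__ == "__main__":
    for name, message in audit(SAMPLE):
        print(f"{name}: {message}")
```

Run it against a copy of the live file before each restart; an empty result means none of these checks fired, not that the ports are firewalled.
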
The land-claim system is the primary anti-grief lever. The actual property names and their defaults:
| Property | Default | Effect |
|---|---|---|
| LandClaimCount | 1 | Maximum keystones per player. Raise to 2–3 for PvE servers where players want a horde base + a stash base; keep at 1 for PvP to discourage spread. |
| LandClaimSize | 41 | Side length (in blocks) of the protected box around a keystone. |
| LandClaimDeadZone | 30 | Minimum block distance between two players' keystones (unless friended). Prevents claim-overlap griefing. |
| LandClaimExpiryTime | 7 | Days a player can be offline before their claim's protection expires. |
| LandClaimDecayMode | 0 | 0 = slow linear decay, 1 = fast exponential, 2 = none (full protection until full expiry). Set to 2 if your players take vacations from the server. |
| LandClaimOnlineDurabilityModifier | 4 | Block-hardness multiplier inside the claim while the owner is online. Default 4×. 0 means infinite (indestructible). Raise (e.g. 8) for tougher PvP bases; do not raise to absurd values like 40× — players will rage when they can't break through obvious griefing structures. |
| LandClaimOfflineDurabilityModifier | 4 | Same multiplier while the owner is offline. Raise to mitigate offline raids on PvP servers; set to 0 for "offline = invincible base." |
| LandClaimOfflineDelay | 0 | Minutes after logout before the offline modifier kicks in. Set to 5–15 to prevent a player from logging out mid-fight to gain offline protection. |
| BedrollDeadZoneSize | 15 | Box "radius" of the no-zombie-spawn zone around a bedroll. Prevents zombie spawns from invading bedrooms but doesn't stop other players in PvP. |
For game servers, the threats you actually see in the wild are network-level UDP floods, not application-layer attacks. The relevant terms:
Practical takeaway: if uptime under attack matters, pay for a hosting provider with built-in network DDoS scrubbing. If you self-host on a residential connection or a basic VPS, you can't out-config a flood.

- Change ControlPanelPassword from CHANGEME.
- Set TelnetPassword; bind 8081 to 127.0.0.1.
- Disable ControlPanelEnabled if you don't actively use it.
- serveradmin.xml: no test accounts left at permission level 0.
- Stop the server with shutdown, never kill -9; corrupted saves are a security risk too (forced re-rolls).