There is an exploit with Bungeecord which allows users to spoof your UUID by pretending to join as you using a separate Bungeecord instance. To fix it, you need to install one of the following plugins on your non-Bungeecord servers:
IPWhitelist: https://www.spigotmc.org/resources/61/
BungeeGuard: https://github.com/lucko/BungeeGuard/releases
Here are instructions on how to install each of the above plugins. You only need one.
IPWhitelist:
⬤ Download the plugin from https://www.spigotmc.org/resources/61/ and put it in your Bukkit/Spigot servers.
⬤ Restart.
⬤ Open the config file and add your server IP (excluding port) to the "whitelist" section.
⬤ Restart.
⬤ Done! Your server is now protected and you can configure the config.yml at any time to your liking and use /ipwl reload to reload it.
BungeeGuard:
Your server must be using Paper to be able to use BungeeGuard, it cannot be running Spigot/Bukkit.
On BungeeCord
⬤ Download the proxy plugin from https://github.com/lucko/BungeeGuard/releases and put it in your BungeeCord server.
⬤ Restart.
⬤ Open the plugins/BungeeGuard/token.yml file and copy the token
On Paper
⬤ Download the backend plugin from https://github.com/lucko/BungeeGuard/releases and put it in your Paper servers.
⬤ Open the plugins/BungeeGuard/config.yml file on each server and add the previously copied token to allowed_tokens
⬤ Done! Your server is now protected and you can configure the config.yml at any time to your liking and restart the server to load the changes.# Allowed authentication tokens.
allowed-tokens:
- "AUSXEwebkOGVnbihJM8gBS0QUutDzvIG009xoAfo1Huba9pGvhfjrA21r8dWVsa8"
