FiveM Server Setup Guide
Complete guide for setting up and securing a FiveM server with proxy, firewall, and DDoS protection
Requirements & Prerequisites
System Requirements
- Operating System: Windows Server 2019/2022 or Ubuntu 20.04/22.04 LTS
- CPU: 4+ cores (8+ recommended for high-population servers)
- RAM: 8GB minimum (16GB+ recommended)
- Storage: 100GB+ SSD storage
- Network: 1Gbps connection minimum
- Ports: 30120 (default FiveM port), 30110-30130 (recommended range)
Important Licensing Requirements
- Valid FiveM server license (free for up to 32 players)
- Patreon subscription for higher player counts
- Steam API key for proper authentication
- Rockstar Social Club account
Server Installation
Step 1: Download FiveM Server
Windows
# Create server directory
mkdir C:\FiveM-Server
cd C:\FiveM-Server
# Download latest server build
# (curl.exe, because plain "curl" is an alias for Invoke-WebRequest in Windows PowerShell)
curl.exe -O https://runtime.fivem.net/artifacts/fivem/build_server_windows/master/latest/server.zip
# Extract files
Expand-Archive server.zip -DestinationPath .
Linux
# Create server directory
mkdir /home/fivem-server
cd /home/fivem-server
# Download latest server build
wget https://runtime.fivem.net/artifacts/fivem/build_proot_linux/master/latest/fx.tar.xz
# Extract files
tar -xf fx.tar.xz
Step 2: Create Server Configuration
server.cfg
# Basic server configuration
endpoint_add_tcp "0.0.0.0:30120"
endpoint_add_udp "0.0.0.0:30120"
# Server identity
sv_hostname "^2Your FiveM Server ^7| ^3Welcome!"
sv_maxclients 32
sv_endpointprivacy true
# License and authentication
sv_licensekey "your-license-key-here"
steam_webApiKey "your-steam-api-key-here"
# Server security
rcon_password "your-secure-rcon-password"
sv_enforceGameBuild 2944
# OneSync settings (for 32+ players)
onesync on
# Resources to start
ensure mapmanager
ensure chat
ensure spawnmanager
ensure sessionmanager
ensure basic-gamemode
ensure hardcap
# Custom resources
ensure [essential]
ensure [cars]
ensure [maps]
# Server tags
tags "roleplay, serious, whitelisted"
# Loading screen
loadscreen_manual_shutdown yes
Basic Configuration
Directory Structure Setup
Directory Structure
FiveM-Server/
├── server.cfg
├── server.exe (Windows) / run.sh (Linux)
├── resources/
│ ├── [essential]/
│ ├── [cars]/
│ ├── [maps]/
│ └── [scripts]/
├── cache/
├── logs/
└── data/
Resource Management
Resource Configuration
# Essential resources (always load first)
ensure mapmanager
ensure chat
ensure spawnmanager
ensure sessionmanager
ensure basic-gamemode
ensure hardcap
# Admin resources
ensure [admin]
ensure vMenu
ensure EasyAdmin
# Core gameplay resources
ensure [esx] # if using ESX framework
ensure [vrp] # if using vRP framework
ensure mysql-async # database connector
# Custom resources (load last)
ensure custom-hud
ensure custom-scripts
ensure custom-cars
Database Configuration (MySQL)
MySQL Setup
# Install MySQL (Ubuntu)
sudo apt update
sudo apt install mysql-server
# Secure MySQL installation
sudo mysql_secure_installation
# Create FiveM database
mysql -u root -p
CREATE DATABASE fivem_db;
CREATE USER 'fivem_user'@'localhost' IDENTIFIED BY 'secure_password';
GRANT ALL PRIVILEGES ON fivem_db.* TO 'fivem_user'@'localhost';
FLUSH PRIVILEGES;
Proxy & Load Balancing
Nginx Reverse Proxy for Web Interface
nginx.conf
# Rate limiting zone: limit_req_zone is only valid in the http context,
# so declare it outside the server blocks
limit_req_zone $binary_remote_addr zone=fivem:10m rate=10r/s;
server {
    listen 80;
    server_name your-server.com;
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl http2;
    server_name your-server.com;
    ssl_certificate /path/to/certificate.crt;
    ssl_certificate_key /path/to/private.key;
    # Rate limiting (uses the zone declared above)
    limit_req zone=fivem burst=20 nodelay;
    # FiveM server proxy
    location / {
        proxy_pass http://127.0.0.1:30120;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_cache_bypass $http_upgrade;
    }
}
HAProxy Load Balancing (Multiple Servers)
haproxy.cfg
global
daemon
maxconn 4096
defaults
mode tcp
timeout connect 5000ms
timeout client 50000ms
timeout server 50000ms
frontend fivem_frontend
bind *:30120
default_backend fivem_servers
backend fivem_servers
balance roundrobin
server fivem1 192.168.1.10:30120 check
server fivem2 192.168.1.11:30120 check
server fivem3 192.168.1.12:30120 check backup
Cloudflare Proxy Configuration
Cloudflare Setup for DDoS Protection
- Add your domain to Cloudflare
- Set DNS record: A @ your-server-ip (Orange cloud enabled)
- Configure Cloudflare settings:
  - SSL/TLS: Full (strict)
  - Security Level: High
  - Bot Fight Mode: On
  - Under Attack Mode: When needed
- Create firewall rules for additional protection
Firewall Configuration
UFW (Ubuntu Firewall)
UFW Setup
# Default policies
sudo ufw default deny incoming
sudo ufw default allow outgoing
# SSH access (change port if needed)
sudo ufw allow 22/tcp
# HTTP/HTTPS
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
# FiveM server ports
sudo ufw allow 30120/tcp
sudo ufw allow 30120/udp
# MySQL (only from specific IPs if needed)
sudo ufw allow from 192.168.1.0/24 to any port 3306
# Enable UFW last, once the SSH rule exists, so a remote session is not cut off
sudo ufw enable
# Check status
sudo ufw status verbose
Windows Defender Firewall
PowerShell
# FiveM inbound rules
New-NetFirewallRule -DisplayName "FiveM Server TCP" -Direction Inbound -Protocol TCP -LocalPort 30120 -Action Allow
New-NetFirewallRule -DisplayName "FiveM Server UDP" -Direction Inbound -Protocol UDP -LocalPort 30120 -Action Allow
# HTTP/HTTPS rules
New-NetFirewallRule -DisplayName "HTTP" -Direction Inbound -Protocol TCP -LocalPort 80 -Action Allow
New-NetFirewallRule -DisplayName "HTTPS" -Direction Inbound -Protocol TCP -LocalPort 443 -Action Allow
# Block specific IPs (example)
New-NetFirewallRule -DisplayName "Block Malicious IP" -Direction Inbound -RemoteAddress "1.2.3.4" -Action Block
Advanced iptables Rules (Linux)
iptables
#!/bin/bash
# Advanced iptables configuration for FiveM
# Flush existing rules
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
# Default policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Allow loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow established connections
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Drop invalid packets (before any ACCEPT rule can match them)
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
# SSH (change port as needed)
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# HTTP/HTTPS
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# FiveM server (TCP): rate-limited accept. Rules are evaluated in order, so an
# unconditional TCP ACCEPT for 30120 placed before this rule would bypass the limit.
iptables -A INPUT -p tcp --dport 30120 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
# Drop TCP traffic over the limit here so it does not reach the port-scan rules below
iptables -A INPUT -p tcp --dport 30120 -j DROP
# FiveM server (UDP)
iptables -A INPUT -p udp --dport 30120 -j ACCEPT
# Protection against port scans
iptables -A INPUT -m recent --name portscan --rcheck --seconds 86400 -j DROP
iptables -A INPUT -m recent --name portscan --set -j LOG --log-prefix "Portscan:"
iptables -A INPUT -m recent --name portscan --set -j DROP
# Save rules
iptables-save > /etc/iptables/rules.v4
DDoS Protection
Fail2Ban Configuration
Install Fail2Ban
# Ubuntu/Debian
sudo apt install fail2ban
# CentOS/RHEL
sudo yum install epel-release
sudo yum install fail2ban
# Start and enable
sudo systemctl start fail2ban
sudo systemctl enable fail2ban
/etc/fail2ban/jail.local
[DEFAULT]
bantime = 3600
findtime = 600
maxretry = 5
backend = auto
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 86400
[fivem-flood]
enabled = true
port = 30120
filter = fivem-flood
logpath = /var/log/fivem/server.log
maxretry = 20
findtime = 60
bantime = 600
[nginx-req-limit]
enabled = true
filter = nginx-req-limit
action = iptables-multiport[name=ReqLimit, port="http,https", protocol=tcp]
logpath = /var/log/nginx/error.log
findtime = 600
bantime = 7200
maxretry = 10
Custom FiveM Fail2Ban Filter
/etc/fail2ban/filter.d/fivem-flood.conf
[Definition]
failregex = ^.*Dropping client <HOST>:.*flood.*$
            ^.*Received too many packets from <HOST>.*$
            ^.*Suspicious activity from <HOST>.*$
ignoreregex =
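To see how the [fivem-flood] thresholds (maxretry 20, findtime 60) behave before enabling the jail, the sliding-window count can be replayed over a log offline. This is an added example, not part of the original guide or of Fail2Ban; the log format (an epoch timestamp followed by a message shaped like the filter's patterns) and the function names are assumptions.

```bash
#!/bin/bash
# Added example. Log lines are constructed: "<epoch> <message>", with messages
# shaped to match the three failregex patterns above.

# make_sample_log FILE: 25 flood lines 1 s apart from one address and 25 lines
# 10 s apart from another (both from documentation address ranges).
make_sample_log() {
    i=0
    while [ "$i" -lt 25 ]; do
        echo "$((1700000000 + i)) Dropping client 203.0.113.7: packet flood"
        echo "$((1700000000 + i * 10)) Received too many packets from 198.51.100.9"
        i=$((i + 1))
    done > "$1"
}

# would_ban FILE MAXRETRY FINDTIME: print "address epoch" at the moment an
# address reaches MAXRETRY matching lines inside a FINDTIME-second window.
would_ban() {
    awk -v maxretry="$2" -v findtime="$3" '
    /Dropping client .*flood|Received too many packets from |Suspicious activity from / {
        if (!match($0, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/)) next
        ip = substr($0, RSTART, RLENGTH); ts = $1
        if (ip in banned) next
        if (!(ip in head)) head[ip] = 1
        t[ip, ++tail[ip]] = ts
        # Slide the window: forget hits older than findtime seconds.
        while (t[ip, head[ip]] + 0 <= ts - findtime) head[ip]++
        if (tail[ip] - head[ip] + 1 >= maxretry) { banned[ip] = ts; print ip, ts }
    }' "$1"
}

# Demo with the [fivem-flood] jail values: maxretry = 20, findtime = 60.
log=$(mktemp)
make_sample_log "$log"
would_ban "$log" 20 60    # only the 1-per-second source crosses the threshold
rm -f "$log"
```

Once the jail is installed, fail2ban-regex can run the actual filter file against the real server log to confirm the patterns match what the server writes.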
Network-Level DDoS Protection
Recommended DDoS Protection Services
- Cloudflare: Free tier provides basic protection, Pro+ for advanced features
- OVH Game DDoS Protection: Specialized for gaming servers
- AWS Shield: For servers hosted on AWS
- Path.net: Gaming-focused DDoS protection
Server-Side Rate Limiting
server.cfg (Rate Limiting)
# Network security settings
sv_netTimeout 60000
sv_maxPacketSize 1200
sv_rateLimitEnabled true
sv_rateLimitThreshold 5000
# Connection limiting
sv_maxClients 128
sv_endpointPrivacy true
# Anti-cheat settings
sv_enforceGameBuild 2944
sv_scriptHookAllowed false
Security Hardening
System Security
System Hardening
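# Create a dedicated, unprivileged user for FiveM. Do not add it to the sudo
# group: the server and every resource it loads would then run as an account
# that can become root.
sudo adduser fivem --disabled-password --gecos ""
# Set file permissions
sudo chown -R fivem:fivem /home/fivem-server
sudo chmod -R 750 /home/fivem-server
# Disable root login (also matches the commented-out default line; make sure a
# separate sudo-capable admin account exists first)
sudo sed -i -E 's/^#?PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config
# Change SSH port (optional; allow the new port in the firewall before restarting)
sudo sed -i 's/#Port 22/Port 2222/' /etc/ssh/sshd_config
# Validate the configuration, then restart SSH
sudo sshd -t && sudo systemctl restart ssh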
FiveM Security Configuration
Secure server.cfg
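# Strong RCON password. server.cfg is not processed by a shell, so command
# substitution is not evaluated here: generate the value separately
# (for example with: openssl rand -base64 32) and paste the result.
rcon_password "paste-generated-password-here"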
# Disable unnecessary features
sv_scriptHookAllowed false
sv_enableNetworkStacks false
# Resource security
set mysql_connection_string "mysql://user:password@localhost/database?charset=utf8mb4"
# Admin whitelist
add_ace group.admin command allow
add_ace identifier.steam:110000103fd1bb1 group.admin
# Secure communication
sv_endpointPrivacy true
sv_enforceGameBuild 2944
# Logging
con_logFile "server.log"
set sv_logLevel 2
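A quick audit of a finished server.cfg catches the mistakes these sample files invite: placeholder secrets left in place, shell syntax pasted into rcon_password, script hook left enabled, and a world-readable file. This is an added example, not part of the original guide or of FiveM; the function names, the 20-character minimum and the "your-" placeholder prefix are assumptions.

```bash
#!/bin/bash
# Added example; the 20-character minimum and the "your-" placeholder prefix
# are assumptions taken from this guide's sample values.

# cfg_value FILE KEY: value of the last active "KEY value" line (an optional
# set/sets/seta/setr prefix is skipped, quotes removed); empty if KEY is absent.
cfg_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        { i = ($1 ~ /^set[asr]?$/) ? 2 : 1
          if (tolower($i) != tolower(key)) next
          v = $0; sub(/^[ \t]+/, "", v)
          for (n = 1; n <= i; n++) sub(/^[^ \t]+[ \t]*/, "", v)
          if (v ~ /^"/) { sub(/^"/, "", v); sub(/".*$/, "", v) } else sub(/[ \t].*$/, "", v)
          last = v }
        END { print last }' "$1"
}

# audit_cfg FILE: one finding per line; no output means nothing was flagged.
audit_cfg() {
    pw=$(cfg_value "$1" rcon_password)
    case "$pw" in
        '') ;;
        *'$('*|your-*) echo "rcon_password: placeholder or unevaluated shell syntax" ;;
        *) [ "${#pw}" -ge 20 ] || echo "rcon_password: under 20 characters" ;;
    esac
    for key in sv_licensekey steam_webApiKey; do
        case "$(cfg_value "$1" "$key")" in
            your-*) echo "$key: still the guide's placeholder" ;;
        esac
    done
    case "$(cfg_value "$1" sv_scriptHookAllowed)" in
        ''|false|0) ;;
        *) echo "sv_scriptHookAllowed: enabled" ;;
    esac
    # server.cfg holds the license key, RCON password and database credentials.
    [ -z "$(find "$1" -perm -004)" ] || echo "permissions: world-readable"
}

# make_sample_cfg FILE: constructed config using this guide's sample values.
make_sample_cfg() {
    printf '%s\n' 'sv_licensekey "your-license-key-here"' \
        'steam_webApiKey "your-steam-api-key-here"' \
        'rcon_password "$(openssl rand -base64 32)"' \
        'sv_scriptHookAllowed false' > "$1"
    chmod 644 "$1"
}

cfg=$(mktemp); make_sample_cfg "$cfg"; audit_cfg "$cfg"; rm -f "$cfg"
```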
Database Security
MySQL Security
# Secure MySQL configuration
[mysqld]
bind-address = 127.0.0.1
port = 3306
max_connections = 100
max_user_connections = 50
# Security settings
local-infile = 0
secure-file-priv = "/var/lib/mysql-files/"
# Log suspicious activity
log-error = /var/log/mysql/error.log
general_log = 1
general_log_file = /var/log/mysql/general.log
# SSL configuration (recommended)
ssl-ca = /etc/mysql/ssl/ca-cert.pem
ssl-cert = /etc/mysql/ssl/server-cert.pem
ssl-key = /etc/mysql/ssl/server-key.pem
Resource Validation
Resource Security Checklist
- Only install resources from trusted sources
- Review Lua code before adding new resources
- Use resource encryption for sensitive scripts
- Regularly update all resources
- Monitor resource performance and behavior
- Use ACL (Access Control Lists) for admin resources
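The "review Lua code" item is easier to keep up with a first-pass scan that points the reviewer at the lines worth reading. This is an added example, not part of the original guide; the pattern list, function names and sample resources are assumptions, and a hit is a prompt to read the line, not a verdict.

```bash
#!/bin/bash
# Added example. The pattern list is an assumption about what deserves a manual
# look (outbound HTTP, dynamic code loading, shell access, long escaped strings);
# a hit means "read this line", not "this resource is malicious".
RISKY='PerformHttpRequest|ExecuteCommand|os\.execute|io\.popen'
RISKY="$RISKY"'|(^|[^A-Za-z0-9_.:])(loadstring|load)[[:space:]]*\('
RISKY="$RISKY"'|(\\x[0-9A-Fa-f]{2}){8,}|(\\[0-9]{1,3}){8,}'

# scan_resources DIR: print "file:line:text" for each flagged line in *.lua.
scan_resources() {
    find "$1" -type f -name '*.lua' -exec grep -nHE "$RISKY" {} + 2>/dev/null
    return 0
}

# count_findings DIR: number of flagged lines.
count_findings() { scan_resources "$1" | wc -l | tr -d ' '; }

# flagged_files DIR: distinct files that contain at least one flagged line.
flagged_files() { scan_resources "$1" | cut -d: -f1 | sort -u; }

# make_sample_resources DIR: two constructed resources, one clean, one not.
make_sample_resources() {
    mkdir -p "$1/clean-hud" "$1/sus-pack"
    printf '%s\n' 'local function reload() end' 'print("hud ready")' \
        > "$1/clean-hud/client.lua"
    printf '%s\n' 'PerformHttpRequest(url, onReply)' \
        'local chunk = load(reply)' \
        'local s = "\x68\x65\x6c\x6c\x6f\x20\x77\x6f\x72\x6c\x64"' \
        > "$1/sus-pack/server.lua"
}

# Demo on the constructed sample.
res=$(mktemp -d)
make_sample_resources "$res"
scan_resources "$res"
rm -rf "$res"
```

Run scan_resources against the server's resources/ directory before adding a new ensure line, and again after each resource update.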
Monitoring & Logs
Log Configuration
Logging Setup
# Create log directories
mkdir -p /var/log/fivem
chown fivem:fivem /var/log/fivem
# Logrotate configuration
cat > /etc/logrotate.d/fivem << 'EOF'
/var/log/fivem/*.log {
daily
missingok
rotate 14
compress
delaycompress
notifempty
copytruncate
su fivem fivem
}
EOF
System Monitoring Script
monitor.sh
#!/bin/bash
# FiveM Server Monitoring Script
LOG_FILE="/var/log/fivem/monitor.log"
# pgrep -f can match several processes; -o keeps only the oldest one
SERVER_PID=$(pgrep -o -f "FXServer")
# Function to log with timestamp
log_message() {
    echo "[$(date '+%Y-%m-%d %H:%M:%S')] $1" >> "$LOG_FILE"
}
# Check if server is running
if [ -z "$SERVER_PID" ]; then
log_message "ERROR: FiveM server is not running"
# Restart server
systemctl restart fivem
log_message "INFO: Attempted to restart FiveM server"
else
# Get resource usage
CPU_USAGE=$(ps -p "$SERVER_PID" -o %cpu --no-headers)
MEM_USAGE=$(ps -p "$SERVER_PID" -o %mem --no-headers)
log_message "INFO: Server running - PID: $SERVER_PID, CPU: ${CPU_USAGE}%, Memory: ${MEM_USAGE}%"
# Check if resource usage is too high
if (( $(echo "$CPU_USAGE > 80" | bc -l) )); then
log_message "WARNING: High CPU usage detected: ${CPU_USAGE}%"
fi
if (( $(echo "$MEM_USAGE > 80" | bc -l) )); then
log_message "WARNING: High memory usage detected: ${MEM_USAGE}%"
fi
fi
# Check disk space
DISK_USAGE=$(df /home/fivem-server | awk 'NR==2 {print $5}' | sed 's/%//')
if [ "$DISK_USAGE" -gt 85 ]; then
log_message "WARNING: High disk usage: ${DISK_USAGE}%"
fi
# Check network connections
CONNECTIONS=$(netstat -an | grep :30120 | grep ESTABLISHED | wc -l)
log_message "INFO: Active connections: $CONNECTIONS"
Performance Monitoring
Resource Monitoring
# Install monitoring tools
sudo apt install htop iotop nethogs
# Create performance monitoring alias
echo "alias fivem-monitor='watch -n 1 \"ps aux | grep FXServer | head -10; echo; netstat -tuln | grep 30120; echo; df -h\"'" >> ~/.bashrc
# FiveM-specific monitoring command
fivem-perf() {
echo "=== FiveM Server Performance ==="
echo "Players Online: $(echo 'status' | nc localhost 30120 | grep -o 'players.*' || echo 'Unable to connect')"
echo "CPU Usage: $(ps -p $(pgrep FXServer) -o %cpu --no-headers 2>/dev/null || echo 'N/A')%"
echo "Memory Usage: $(ps -p $(pgrep FXServer) -o %mem --no-headers 2>/dev/null || echo 'N/A')%"
echo "Uptime: $(ps -p $(pgrep FXServer) -o etime --no-headers 2>/dev/null || echo 'N/A')"
}
Automated Alerts
Discord Webhook Alert
#!/bin/bash
# Discord webhook alerting script
WEBHOOK_URL="https://discord.com/api/webhooks/YOUR/WEBHOOK/URL"
send_alert() {
    local message="$1"
    local color="$2" # 16711680 for red, 65280 for green, 16776960 for yellow
    # Escape backslashes and double quotes so the message cannot break the JSON payload
    message=${message//\\/\\\\}
    message=${message//\"/\\\"}
    curl -H "Content-Type: application/json" \
        -X POST \
        -d "{
            \"embeds\": [{
                \"title\": \"FiveM Server Alert\",
                \"description\": \"$message\",
                \"color\": $color,
                \"timestamp\": \"$(date -u +%Y-%m-%dT%H:%M:%SZ)\"
            }]
        }" \
        "$WEBHOOK_URL"
}
# Usage examples:
# send_alert "Server is down!" 16711680
# send_alert "Server restarted successfully" 65280
# send_alert "High CPU usage detected" 16776960
Troubleshooting
Common Issues and Solutions
Server Won't Start
Diagnostics
# Check server logs
tail -f /var/log/fivem/server.log
# Check for port conflicts
netstat -tuln | grep 30120
sudo lsof -i :30120
# Verify file permissions
ls -la /home/fivem-server/
chown -R fivem:fivem /home/fivem-server/
# Check server configuration
./FXServer.exe +exec server.cfg # Windows
./run.sh +exec server.cfg # Linux
Connection Issues
Network Diagnostics
# Test connectivity
nc -zv your-server-ip 30120
# Check firewall rules
sudo ufw status
sudo iptables -L -n
# Verify DNS resolution
nslookup your-domain.com
dig your-domain.com
# Test from different locations
curl -I http://your-domain.com:30120
Database Connection Issues
MySQL Diagnostics
# Test MySQL connection
mysql -u fivem_user -p -h localhost fivem_db
# Check MySQL status
sudo systemctl status mysql
sudo mysqladmin -u root -p status
# View MySQL logs
sudo tail -f /var/log/mysql/error.log
# Check process list
mysql -u root -p -e "SHOW PROCESSLIST;"
High Resource Usage
Performance Analysis
# Monitor resource usage
htop
iotop -a
# Check for resource-heavy processes
ps aux --sort=-%cpu | head -10
ps aux --sort=-%mem | head -10
# FiveM resource profiling (in-game console)
profiler record 30
profiler view
resmon
# Check for script errors in console
exec server.cfg
Log Analysis
Log Analysis Commands
# Search for errors in logs
grep -i error /var/log/fivem/server.log | tail -20
# Monitor live logs
tail -f /var/log/fivem/server.log | grep -E "(ERROR|WARNING|FATAL)"
# Analyze connection patterns
grep "Connected" /var/log/fivem/server.log | awk '{print $1, $2}' | sort | uniq -c
# Check for suspicious activity
grep -i "flood\|attack\|ban" /var/log/fivem/server.log
# Generate log statistics
awk '/ERROR/ {errors++} /WARNING/ {warnings++} END {print "Errors:", errors, "Warnings:", warnings}' /var/log/fivem/server.log
Emergency Recovery Procedures
Emergency Procedures
- Server Crash Recovery:
  - Check system logs: journalctl -xe
  - Verify disk space: df -h
  - Restart services: systemctl restart fivem
- Database Recovery:
  - Backup current database
  - Check for corruption: mysqlcheck --all-databases
  - Restore from backup if necessary
- Network Attack Response:
  - Enable Cloudflare "Under Attack" mode
  - Block malicious IPs: ufw deny from [IP]
  - Increase rate limiting temporarily