SentinelCore
SentinelCore 4.0 - Server Security Plugin
Tired of blindly trusting plugins on your server? SentinelCore is a security-focused plugin manager that scans, monitors, and protects your Minecraft server from malicious plugins before they can do damage.
I originally built this because I got tired of downloading sketchy plugins and having no way to know what was actually inside them. There are a lot of good plugins out there, but there's also a lot of garbage — backdoored jars, crypto miners, OP escalation exploits, you name it. SentinelCore gives you actual visibility into what's running on your server.
What it does:
Malware & Threat Detection
- ASM bytecode scanning — actually reads the bytecode inside plugin jars, not just file names or descriptions
- Detects common attack patterns: Runtime.exec(), ProcessBuilder, System.exit(), OP escalation (setOp(true)), crypto mining pool connections, reverse shells, you get the idea
- String constant scanning for shell commands, destructive patterns (/bin/bash, cmd.exe, rm -rf), C2 URLs (pastebin, webhook.site)
- Shannon entropy analysis for obfuscated code detection — if someone's hiding something, this catches it
- SHA-256 hash caching so it doesn't waste time re-scanning plugins that haven't changed
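The entropy check and the hash cache from the list above, as an added example (not SentinelCore's own code). The 7.2 bits/byte threshold, the size limits, and the names scan_jar and build_sample_jar are assumptions made for illustration; the sample jar is constructed in memory.

```python
import hashlib
import io
import math
import zipfile
from collections import Counter

ENTROPY_THRESHOLD = 7.2      # assumed cut-off in bits per byte, not SentinelCore's value
MIN_SIZE = 256               # entropy estimates on tiny entries are unreliable
MAX_READ = 8 * 1024 * 1024   # cap on decompressed bytes read per entry (zip-bomb guard)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def scan_jar(jar_bytes: bytes, cache: dict) -> dict:
    """Flag high-entropy entries; skip the scan when the jar's SHA-256 is cached."""
    digest = hashlib.sha256(jar_bytes).hexdigest()
    if digest in cache:
        return {"sha256": digest, "flagged": cache[digest], "cached": True}
    flagged = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            if info.is_dir() or info.file_size < MIN_SIZE:
                continue
            # Measure decompressed content: compressed bytes look random regardless.
            with jar.open(info) as entry:
                data = entry.read(MAX_READ)
            if shannon_entropy(data) >= ENTROPY_THRESHOLD:
                flagged.append(info.filename)
    cache[digest] = flagged
    return {"sha256": digest, "flagged": flagged, "cached": False}


def build_sample_jar() -> bytes:
    """Constructed test jar: a text entry, a class-like entry, a packed-looking blob."""
    blob = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("plugin.yml", "name: Demo\nmain: demo.Main\n" * 20)
        jar.writestr("demo/Main.class", bytes(range(64)) * 8)
        jar.writestr("demo/a.bin", blob)
    return buf.getvalue()
```

High entropy only indicates packed, encrypted or compressed content; bundled images and nested archives score high too, so a flagged entry is a reason to look closer rather than a verdict.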
Pre-Load Scanning & Auto-Quarantine
- Scans JAR files BEFORE Bukkit even loads them
- Watches your plugins/ folder in real-time — drop a new jar in and it gets scanned automatically
- If something malicious somehow gets through and loads anyway, it gets immediately disabled and quarantined
- Quarantined plugins can be restored or permanently deleted from in-game
False Positive Reduction
Let's be real — not every plugin that uses reflection or opens a file is malicious. SentinelCore uses a confidence scoring system (0-100) that takes into account:
- Known safe packages (Bukkit/Spigot/Paper APIs get a pass)
- Common safe patterns (config classes, update checkers, metrics)
- Per-plugin and global whitelists you can manage in-game
- Multiple detections of the same type increase confidence
- Trusted plugin list you control
This means Vault, WorldEdit, ProtocolLib etc. won't get flagged just because they use reflection. The system actually thinks before it flags something.
Auto-Updating Threat Database
- Pulls known malware hashes from a remote database
- Stay protected against newly discovered threats without updating the plugin itself
- Check threat database status and trigger manual updates with /pm threatupdate
Plugin Sandbox
- Per-plugin resource limits: memory, threads, execution timeouts
- Sandboxed ClassLoader that blocks reflection and sun/jdk internal packages for untrusted plugins
- Built-in profiles for common plugins (WorldEdit, Vault, ProtocolLib, Essentials) so they work out of the box
- Auto-disables plugins that violate resource limits 3 times in a row
- Configurable per-plugin in sandbox-config.yml
Network Security
- Domain allowlisting — only approved domains can be connected to
- Blocks known tunneling services (ngrok, serveo, etc.)
- Connection rate limiting with auto-ban
- Direct IP access blocking (domains only, no raw IPs)
- Protocol validation (HTTP/HTTPS/FTP only)
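The outbound-connection rules listed above combined into one check, as an added example (not SentinelCore's own code). The function names, the allowlist contents and the tunnel domain suffixes are assumptions chosen for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https", "ftp"}            # protocols named on this page
ALLOWED_DOMAINS = {"api.spiget.org", "discord.com"}   # constructed sample allowlist
TUNNEL_SUFFIXES = ("ngrok.io", "serveo.net")          # assumed domains for ngrok/serveo


def _is_ip_literal(host: str) -> bool:
    """True for IPv4/IPv6 literals and legacy numeric forms (2130706433, 0x7f.1)."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    # Hosts made only of decimal or hex labels are resolved as addresses by
    # some stacks, so treat them as raw IPs rather than domain names.
    return all(p.isdigit() or p.startswith("0x") for p in host.split("."))


def check_connection(url: str) -> tuple:
    """Return (allowed, reason) for an outbound URL a plugin wants to reach."""
    try:
        parts = urlsplit(url)
        # .hostname drops userinfo, port and IPv6 brackets and lowercases the name.
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return False, "malformed"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "protocol"
    if not host:
        return False, "no-host"
    if _is_ip_literal(host):
        return False, "raw-ip"
    if any(host == s or host.endswith("." + s) for s in TUNNEL_SUFFIXES):
        return False, "tunnel"
    # Exact match only: a suffix test would let api.spiget.org.evil.example pass.
    if host not in ALLOWED_DOMAINS:
        return False, "not-allowlisted"
    return True, "ok"
```

A check like this validates the name only; the address the name resolves to at connect time still has to be enforced separately, since an allowlisted domain can point anywhere.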
Brute Force Protection
- Configurable max attempts before lockout
- Exponential backoff (doubles each time, up to 32x)
- IP/CIDR whitelist for trusted networks
- GeoIP-based country blocking
- Persistent lockout data that survives restarts
VPN & Proxy Detection
- Three-layer detection: local CIDR matching, reverse DNS analysis, and external API lookup
- 60+ datacenter/hosting provider keywords detected (AWS, GCP, Azure, OVH, Hetzner, NordVPN, ExpressVPN, Tor exit nodes...)
- Auto-kick VPN users (configurable)
- IP-specific checks with /pm vpncheck <ip>
Zero-Day & Behavior Monitoring
- Monitors plugin behavior at runtime for suspicious activity
- Tracks reflection usage, class loading patterns, and network connections
- Detects threats that bytecode scanning alone can't catch
- Behavior profiling that learns normal patterns and flags anomalies
Other Features
- Plugin update checking via Spiget API (check individual or all plugins)
- One-click plugin updates and downloads
- Plugin backup and restore system
- File integrity monitoring
- Persistent audit logging with search
- Dependency graph analysis
- Player session threat scoring
- Discord webhook alerts for security events
- Hot-reload configuration with /pm reloadconfig
Commands
Main command: /pm or /sentinel or /pluginmanager
/pm list — List installed plugins
/pm scan — Scan all plugins for malicious code
/pm prescan — Pre-load scan all JARs
/pm risk <plugin> — Analyze a plugin's risk level
/pm confidence <plugin> — Show confidence scores
/pm risky — List all high-risk plugins
/pm status — Show all plugin statuses
/pm info <plugin> — Show plugin information
/pm sandbox — Show sandbox status
/pm security — Show security config
/pm threats — Show threat database info
/pm quarantine — Show quarantine status
/pm quarantinelist — List quarantined plugins
/pm quarantinerestore <plugin> — Restore from quarantine
/pm quarantinedelete <plugin> — Permanently delete quarantined plugin
/pm vpncheck <ip> — Check if an IP is a VPN/proxy
/pm vpnauto — Show VPN auto-detection status
/pm zeroday — Show zero-day monitoring status
/pm auditlog [count] — Show recent security events
/pm auditsearch [source] [target] — Search audit logs
/pm session [player] — Show player session threat scores
/pm depgraph [plugin] — Show dependency graph
/pm integrity — Show file integrity status
/pm scanstatus — Show scheduled scan status
/pm trusted — Show trusted plugins list
/pm fpwhitelist [add|remove|list] [pattern] — Manage false positive whitelist
/pm threatupdate — Update threat database
/pm threatstatus — Show threat database status
/pm webhook — Show webhook alert status
/pm check <plugin> — Check for updates
/pm checkall — Check updates for all plugins
/pm update <plugin> — Update a plugin
/pm updateall — Update all plugins
/pm backup — Backup all plugins
/pm restore <plugin> — Restore a plugin from backup
/pm reloadconfig — Hot-reload configuration
/pm toggle <plugin> <enable|disable> — Enable/disable a plugin
/pm version <plugin> — Show version info
Permissions
All permissions default to OP only. See plugin.yml for the full list — they're all prefixed with pluginmanager.* (e.g. pluginmanager.scan, pluginmanager.quarantine, pluginmanager.vpncheck, etc.)
Configuration
SentinelCore generates several config files on first run:
- config.yml — General settings
- security-config.yml — Security scanning rules and thresholds
- sandbox-config.yml — Per-plugin sandbox limits
- plugin-threats.yml — Threat definitions
Everything is designed to work out of the box with sensible defaults. You can tweak thresholds, add trusted plugins, adjust sandbox limits, and manage whitelists as needed.
Requirements
- Spigot/Paper 1.20+
- Java 8+
Installation
Just drop the jar in your plugins folder and restart. SentinelCore will generate default configs and start scanning automatically. I'd recommend running /pm prescan first to check your existing plugins, then reviewing anything flagged with /pm risk <plugin> before deciding what to quarantine.
---
If you find bugs or have suggestions, let me know. I've been using this on my own servers for a while now and it's caught a couple of suspicious plugins I wouldn't have noticed otherwise. Hopefully it helps you too.