DEV Community

HexZo Network


Building PteroProtect: A Multi-Layer Security Stack for Pterodactyl

PteroProtect (Danex): A Defense-in-Depth Security Layer for Pterodactyl

PteroProtect is a security platform designed for Pterodactyl deployments, combining Web Application Firewall (WAF), DDoS mitigation, abuse detection, and host-level protection into a unified stack.

Unlike traditional reverse-proxy protection, PteroProtect extends visibility beyond HTTP traffic by correlating application behavior, container activity, resource consumption, and network telemetry to identify malicious or abusive workloads.


Key Features

Multi-Layer Traffic Protection

Traffic is evaluated through multiple independent security layers:

Nginx → ModSecurity + OWASP CRS
      → Challenge Guard
      → Laravel WAF
      → Pterodactyl

This architecture provides layered request validation, challenge-based verification, fingerprint analysis, and adaptive mitigation policies.


Host & Runtime Security

  • Dynamic firewall enforcement (iptables/ipset)
  • IPv4 and IPv6 protection parity
  • Fail2Ban integration
  • SYN flood mitigation
  • Docker resource containment
  • OOM protection for critical services
  • Runtime process monitoring

Abuse Detection

PteroProtect continuously monitors:

  • CPU and memory abuse
  • Disk and filesystem abuse
  • Self-DDoS behavior
  • Container runtime anomalies
  • Network abuse patterns

Detection decisions use a multi-signal approach to reduce false positives.


Adaptive Resilience

Protection levels automatically adjust according to infrastructure health and attack intensity:

  • Normal
  • Elevated
  • Constrained
  • Emergency

This allows the platform to preserve core functionality during resource exhaustion or attack scenarios.
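The multi-signal abuse detection and the four protection levels described above, as an added Python sketch that is not PteroProtect's own code (its dann_guard daemon is C++ and its real thresholds are not published here); every threshold, signal name and sample value is constructed for illustration:

```python
"""Multi-signal abuse scoring plus adaptive protection levels (illustrative).
Thresholds and signals are constructed assumptions, not the project's values."""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    cpu_pct: float    # container CPU use, % of its limit
    mem_pct: float    # container memory use, % of its limit
    disk_iops: int    # disk operations per second
    egress_pps: int   # outbound packets per second (self-DDoS signal)


# Assumed per-signal thresholds (constructed).
THRESHOLDS = {"cpu_pct": 95.0, "mem_pct": 90.0, "disk_iops": 5000, "egress_pps": 50000}
MIN_SIGNALS = 2   # independent signals that must agree in one sample
WINDOW = 5        # samples kept in the sliding window
MIN_HITS = 3      # flagged samples in the window needed to act


def signals_over(sample: Sample) -> set[str]:
    """Names of the signals exceeding their threshold in one sample."""
    return {k for k, limit in THRESHOLDS.items() if getattr(sample, k) > limit}


class AbuseDetector:
    """Flag a container only when several signals agree, repeatedly.

    A single saturated metric (e.g. a CPU-bound game tick) is never enough on
    its own, which is what keeps the false-positive rate down."""

    def __init__(self) -> None:
        self.window: deque = deque(maxlen=WINDOW)

    def observe(self, sample: Sample) -> bool:
        self.window.append(len(signals_over(sample)) >= MIN_SIGNALS)
        return sum(self.window) >= MIN_HITS


def protection_level(host_load_pct: float, abusive_containers: int) -> str:
    """Map host health and attack intensity onto the four levels."""
    if host_load_pct >= 95 or abusive_containers >= 4:
        return "Emergency"
    if host_load_pct >= 85 or abusive_containers >= 2:
        return "Constrained"
    if host_load_pct >= 70 or abusive_containers >= 1:
        return "Elevated"
    return "Normal"
```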


Architecture

The platform consists of two primary C++ daemons:

Component        Responsibility
dann_guard       Resource monitoring, abuse detection, enforcement
challenge_guard  Challenge validation, token verification, admission control

Supporting services are implemented as Python sidecars responsible for orchestration, monitoring, firewall management, and recovery workflows.


Security Principles

  • Defense-in-depth architecture
  • Fail-closed request validation
  • Multi-signal threat detection
  • Host-level and application-level enforcement
  • IPv4/IPv6 parity
  • Systemd service sandboxing

Conclusion

I’ve built this primarily for Node.js and Python eggs so far. For those running large Pterodactyl clusters, what are your biggest pain points regarding node abuse or L7 attacks?


🧪 Testing Results

  • Attacks Tested: H2 Flood, UAM Bypass, UDP Flood.
  • Environment: DigitalOcean Intel Premium droplet (8 GB RAM, 4 vCPUs).
  • Result: Global rate limit (429) triggered successfully; attacking host was blacklisted.

Screenshot of the PteroProtect dashboard showing mitigation logs and a blocked attack status, taken from a mobile phone


Project Status & Tech Stack
This project is currently a "labor of love" and is about 30-40% AI-assisted (we used Claude for frontend work and code reviews).

Current Limitations:

  • Currently supports single-node setups.
  • Optimized specifically for Node.js and Python eggs.
  • Added some "fun" side features like mini-games just for testing!

