How to Configure Advanced Anticheat on MU Online Server
Learn to configure advanced anticheat protection on your MU Online server with packet filters, SQL validations and real-time monitoring.
Protecting a private MU Online server against cheating is one of the biggest administration challenges. Speed hacks, packet injection, item duplication, and automated bots destroy the experience for legitimate players. This guide covers configuring multiple layers of protection — from configuration file level to SQL validations — for servers running MuServer Season 6.
Why a Single Protection Layer Is Not Enough
Single-layer anticheat solutions are easily bypassed. The effective approach combines:
- GameServer-side validation (packet filters, position checks)
- Client integrity verification (file hashing at the ConnectServer)
- SQL-based detection (anomalous transaction auditing in the database)
- Real-time log monitoring (automated alerts)
Each layer covers gaps left by the others. Configure all of them before opening the server to the public.
Step 1 — Configure Packet Filters on the GameServer
The GameServer processes every packet sent by clients. Enabling the packet filter automatically rejects malformed or out-of-sequence packets.
File: GameServer/Data/Config/GameServerInfo.ini
; Packet filter — 0 = disabled, 1 = basic, 2 = advanced
PacketFilterLevel=2
; Reject packets with invalid size
PacketSizeCheck=1
; Maximum packets per second per connection (recommended: 150–300)
PacketRateLimit=200
; Block IPs after X consecutive invalid packets
PacketInvalidLimit=10
; Temporary ban duration in seconds
PacketBanTime=300
PacketRateLimit values below 150 may cause legitimate disconnections during high-population events. Test in a staging environment before applying to production.Restart the GameServer after editing. Check GameServer/Log/PacketFilter.log to confirm the filter is active.
Step 2 — Enable Client Integrity Verification
The ConnectServer can verify the hash of core client files before authorizing a connection. This prevents modified clients from connecting.
File: ConnectServer/Data/CSConfig.ini
; Enable client hash verification
ClientHashCheck=1
HashMethod=SHA256
; List of verified files (comma-separated)
HashFileList=main.exe,data\Monster.bmd,data\Item.bmd,data\Skill.bmd
; Path to the expected hash list file
HashListFile=ConnectServer/Data/ClientHashList.txt
Generate the hash file using PowerShell on the server:
Get-FileHash "C:\MuClient\main.exe" -Algorithm SHA256 | Select-Object Hash
Get-FileHash "C:\MuClient\data\Monster.bmd" -Algorithm SHA256 | Select-Object Hash
Format of ClientHashList.txt:
main.exe=A3F2C1D4E5B6...full_sha256_hash...
data\Monster.bmd=7B8C9D0E1F2A...full_sha256_hash...
data\Item.bmd=4D5E6F7A8B9C...full_sha256_hash...
data\Skill.bmd=1E2F3A4B5C6D...full_sha256_hash...
ClientHashList.txt every time you release a client patch. Stale hashes will lock out all players on the next update.Step 3 — Configure Anti Speed Hack Protection
Edit the skill delay file to set minimum time limits between actions:
File: GameServer/Data/Config/SkillDelay.ini
; Minimum delay between attacks per class (in milliseconds)
[SkillDelay]
DarkKnight=400
DarkWizard=450
FairyElf=350
MagicGladiator=420
DarkLord=400
Summoner=460
RageFighter=380
; Minimum movement delay (below this = speed hack)
MovementDelayMin=100
; Enable speed hack detection log
SpeedHackLog=1
SpeedHackLogFile=GameServer/Log/SpeedHackDetect.log
Enable position logging in GameServerInfo.ini:
MoveLogSave=1
MoveLogFile=GameServer/Log/MoveLog.txt
SpeedHackDetect.log daily during the first weeks after setup. Players with high-latency connections may trigger false positives — raise MovementDelayMin if needed.Step 4 — SQL Validations to Detect Item Duplication
Create a view in SQL Server to monitor anomalous transactions across warehouses and inventories:
USE MuOnline
GO
-- View to detect duplicated items (same serial in multiple inventories)
CREATE OR ALTER VIEW V_ItemDuplicateDetect AS
SELECT
i.Serial,
COUNT(*) AS TotalOccurrences,
STRING_AGG(i.AccountID + '/' + i.CharacterName, ', ') AS Owners,
i.ItemIndex,
i.ItemLevel
FROM (
SELECT Serial, AccountID, CharacterName, ItemIndex, ItemLevel
FROM InventoryItems
UNION ALL
SELECT Serial, AccountID, CharacterName, ItemIndex, ItemLevel
FROM WarehouseItems
UNION ALL
SELECT Serial, AccountID, CharacterName, ItemIndex, ItemLevel
FROM PersonalShopItems
) i
GROUP BY i.Serial, i.ItemIndex, i.ItemLevel
HAVING COUNT(*) > 1;
GO
-- Audit query — run daily
SELECT * FROM V_ItemDuplicateDetect
ORDER BY TotalOccurrences DESC;
To detect abnormal Zen accumulation (possible duplication exploit):
SELECT
AccountID,
CharacterName,
Money,
GETDATE() AS CheckedAt
FROM Character
WHERE Money > 2000000000 -- 2 billion zen
ORDER BY Money DESC;
INSERT INTO ItemQuarantine SELECT * FROM InventoryItems WHERE Serial = 'xxx' before any removal.Step 5 — Create an Automated Audit Stored Procedure
USE MuOnline
GO
CREATE OR ALTER PROCEDURE SP_AuditSuspiciousActivity
AS
BEGIN
SET NOCOUNT ON;
-- Log accounts with multiple simultaneous logins from the same IP
INSERT INTO AuditLog (Type, Description, DateTime)
SELECT
'MultiLogin',
'IP: ' + IP + ' | Accounts: ' + STRING_AGG(AccountID, ', '),
GETDATE()
FROM ConnectLog
WHERE DateTime >= DATEADD(MINUTE, -5, GETDATE())
GROUP BY IP
HAVING COUNT(DISTINCT AccountID) > 3;
-- Log item drops with abnormally high value in a short period
INSERT INTO AuditLog (Type, Description, DateTime)
SELECT
'AnomalousItemDrop',
'Char: ' + CharacterName + ' | Drops: ' + CAST(TotalDrops AS VARCHAR),
GETDATE()
FROM (
SELECT CharacterName, COUNT(*) AS TotalDrops
FROM ItemDropLog
WHERE DateTime >= DATEADD(MINUTE, -10, GETDATE())
GROUP BY CharacterName
HAVING COUNT(*) > 50
) t;
END;
GO
-- Schedule the procedure via SQL Server Agent (every 5 minutes)
-- In SQL Server Agent > New Job > Step, run:
EXEC SP_AuditSuspiciousActivity;
Step 6 — Configure Automatic Banning Rules
File: GameServer/Data/Config/AutoBan.ini
[AutoBan]
; Enable automatic ban system
Enabled=1
; Temporary ban in minutes for confirmed speed hack
SpeedHackBanMinutes=1440
; Permanent ban after X temporary bans
PermanentBanAfterCount=3
; Notify GM via special channel when a ban is applied
NotifyGM=1
GMNotifyChannel=1
Step 7 — Monitoring with an Alert Script
Create C:\MuServer\Scripts\monitor_anticheat.bat for periodic alerts:
@echo off
:: Check speed hack log size and alert if it grows too large
set LOG_FILE=C:\MuServer\GameServer\Log\SpeedHackDetect.log
set MAX_LINES=100
for /f %%A in ('type "%LOG_FILE%" ^| find /c /v ""') do set LINE_COUNT=%%A
if %LINE_COUNT% GTR %MAX_LINES% (
echo [%date% %time%] ALERT: SpeedHackDetect.log has %LINE_COUNT% lines >> C:\MuServer\Scripts\anticheat_alerts.log
:: Add Discord Webhook or email integration here
)
Schedule this script in Windows Task Scheduler to run every 15 minutes.
curl command posting to your webhook: curl -H "Content-Type: application/json" -d "{\"content\":\"Anticheat alert triggered!\"}" https://discord.com/api/webhooks/YOUR_WEBHOOKTroubleshooting
GameServer does not start after setting PacketFilterLevel=2: Verify that your GameServer build supports this level. Older builds (S6 EP1) only support level 1. Check GameServer/Log/GS_Error.log for the exact error message.
Legitimate players are being banned for speed hack: Increase MovementDelayMin by 20ms at a time until false positives stop. Latencies above 200ms can cause incorrect detections.
The V_ItemDuplicateDetect view returns a compatibility error: STRING_AGG requires SQL Server 2017 or later. For older versions, replace it with STUFF((SELECT ...), 1, 2, '') using FOR XML PATH.
ConnectServer rejecting all clients after enabling HashCheck: Confirm that ClientHashList.txt uses UTF-8 encoding without BOM, and that hashes were generated from the exact client build distributed to players.
Final Security Checklist
Before considering the configuration complete, verify each item:
PacketFilterLevel=2active and tested inGameServerInfo.iniClientHashCheck=1with correct SHA256 hashes on the ConnectServer- Skill delays configured per class in
SkillDelay.ini V_ItemDuplicateDetectview created and returning empty resultsSP_AuditSuspiciousActivityscheduled in SQL Server Agent- Monitoring script scheduled in Windows Task Scheduler
AutoBan.iniconfigured with appropriate limits for your server- Logs rotated weekly to prevent excessive growth
Server security is an ongoing process. Review logs weekly, update client hashes with every patch, and adjust limits based on observed player behavior.
Perguntas frequentes
The GS crashes when enabling the packet filter — what should I do?
Check whether your GameServer build supports PacketFilter. Open GameServer/Data/Config/GameServerInfo.ini and confirm the PacketFilterLevel line exists. On S6 Episode 3 builds, the maximum supported value is 2.
How do I tell if a player is using a speed hack?
Enable movement logging in GameServer/Log/MoveLog.txt by setting MoveLogSave=1 in GameServerInfo.ini. Speeds above 800 units/tick indicate speed hack. You can also query the V_SpeedHackDetect view in your database if you have a SQL logging system active.
The anticheat is blocking legitimate skills — how do I adjust it?
Tune the SkillDelayMin parameter in GameServer/Data/Config/SkillDelay.ini. For classes like BK, the recommended value is 400ms; for Elf, 350ms. Reduce gradually until false positives stop.
Should I use MD5 or SHA256 for client file verification?
SHA256 is strongly preferred. Set HashMethod=SHA256 in ConnectServer/Data/CSConfig.ini. MD5 is still supported on legacy builds (S2–S4) but is vulnerable to collisions and should not be used on modern servers.