evennia/docs/1.0-dev/Setup/Security.html

<!DOCTYPE html>

<html>
  <head>
    <meta charset="utf-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
    <title>Security &#8212; Evennia 1.0-dev documentation</title>
    <link rel="stylesheet" href="../_static/nature.css" type="text/css" />
    <link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
    <script id="documentation_options" data-url_root="../" src="../_static/documentation_options.js"></script>
    <script src="../_static/jquery.js"></script>
    <script src="../_static/underscore.js"></script>
    <script src="../_static/doctools.js"></script>
    <script src="../_static/language_data.js"></script>
    <link rel="shortcut icon" href="../_static/favicon.ico"/>
    <link rel="index" title="Index" href="../genindex.html" />
    <link rel="search" title="Search" href="../search.html" /> 
  </head><body>
    <div class="related" role="navigation" aria-label="related navigation">
      <h3>Navigation</h3>
      <ul>
        <li class="right" style="margin-right: 10px">
          <a href="../genindex.html" title="General Index"
             accesskey="I">index</a></li>
        <li class="right" >
          <a href="../py-modindex.html" title="Python Module Index"
             >modules</a> |</li>
        <li class="nav-item nav-item-0"><a href="../index.html">Evennia 1.0-dev</a> &#187;</li>
        <li class="nav-item nav-item-this"><a href="">Security</a></li> 
      </ul>
      <div class="develop">develop branch</div>
    </div>  

    <div class="document">
      <div class="documentwrapper">
        <div class="bodywrapper">
          <div class="body" role="main">
            
  <div class="section" id="security">
<h1>Security<a class="headerlink" href="#security" title="Permalink to this headline">¶</a></h1>
<p>Hackers these days aren’t discriminating, and their backgrounds range from bored teenagers to
international intelligence agencies. Their scripts and bots endlessly crawl the web, looking for
vulnerable systems they can break into. Who owns the system is irrelevant– it doesn’t matter if it
belongs to you or the Pentagon, the goal is to take advantage of poorly-secured systems and see what
resources can be controlled or stolen from them.</p>
<p>If you’re considering deploying to a cloud-based host, you have a vested interest in securing your
applications– you likely have a credit card on file that your host can freely bill. Hackers pegging
your CPU to mine cryptocurrency or saturating your network connection to participate in a botnet or
send spam can run up your hosting bill, get your service suspended or get your address/site
blacklisted by ISPs. It can be a difficult legal or political battle to undo this damage after the
fact.</p>
<p>As a developer about to expose a web application to the threat landscape of the modern internet,
here are a few tips to consider to increase the security of your Evennia install.</p>
<div class="section" id="know-your-logs">
<h2>Know your logs<a class="headerlink" href="#know-your-logs" title="Permalink to this headline">¶</a></h2>
<p>In case of emergency, check your logs! By default they are located in the <code class="docutils literal notranslate"><span class="pre">server/logs/</span></code> folder.
Here are some of the more important ones and why you should care:</p>
<ul class="simple">
<li><p><code class="docutils literal notranslate"><span class="pre">http_requests.log</span></code> will show you what HTTP requests have been made against Evennia’s built-in
webserver (TwistedWeb). This is a good way to see if people are innocuously browsing your site or
trying to break it through code injection.</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">portal.log</span></code> will show you various networking-related information. This is a good place to check
for odd or unusual types or amounts of connections to your game, or other networking-related
issues– like when users are reporting an inability to connect.</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">server.log</span></code> is the MUX administrator’s best friend. Here is where you’ll find information
pertaining to who’s trying to break into your system by guessing at passwords, who created what
objects, and more. If your game fails to start or crashes and you can’t tell why, this is the first
place you should look for answers. Security-related events are prefixed with an <code class="docutils literal notranslate"><span class="pre">[SS]</span></code> so when
there’s a problem you might want to pay special attention to those.</p></li>
</ul>
</div>
<div class="section" id="disable-development-debugging-options">
<h2>Disable development/debugging options<a class="headerlink" href="#disable-development-debugging-options" title="Permalink to this headline">¶</a></h2>
<p>There are a few Evennia/Django options that are set when you first create your game to make it more
obvious to you where problems arise. These options should be disabled before you push your game into
production– leaving them on can expose variables or code someone with malicious intent can easily
abuse to compromise your environment.</p>
<p>In <code class="docutils literal notranslate"><span class="pre">server/conf/settings.py</span></code>:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="c1"># Disable Django&#39;s debug mode</span>
<span class="n">DEBUG</span> <span class="o">=</span> <span class="kc">False</span>
<span class="c1"># Disable the in-game equivalent</span>
<span class="n">IN_GAME_ERRORS</span> <span class="o">=</span> <span class="kc">False</span>
<span class="c1"># If you&#39;ve registered a domain name, force Django to check host headers. Otherwise leave this</span>
</pre></div>
</div>
<p>as-is.
# Note the leading period– it is not a typo!
ALLOWED_HOSTS = [‘.example.com’]</p>
</div>
<div class="section" id="handle-user-uploaded-images-with-care">
<h2>Handle user-uploaded images with care<a class="headerlink" href="#handle-user-uploaded-images-with-care" title="Permalink to this headline">¶</a></h2>
<p>If you decide to allow users to upload their own images to be served from your site, special care
must be taken. Django will read the file headers to confirm it’s an image (as opposed to a document
or zip archive), but <a class="reference external" href="https://insinuator.net/2014/05/django-image-validation-vulnerability/">code can be injected into an image
file</a> <em>after</em> the headers
that can be interpreted as HTML and/or give an attacker a web shell through which they can access
other filesystem resources.</p>
<p><a class="reference external" href="https://docs.djangoproject.com/en/dev/topics/security/#user-uploaded-content-security">Django has a more comprehensive overview of how to handle user-uploaded
files</a>, but
in short you should take care to do one of two things–</p>
<ul class="simple">
<li><p>Serve all user-uploaded assets from a <em>separate</em> domain or CDN (<em>not</em> a subdomain of the one you
already have!). For example, you may be browsing <code class="docutils literal notranslate"><span class="pre">reddit.com</span></code> but note that all the user-submitted
images are being served from the <code class="docutils literal notranslate"><span class="pre">redd.it</span></code> domain. There are both security and performance benefits
to this (webservers tend to load local resources one-by-one, whereas they will request external
resources in bulk).</p></li>
<li><p>If you don’t want to pay for a second domain, don’t understand what any of this means or can’t be
bothered with additional infrastructure, then simply reprocess user images upon receipt using an
image library. Convert them to a different format, for example. <em>Destroy the originals!</em></p></li>
</ul>
</div>
<div class="section" id="disable-the-web-interface">
<h2>Disable the web interface<a class="headerlink" href="#disable-the-web-interface" title="Permalink to this headline">¶</a></h2>
<p>The web interface allows visitors to see an informational page as well as log into a browser-based
telnet client with which to access Evennia. It also provides authentication endpoints against which
an attacker can attempt to validate stolen lists of credentials to see which ones might be shared by
your users. Django’s security is robust, but if you don’t want/need these features and fully intend
to force your users to use traditional clients to access your game, you might consider disabling
either/both to minimize your attack surface.</p>
<p>In <code class="docutils literal notranslate"><span class="pre">server/conf/settings.py</span></code>:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="c1"># Disable the Javascript webclient</span>
<span class="n">WEBCLIENT_ENABLED</span> <span class="o">=</span> <span class="kc">False</span>
<span class="c1"># Disable the website altogether</span>
<span class="n">WEBSERVER_ENABLED</span> <span class="o">=</span> <span class="kc">False</span>
</pre></div>
</div>
</div>
<div class="section" id="change-your-ssh-port">
<h2>Change your ssh port<a class="headerlink" href="#change-your-ssh-port" title="Permalink to this headline">¶</a></h2>
<p>Automated attacks will often target port 22 seeing as how it’s the standard port for SSH traffic.
Also,
many public wifi hotspots block ssh traffic over port 22 so you might not be able to access your
server from these locations if you like to work remotely or don’t have a home internet connection.</p>
<p>If you don’t intend on running a website or securing it with TLS, you can mitigate both problems by
changing the port used for ssh to 443, which most/all hotspot providers assume is HTTPS traffic and
allows through.</p>
<p>(Ubuntu) In /etc/ssh/sshd_config, change the following variable:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="c1"># What ports, IPs and protocols we listen for</span>
<span class="n">Port</span> <span class="mi">443</span>
</pre></div>
</div>
<p>Save, close, then run the following command:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">sudo</span> <span class="n">service</span> <span class="n">ssh</span> <span class="n">restart</span>
</pre></div>
</div>
</div>
<div class="section" id="set-up-a-firewall">
<h2>Set up a firewall<a class="headerlink" href="#set-up-a-firewall" title="Permalink to this headline">¶</a></h2>
<p>Ubuntu users can make use of the simple ufw utility. Anybody else can use iptables.</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="c1"># Install ufw (if not already)</span>
<span class="n">sudo</span> <span class="n">apt</span><span class="o">-</span><span class="n">get</span> <span class="n">install</span> <span class="n">ufw</span>
</pre></div>
</div>
<p>UFW’s default policy is to deny everything. We must specify what we want to allow through our
firewall.</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="c1"># Allow terminal connections to your game</span>
<span class="n">sudo</span> <span class="n">ufw</span> <span class="n">allow</span> <span class="mi">4000</span><span class="o">/</span><span class="n">tcp</span>
<span class="c1"># Allow browser connections to your website</span>
<span class="n">sudo</span> <span class="n">ufw</span> <span class="n">allow</span> <span class="mi">4001</span><span class="o">/</span><span class="n">tcp</span>
</pre></div>
</div>
<p>Use ONE of the next two commands depending on which port your ssh daemon is listening on:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">sudo</span> <span class="n">ufw</span> <span class="n">allow</span> <span class="mi">22</span><span class="o">/</span><span class="n">tcp</span>
<span class="n">sudo</span> <span class="n">ufw</span> <span class="n">allow</span> <span class="mi">443</span><span class="o">/</span><span class="n">tcp</span>
</pre></div>
</div>
<p>Finally:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">sudo</span> <span class="n">ufw</span> <span class="n">enable</span>
</pre></div>
</div>
<p>Now the only ports open will be your administrative ssh port (whichever you chose), and Evennia on
4000-4001.</p>
</div>
<div class="section" id="use-an-external-webserver">
<h2>Use an external webserver<a class="headerlink" href="#use-an-external-webserver" title="Permalink to this headline">¶</a></h2>
<p>Though not officially supported, there are some benefits to <a class="reference internal" href="Apache-Config.html"><span class="doc">deploying a webserver</span></a>
to handle/proxy traffic to your Evennia instance.</p>
<p>For example, Evennia’s game engine and webservice are tightly integrated. If you bring your game
down for maintenance (or if it simply crashes) your website will go down with it. In these cases a
standalone webserver can still be used to display a maintenance page or otherwise communicate to
your users the reason for the downtime, instead of disappearing off the face of the earth and
returning opaque <code class="docutils literal notranslate"><span class="pre">SERVER</span> <span class="pre">NOT</span> <span class="pre">FOUND</span></code> error messages.</p>
<p>Proper webservers are also written in more efficient programming languages than Python, and while
Twisted can handle its own, putting a webserver in front of it is like hiring a bouncer to deal with
nuisances and crowds before they even get in the door.</p>
<p>Many of the popular webservers also let you plug in additional modules (like
<a class="reference external" href="https://en.wikipedia.org/wiki/ModSecurity">mod_security</a> for Apache) that can be used to detect
(and block!) malicious users or requests before they even touch your game or site. There are also
automated solutions for installing and configuring TLS (via <a class="reference external" href="https://en.wikipedia.org/wiki/Let%27s_Encrypt">Certbot/Let’s
Encrypt</a>) to secure your website against hotspot and
ISP snooping.</p>
</div>
</div>


            <div class="clearer"></div>
          </div>
        </div>
      </div>
      <div class="sphinxsidebar" role="navigation" aria-label="main navigation">
        <div class="sphinxsidebarwrapper">
            <p class="logo"><a href="../index.html">
              <img class="logo" src="../_static/evennia_logo.png" alt="Logo"/>
            </a></p>
<div id="searchbox" style="display: none" role="search">
  <h3 id="searchlabel">Quick search</h3>
    <div class="searchformwrapper">
    <form class="search" action="../search.html" method="get">
      <input type="text" name="q" aria-labelledby="searchlabel" />
      <input type="submit" value="Go" />
    </form>
    </div>
</div>
<script>$('#searchbox').show(0);</script>
<p><h3><a href="../index.html">Table of Contents</a></h3>
  <ul>
<li><a class="reference internal" href="#">Security</a><ul>
<li><a class="reference internal" href="#know-your-logs">Know your logs</a></li>
<li><a class="reference internal" href="#disable-development-debugging-options">Disable development/debugging options</a></li>
<li><a class="reference internal" href="#handle-user-uploaded-images-with-care">Handle user-uploaded images with care</a></li>
<li><a class="reference internal" href="#disable-the-web-interface">Disable the web interface</a></li>
<li><a class="reference internal" href="#change-your-ssh-port">Change your ssh port</a></li>
<li><a class="reference internal" href="#set-up-a-firewall">Set up a firewall</a></li>
<li><a class="reference internal" href="#use-an-external-webserver">Use an external webserver</a></li>
</ul>
</li>
</ul>

  <div role="note" aria-label="source link">
    <!--h3>This Page</h3-->
    <ul class="this-page-menu">
      <li><a href="../_sources/Setup/Security.md.txt"
            rel="nofollow">Show Page Source</a></li>
    </ul>
   </div>
<h3>Versions</h3>
<ul>
  <li><a href="Security.html">1.0-dev (develop branch)</a></li>
  <li><a href="../../0.9.5/index.html">0.9.5 (master branch)</a></li>
</ul>

        </div>
      </div>
      <div class="clearer"></div>
    </div>
    <div class="related" role="navigation" aria-label="related navigation">
      <h3>Navigation</h3>
      <ul>
        <li class="right" style="margin-right: 10px">
          <a href="../genindex.html" title="General Index"
             >index</a></li>
        <li class="right" >
          <a href="../py-modindex.html" title="Python Module Index"
             >modules</a> |</li>
        <li class="nav-item nav-item-0"><a href="../index.html">Evennia 1.0-dev</a> &#187;</li>
        <li class="nav-item nav-item-this"><a href="">Security</a></li> 
      </ul>
      <div class="develop">develop branch</div>
    </div>
    <div class="footer" role="contentinfo">
        &#169; Copyright 2020, The Evennia developer community.
      Created using <a href="https://www.sphinx-doc.org/">Sphinx</a> 3.2.1.
    </div>
  </body>
</html>