Andreas/evennia
1
0
Fork 0
mirror of https://github.com/evennia/evennia.git synced 2026-03-18 13:56:30 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
evennia/docs/3.x/Setup/Security-Practices.html
Griatch a2f5d016d4 Fix 3.x legacy doc versioning
2023-12-21 00:12:31 +01:00

260 lines
No EOL
17 KiB
HTML
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" />
<title>Security Hints and Practices &#8212; Evennia 3.x documentation</title>
<link rel="stylesheet" href="../_static/nature.css" type="text/css" />
<link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
<script id="documentation_options" data-url_root="../" src="../_static/documentation_options.js"></script>
<script src="../_static/jquery.js"></script>
<script src="../_static/underscore.js"></script>
<script src="../_static/doctools.js"></script>
<script src="../_static/language_data.js"></script>
<link rel="shortcut icon" href="../_static/favicon.ico"/>
<link rel="index" title="Index" href="../genindex.html" />
<link rel="search" title="Search" href="../search.html" />
<link rel="next" title="Configuring HAProxy" href="Config-HAProxy.html" />
<link rel="prev" title="Client Support Grid" href="Client-Support-Grid.html" />
</head><body>
<div class="admonition important">
<p class="first admonition-title">Note</p>
<p class="last">You are reading an old version of the Evennia documentation. <a href="https://www.evennia.com/docs/latest/index.html">The latest version is here</a></p>.
</div>
<div class="related" role="navigation" aria-label="related navigation">
<h3>Navigation</h3>
<ul>
<li class="right" style="margin-right: 10px">
<a href="../genindex.html" title="General Index"
accesskey="I">index</a></li>
<li class="right" >
<a href="../py-modindex.html" title="Python Module Index"
>modules</a> |</li>
<li class="right" >
<a href="Config-HAProxy.html" title="Configuring HAProxy"
accesskey="N">next</a> |</li>
<li class="right" >
<a href="Client-Support-Grid.html" title="Client Support Grid"
accesskey="P">previous</a> |</li>
<li class="nav-item nav-item-0"><a href="../index.html">Evennia 3.x</a> &#187;</li>
<li class="nav-item nav-item-1"><a href="Setup-Overview.html" accesskey="U">Server Setup and Life</a> &#187;</li>
<li class="nav-item nav-item-this"><a href="">Security Hints and Practices</a></li>
</ul>
</div>
<div class="document">
<div class="documentwrapper">
<div class="sphinxsidebar" role="navigation" aria-label="main navigation">
<div class="sphinxsidebarwrapper">
<p class="logo"><a href="../index.html">
<img class="logo" src="../_static/evennia_logo.png" alt="Logo"/>
</a></p>
<div id="searchbox" style="display: none" role="search">
<h3 id="searchlabel">Quick search</h3>
<div class="searchformwrapper">
<form class="search" action="../search.html" method="get">
<input type="text" name="q" aria-labelledby="searchlabel" />
<input type="submit" value="Go" />
</form>
</div>
</div>
<script>$('#searchbox').show(0);</script>
<h3><a href="../index.html">Table of Contents</a></h3>
<ul>
<li><a class="reference internal" href="#">Security Hints and Practices</a><ul>
<li><a class="reference internal" href="#know-your-logs">Know your logs</a></li>
<li><a class="reference internal" href="#disable-development-debugging-options">Disable development/debugging options</a></li>
<li><a class="reference internal" href="#handle-user-uploaded-images-with-care">Handle user-uploaded images with care</a></li>
<li><a class="reference internal" href="#disable-the-web-interface-if-you-only-want-telnet">Disable the web interface (if you only want telnet)</a></li>
<li><a class="reference internal" href="#change-your-ssh-port">Change your ssh port</a></li>
<li><a class="reference internal" href="#set-up-a-firewall">Set up a firewall</a></li>
<li><a class="reference internal" href="#use-an-external-webserver-proxy">Use an external webserver / proxy</a></li>
</ul>
</li>
</ul>
<h4>Previous topic</h4>
<p class="topless"><a href="Client-Support-Grid.html"
title="previous chapter">Client Support Grid</a></p>
<h4>Next topic</h4>
<p class="topless"><a href="Config-HAProxy.html"
title="next chapter">Configuring HAProxy</a></p>
<div role="note" aria-label="source link">
<!--h3>This Page</h3-->
<ul class="this-page-menu">
<li><a href="../_sources/Setup/Security-Practices.md.txt"
rel="nofollow">Show Page Source</a></li>
</ul>
</div><h3>Links</h3>
<ul>
<li><a href="https://www.evennia.com/docs/latest/index.html">Documentation Top</a> </li>
<li><a href="https://www.evennia.com">Evennia Home</a> </li>
<li><a href="https://github.com/evennia/evennia">Github</a> </li>
<li><a href="http://games.evennia.com">Game Index</a> </li>
<li>
<a href="https://discord.gg/AJJpcRUhtF">Discord</a> -
<a href="https://github.com/evennia/evennia/discussions">Discussions</a> -
<a href="https://evennia.blogspot.com/">Blog</a>
</li>
</ul>
</div>
</div>
<div class="bodywrapper">
<div class="body" role="main">
<section class="tex2jax_ignore mathjax_ignore" id="security-hints-and-practices">
<h1>Security Hints and Practices<a class="headerlink" href="#security-hints-and-practices" title="Permalink to this headline"></a></h1>
<p>Hackers these days arent discriminating, and their backgrounds range from bored teenagers to international intelligence agencies. Their scripts and bots endlessly crawl the web, looking for vulnerable systems they can break into. Who owns the system is irrelevant it doesnt matter if it belongs to you or the Pentagon, the goal is to take advantage of poorly-secured systems and see what resources can be controlled or stolen from them.</p>
<p>If youre considering deploying to a cloud-based host, you have a vested interest in securing your applications you likely have a credit card on file that your host can freely bill. Hackers pegging your CPU to mine cryptocurrency or saturating your network connection to participate in a botnet or send spam can run up your hosting bill, get your service suspended or get your address/site
blacklisted by ISPs. It can be a difficult legal or political battle to undo this damage after the
fact.</p>
<p>As a developer about to expose a web application to the threat landscape of the modern internet,
here are a few tips to consider to increase the security of your Evennia install.</p>
<section id="know-your-logs">
<h2>Know your logs<a class="headerlink" href="#know-your-logs" title="Permalink to this headline"></a></h2>
<p>In case of emergency, check your logs! By default they are located in the <code class="docutils literal notranslate"><span class="pre">server/logs/</span></code> folder.
Here are some of the more important ones and why you should care:</p>
<ul class="simple">
<li><p><code class="docutils literal notranslate"><span class="pre">http_requests.log</span></code> will show you what HTTP requests have been made against Evennias built-in webserver (TwistedWeb). This is a good way to see if people are innocuously browsing your site or trying to break it through code injection.</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">portal.log</span></code> will show you various networking-related information. This is a good place to check for odd or unusual types or amounts of connections to your game, or other networking-related issues like when users are reporting an inability to connect.</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">server.log</span></code> is the MUX administrators best friend. Here is where youll find information pertaining to whos trying to break into your system by guessing at passwords, who created what objects, and more. If your game fails to start or crashes and you cant tell why, this is the first place you should look for answers. Security-related events are prefixed with an <code class="docutils literal notranslate"><span class="pre">[SS]</span></code> so when theres a problem you might want to pay special attention to those.</p></li>
</ul>
</section>
<section id="disable-development-debugging-options">
<h2>Disable development/debugging options<a class="headerlink" href="#disable-development-debugging-options" title="Permalink to this headline"></a></h2>
<p>There are a few Evennia/Django options that are set when you first create your game to make it more obvious to you where problems arise. These options should be disabled before you push your game into production leaving them on can expose variables or code someone with malicious intent can easily abuse to compromise your environment.</p>
<p>In <code class="docutils literal notranslate"><span class="pre">server/conf/settings.py</span></code>:</p>
<div class="highlight-none notranslate"><div class="highlight"><pre><span></span># Disable Django&#39;s debug mode
DEBUG = False
# Disable the in-game equivalent
IN_GAME_ERRORS = False
# If you&#39;ve registered a domain name, force Django to check host headers. Otherwise leave this as-is.
# Note the leading period-- it is not a typo!
ALLOWED_HOSTS = [&#39;.example.com&#39;]
</pre></div>
</div>
</section>
<section id="handle-user-uploaded-images-with-care">
<h2>Handle user-uploaded images with care<a class="headerlink" href="#handle-user-uploaded-images-with-care" title="Permalink to this headline"></a></h2>
<p>If you decide to allow users to upload their own images to be served from your site, special care must be taken. Django will read the file headers to confirm its an image (as opposed to a document or zip archive), but <a class="reference external" href="https://insinuator.net/2014/05/django-image-validation-vulnerability/">code can be injected into an image file</a> <em>after</em> the headers that can be interpreted as HTML and/or give an attacker a web shell through which they can access
other filesystem resources.</p>
<p><a class="reference external" href="https://docs.djangoproject.com/en/4.1/topics/security/#user-uploaded-content-security">Django has a more comprehensive overview of how to handle user-uploaded files</a>, but
in short you should take care to do one of two things:</p>
<ul class="simple">
<li><p>Serve all user-uploaded assets from a <em>separate</em> domain or CDN (<em>not</em> a subdomain of the one you already have!). For example, you may be browsing <code class="docutils literal notranslate"><span class="pre">reddit.com</span></code> but note that all the user-submitted images are being served from the <code class="docutils literal notranslate"><span class="pre">redd.it</span></code> domain. There are both security and performance benefits to this (webservers tend to load local resources one-by-one, whereas they will request external resources in bulk).</p></li>
<li><p>If you dont want to pay for a second domain, dont understand what any of this means or cant be bothered with additional infrastructure, then simply reprocess user images upon receipt using an image library. Convert them to a different format, for example. <em>Destroy the originals!</em></p></li>
</ul>
</section>
<section id="disable-the-web-interface-if-you-only-want-telnet">
<h2>Disable the web interface (if you only want telnet)<a class="headerlink" href="#disable-the-web-interface-if-you-only-want-telnet" title="Permalink to this headline"></a></h2>
<p>The web interface allows visitors to see an informational page as well as log into a browser-based telnet client with which to access Evennia. It also provides authentication endpoints against which an attacker can attempt to validate stolen lists of credentials to see which ones might be shared by your users. Djangos security is robust, but if you dont want/need these features and fully intend
to force your users to use traditional clients to access your game, you might consider disabling
either/both to minimize your attack surface.</p>
<p>In <code class="docutils literal notranslate"><span class="pre">server/conf/settings.py</span></code>:</p>
<div class="highlight-none notranslate"><div class="highlight"><pre><span></span># Disable the Javascript webclient
WEBCLIENT_ENABLED = False
# Disable the website altogether
WEBSERVER_ENABLED = False
</pre></div>
</div>
</section>
<section id="change-your-ssh-port">
<h2>Change your ssh port<a class="headerlink" href="#change-your-ssh-port" title="Permalink to this headline"></a></h2>
<p>Automated attacks will often target port 22 seeing as how its the standard port for SSH traffic. Also, many public wifi hotspots block ssh traffic over port 22 so you might not be able to access your server from these locations if you like to work remotely or dont have a home internet connection.</p>
<p>If you dont intend on running a website or securing it with TLS, you can mitigate both problems by changing the port used for ssh to 443, which most/all hotspot providers assume is HTTPS traffic and allows through.</p>
<p>(Ubuntu) In /etc/ssh/sshd_config, change the following variable:</p>
<div class="highlight-none notranslate"><div class="highlight"><pre><span></span># What ports, IPs and protocols we listen for
Port 443
</pre></div>
</div>
<p>Save, close, then run the following command:</p>
<div class="highlight-none notranslate"><div class="highlight"><pre><span></span>sudo service ssh restart
</pre></div>
</div>
</section>
<section id="set-up-a-firewall">
<h2>Set up a firewall<a class="headerlink" href="#set-up-a-firewall" title="Permalink to this headline"></a></h2>
<p>Ubuntu users can make use of the simple ufw utility. Anybody else can use iptables.</p>
<div class="highlight-none notranslate"><div class="highlight"><pre><span></span># Install ufw (if not already)
sudo apt-get install ufw
</pre></div>
</div>
<p>UFWs default policy is to deny everything. We must specify what we want to allow through our firewall.</p>
<div class="highlight-none notranslate"><div class="highlight"><pre><span></span># Allow terminal connections to your game
sudo ufw allow 4000/tcp
# Allow browser connections to your website
sudo ufw allow 4001/tcp
</pre></div>
</div>
<p>Use ONE of the next two commands depending on which port your ssh daemon is listening on:</p>
<div class="highlight-none notranslate"><div class="highlight"><pre><span></span>sudo ufw allow 22/tcp
sudo ufw allow 443/tcp
</pre></div>
</div>
<p>Finally:</p>
<div class="highlight-none notranslate"><div class="highlight"><pre><span></span>sudo ufw enable
</pre></div>
</div>
<p>Now the only ports open will be your administrative ssh port (whichever you chose), and Evennia on 4000-4001.</p>
</section>
<section id="use-an-external-webserver-proxy">
<h2>Use an external webserver / proxy<a class="headerlink" href="#use-an-external-webserver-proxy" title="Permalink to this headline"></a></h2>
<p>There are some benefits to deploying a <em>proxy</em> in front of your Evennia server; notably it means you can serve Evennia website and webclient data from an HTTPS: url (with encryption). Any proxy can be used, for example:</p>
<div class="highlight-none notranslate"><div class="highlight"><pre><span></span>-[HaProxy](./Config-HAProxy.md)
-[Apache as a proxy](./Config-Apache-Proxy.md)
- Nginx
- etc.
</pre></div>
</div>
</section>
</section>
</div>
</div>
</div>
</div>
<div class="related" role="navigation" aria-label="related navigation">
<h3>Navigation</h3>
<ul>
<li class="right" style="margin-right: 10px">
<a href="../genindex.html" title="General Index"
>index</a></li>
<li class="right" >
<a href="../py-modindex.html" title="Python Module Index"
>modules</a> |</li>
<li class="right" >
<a href="Config-HAProxy.html" title="Configuring HAProxy"
>next</a> |</li>
<li class="right" >
<a href="Client-Support-Grid.html" title="Client Support Grid"
>previous</a> |</li>
<li class="nav-item nav-item-0"><a href="../index.html">Evennia 3.x</a> &#187;</li>
<li class="nav-item nav-item-1"><a href="Setup-Overview.html" >Server Setup and Life</a> &#187;</li>
<li class="nav-item nav-item-this"><a href="">Security Hints and Practices</a></li>
</ul>
</div>
<div class="admonition important">
<p class="first admonition-title">Note</p>
<p class="last">You are reading an old version of the Evennia documentation. <a href="https://www.evennia.com/docs/latest/index.html">The latest version is here</a></p>.
</div>
<div class="footer" role="contentinfo">
&#169; Copyright 2023, The Evennia developer community.
Created using <a href="https://www.sphinx-doc.org/">Sphinx</a> 3.2.1.
</div>
</body>
</html>
Reference in a new issue View git blame Copy permalink