Author Topic: ERA - security question  (Read 1717 times)


Offline Ephraim

  • Neophyte
  • *
  • Posts: 22
  • OIC Points +0/-0
ERA - security question
« on: September 11, 2018, 06:07:39 PM »
I'm getting ready to start a campaign with some friends using ERA-RMFRP. The friends are scattered all over so we will be using ERA for the combat/maneuver/character management and rptools for actual play. Due to the scattered nature and the fact that my public IPs are probed about a million times every day by foreign IPs, I'm wondering what sort of security protocols are in place. Specifically:

Can ERA be made to use a password to gain access?
Can the port number used be changed in a setting?

You know, those sorts of things. I don't think anyone is specifically targeting my IPs for hacking, I think it's just the general probes to see what access can easily be gained.

Thanks

Offline Jenkyna

  • Seeker of Wisdom
  • **
  • Posts: 274
  • OIC Points +0/-0
Re: ERA - security question
« Reply #1 on: September 11, 2018, 09:19:51 PM »
That's one I've thought about, and I came up with two possible options. Unfortunately both cost money.

The big problem in my mind is that if you open ports it's almost certain someone is going to get in eventually. The best solution is keep the ERA system isolated from your own network.

One option is to create a DMZ on the home network using two firewall routers, and then host ERA on an old system attached to the outward facing firewall with the appropriate rules to publish in place. This can be done with old equipment if you have it. The downside is if someone compromises that system they will probably be able to monitor everything that goes out to the internet from inside your network.

The other option is to use a cloud hosted vm. It wouldn't really need to be very powerful, and it would keep the risk external to your own network. You can get them through game hosting services, but it's going to have a monthly fee, and even a low powered VM may be $20 - $30 a month. ERA can run on Linux, so you might be able to do it for less as long as you are ok working with a NIX OS.

There are cloud hosting services that only charge you for the VMs up-time, but I can't give you any recommendations for a service.

Either option could also be used to host your virtual tabletop software if you use one, but AFAIK Fantasy Grounds is windows / mac only. Any service that offers windows VMs will likely charge you a fee for the windows license.

Personally I prefer the cloud host solution since it keeps it completely separate from the home network. A hosted VM can be easily re-initialized, and ERA is like a max 5 minute install even with all the books, and any customization files.

Offline Ephraim

  • Neophyte
  • *
  • Posts: 22
  • OIC Points +0/-0
Re: ERA - security question
« Reply #2 on: September 11, 2018, 09:41:38 PM »
Yeah, I've thought about those solutions too. My router is an 8 port Ubiquiti ER-Pro so it's no big deal to make a DMZ that is completely isolated from the home system. I was going to run ERA on a raspberry pi on that network and set the firewall so the raspberry pi is seen as external to the home network. If it's compromised, it's the only system that could be compromised.

But that doesn't really fix my problem. My preference is to just have a password protected entry. Perhaps I should set up a proxy on one of the router ports that could be password protected which would then forward to an internal ERA server. (But that's starting to get really complicated).

Offline Peter R

  • Navigator
  • ***
  • Posts: 1,850
  • OIC Points +480/-480
    • Rolemaster Blog
Re: ERA - security question
« Reply #3 on: September 12, 2018, 02:07:03 AM »
I have never used era but can you not put a .htaccess file in the public facing folder and set the passworded access there?
Rolemasterblog http://www.rolemasterblog.com
Twitter https://twitter.com/RolemasterBlog
Facebook https://www.facebook.com/rolemasterblog/

Spectre771 A couple of weeks ago, I disemboweled one of my PCs with a...

Offline Ephraim

  • Neophyte
  • *
  • Posts: 22
  • OIC Points +0/-0
Re: ERA - security question
« Reply #4 on: September 12, 2018, 09:18:29 AM »
Not unless ERA understands what a .htaccess file is. It provides its own web server rather than using apache or one of the other standard ones. It's simplistic in what it does, but security doesn't seem to be a design concern.

I think it excels on a closed network (like running off of a laptop for a local game or a raspberry Pi with wifi), but an open platform on the wild Internet is just asking for problems.

Offline Ephraim

  • Neophyte
  • *
  • Posts: 22
  • OIC Points +0/-0
Re: ERA - security question
« Reply #5 on: September 12, 2018, 10:45:22 AM »
I found this blog for configuring a password protected proxy on a raspberry Pi. I think it will fit the bill. It uses squid on raspbian.
https://raspiblog.noblogs.org/post/2018/02/21/squid-as-public-proxy-server/

It is a caching proxy, but if the expire is set sufficiently short, it shouldn't matter. It may be possible to just pass straight through and not cache, but I'm not that familiar with squid. I'll have to play around with it.

The plan is to place the proxy in a DMZ on the local net and only allow public access to it. Then all Internet users will have to access ERA through it. Local users will just access ERA directly.

Offline Voriig Kye

  • Wise Elder
  • ***
  • Posts: 818
  • OIC Points +0/-0
Re: ERA - security question
« Reply #6 on: September 13, 2018, 07:40:41 AM »
It's nice to see so many options being discussed.

Remember that the Linux and Raspberry Pi installers are not the same. Both exist, and both are always updated, but you must download the correct one.
ERA for Raspberry is not included in the RPGNow product, you can download it here.

Regarding the security issues, I can confirm that ERA is not developed (so far) with the focus of using it outside the local network.

You can change the server port if you need to, just add:
ServerPort = WHATEVER_NUMBER_YOU_NEED
in the settings file (ERA/RMC/ERA-RMC-Settings.conf or ERA/RMFRP/ERA-RMFRP-Settings.conf)
Then start the server.

Offline Jenkyna

  • Seeker of Wisdom
  • **
  • Posts: 274
  • OIC Points +0/-0
Re: ERA - security question
« Reply #7 on: September 13, 2018, 10:05:32 AM »
Quote from: Ephraim on September 12, 2018, 10:45:22 AM
> I found this blog for configuring a password protected proxy on a raspberry Pi. I think it will fit the bill. It uses squid on raspbian.
> https://raspiblog.noblogs.org/post/2018/02/21/squid-as-public-proxy-server/
>
> It is a caching proxy, but if the expire is set sufficiently short, it shouldn't matter. It may be possible to just pass straight through and not cache, but I'm not that familiar with squid. I'll have to play around with it.
>
> The plan is to place the proxy in a DMZ on the local net and only allow public access to it. Then all Internet users will have to access ERA through it. Local users will just access ERA directly.

A proxy sounds like the best solution to the password issue. I've only worked with TMG & Netscaler, so I am not as familiar with other options. Windows server does have a web proxy application, but it's pretty simplistic, and I have no idea if you can password protect it.
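
The password-protected proxy plan from Replies #5 and #7, as an added example that is not part of the thread and not ERA's or squid's own code: a small pass-through (non-caching) proxy that demands HTTP Basic credentials before forwarding to the ERA server. The upstream address, the listening port, the `gm` user and the `ERA_PROXY_PASSWORD` variable are assumptions, as is ERA needing only plain HTTP GET/POST.

```python
import base64, hashlib, hmac, os, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
UPSTREAM = "http://192.168.2.10:8080"  # assumed DMZ address and port of the ERA server

def make_user(password, salt=None):
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def check_basic_auth(header, users):
    """Return the user name if the Authorization header is valid, else None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        name, _, password = base64.b64decode(header[6:], validate=True).decode().partition(":")
    except ValueError:  # malformed base64 or non-UTF-8 bytes
        return None
    # Hash even for unknown names so response time does not reveal valid users.
    salt, expected = users.get(name, (b"\0" * 16, b""))
    return name if hmac.compare_digest(make_user(password, salt)[1], expected) else None

class AuthProxy(BaseHTTPRequestHandler):
    users = {}  # name -> (salt, PBKDF2 hash); only hashes are kept in memory

    def _forward(self):
        if check_basic_auth(self.headers.get("Authorization"), self.users) is None:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="ERA"')
            return self.end_headers()
        length = int(self.headers.get("Content-Length") or 0)
        req = urllib.request.Request(
            UPSTREAM + self.path, method=self.command, data=self.rfile.read(length) if length else None,
            headers={h: self.headers[h] for h in ("Content-Type", "Cookie") if h in self.headers})
        try:
            resp = urllib.request.urlopen(req, timeout=10)
            status = resp.status
        except urllib.error.HTTPError as err:  # pass upstream error pages through
            resp, status = err, err.code
        except OSError:
            return self.send_error(502, "ERA server unreachable")
        data = resp.read()
        self.send_response(status)
        self.send_header("Content-Type", resp.headers.get("Content-Type", "text/html"))
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)
    do_GET = do_POST = _forward

if __name__ == "__main__":
    # ERA_PROXY_PASSWORD is a hypothetical environment variable for this example.
    AuthProxy.users = {"gm": make_user(os.environ["ERA_PROXY_PASSWORD"])}
    ThreadingHTTPServer(("0.0.0.0", 8000), AuthProxy).serve_forever()
```

Basic credentials are only base64-encoded on the wire, so this gate needs TLS in front of it before it faces the Internet. The firewall should allow inbound traffic only to the proxy, with the ERA port reachable only from the proxy and the local network.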