Author Topic: Securing a publicly accessible ERA server?  (Read 524 times)

Offline Agrikk

Securing a publicly accessible ERA server?
« on: July 07, 2023, 12:04:16 PM »
I run a Rolemaster campaign for my friends via Roll20.net and I am considering adopting ERA.

The problem I have is creating a public server accessible by my players scattered across the United States. Has anyone written an authentication system for ERA so I can avoid having my player data accessible to the entire internet? I could protect it by putting it behind a VPN server, but that would cause a whole set of other problems and I want to avoid that.

Offline Voriig Kye

Re: Securing a publicly accessible ERA server?
« Reply #1 on: July 08, 2023, 08:27:06 PM »
What kind of ERA player data would be dangerous to have accessible?
I agree that setting up a public, unsecure server might not be the greatest idea. But if you only start it up and open the corresponding port when you are playing or a player needs to check their character or level up, do you think it is that harmful?
I do not want to dismiss your question, I want to understand the context in which you would be using ERA.

On that line, I've started developing an ERA online server, since it was the most requested feature in a recent poll.
There's an ongoing offer to receive economic support for that effort, and consider the donations at double the rate once the server is running.
Check this thread if you haven't already: https://ironcrown.co.uk/ICEforums/index.php?topic=21004.0

At the moment, the idea is to host a modified version of ERA on Digital Ocean, that would be always online, and each subscriber would get to manage their gaming group content, even allowing installing custom content.
It would most likely offer some sort of user management feature, so that you could give specific access to your players to the different modules.

If you want, feel free to comment on the use cases you would want supported, so that they may be considered in the design.
That also goes to anyone reading this thread. It is obviously of great interest to me to understand how people would use an online ERA server.
This will help prioritize the most expected features, without delays to wait for stuff that nobody needs nor wants.

Thanks for your interest in ERA!

Offline nash

Re: Securing a publicly accessible ERA server?
« Reply #2 on: July 09, 2023, 12:18:14 AM »
> What kind of ERA player data would be dangerous to have accessible?
> I agree that setting up a public, unsecure server might not be the greatest idea. But if you only start it up and open the corresponding port when you are playing or a player needs to check their character or level up, do you think it is that harmful?

Having random people on the internet access a service of any sort is a bad idea. If you have any buffer overflows, SQL vulnerabilities, script problems or any other service problem you could have a really bad time. Yes, ERA data may not be particularly sensitive (but then again it may be useful in some strange blackmail or other issues in certain legal jurisdictions), but essentially you want to keep random people's access to your computer (server) as low as possible.

* nash could give you a really really long list of possible attack surfaces & vectors - worrying about services connected to the internet is my day job.