Metalab Services: Unterschied zwischen den Versionen
aus Metalab Wiki, dem offenen Zentrum für meta-disziplinäre Magier und technisch-kreative Enthusiasten.
Zur Navigation springenZur Suche springenPepi (Diskussion | Beiträge) (→Things that need to be done: DNS aufgeräumt!) |
|||
Zeile 43: | Zeile 43: | ||
* gitweb.cgi | * gitweb.cgi | ||
** for [[Benutzer:mzeltner]] - give people the option to avoid GitHub? Decentralised structure and all… With <code>git http-push</code> (WebDAV) support that uses the same credentials as the wiki or mos? Because we don't need lots of people with shell access. | ** for [[Benutzer:mzeltner]] - give people the option to avoid GitHub? Decentralised structure and all… With <code>git http-push</code> (WebDAV) support that uses the same credentials as the wiki or mos? Because we don't need lots of people with shell access. | ||
+ | * [http://www.exim.org/exim-html-current/doc/html/spec_html/ch-support_for_dkim_domainkeys_identified_mail.html DKIM] | ||
+ | ** for [[Benutzer:mzeltner]] | ||
+ | |||
Anything missing? Please [https://metalab.at/wiki/index.php?title=Metalab_Services&action=edit§ion=1 add] it! | Anything missing? Please [https://metalab.at/wiki/index.php?title=Metalab_Services&action=edit§ion=1 add] it! | ||
Zeile 56: | Zeile 59: | ||
** wheezy wheezy wheezy see [http://packages.debian.org/wheezy/apache2 this] and [http://ftp-master.metadata.debian.org/changelogs//main/a/apache2/apache2_2.2.22-13_changelog this] - it's hard enough as it is to keep the machine running (thx thx hop) ---[[Benutzer:Mzeltner|Mzeltner]] ([[Benutzer Diskussion:Mzeltner|Diskussion]]) | ** wheezy wheezy wheezy see [http://packages.debian.org/wheezy/apache2 this] and [http://ftp-master.metadata.debian.org/changelogs//main/a/apache2/apache2_2.2.22-13_changelog this] - it's hard enough as it is to keep the machine running (thx thx hop) ---[[Benutzer:Mzeltner|Mzeltner]] ([[Benutzer Diskussion:Mzeltner|Diskussion]]) | ||
* Update to eJabberd 13.10 (current as of 2013-11-19) or switch to prosody | * Update to eJabberd 13.10 (current as of 2013-11-19) or switch to prosody | ||
− | ** prosody nightly builds for 0.9 are stable and have reasonable SSL settings --[[Benutzer:Mzeltner|Mzeltner]] ([[Benutzer Diskussion:Mzeltner|Diskussion]]) | + | ** prosody nightly builds for 0.9 are stable and have reasonable SSL settings - ah, but: [http://web.jabber.ccc.de/?p=440 Prosody is still single-threaded, which makes it impossible to use for large server deployments] --[[Benutzer:Mzeltner|Mzeltner]] ([[Benutzer Diskussion:Mzeltner|Diskussion]]) |
* Check ALL the Certificates for ALL the services. Acquire certificates for services that do not yet have one. (Basically do not host any unencrypted services anymore) | * Check ALL the Certificates for ALL the services. Acquire certificates for services that do not yet have one. (Basically do not host any unencrypted services anymore) | ||
** I don't think *we* do that (hackerspaces.org does) --[[Benutzer:Mzeltner|Mzeltner]] ([[Benutzer Diskussion:Mzeltner|Diskussion]]) | ** I don't think *we* do that (hackerspaces.org does) --[[Benutzer:Mzeltner|Mzeltner]] ([[Benutzer Diskussion:Mzeltner|Diskussion]]) |
Version vom 19. November 2013, 17:59 Uhr
Language: | English |
---|
Subpages:
Metalab_Services hat keine Unterseiten.
Metalab Services | |
Gestartet: | 2013-11-18 |
Involvierte: | Pepi |
Status: | in progress |
Beschreibung: | Fixing, Securing and updating Metalab Services |
Shutdownprozedur: | |
Zuletzt aktualisiert: | 21.01.2013 |
Existing Services
- Website: http(80)/https(443) metalab.at (www.metalab.at)
- Website: http(80)/https(443) lists.metalab.at
- XMPP/Jabber: xmpp(5222, 5223, 5269, 7777) jabber.metalab.at (also hosts jabber.hackerspaces.org)
- Incoming Email: SMTP(25) mail.metalab.at (MX 10)
- Outgoing Email: SMTP(25)
Web-Apps and -Services
- MediaWiki Wiki
- Trac Tracker
- WEL-Labelz
Broken Web-Apps and Services to be removed
- enki ???
- metasense
- awstats
- svn
- Last time I checked, someone surprisingly still used that - it's been a while though - should pull a backup with git and publish that statically over https --Mzeltner (Diskussion)
- convergence
- webalizer
Whishlist (Services Not Currently Active)
- Any Submission Services? (587)
- against Benutzer:hop
- against Benutzer:mzeltner - not because of technical reasons, but ones that I'd prefer Metalab not have infrastructure set up in which someone speaks for or as the organisation.
- POP(110, 995) or IMAP(143, 993) Services?
- against Benutzer:hop
- against Benutzer:mzeltner - adding complexity
- gitweb.cgi
- for Benutzer:mzeltner - give people the option to avoid GitHub? Decentralised structure and all… With
git http-push
(WebDAV) support that uses the same credentials as the wiki or mos? Because we don't need lots of people with shell access.
- for Benutzer:mzeltner - give people the option to avoid GitHub? Decentralised structure and all… With
- DKIM
Anything missing? Please add it!
Things that need to be done
This is a DRAFT list meant to aggregate things that likely should be looked at if they need any relevant updates. Known security issues should be regarded as relevant.
- Document all changes, updates, etc.
- Already done in
/root/CHANGES
- is there any reason for this to be particularly public? If so, I'd suggest publishing it via HTTPS --Mzeltner (Diskussion)
- Already done in
- Update Apache to 2.2.26 (current as of 2013-11-19) or switch to nginx
- wheezy wheezy wheezy see this and this - it's hard enough as it is to keep the machine running (thx thx hop) ---Mzeltner (Diskussion)
- Update to eJabberd 13.10 (current as of 2013-11-19) or switch to prosody
- prosody nightly builds for 0.9 are stable and have reasonable SSL settings - ah, but: Prosody is still single-threaded, which makes it impossible to use for large server deployments --Mzeltner (Diskussion)
- Check ALL the Certificates for ALL the services. Acquire certificates for services that do not yet have one. (Basically do not host any unencrypted services anymore)
- I don't think *we* do that (hackerspaces.org does) --Mzeltner (Diskussion)
- Provide forward secrecy for all services by using modern ciphers (EDH)
- Discuss the use of ECC as the only widely implemented curves are known and deliberately weakened curves specified by NIST. (secp256r1, secp385r1). Pepi recommends not to use ECC with NIST curves if possible but provide (p)fs by using DHE (works with all current browsers except for Internet Explorer which only supports forward secrecy using ECDHE on Vista an newer.)
- Update Mediawiki to the current release
- Update Trac to the current release
- Check validity of ALL certificates and set up reminders to renew them. Find at least two persons who are volunteering to take care of that as well!
- Reminders I have in my calendar, though hop did the last one --Mzeltner (Diskussion)
- Get certificates for services that lack encryption
- Add SRV Records to DNS for Jabber/XMPP Server federation and Clients discovery
- Add SPF/TXT Records to DNS for Email
- Keep in mind: some people occasionally send email as core@metalab.at from GMail servers (with regards to my comment from above, yes I don't like that either) --Mzeltner (Diskussion)
- Do TLSA records make any sense without DNSSec?
- Test all the services, document how to test them
- Test all the security things, document how to test them
- Check to see if TLS works on the SMTP service:
openssl s_client -starttls smtp -connect metalab.at:25
--Mzeltner (Diskussion)
- Check to see if TLS works on the SMTP service: