Metalab Services
From Metalab Wiki, the open center for meta-disciplinary magicians and technical-creative enthusiasts.
Revision as of 19 November 2013, 13:32 by Pepi (→Things that need to be done: +DNS)
Metalab Services | |
Started: | 2013-11-18 |
Involved: | Pepi |
Status: | in progress |
Description: | Fixing, Securing and updating Metalab Services |
Shutdown procedure: | |
Last updated: | 21.01.2013 |
Existing Services
- Website: http(80)/https(443) metalab.at (www.metalab.at)
- Website: http(80)/https(443) lists.metalab.at
- XMPP/Jabber: xmpp(5222, 5223, 5269, 7777) jabber.metalab.at (also hosts jabber.hackerspaces.org)
- Incoming Email: SMTP(25) mail.metalab.at (MX 10)
- Outgoing Email: SMTP(25)
Web-Apps and -Services
Broken Web-Apps and Services to be removed
- enki ???
- metasense
- awstats
- svn
- convergence
- webalizer
Wishlist (Services Not Currently Active)
- Any Submission Services? (587)
  - against Benutzer:hop
- POP(110, 995) or IMAP(143, 993) Services?
  - against Benutzer:hop
Anything missing? Please add it!
Things that need to be done
This is a DRAFT list that aggregates things which should be checked for relevant updates. Known security issues should be regarded as relevant.
- Document all changes, updates, etc.
- Update Apache to 2.2.26 (current as of 2013-11-19) or switch to nginx
- Update to ejabberd 13.10 (current as of 2013-11-19) or switch to Prosody
- Check ALL the Certificates for ALL the services. Acquire certificates for services that do not yet have one. (Basically do not host any unencrypted services anymore)
- Provide forward secrecy for all services by using modern ciphers (EDH)
- Discuss the use of ECC, as the only widely implemented curves are the known and deliberately weakened curves specified by NIST (secp256r1, secp384r1). Pepi recommends not using ECC with NIST curves if possible, but providing (P)FS by using DHE (works with all current browsers except Internet Explorer, which only supports forward secrecy using ECDHE on Vista and newer).
- Update Mediawiki to the current release
- Update Trac to the current release
- Check validity of ALL certificates and set up reminders to renew them. Find at least two persons who are volunteering to take care of that as well!
- Get certificates for services that lack encryption
- Add SRV records to DNS for Jabber/XMPP server federation and client discovery
- Add SPF/TXT Records to DNS for Email
- Do TLSA records make any sense without DNSSEC?
- Test all the services, document how to test them
- Test all the security things, document how to test them
- Clean up cruft in the DNS
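
One way to implement the certificate validity check and renewal reminder from the list above, as an added example that is not part of the original wiki page. Host names and ports come from the Existing Services list; the function names, the 30-day threshold and the treatment of port 5223 as direct TLS are assumptions.

```python
import smtplib
import socket
import ssl
from datetime import datetime, timezone

# Hosts and ports from "Existing Services". Treating 5223 as direct TLS is an assumption.
SERVICES = [
    ("metalab.at", 443, "tls"),
    ("lists.metalab.at", 443, "tls"),
    ("jabber.metalab.at", 5223, "tls"),
    ("mail.metalab.at", 25, "smtp"),  # upgraded with STARTTLS
]
WARN_DAYS = 30  # assumed reminder threshold, not from the page

def fetch_not_after(host, port, proto, timeout=10):
    """Do a verified handshake and return the certificate's notAfter string."""
    ctx = ssl.create_default_context()
    if proto == "smtp":
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.starttls(context=ctx)
            return smtp.sock.getpeercert()["notAfter"]
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]

def days_left(not_after, now=None):
    """Whole days until expiry; negative once the certificate has expired."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    return (expires - (now or datetime.now(timezone.utc))).days

def classify(not_after, now=None, warn_days=WARN_DAYS):
    remaining = days_left(not_after, now)
    if remaining < 0:
        return "EXPIRED"
    return "RENEW" if remaining <= warn_days else "OK"

def report(services=SERVICES):
    """One row per service; handshake failures (untrusted, expired, wrong name) become ERROR."""
    rows = []
    for host, port, proto in services:
        try:
            not_after = fetch_not_after(host, port, proto)
            rows.append((host, port, classify(not_after), days_left(not_after)))
        except OSError as exc:  # ssl.SSLError and smtplib.SMTPException are OSError subclasses
            rows.append((host, port, "ERROR", str(exc)))
    return rows

if __name__ == "__main__":
    for row in report():
        print(*row)
```

Run from cron, any row that is not `OK` is the renewal reminder; a plain XMPP STARTTLS check on 5222 needs protocol-specific negotiation and is not covered here.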