Metalab Services: Difference between revisions

From Metalab Wiki, the open center for meta-disciplinary magicians and technical-creative enthusiasts.
 
(17 intermediate revisions by 7 users not shown)
Zeile 3: Zeile 3:
 
{{Projekt
 
{{Projekt
 
|image=Metalab Atomic ASCII.png
 
|image=Metalab Atomic ASCII.png
|involved=[[User:Pepi|Pepi]]
+
|involved=
 
|startdate=2013-11-18
 
|startdate=2013-11-18
|status=in progress
+
|status=deceased
 
|wtf=Fixing, Securing and updating Metalab Services
 
|wtf=Fixing, Securing and updating Metalab Services
 
|lastupdate=21.01.2013 <!-- if lastupdate is not set manually, the date will be set automatically to the date of the latest wikiapage -->
 
|lastupdate=21.01.2013 <!-- if lastupdate is not set manually, the date will be set automatically to the date of the latest wikiapage -->
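Review bot: lastupdate stays at 21.01.2013 in this hunk, which is earlier than startdate=2013-11-18, while status moves to "deceased" and involved is emptied. Either set lastupdate to the date of this status change or drop the parameter so the template's automatic date applies, as the inline comment on that line describes.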
Zeile 16: Zeile 16:
 
* Website: http(80)/https(443) metalab.at (www.metalab.at)
 
* Website: http(80)/https(443) metalab.at (www.metalab.at)
 
* Website: http(80)/https(443) lists.metalab.at
 
* Website: http(80)/https(443) lists.metalab.at
* XMPP/Jabber: xmpp(5222, 5223, 5269, 7777) jabber.metalab.at (also hosts jabber.hackerspaces.org)
+
* XMPP/Jabber: xmpp(5222, 5269) jabber.metalab.at
 
* Incoming Email: SMTP(25) mail.metalab.at (MX 10)
 
* Incoming Email: SMTP(25) mail.metalab.at (MX 10)
 
* Outgoing Email: SMTP(25)
 
* Outgoing Email: SMTP(25)
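Review bot: the new XMPP line drops ports 5223 and 7777 and the remark that the host also serves jabber.hackerspaces.org, but nothing in the change says whether those listeners were actually closed. If they were, record that with a date; if not, keep them listed so the service inventory matches what is reachable on the host.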
Zeile 23: Zeile 23:
 
* MediaWiki [https://metalab.at/wiki/|Metalab Wiki]
 
* MediaWiki [https://metalab.at/wiki/|Metalab Wiki]
 
* Trac [https://metalab.at/issues|Issue Tracker]
 
* Trac [https://metalab.at/issues|Issue Tracker]
* WEL-Labelz
+
* [https://metalab.at/wel/ WEL-Labelz]
  
 
== Broken Web-Apps and Services to be removed ==
 
== Broken Web-Apps and Services to be removed ==
Zeile 30: Zeile 30:
 
* awstats
 
* awstats
 
* svn
 
* svn
 +
** Last time I checked, someone surprisingly still used that - it's been a while though - should pull a backup with git and publish that statically over https --[[Benutzer:Mzeltner|Mzeltner]] ([[Benutzer Diskussion:Mzeltner|Diskussion]])
 
* convergence
 
* convergence
 
* webalizer
 
* webalizer
Zeile 35: Zeile 36:
 
== Whishlist (Services Not Currently Active) ==
 
== Whishlist (Services Not Currently Active) ==
 
* Any Submission Services? (587)
 
* Any Submission Services? (587)
- against [[Benutzer:hop]]
+
** against [[Benutzer:hop]]
 +
** against [[Benutzer:mzeltner]] - not because of technical reasons, but ones that I'd prefer Metalab not have infrastructure set up in which someone speaks for or as the organisation.
 +
** [[Benutzer:reox]] icbw but submission should be used for mailservers that hold mailboxes, not for relays. they should use port 25. only use it if pop/imap is implemented
 +
** for [[Benutzer:reckoner]] - Could be just mail forwarding service without storage attached to mailbox.
 
* POP(110, 995) or IMAP(143, 993) Services?
 
* POP(110, 995) or IMAP(143, 993) Services?
  - against [[Benutzer:hop]]
+
** against [[Benutzer:hop]]
 +
** against [[Benutzer:mzeltner]] - adding complexity
 +
** for [[Benutzer:red667]] -  mailserverice for members, so less people use gmail, hotmail, ... - cryptohardening is useless if the data is at a place without control
 +
** for [[Benutzer:reckoner]] - only in the form of super-encrypted paid-only mailboxes for paranoid members with funds going to Metalab support.  
 +
* gitweb.cgi
 +
** for [[Benutzer:mzeltner]] - give people the option to avoid GitHub? Decentralised structure and all… With <code>git http-push</code> (WebDAV) support that uses the same credentials as the wiki or mos? Because we don't need lots of people with shell access.
 +
** for [[Benutzer:reox]]
 +
** against [[Benutzer:reckoner]] - using [https://github.com/metalab/ Github Metalab org. account] motivates people to participate in projects, provides better visibility.
 +
* [http://www.exim.org/exim-html-current/doc/html/spec_html/ch-support_for_dkim_domainkeys_identified_mail.html DKIM]
 +
** for [[Benutzer:mzeltner]]
 +
** for [[Benutzer:reox]]
 +
** for [[Benutzer:reckoner]] - and SPF, and DMARC
 +
* LDAP
 +
** for [[Benutzer:red667]] - i now its a pain in the ass but would be beneficial for a lot of other services
 +
** for [[Benutzer:reckoner]] - definitely
 +
* MediaWiki
 +
** for [[Benutzer:reckoner]] - Use MediaWiki as the only CMS for the website, including front-page, calendar and users. Leave MOS as legacy administration backend only.
  
 
Anything missing? Please [https://metalab.at/wiki/index.php?title=Metalab_Services&action=edit&section=1 add] it!
 
Anything missing? Please [https://metalab.at/wiki/index.php?title=Metalab_Services&action=edit&section=1 add] it!
 +
  
  
 
=== Things that need to be done ===
 
=== Things that need to be done ===
 +
This is a DRAFT list meant to aggregate things that likely should be looked at if they need any relevant updates. Known security issues should be regarded as relevant.
 +
 
* Document all changes, updates, etc.
 
* Document all changes, updates, etc.
- Changes are currently documented to the best of our ability. Anyone suggesting a "better way" will have to demonstrate the magical power of changing people's behaviour(tm) first
+
** Already done in <code>/root/CHANGES</code> - is there any reason for this to be particularly public? If so, I'd suggest publishing it via HTTPS --[[Benutzer:Mzeltner|Mzeltner]] ([[Benutzer Diskussion:Mzeltner|Diskussion]])
 
* Update Apache to 2.2.26 (current as of 2013-11-19) or switch to nginx
 
* Update Apache to 2.2.26 (current as of 2013-11-19) or switch to nginx
- Why??? [[Benutzer:hop]]
+
** wheezy wheezy wheezy see [http://packages.debian.org/wheezy/apache2 this] and [http://ftp-master.metadata.debian.org/changelogs//main/a/apache2/apache2_2.2.22-13_changelog this] - it's hard enough as it is to keep the machine running (thx thx hop) ---[[Benutzer:Mzeltner|Mzeltner]] ([[Benutzer Diskussion:Mzeltner|Diskussion]])
 
* Update to eJabberd 13.10 (current as of 2013-11-19) or switch to prosody
 
* Update to eJabberd 13.10 (current as of 2013-11-19) or switch to prosody
 +
** prosody nightly builds for 0.9 are stable and have reasonable SSL settings - ah, but: [http://web.jabber.ccc.de/?p=440 Prosody is still single-threaded, which makes it impossible to use for large server deployments] --[[Benutzer:Mzeltner|Mzeltner]] ([[Benutzer Diskussion:Mzeltner|Diskussion]])
 
* Check ALL the Certificates for ALL the services. Acquire certificates for services that do not yet have one. (Basically do not host any unencrypted services anymore)
 
* Check ALL the Certificates for ALL the services. Acquire certificates for services that do not yet have one. (Basically do not host any unencrypted services anymore)
 +
** I don't think *we* do that (hackerspaces.org does) --[[Benutzer:Mzeltner|Mzeltner]] ([[Benutzer Diskussion:Mzeltner|Diskussion]])
 
* Provide forward secrecy for all services by using modern ciphers (EDH)
 
* Provide forward secrecy for all services by using modern ciphers (EDH)
* Discuss the use of ECC as the only widely implemented curves are known and deliberately weakened curves specified by NIST. (secp256r1, secp385r1). [[User:Pepi|Pepi]] recommends not to use ECC if possible but provide (p)fs by using EDH.
+
* Discuss the use of ECC as the only widely implemented curves are known and deliberately weakened curves specified by NIST. (secp256r1, secp385r1). [[User:Pepi|Pepi]] recommends not to use ECC with NIST curves if possible but provide (p)fs by using DHE (works with all current browsers except for Internet Explorer which only supports forward secrecy using ECDHE on Vista an newer.)
 
* Update Mediawiki to the current release
 
* Update Mediawiki to the current release
- WTF are you on about? We are tracking git and missing _one_ point release that has no security relevant changes. [[Benutzer:hop]]
 
 
* Update Trac to the current release
 
* Update Trac to the current release
 
* Check validity of ALL certificates and set up reminders to renew them. Find at least two persons who are volunteering to take care of that as well!
 
* Check validity of ALL certificates and set up reminders to renew them. Find at least two persons who are volunteering to take care of that as well!
 +
** Reminders I have in my calendar, though hop did the last one --[[Benutzer:Mzeltner|Mzeltner]] ([[Benutzer Diskussion:Mzeltner|Diskussion]])
 
* Get certificates for services that lack encryption
 
* Get certificates for services that lack encryption
 
* Add SRV Records to DNS for Jabber/XMPP Server federation and Clients discovery
 
* Add SRV Records to DNS for Jabber/XMPP Server federation and Clients discovery
 
* Add SPF/TXT Records to DNS for Email
 
* Add SPF/TXT Records to DNS for Email
* Do [http://tools.ietf.org/html/draft-ietf-dane-protocol-03 TLSA] records make any sense without DNSSec?
+
** Keep in mind: some people occasionally send email as [[Bild:core.png]] from GMail servers (with regards to my comment from above, yes I don't like that either) --[[Benutzer:Mzeltner|Mzeltner]] ([[Benutzer Diskussion:Mzeltner|Diskussion]])
 
* Test all the services, document how to test them
 
* Test all the services, document how to test them
 
* Test all the security things, document how to test them
 
* Test all the security things, document how to test them
 +
 +
== Things DONE ==
 +
* 2015-07-01: STARTTLS on SMTP supported. Check to see if TLS works on the SMTP service: <code>openssl s_client -starttls smtp -connect mail.metalab.at:25</code>
 +
* Cleaned up most cruft in the DNS - Did [[User:Pepi|I]] break anything? I'm sorry, [[User:Pepi|tell me]] what and why you need it so I can reinstate it!
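Review bot: in the "Things that need to be done" part of this hunk, the rewritten ECC item still names "secp385r1" (the NIST curve normally listed next to secp256r1 is secp384r1) and reads "Vista an newer"; both should be corrected while the line is being touched. The same hunk deletes the TLSA/DNSSec question and hop's replies under the Apache and Mediawiki items without recording an outcome; a one-line resolution under each item would keep the decision visible to later readers.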

Latest revision as of 11 September 2017, 16:45

Language: English
Subpages:
Metalab_Services has no subpages.



Metalab Services
Metalab Atomic ASCII.png
Started: 2013-11-18
Status: deceased
Description: Fixing, Securing and updating Metalab Services
Shutdown procedure:
Last updated: 21.01.2013



Existing Services

  • Website: http(80)/https(443) metalab.at (www.metalab.at)
  • Website: http(80)/https(443) lists.metalab.at
  • XMPP/Jabber: xmpp(5222, 5269) jabber.metalab.at
  • Incoming Email: SMTP(25) mail.metalab.at (MX 10)
  • Outgoing Email: SMTP(25)

Web-Apps and -Services

Broken Web-Apps and Services to be removed

  • enki ???
  • metasense
  • awstats
  • svn
    • Last time I checked, someone surprisingly still used that - it's been a while though - should pull a backup with git and publish that statically over https --Mzeltner (talk)
  • convergence
  • webalizer

Wishlist (Services Not Currently Active)

  • Any Submission Services? (587)
    • against Benutzer:hop
    • against Benutzer:mzeltner - not because of technical reasons, but ones that I'd prefer Metalab not have infrastructure set up in which someone speaks for or as the organisation.
    • Benutzer:reox icbw but submission should be used for mailservers that hold mailboxes, not for relays. they should use port 25. only use it if pop/imap is implemented
    • for Benutzer:reckoner - Could be just mail forwarding service without storage attached to mailbox.
  • POP(110, 995) or IMAP(143, 993) Services?
    • against Benutzer:hop
    • against Benutzer:mzeltner - adding complexity
    • for Benutzer:red667 - mail service for members, so fewer people use gmail, hotmail, ... - cryptohardening is useless if the data is at a place without control
    • for Benutzer:reckoner - only in the form of super-encrypted paid-only mailboxes for paranoid members with funds going to Metalab support.
  • gitweb.cgi
    • for Benutzer:mzeltner - give people the option to avoid GitHub? Decentralised structure and all… With git http-push (WebDAV) support that uses the same credentials as the wiki or mos? Because we don't need lots of people with shell access.
    • for Benutzer:reox
    • against Benutzer:reckoner - using Github Metalab org. account motivates people to participate in projects, provides better visibility.
  • DKIM
  • LDAP
  • MediaWiki
    • for Benutzer:reckoner - Use MediaWiki as the only CMS for the website, including front-page, calendar and users. Leave MOS as legacy administration backend only.

Anything missing? Please add it!


Things that need to be done

This is a DRAFT list meant to aggregate things that likely should be looked at if they need any relevant updates. Known security issues should be regarded as relevant.

  • Document all changes, updates, etc.
    • Already done in /root/CHANGES - is there any reason for this to be particularly public? If so, I'd suggest publishing it via HTTPS --Mzeltner (talk)
  • Update Apache to 2.2.26 (current as of 2013-11-19) or switch to nginx
    • wheezy wheezy wheezy see this and this - it's hard enough as it is to keep the machine running (thx thx hop) ---Mzeltner (talk)
  • Update to eJabberd 13.10 (current as of 2013-11-19) or switch to prosody
  • Check ALL the Certificates for ALL the services. Acquire certificates for services that do not yet have one. (Basically do not host any unencrypted services anymore)
  • Provide forward secrecy for all services by using modern ciphers (EDH)
  • Discuss the use of ECC as the only widely implemented curves are known and deliberately weakened curves specified by NIST (secp256r1, secp384r1). Pepi recommends not to use ECC with NIST curves if possible but provide (p)fs by using DHE (works with all current browsers except for Internet Explorer, which only supports forward secrecy using ECDHE on Vista and newer).
  • Update Mediawiki to the current release
  • Update Trac to the current release
  • Check validity of ALL certificates and set up reminders to renew them. Find at least two persons who are volunteering to take care of that as well!
  • Get certificates for services that lack encryption
  • Add SRV Records to DNS for Jabber/XMPP Server federation and Clients discovery
  • Add SPF/TXT Records to DNS for Email
    • Keep in mind: some people occasionally send email as Core.png from GMail servers (with regards to my comment from above, yes I don't like that either) --Mzeltner (talk)
  • Test all the services, document how to test them
  • Test all the security things, document how to test them

Things DONE

  • 2015-07-01: STARTTLS on SMTP supported. Check to see if TLS works on the SMTP service: openssl s_client -starttls smtp -connect mail.metalab.at:25
  • Cleaned up most cruft in the DNS - Did I break anything? I'm sorry, tell me what and why you need it so I can reinstate it!
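
The certificate-validity reminder and the STARTTLS check listed above can be automated in one script. This is an added example, not part of the wiki page or Metalab's own tooling; hosts and ports come from the Existing Services list, while the 30-day threshold and all function names are assumptions.

```python
import smtplib
import socket
import ssl
import time

# Hosts and ports from the page's "Existing Services" list. XMPP (5222) is left
# out: its STARTTLS needs an XMPP stream negotiation the stdlib does not provide.
SERVICES = [("metalab.at", 443, "tls"), ("lists.metalab.at", 443, "tls"),
            ("mail.metalab.at", 25, "smtp-starttls")]
WARN_DAYS = 30  # assumed reminder threshold, not taken from the page

def days_left(not_after, now=None):
    """Whole days until notAfter (OpenSSL text form, e.g. 'Jan  1 00:00:00 2020 GMT')."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)

def classify(not_after, now=None, warn_days=WARN_DAYS):
    """Return EXPIRED, RENEW (inside the reminder window) or OK."""
    remaining = days_left(not_after, now)
    if remaining < 0:
        return "EXPIRED"
    return "RENEW" if remaining <= warn_days else "OK"

def fetch_not_after(host, port, mode, timeout=10):
    """Fetch the peer certificate's notAfter; chain and hostname are verified."""
    ctx = ssl.create_default_context()
    if mode == "smtp-starttls":  # same exchange as `openssl s_client -starttls smtp`
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.starttls(context=ctx)
            return smtp.sock.getpeercert()["notAfter"]
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]

def report(services=SERVICES):
    """One row per service; a failed handshake (expired, untrusted) shows as ERROR."""
    rows = []
    for host, port, mode in services:
        try:
            not_after = fetch_not_after(host, port, mode)
            rows.append((host, port, classify(not_after), not_after))
        except (OSError, smtplib.SMTPException) as exc:
            rows.append((host, port, "ERROR", str(exc)))
    return rows

if __name__ == "__main__":
    for row in report():
        print(*row)
```

Run from cron, any row that is not OK is the renewal reminder; because verification is enforced, a certificate that has already expired fails the handshake and is reported as ERROR with the verification message.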