[Dev] [consensus][due: 2016-08-10] increasing security in Parabola, servers

Luke g4jc at openmailbox.org
Mon Aug 1 21:52:32 GMT 2016


On 07/30/2016 11:24 PM, coadde wrote:
> Hi guys, I would make some changes in the new server, however I would
> propose it to be discussed under consensus first:
>
> * Remove SSL certificates to be more KISS and adhocratic.
No idea what this means, but we should keep our TLS certs and all
mirrors should be required to have HTTPS.
Would also be nice to have a means of verifying the fingerprint of the
certs.
> * Use a TOX server as XMPP replacement.
+1. Simple to use, works on my slow internet, and doesn't require a
central server (XMPP does require a centralized server, although it is
"federated", meaning we could set up our own. Tox is still more reliable imo.)
> * Use our own DNS server.
+1, but you have to make sure it isn't publicly accessible otherwise
we'll be getting hammered with random reflection attacks. We could
include any of the public OpenNIC non-logging servers as default in
/etc/resolv.conf.
> * Use NetworkManager (CLI) instead of Netctl.
Netctl is pretty solid, I no longer use NetworkManager on anything
other than my laptop due to the heavy bloatware.

> * Improve IPv6 security against IoT and RFID (keep link-local IPv6 in
> anonymous -> "fe80::")
Not sure what RFID has to do with our Parabola server? But improving
IPv6 security sounds good.
> * Add firewall
+1 - iptables should be set up to prevent at least basic script-kiddie
DDoS attempts.
> * Add TOR, DNSCrypt and VPN to increase security.
I could see a TOR Hidden Service and/or VPN into the server for
developers as being useful. However, unless we are planning to surf
around using the main server as a VPN (probably not a good idea?) there
isn't much need for DNSCrypt as others mentioned. This can be done
client-side.
> * Testing against all types of attacks to check our security settings are ok.
+1. We should have someone audit the server for any vulnerabilities.
> _______________________________________________
> Dev mailing list
> Dev at lists.parabola.nu
> https://lists.parabola.nu/mailman/listinfo/dev
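On the point raised above about having a means of verifying the fingerprint of the mirrors' TLS certificates, the following is an added example, not code from this thread or from Parabola's infrastructure. It assumes the SHA-256 fingerprint of each mirror's certificate is published out of band (for instance on a signed wiki page, here the constructed `SAMPLE_PIN`) and compares it, in constant time, against the certificate the server actually presents. The host and port names are hypothetical; the sample PEM body is just base64 of `b"hello"` rather than a real certificate, so the pipeline can be exercised offline.

```python
"""Pin and verify a TLS certificate by its SHA-256 fingerprint.

Added example (not Parabola's code). Assumes the expected fingerprint is
distributed out of band and compared against what the mirror presents.
"""
import base64
import hashlib
import hmac
import re
import ssl

# Matches the first PEM certificate block; the body is base64 of the DER.
_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first certificate in a PEM string."""
    m = _PEM_RE.search(pem)
    if m is None:
        raise ValueError("no PEM certificate found")
    return base64.b64decode("".join(m.group(1).split()))


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated uppercase SHA-256 fingerprint, as openssl prints it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_pin(pin: str) -> str:
    """Accept pins with or without colons, in either case."""
    return pin.replace(":", "").strip().upper()


def fingerprint_matches(der: bytes, expected_pin: str) -> bool:
    """Constant-time comparison of the presented cert against the pin."""
    actual = normalize_pin(sha256_fingerprint(der)).encode()
    return hmac.compare_digest(actual, normalize_pin(expected_pin).encode())


def fetch_server_der(host: str, port: int = 443) -> bytes:
    """Fetch the leaf certificate a server presents (needs network access)."""
    pem = ssl.get_server_certificate((host, port))
    return pem_to_der(pem)


def check_mirror(host: str, expected_pin: str, port: int = 443) -> bool:
    """True if the certificate served by host:port matches the pinned value."""
    return fingerprint_matches(fetch_server_der(host, port), expected_pin)


# Constructed sample: the PEM body is base64 of b"hello", not a real
# certificate, so the expected fingerprint is simply SHA-256("hello").
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
aGVsbG8=
-----END CERTIFICATE-----
"""
SAMPLE_PIN = "2CF24DBA5FB0A30E26E83B2AC5B9E29E1B161E5C1FA7425E73043362938B9824"

if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    print(sha256_fingerprint(der))
    print("pin ok" if fingerprint_matches(der, SAMPLE_PIN) else "PIN MISMATCH")
    # Against a live mirror (hypothetical host and pin):
    # print(check_mirror("mirror.example.org", SAMPLE_PIN))
```

The comparison goes through `hmac.compare_digest` so a mismatch does not leak how many leading bytes agreed, and pins are normalized so the colon-separated form `openssl x509 -fingerprint -sha256` prints and the bare hex form both work. A pin check of this kind complements, rather than replaces, normal chain validation: it catches a mirror serving an unexpected certificate even when that certificate chains to a trusted CA.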

