[Dev] [consensus][due: 2016-08-10] increasing security in Parabola, servers

André Silva emulatorman at riseup.net
Mon Aug 1 22:23:29 GMT 2016


On 08/01/2016 06:52 PM, Luke wrote:
> On 07/30/2016 11:24 PM, coadde wrote:
>> Hi guys, i would make some changes in the new server, however i would
>> propose it to be discussed under consensus first:
>>
>> * Remove SSL certificates to be more KISS and adhocratic.
> No idea what this means, but we should keep our TLS certs and all
> mirrors should be required to have HTTPS.
> Would also be nice to have a means of verifying the fingerprint of the
> certs.

+1 about Luke opinion.

>> * Use a TOX server as XMPP replacement.
> +1. Simple to use, works on my slow internet, and doesn't require a
> central server (XMPP does require a centralized server, although it is
> "federated" meaning we could setup our own. Tox is still more reliable imo.)

I think TOX has option to register account to toxme.io. Since i don't
know about it, could be it useful to create a server?

>> * Use our own DNS server.
> +1, but you have to make sure it isn't publicly accessible otherwise
> we'll be getting hammered with random reflection attacks. We could
> include any of the public OpenNIC non-logging servers as default in
> /etc/resolv.conf.

+1

>> * Use NetworkManager (CLI) instead of Netctl.
> Netctl is pretty solid, I no longer use network manager on anything
> other than my laptop due to the heavy bloatware.

Netctl is pretty solid, but no portable since it is adapted only for
systemd. If we have plans to move to OpenRC or another one (eg. gnudmd
(called now as GNU Shepherd)), we should looking for alternatives (eg.
NetworkManager).

>> * Improve IPv6 security against IoT and RFID (keep link-local IPv6 in
>> anonymous -> "fe80::")
> Not sure what RFID has to do with our Parabola server? But improving
> IPv6 security sounds good.

+1

>> * Add firewall
> +1 - IPTables should be setup to prevent at least basic script-kiddie
> DDoS attempts.

+1

>> * Add TOR, DNSCrypt and VPN to increase security.
> I could see a TOR Hidden Service and/or VPN into the server for
> developers as being useful. However, unless we are planning to surf
> around using the main server as a VPN (probably not a good idea?) there
> isn't much need for DNSCrypt as others mentioned. This can be done
> client-side.

+1

>> * Testing against all type of attacks to check our security settings is ok.
> +1. We should have someone audit the server for any vulnerabilities.

+1, i suggest use linux-libre-audit for it.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.parabola.nu/pipermail/dev/attachments/20160801/77c261ce/attachment.sig>


More information about the Dev mailing list