[Dev] [consensus][due: 2016-08-10] increasing security in Parabola, servers

coadde coadde at riseup.net
Mon Aug 1 23:25:42 GMT 2016


On 08/01/2016 07:23 PM, André Silva wrote:
> On 08/01/2016 06:52 PM, Luke wrote:
>> On 07/30/2016 11:24 PM, coadde wrote:
>>> Hi guys, I would make some changes in the new server, however I would
>>> propose it to be discussed under consensus first:
>>>
>>> * Remove SSL certificates to be more KISS and adhocratic.
>> No idea what this means, but we should keep our TLS certs and all
>> mirrors should be required to have HTTPS.
>> Would also be nice to have a means of verifying the fingerprint of the
>> certs.
> 
> +1 about Luke's opinion.

OK, I don't know much about TLS :(

>>> * Use a TOX server as XMPP replacement.
>> +1. Simple to use, works on my slow internet, and doesn't require a
>> central server (XMPP does require a centralized server, although it is
>> "federated" meaning we could set up our own. Tox is still more reliable imo.)
> 
> I think TOX has an option to register an account on toxme.io. Since I don't
> know about it, could it be useful to create a server?

It could create a user to speak in groups and conferences with TOX.

And "toxcore" contains the service "tox-bootstrapd (Tox DHT Bootstrap)",
to use as a node and DHT[0][1]

[0]:https://wiki.tox.chat/users/nodes
[1]:https://wiki.archlinux.org/index.php/Tox#Run_a_node

>>> * Use NetworkManager (CLI) instead of Netctl.
>> Netctl is pretty solid, I no longer use network manager on anything
>> other than my laptop due to the heavy bloatware.
> 
> Netctl is pretty solid, but not portable since it is adapted only for
> systemd. If we have plans to move to OpenRC or another one (e.g. gnudmd
> (now called GNU Shepherd)), we should look for alternatives (e.g.
> NetworkManager).

+1, NetworkManager is easy to use with the "nmcli" command and contains
most options, for example:

nmcli commands:

nmcli c add help # help to create any type of network
nmcli c add type ethernet ifname eth10 con-name "Ethernet_Server" \
            autoconnect yes \
            ip4 10.0.0.1/24 gw4 10.0.0.1 # create the "Ethernet_Server"
nmcli c show # show all networks
nmcli c edit "Ethernet_Server" # edit the selected network in interactive mode
nmcli c up "Ethernet_Server" # to connect the selected network
nmcli c down "Ethernet_Server" # to disconnect the selected network
nmcli d status # show interfaces
nmcli d wifi   # show SSID wifis and status
nmcli -a d wifi connect "SSID" # create and enter the selected SSID wifi

configuration file like:

/etc/NetworkManager/system-connections/"Ethernet_Server"

--------------------------------------------------------

[connection]
id=Ethernet_Server
uuid=ffffffff-ffff-ffff-ffff-ffffffffffff
type=ethernet
permissions=
secondaries=

[ethernet]
mac-address-blacklist=

[ipv4]
address1=10.0.0.1/24,10.0.0.1
dns=127.0.0.1;
dns-search=
method=manual

[ipv6]
addr-gen-mode=stable-privacy
address1=fd09::/64,fd09::1
dns=
dns-search=
method=manual

--------------------------------------------------------

>>> * Testing against all types of attacks to check that our security settings are OK.
>> +1. We should have someone audit the server for any vulnerabilities.
> 
> +1, I suggest using linux-libre-audit for it.
> 
> In this case, since it is a server, I could create a modified version of
> linux-libre-lts with AUDIT support called linux-libre-lts-audit, what do
> you think, guys?

+1
