<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 07/30/2016 11:24 PM, coadde wrote:<br>
</div>
<blockquote
cite="mid:58c496d7-bf56-a3ea-7224-115a1714c6c5@riseup.net"
type="cite">
<pre wrap="">Hi guys, i would make some changes in the new server, however i would
propose it to be discussed under consensus first:
* Remove SSL certificates to be more KISS and adhocratic.</pre>
</blockquote>
No idea what this means, but we should keep our TLS certs, and all
mirrors should be required to have HTTPS.<br>
It would also be nice to have a means of verifying the fingerprint of
the certs.<br>
<blockquote
cite="mid:58c496d7-bf56-a3ea-7224-115a1714c6c5@riseup.net"
type="cite">
<pre wrap="">
* Use a TOX server as XMPP replacement.</pre>
</blockquote>
+1. Simple to use, works on my slow internet, and doesn't require a
central server (XMPP does require a centralized server, although it
is "federated", meaning we could set up our own. Tox is still more
reliable IMO.)<br>
<blockquote
cite="mid:58c496d7-bf56-a3ea-7224-115a1714c6c5@riseup.net"
type="cite">
<pre wrap="">
* Use our own DNS server.</pre>
</blockquote>
+1, but you have to make sure it isn't publicly accessible; otherwise
we'll be getting hammered with random reflection attacks. We could
include any of the public OpenNIC non-logging servers as the default in
/etc/resolv.conf.<br>
<blockquote
cite="mid:58c496d7-bf56-a3ea-7224-115a1714c6c5@riseup.net"
type="cite">
<pre wrap="">
* Use NetworkManager (CLI) instead of Netctl.</pre>
</blockquote>
Netctl is pretty solid; I no longer use NetworkManager on anything
other than my laptop due to the heavy bloatware.<br>
<br>
<blockquote
cite="mid:58c496d7-bf56-a3ea-7224-115a1714c6c5@riseup.net"
type="cite">
<pre wrap="">
* Improve IPv6 security against IoT and RFID (keep link-local IPv6 in
anonymous -> "fe80::")</pre>
</blockquote>
Not sure what RFID has to do with our Parabola server? But improving
IPv6 security sounds good.<br>
<blockquote
cite="mid:58c496d7-bf56-a3ea-7224-115a1714c6c5@riseup.net"
type="cite">
<pre wrap="">
* Add firewall</pre>
</blockquote>
+1 - iptables should be set up to prevent at least basic
script-kiddie DDoS attempts.<br>
<blockquote
cite="mid:58c496d7-bf56-a3ea-7224-115a1714c6c5@riseup.net"
type="cite">
<pre wrap="">
* Add TOR, DNSCrypt and VPN to increase security.</pre>
</blockquote>
I could see a Tor hidden service and/or a VPN into the server for
developers as being useful. However, unless we are planning to surf
around using the main server as a VPN (probably not a good idea?),
there isn't much need for DNSCrypt, as others mentioned. This can be
done client-side.<br>
<blockquote
cite="mid:58c496d7-bf56-a3ea-7224-115a1714c6c5@riseup.net"
type="cite">
<pre wrap="">
* Testing against all types of attacks to check that our security settings are OK.</pre>
</blockquote>
+1. We should have someone audit the server for any vulnerabilities.
<br>
<blockquote
cite="mid:58c496d7-bf56-a3ea-7224-115a1714c6c5@riseup.net"
type="cite">
<pre wrap="">
</pre>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Dev mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Dev@lists.parabola.nu">Dev@lists.parabola.nu</a>
<a class="moz-txt-link-freetext" href="https://lists.parabola.nu/mailman/listinfo/dev">https://lists.parabola.nu/mailman/listinfo/dev</a>
</pre>
</blockquote>
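As an added example for the "verifying the fingerprint of the certs" point in the reply above (this is not code from the thread or from Parabola), here is a small Python 3 checker that fetches each mirror's leaf certificate over TLS, computes the SHA-256 fingerprint of its DER encoding (the same value that `openssl x509 -fingerprint -sha256` prints) and compares it in constant time against a pinned value obtained out of band. The mirror host and pin in `PINNED` are placeholders, and the offline self-check at the bottom feeds the comparison logic constructed bytes rather than a real certificate.

```python
#!/usr/bin/env python3
"""Compare mirrors' TLS leaf certificates against pinned SHA-256 fingerprints."""
import hashlib
import hmac
import socket
import ssl
import sys

# Hypothetical pin list (placeholders, not real Parabola mirrors):
# hostname -> SHA-256 fingerprint of the leaf certificate's DER encoding,
# as obtained out of band from the mirror operator.
PINNED = {
    "mirror.example.org": "sha256 Fingerprint="
    "E3:B0:C4:42:98:FC:1C:14:9A:FB:F4:C8:99:6F:B9:24:"
    "27:AE:41:E4:64:9B:93:4C:A4:95:99:1B:78:52:B8:55",
}

HEX = "0123456789ABCDEF"


def fingerprint_der(der: bytes) -> str:
    """SHA-256 of the DER bytes in colon-separated upper-case hex, matching
    the output of `openssl x509 -noout -fingerprint -sha256`."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Accept a pasted openssl line ('sha256 Fingerprint=AA:BB:...'), bare
    colon-separated hex, or plain hex in either case; return the canonical
    'AA:BB:...' form. Anything that is not 32 bytes of hex is rejected."""
    if "=" in fp:
        fp = fp.rsplit("=", 1)[1]
    digits = fp.replace(":", "").replace(" ", "").strip().upper()
    if len(digits) != 64 or any(c not in HEX for c in digits):
        raise ValueError("not a SHA-256 fingerprint: %r" % fp)
    return ":".join(digits[i:i + 2] for i in range(0, 64, 2))


def pin_matches(observed_der: bytes, pinned: str) -> bool:
    """Constant-time comparison of the observed fingerprint with the pin."""
    return hmac.compare_digest(fingerprint_der(observed_der), normalize(pinned))


def fetch_leaf_der(host: str, port: int = 443, timeout: float = 10.0) -> bytes:
    """Fetch the server's leaf certificate as DER bytes.
    Chain verification is deliberately off: the pin, not the CA, is what we
    check, so an interposed certificate signed by any CA still fails the pin."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check_mirrors(pins: dict, fetch=fetch_leaf_der) -> dict:
    """Return {host: 'ok' | 'MISMATCH' | 'ERROR: ...'} for every pinned host.
    `fetch` is injectable so the logic can be exercised without the network."""
    results = {}
    for host, pin in pins.items():
        try:
            der = fetch(host)
        except OSError as exc:           # ssl.SSLError is a subclass of OSError
            results[host] = "ERROR: %s" % exc
            continue
        results[host] = "ok" if pin_matches(der, pin) else "MISMATCH"
    return results


def offline_selfcheck() -> dict:
    """Run check_mirrors against constructed bytes instead of a live mirror."""
    fake_cert = b"constructed bytes standing in for a DER certificate"
    pins = {
        "good.example": fingerprint_der(fake_cert),
        "bad.example": fingerprint_der(b"some other certificate"),
        "down.example": fingerprint_der(fake_cert),
    }

    def fake_fetch(host):
        if host == "down.example":
            raise OSError("connection refused")
        return fake_cert

    return check_mirrors(pins, fetch=fake_fetch)


if __name__ == "__main__":
    if "--selfcheck" in sys.argv:
        results = offline_selfcheck()
    else:
        results = check_mirrors(PINNED)
    for host, status in sorted(results.items()):
        print("%-30s %s" % (host, status))
    sys.exit(0 if all(s == "ok" for s in results.values()) else 1)
```

Run it with `--selfcheck` to exercise the comparison logic offline; without the flag it contacts the hosts in `PINNED`. Note that a pin on the leaf certificate has to be rotated whenever a mirror renews its certificate, so the expected fingerprints need a channel (for example, a signed file in the repository) that does not itself depend on the TLS connection being checked.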
<p><br>
</p>
</body>
</html>