
FeministWiki:Technical documentation: Difference between revisions

(Mention IPv6 issues and Fail2ban.)
(One intermediate revision by the same user not shown)
Line 40: Line 40:


There are no AAAA entries in the DNS because we only allow IPv4 for incoming connections.  This simplifies security auditing.
There are no AAAA entries in the DNS because we only allow IPv4 for incoming connections.  This simplifies security auditing.
== Firewall ==
The simple <code>ufw</code> firewall-frontend is used to trivially limit all network I/O to the ports you can see in the host table above, plus port 22 for ssh and scp.
UFW adds IPv6 rules by default, which can be prevented by using more explicit rules.  Consider the following rule:
  ufw allow 12345/tcp  # will allow TCP connections to port 12345 via IPv4 and IPv6
To limit this to IPv4 you can instead use this:
  ufw allow proto tcp to 0.0.0.0/0 port 12345  # will allow TCP connections to port 12345 via IPv4 only
== Fail2ban ==
We use <code>fail2ban</code> to detect brute force attempts on some services.  The git repository for scripts and config contains the relevant Fail2ban configuration under <code>etc/fail2ban</code>.


== Special DNS entries ==
== Special DNS entries ==
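Review bot: the IPv4-only form `ufw allow proto tcp to 0.0.0.0/0 port 12345` is the right choice over the alternative of setting `IPV6=no` in `/etc/default/ufw`, and the section should say why: with an explicit IPv4 destination, ufw writes no ip6tables rule for that port while its default-deny policy still covers any IPv6 traffic the host receives, whereas `IPV6=no` makes ufw stop managing ip6tables entirely, so nothing would filter v6 at all. Suggest adding `ufw status verbose` as the check that no `(v6)` entries appear. The Fail2ban paragraph should also name the jails that are enabled (at least whether `sshd` is, given port 22 is open) so a reader can confirm the configuration under `etc/fail2ban` matches what runs on the host.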
Line 102: Line 86:
|TXT  || @              || google-site-verification=<key>
|TXT  || @              || google-site-verification=<key>
|}
|}
== Firewall ==
The simple <code>ufw</code> firewall-frontend is used to trivially limit all network I/O to the ports you can see in the host table above, plus port 22 for ssh and scp.
UFW adds IPv6 rules by default, which can be prevented by using more explicit rules.  Consider the following rule:
  ufw allow 12345/tcp  # will allow TCP connections to port 12345 via IPv4 and IPv6
To limit this to IPv4 you can instead use this:
  ufw allow proto tcp to 0.0.0.0/0 port 12345  # will allow TCP connections to port 12345 via IPv4 only
== Fail2ban ==
We use <code>fail2ban</code> to detect brute force attempts on some services.  The git repository for scripts and config contains the relevant Fail2ban configuration under <code>etc/fail2ban</code>.


== SSH access ==
== SSH access ==
Line 255: Line 255:
Software: InspIRCd
Software: InspIRCd


FeministIRC uses the [http://www.inspircd.org/ InspIRCd] IRC server with the <code>ldapauth</code> module for LDAP authentication.
FeministIRC uses the [http://www.inspircd.org/ InspIRCd] IRC server with the <code>ldapauth</code> module for LDAP authentication.  The client is authenticated via the combination of the NICK and PASS provided upon connection, which must correspond to the FeministWiki credentials.


=== Account operations ===
=== Account operations ===
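Review bot: the added sentence about NICK and PASS should state whether the server accepts that password only over TLS, since the PASS value is the user's FeministWiki credential and IRC sends it in the clear on a plaintext connection; either name the TLS-only port or note that no plaintext IRC port is opened in the firewall. Minor wording point: the IRC protocol requires PASS to be sent before NICK and USER, so "the PASS sent before NICK on connection" reads more accurately than "the combination of the NICK and PASS".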