Technician (talk | contribs) (Mention IPv6 issues and Fail2ban.) |
Technician (talk | contribs) (→IRC) |
(One intermediate revision by the same user not shown) | |||
Line 40: | Line 40: | ||
There are no AAAA entries in the DNS because we only allow IPv4 for incoming connections. This simplifies security auditing. | There are no AAAA entries in the DNS because we only allow IPv4 for incoming connections. This simplifies security auditing. | ||
== Special DNS entries == | == Special DNS entries == | ||
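Review bot: the justification at "There are no AAAA entries in the DNS because we only allow IPv4 for incoming connections" is incomplete: leaving out AAAA records only affects clients that resolve the hostname, not anyone who connects to the host's IPv6 address directly, so the IPv4-only property actually rests on the firewall dropping IPv6 traffic. The sentence should say that the firewall enforces it (the ufw section added below notes that ufw emits IPv6 rules by default unless told otherwise), otherwise "simplifies security auditing" is a claim about DNS that the DNS alone does not deliver.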
Line 102: | Line 86: | ||
|TXT || @ || google-site-verification=<key> | |TXT || @ || google-site-verification=<key> | ||
|} | |} | ||
== Firewall == | |||
The simple <code>ufw</code> firewall-frontend is used to trivially limit all network I/O to the ports you can see in the host table above, plus port 22 for ssh and scp. | |||
UFW adds IPv6 rules by default, which can be prevented by using more explicit rules. Consider the following rule: | |||
ufw allow 12345/tcp # will allow TCP connections to port 12345 via IPv4 and IPv6 | |||
To limit this to IPv4 you can instead use this: | |||
ufw allow proto tcp to 0.0.0.0/0 port 12345 # will allow TCP connections to port 12345 via IPv4 only | |||
== Fail2ban == | |||
We use <code>fail2ban</code> to detect brute force attempts on some services. The git repository for scripts and config contains the relevant Fail2ban configuration under <code>etc/fail2ban</code>. | |||
== SSH access == | == SSH access == | ||
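Review bot: "limit all network I/O to the ports you can see in the host table above" overstates what the rules shown do: ufw's shipped defaults deny incoming and allow outgoing, and the section lists only `allow` rules, so outbound traffic is not limited at all. Either state the default policy explicitly (`ufw default deny incoming` and `ufw default allow outgoing`) or reword to "incoming connections". On the IPv6 point, the per-rule form `ufw allow proto tcp to 0.0.0.0/0 port 12345` works because an IPv4 destination makes ufw skip the ip6tables rule, but it is easy to forget on the next rule; since the stated policy is IPv4-only anyway, setting `IPV6=no` in `/etc/default/ufw` and reloading stops ufw from generating IPv6 rules for every rule, and the comment on the first example ("via IPv4 and IPv6") should note that it holds when that setting is `yes`, which is the default. In the Fail2ban paragraph, "detect brute force attempts" undersells it: fail2ban also bans the offending address, and the text would be more useful if it listed which jails are enabled (sshd at least, given port 22 is open) rather than only pointing at the repository path.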
Line 255: | Line 255: | ||
Software: InspIRCd | Software: InspIRCd | ||
FeministIRC uses the [http://www.inspircd.org/ InspIRCd] IRC server with the <code>ldapauth</code> module for LDAP authentication. | FeministIRC uses the [http://www.inspircd.org/ InspIRCd] IRC server with the <code>ldapauth</code> module for LDAP authentication. The client is authenticated via the combination of the NICK and PASS provided upon connection, which must correspond to the FeministWiki credentials. | ||
=== Account operations === | === Account operations === |
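Review bot: the added sentence "The client is authenticated via the combination of the NICK and PASS provided upon connection, which must correspond to the FeministWiki credentials" should state the transport requirement: IRC PASS travels in the clear on a plaintext connection, so unless the server accepts connections only over TLS (the host table above, not this section, is where the listening ports are recorded), wiki passwords would be exposed to anyone on the path. It should also say plainly that the IRC password is the wiki password, since that means a user's IRC client configuration now stores their wiki credentials and a saved-password leak on the client side is a wiki account compromise.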