Technician (Mention IPv6 issues and Fail2ban.)
Technician (→Hosts)
(4 intermediate revisions by the same user not shown) | |||
Line 30: | Line 30: | ||
|85.214.101.34 || smtp.feministwiki.org || smtp || SMTP || 25, 465, 587 | |85.214.101.34 || smtp.feministwiki.org || smtp || SMTP || 25, 465, 587 | ||
|- | |- | ||
|85.214.101.34 || xmpp.feministwiki.org || xmpp || XMPP || 5222, 5269, | |85.214.101.34 || xmpp.feministwiki.org || xmpp || XMPP || 5222, 5223, 5269, 5270, 5443, 7777 | ||
|- | |- | ||
|85.214.101.34 || irc.feministwiki.org || irc || IRC || 6697 | |85.214.101.34 || irc.feministwiki.org || irc || IRC || 6697 | ||
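Review bot: the two new XMPP ports 5443 and 7777 are not explained anywhere on the page, and since the firewall section defines the allowed set as "the ports you can see in the host table", each port in this row needs a stated purpose. 5223 and 5270 are accounted for by the new _xmpps-client and _xmpps-server SRV records (direct TLS per XEP-0368), but 5443 and 7777 have no matching entry; add a short note in the table or just below it saying which listener is actually bound there (for example an HTTP upload/BOSH endpoint or a SOCKS5 file-transfer proxy, whichever it really is), otherwise a later audit cannot tell whether those two ports are still needed or were opened for an experiment.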
Line 40: | Line 40: | ||
There are no AAAA entries in the DNS because we only allow IPv4 for incoming connections. This simplifies security auditing. | There are no AAAA entries in the DNS because we only allow IPv4 for incoming connections. This simplifies security auditing. | ||
== Special DNS entries == | == Special DNS entries == | ||
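Review bot: "we only allow IPv4 for incoming connections" is only true if the firewall enforces it; having no AAAA records stops clients from discovering the host over IPv6, but it does not stop anyone who already knows an IPv6 address of the box from connecting to it. Since this same revision adds a firewall section saying that ufw generates IPv6 rules by default, this paragraph should state (or cross-reference) that every allow rule is written IPv4-only and that ufw's default incoming policy stays deny for IPv6, so that the no-AAAA statement and the actual ruleset say the same thing.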
Line 93: | Line 77: | ||
|- | |- | ||
|SRV || _xmpp-server || _tcp || @ || xmpp.feministwiki.org || 5269 | |SRV || _xmpp-server || _tcp || @ || xmpp.feministwiki.org || 5269 | ||
|- | |||
|SRV || _xmpps-client || _tcp || @ || xmpp.feministwiki.org || 5223 | |||
|- | |||
|SRV || _xmpps-server || _tcp || @ || xmpp.feministwiki.org || 5270 | |||
|} | |} | ||
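Review bot: the two added _xmpps-* rows are the right XEP-0368 shape, but the table omits priority and weight, and with both the STARTTLS (_xmpp-*) and direct-TLS (_xmpps-*) records published a client treats them as one pool and picks by priority; if direct TLS is meant to be preferred, give the _xmpps-* records the lower (more preferred) priority value and say so here. Also worth a sentence: the certificate presented on 5223/5270 must be valid for the XMPP domain itself (feministwiki.org, the "@" owner of these records), not merely for the SRV target name xmpp.feministwiki.org, because without DNSSEC the SRV target is not a trusted identity.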
Line 102: | Line 90: | ||
|TXT || @ || google-site-verification=<key> | |TXT || @ || google-site-verification=<key> | ||
|} | |} | ||
== Firewall == | |||
The simple <code>ufw</code> firewall-frontend is used to trivially limit all network I/O to the ports you can see in the host table above, plus port 22 for ssh and scp. | |||
UFW adds IPv6 rules by default, which can be prevented by using more explicit rules. Consider the following rule: | |||
ufw allow 12345/tcp # will allow TCP connections to port 12345 via IPv4 and IPv6 | |||
To limit this to IPv4 you can instead use this: | |||
ufw allow proto tcp to 0.0.0.0/0 port 12345 # will allow TCP connections to port 12345 via IPv4 only | |||
== Fail2ban == | |||
We use <code>fail2ban</code> to detect brute force attempts on some services. The git repository for scripts and config contains the relevant Fail2ban configuration under <code>etc/fail2ban</code>. | |||
== SSH access == | == SSH access == | ||
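Review bot: the IPv4-only rule form is correct, but the section should warn against the obvious shortcut of setting IPV6=no in /etc/default/ufw: with that setting ufw stops managing ip6tables altogether, so IPv6 traffic is no longer filtered by ufw at all rather than being blocked, which is the opposite of what "only IPv4 for incoming connections" intends. Keep IPv6 enabled in ufw, write every allow rule with an explicit `to 0.0.0.0/0` as shown, and add the check a maintainer would run: `ufw status verbose` must list no "(v6)" entries, and its default incoming policy must be deny. For the Fail2ban paragraph, "some services" is too vague for a page that is meant to support audits; list the jails that are enabled (sshd at minimum, plus whichever of the SMTP/XMPP/IRC listeners have a filter). Note too that fail2ban's stock banaction inserts its own iptables rules ahead of ufw's, so if ufw is meant to be the single source of truth, set `banaction = ufw` in the jail configuration so bans appear in `ufw status`.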
Line 255: | Line 259: | ||
Software: InspIRCd | Software: InspIRCd | ||
FeministIRC uses the [http://www.inspircd.org/ InspIRCd] IRC server with the <code>ldapauth</code> module for LDAP authentication. | FeministIRC uses the [http://www.inspircd.org/ InspIRCd] IRC server with the <code>ldapauth</code> module for LDAP authentication. The client is authenticated via the combination of the NICK and PASS provided upon connection, which must correspond to the FeministWiki credentials. | ||
=== Account operations === | === Account operations === |
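Review bot: the added sentence should say how the password is protected in transit and what the module does with it: PASS travels in the clear inside the IRC connection, so the only acceptable listener is the TLS port 6697 from the host table (no plaintext 6667), and ldapauth then binds to the LDAP server with the NICK/PASS pair, so that bind should likewise go over TLS or a local socket rather than plain LDAP across the network. It would also help to document the failure mode, namely that a client connecting without PASS, or with a NICK that is not a FeministWiki username, is rejected at registration rather than falling through to an unauthenticated session, if that is how the module is configured here.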