FeministWiki:Technical documentation: Difference between revisions

Mention IPv6 issues and Fail2ban.
(Mention IPv6 issues and Fail2ban.)
Line 38: Line 38:


As you can see, all services are on the same server for now.  However, it should be kept as an open possibility that the hosts are split across different IPs.  When done so, the <code>ldap</code> host should listen on 636 for LDAPS connections.
As you can see, all services are on the same server for now.  However, it should be kept as an open possibility that the hosts are split across different IPs.  When done so, the <code>ldap</code> host should listen on 636 for LDAPS connections.
There are no AAAA entries in the DNS because we only allow IPv4 for incoming connections.  This simplifies security auditing.


== Firewall ==
== Firewall ==


The simple <code>ufw</code> firewall-frontend is used to trivially limit all network I/O to the ports you can see in the host table above, plus port 22 for ssh and scp.
The simple <code>ufw</code> firewall-frontend is used to trivially limit all network I/O to the ports you can see in the host table above, plus port 22 for ssh and scp.
UFW adds IPv6 rules by default, which can be prevented by using more explicit rules.  Consider the following rule:
  ufw allow 12345/tcp  # will allow TCP connections to port 12345 via IPv4 and IPv6
To limit this to IPv4 you can instead use this:
  ufw allow proto tcp to 0.0.0.0/0 port 12345  # will allow TCP connections to port 12345 via IPv4 only
== Fail2ban ==
We use <code>fail2ban</code> to detect brute force attempts on some services.  The git repository for scripts and config contains the relevant Fail2ban configuration under <code>etc/fail2ban</code>.


== Special DNS entries ==
== Special DNS entries ==