XMPP Service Operators - 2021-01-27

sudo package update in Debian, Ubuntu and CentOS at the same time. FYI

yeah, unauthenticated local root exploit ✏

edhelas: > I have this theory that if we continue to block the dumb bots and scripts that are creating fake accounts on our servers, after a while they will have to make accounts that are more and more realistic until a point where we're not able anymore to differentiate from a real one. If they also send messages that could not be differentiated from a real conversation (instead of spam), it would be for good ;-) At least there will always be some pattern to fight spam after account creation like same messages / lots of messages to contacts not in roster / or rely on spam reports.

Hi, does anyone uses lxqt vor servers?

I don’t run GUIs on servers.

I on devuan and it uses xfce as standard but I thought about a more lightweight environment..

GUIs are waaaaay too much attack surface

yes sure

and ssh?

hm?

and sudo

:D

> https://upload.esaanchez.net/716b9766f49b549c3916d680ca95e63cbc4e715d/MLDhdja7abyhepCVkqbAa7LGX9Rd1ZwbWL2gAdNB/Xg_3o5MPRdql5py6YwnhYg.jpg > and the winner of the contest for the longest http upload URL iiiiiiiisss .... tom! thats standard ejabberd url format, isn't it? 😀

yeah, thinking about that it’s probably safer, trusted-computing-base-wise, to log in as root with key authentication than as normal user with sudo :) ✏

normaly I didn't use any desktop environment on my main server and also no ssh

x'D

But when sudo became a thing we were told the opposite, root accessible over ssh is terrible!

Also you often want to give multiple people root access on a server anyway, and then giving them a normal user account makes auditing and access control simpler

Compared to dropping a bunch of keys in ~root's .ssh

MattJ, ssh CAs?

MattJ, agreed

mathieui, revoking the signatures is no fun

So I was told

still the best is no ssh and no desktop environment I guess, hehe.

arne, what would one use instead? telnet ;D

arne, if you can afford it, sure

I guess you can use hashicorp vault to manage ssh certs, though, jonas’

not sure if it helps with revoking otoh

na I'm selfhosting so I can just use a monitor :D

ah, hosting at home doesn’t work well with the high availability I want to achieve :)

mh, didn't you see my project jonas' ?

my little data center is nearly autarkic with backup connection

if you can do it, a dedicated network interface on a separate (private) network for ssh is probably the best you can achieve

yes this would be possible mathieui

arne: > mh, didn't you see my project jonas' ? Link?

https://monocles.de/more/

but still not finished, waiting for some recycled batteries

Hi

Any one try to build xmpp server at his home ?

https://jabber.hot-chilli.net/jabberupload/share_v2.php/f177caf4-d444-4dec-8812-6834a31fbcf7/RECORDING_20210127_233231923.m4a

sure, easy to do. just set up a dynDNS and run it on a cheap SBC ✏

Yep, very doable.

Has anyone installed Salut à Toi core using something like Ansible?

I run ejabberd on a thinkpad x230 in my living room

works great

What you mean run it in cheap SBC ?

I try to run xmpp server from android app in playstore but i cant know how to run

I will post link for that app

https://play.google.com/store/apps/details?id=com.icecoldapps.serversultimatepro

https://jabber.hot-chilli.net/jabberupload/share_v2.php/f5d15772-9c88-4606-b30d-3410cf7160e6/aBOOWXPvRFCsscMDdsa6zA.jpg

But i cant make it success to run server in local lan or wan

mwk: sooo... you wanna run it on a phone, or you have a googlified android installed on an sbc such as raspberry pi?

On my phone

Brows the app in playstore and read details about it

I put playstore link for it

mwk: software probably violating open source licenses. Then, all-in one soft is probably the worst thing to have... Security holes, ...

That's... unusual, but with power plugged, I guess it can work out

Make sure android doesn't kill the server every once in a while

I success ftp server and make dynamic dns and success login to my phone server from different city

But i cant make xmpp server

https://jabber.hot-chilli.net/jabberupload/share_v2.php/45f67894-f38c-4670-8bc7-e5be1efa798c/qzGT8h-bTgmbPDtus3onMQ.jpg

https://jabber.hot-chilli.net/jabberupload/share_v2.php/4d66295d-75cb-44d9-99fb-664e96e5ef81/_RuO-HzMTz2uOjUmoPx35A.jpg

In server name what should i put ? Any thing like test .

?

And in domain name put my home external ip adress ?

https://jabber.hot-chilli.net/jabberupload/share_v2.php/fee73464-6f05-4a96-b5b1-898f493b09aa/EWt5mYvqR1O0N0jIg7nX1Q.jpg

In user what should add ? The same server name like test

mwk: This is a commercial app, please contact related support.

mwk: You should consult the app's documentation or seek support from the developers.

How to login ? Like test@ipadress

Is there recommended xmpp server for raspberry pi ?

I don't think anyone here has experience with it, and tgere's certainly no psychics here to guess what 'server name' means :)

Ok , no problem , any experience with setup pi as a server

> Is there recommended xmpp server for raspberry pi ? ejabberd and prosody come to mind first ✏

And login to that server from here , from conversation app

Login on local lan and from outside to pi

> any experience with setup pi as a server Just general linux stuff, nothing specific for the pi, except if you expect a lot of users, maybe put the databases on an external drive, not the microsd. And maybe logs too.

Is there ready to use tool in github xmpp server ?

Here's one good guide https://www.process-one.net/blog/how-to-move-the-office-to-real-time-im-on-ejabberd/

> Login on local lan ...may require you to specify connection address manually in your client (Conversations does support that). But it's probably better to just let the router do its job: to route packets locally

Disclaimer: I have no first-hand experience with xmpp servers, others here would be able to help much more

And from external connection ? Does i need to call ISP to open port 5222 for external ? Or no need for that ?

Yes, you need 5222 open for client connections from outside

And 5223 (was it?) for server-to-server connections. Unless you don't want to federate

5443 for http file uploads & downloads ✏

I call isp to open all ports , but when i test it it open ports 21 , 22 , 80 , 8080 just !

> And 5223 (was it?) for server-to-server connections. Sorry, that's wrong. The guide I linked has it all anyway, just read it :)