XMPP Service Operators - 2021-01-27

sudo package update in Debian, Ubuntu and CentOS at the same time. FYI

yeah, unauthenticated local root exploit ✏

edhelas: > I have this theory that if we continue to block the dumb bots and scripts that are creating fake accounts on our servers, after a while they will have to make accounts that are more and more realistic until a point where we're not able anymore to differentiate from a real one. If they also send messages that could not be differentiated from a real conversation (instead of spam), it would be for good ;-) At least there will always be some pattern to fight spam after account creation like same messages / lots of messages to contacts not in roster / or rely on spam reports.

Hi, does anyone uses lxqt vor servers?

I don’t run GUIs on servers.

I on devuan and it uses xfce as standard but I thought about a more lightweight environment..

GUIs are waaaaay too much attack surface

yes sure

and ssh?

hm?

and sudo

:D

> https://upload.esaanchez.net/716b9766f49b549c3916d680ca95e63cbc4e715d/MLDhdja7abyhepCVkqbAa7LGX9Rd1ZwbWL2gAdNB/Xg_3o5MPRdql5py6YwnhYg.jpg > and the winner of the contest for the longest http upload URL iiiiiiiisss .... tom! thats standard ejabberd url format, isn't it? 😀

yeah, thinking about that it’s probably safer, trusted-computing-base-wise, to log in as root with key authentication than as normal user with sudo :) ✏

normaly I didn't use any desktop environment on my main server and also no ssh

x'D

But when sudo became a thing we were told the opposite, root accessible over ssh is terrible!

Also you often want to give multiple people root access on a server anyway, and then giving them a normal user account makes auditing and access control simpler

Compared to dropping a bunch of keys in ~root's .ssh

MattJ, ssh CAs?

MattJ, agreed

mathieui, revoking the signatures is no fun

So I was told

still the best is no ssh and no desktop environment I guess, hehe.

arne, what would one use instead? telnet ;D

arne, if you can afford it, sure

I guess you can use hashicorp vault to manage ssh certs, though, jonas’

not sure if it helps with revoking otoh

na I'm selfhosting so I can just use a monitor :D

ah, hosting at home doesn’t work well with the high availability I want to achieve :)

mh, didn't you see my project jonas' ?

my little data center is nearly autarkic with backup connection

if you can do it, a dedicated network interface on a separate (private) network for ssh is probably the best you can achieve

yes this would be possible mathieui

arne: > mh, didn't you see my project jonas' ? Link?

https://monocles.de/more/

but still not finished, waiting for some recycled batteries

Hi

Any one try to build xmpp server at his home ?

https://jabber.hot-chilli.net/jabberupload/share_v2.php/f177caf4-d444-4dec-8812-6834a31fbcf7/RECORDING_20210127_233231923.m4a

sure, easy to do. just set up a dynDNS and run it on a cheap SBC ✏

Yep, very doable.

Has anyone installed Salut à Toi core using something like Ansible?

I run ejabberd on a thinkpad x230 in my living room

works great

What you mean run it in cheap SBC ?

I try to run xmpp server from android app in playstore but i cant know how to run

I will post link for that app

https://play.google.com/store/apps/details?id=com.icecoldapps.serversultimatepro

https://jabber.hot-chilli.net/jabberupload/share_v2.php/f5d15772-9c88-4606-b30d-3410cf7160e6/aBOOWXPvRFCsscMDdsa6zA.jpg

But i cant make it success to run server in local lan or wan

mwk: sooo... you wanna run it on a phone, or you have a googlified android installed on an sbc such as raspberry pi?

On my phone

Brows the app in playstore and read details about it

I put playstore link for it

mwk: software probably violating open source licenses. Then, all-in one soft is probably the worst thing to have... Security holes, ...

That's... unusual, but with power plugged, I guess it can work out

Make sure android doesn't kill the server every once in a while

I success ftp server and make dynamic dns and success login to my phone server from different city

But i cant make xmpp server

https://jabber.hot-chilli.net/jabberupload/share_v2.php/45f67894-f38c-4670-8bc7-e5be1efa798c/qzGT8h-bTgmbPDtus3onMQ.jpg

https://jabber.hot-chilli.net/jabberupload/share_v2.php/4d66295d-75cb-44d9-99fb-664e96e5ef81/_RuO-HzMTz2uOjUmoPx35A.jpg

In server name what should i put ? Any thing like test .

?

And in domain name put my home external ip adress ?

https://jabber.hot-chilli.net/jabberupload/share_v2.php/fee73464-6f05-4a96-b5b1-898f493b09aa/EWt5mYvqR1O0N0jIg7nX1Q.jpg

In user what should add ? The same server name like test

mwk: This is a commercial app, please contact related support.

mwk: You should consult the app's documentation or seek support from the developers.

How to login ? Like test@ipadress

Is there recommended xmpp server for raspberry pi ?

I don't think anyone here has experience with it, and tgere's certainly no psychics here to guess what 'server name' means :)

Ok , no problem , any experience with setup pi as a server

> Is there recommended xmpp server for raspberry pi ? ejabberd and prosody come to mind first ✏

And login to that server from here , from conversation app

Login on local lan and from outside to pi

> any experience with setup pi as a server Just general linux stuff, nothing specific for the pi, except if you expect a lot of users, maybe put the databases on an external drive, not the microsd. And maybe logs too.

Is there ready to use tool in github xmpp server ?

Here's one good guide https://www.process-one.net/blog/how-to-move-the-office-to-real-time-im-on-ejabberd/

> Login on local lan ...may require you to specify connection address manually in your client (Conversations does support that). But it's probably better to just let the router do its job: to route packets locally

Disclaimer: I have no first-hand experience with xmpp servers, others here would be able to help much more

And from external connection ? Does i need to call ISP to open port 5222 for external ? Or no need for that ?

Yes, you need 5222 open for client connections from outside

And 5223 (was it?) for server-to-server connections. Unless you don't want to federate

5443 for http file uploads & downloads ✏

I call isp to open all ports , but when i test it it open ports 21 , 22 , 80 , 8080 just !

> And 5223 (was it?) for server-to-server connections. Sorry, that's wrong. The guide I linked has it all anyway, just read it :)

Bad provider!

They may have some kind of user-configurable firewall that would allow you to upen all ports

If i make port forwarding in my router to 5222 to fix lan ip adress that run server , is that work ?

Or they may not

The port 5222 for my ip when i try external port test , i see it closed

Or if i make DMZ in my adsl router to server ip , does that work ?

Xmpp client connection can work on any port, actually, provided you can setup SRV records for your domain

> Or if i make DMZ in my adsl router to server ip , does that work ? Not sure I understand. Can you rephrase?

What you mean i can setup SRV record for my ip

?

Yes, you can specify connection ports in SRV records

So you can actually use any available ports

I dont know what you mean by srv record

> Xmpp ~client~ connection can work on any port Corrected ↑

Ya

Start here: https://en.m.wikipedia.org/wiki/SRV :) ✏

Then see if your dns server provider allows you to add these

If you setup server in your home , you need to make 1 user admin and password for that server like john , and how to connect from conversation app ? Like john@externalipofmyhome.

Pretty much

> Then see if your dns server provider allows you to add these I will read them ... Thanks 😊

Don't know about ejabberd but with prosody reading the manual helps and gives better understanding then a quick start guide.. And all you don't understand --> search engine.

> Don't know about ejabberd but with prosody reading the manual helps and gives better understanding then a quick start guide.. And all you don't understand --> search engine. Thanks 😊 i will

> Start here: https://en.m.wikipedia.org/wiki/SRV :) So i need to call my local ISP and request from them SRV RECORD to my ip adress ?

Thats should i need to do ?

You said you have dynamic dns setup, that means you already have an A or AAAA record with your IP address, so check with them if they allow adding SRV records

If your dns provider is your ISP, then yes, ask them

Ask them i need SRV Record ?

Yep

They know it

They add that service from there system to my ip ?

My dynamic dns on no-ip

Usually they'd give you web interface for doing that

Without srv records and without the standard server-to-server connection port number, I think you'd be unable to receive messages from other servers. But at least clients should be able to connect, by specifying the non-standard port number

Ya

> Usually they'd give you web interface for doing that Can add srv in no-ip website that i added in ddns

Good

Next, read up on the necessary xmpp srv records somewhere in the interwebs :)

If i dont need to communicate with other servers . So no need for srv record? If just me and my family connect to my host server dynamic dns ,.from lan or from outside 3g or 4g phone , so in this case , no need srv ?