XMPP Service Operators - 2022-02-06


  1. Maranda

    Menel: I think it's this

  2. Maranda

    presence_broadcast: [moderator | participant | visitor, ...] List of roles for which presence is broadcasted. The list can contain one or several of: moderator, participant, visitor. The default value is shown in the example below: Example: presence_broadcast: - moderator - participant - visitor

  3. Maranda

    https://docs.ejabberd.im/admin/configuration/modules/#mod-muc

  4. Maranda

    Tbh the room is half borked like that and will cause Bifrost issues

  5. Maranda

    (They already prohibit IQs to occupants)

  6. Maranda

    (They already prohibit IQs to occupants)

  7. Maranda

    So... As long as they're aware 🤷

  8. Menel

    Well. They fixed the presence sometime today in the morning / last night. It's as it was now. I didn't realize it was a config option.

  9. Licaon_Kter

    > all ~300,000 XMPP servers found on Shodan yay https://bishopfox.com/blog/xmpp-underappreciated-attack-surface nay 🙁 Stay safe... fix stuff!

  10. mjk

    the whole "vulnerability" is "oops we forgot to disable IBR on our private instance" 🙄

  11. Licaon_Kter

    yes, also some anon logins

  12. moparisthebest

    Signal/Slack/Teams: can't run your own infrastructure poorly if you can't run your own infrastructure 🤔

  13. Menel

    Without knowing how many of the scanned servers have anon and open registration because it's intended, any conclusion there (in the last sentence) is worthless IMHO

  14. Menel

    (Not a bug, but a feature)

  15. moparisthebest

    I like the # of servers though, that's huge

  16. mjk

    Hmmmnope, still dead

  17. moparisthebest

    Hmm it'd be pretty easy to write a script to harvest all publicly federated XMPP servers but is that a good idea or not :/

  18. moparisthebest

    Monitor cert renewals since they are all public, check each domain for XMPP service

  19. mjk

    Since many of those don't federate _intentionally_ it would be pretty bad for those

  20. moparisthebest

    You'd have most XMPP serving domains within 60 days and all of them within a year

  21. moparisthebest

    Oh and I shouldn't have said federated, they still may not federate, but rather "on the internet with trusted TLS cert"

  22. mjk

    Yea, I mean many are probably on the internet by virtue of misconfiguration :shrug:

  23. mjk

    Probably not nice to list indiscriminately

  24. moparisthebest

    It's already public though?

  25. mjk

    Mmhyeah

  26. mjk

    A script registering on every public IBR-supporting server to say "I'm in ur server, versioning ur rosterz" to everyone in the default roster might be funny, useful and kinda ethical

  27. moparisthebest

    No that's not what I'm saying

  28. mjk

    Nah, my thought just wandered

  29. mjk

    I see your point, I'm just not sure all server operators would be okay with what practically is scraping. S.j.n. requires operators' consent for a reason

  30. mjk

    Xmpp really needs robots.txt equivalent :)

  31. moparisthebest

    They might not be happy, but they probably don't realize that info is already just there for bad actors

  32. Licaon_Kter

    Why X on 198 and 352 and 411 though? https://compliance.conversations.im/server/jabberfr.org/

  33. Menel

    Well, the 411 might be because of the new module that obsoletes that. It's the compliance tester that's outdated there. But for mobile devices 198 and 352 are nice...

  34. Maranda

    I wanted to add Bifrost on disco on lightwitch.org, but that'll cause it to lower the score... Apparently if you advertise multiple MUC services it wants all of 'em to be supporting MAM.

  35. Maranda

    (although it also advertises the gateway category so it could be a bit more assertive, if it's not the only MUC service there)

  36. Menel

    it just wants you to get mam support to the bridge ;)

  37. Maranda shows a long TODO list to Menel before that's going to even be taken into consideration.

  38. Maranda

    .. and finally if they would stop the annoying DDoSes, that would help with not wasting time on tweaking infrastructure configuration, role placement and applying mitigations and leave more to actually code.

  39. Maranda

    .. and finally if they would stop the annoying DDoSes, that would help with not wasting time on tweaking infrastructure configuration, role placement and applying mitigations and leave more to actually code.

  40. Menel

    XMPP DDoS or Matrix? Is there a post somewhere, does anybody know who and why?

  41. Maranda

    Matrix mostly

  42. Maranda

    Some more chipping over XMPP, but nothing of note. And initially it was trolls from stopdronebl.org, now it's just trolls following the tail period.

  43. Menel

    I didn't know people would do it without an agenda

  44. rozzin

    mjk: > the whole "vulnerability" is "oops we forgot to disable IBR on our private instance" 🙄 Well, they also mention other stuff like user-search, and mismatched user-expectations about MUC default settings?

  45. mjk

    rozzin: those seem like deliberate things for an internal company server that go horribly wrong once registration is free for all

  46. rozzin

    mjk: yeah, or if you just make them available to external users with no local registration required. So you can mess those up without having IBR or anonymous login.

  47. rozzin

    They didn't really show all of the angles very clearly....

  48. mjk

    ah, it seemed they were talking in a context of non-federating services, so I didn't consider external users, yes