XMPP Service Operators - 2022-05-01


  1. ij

    FYI: hookipa.net/xmpp.social will shut down for maintenance (relocation to a new server)

  2. аноним

    Hello

  3. аноним

    We hello

  4. Menel

    Hi

  5. smooth_operator

    hello. basic xmpp question:

  6. smooth_operator

    if a user joins a muc on a brand new server, and then leaves the muc, does the s2s connection stay open?

  7. Link Mauve

    smooth_operator, it depends™.

  8. Link Mauve

    Some servers (Ejabberd for instance) like to close s2s connections when no stanza has been exchanged in some time, some other (Prosody for instance) don’t.

  9. Link Mauve

    The trade-offs are that it takes a few seconds to open a connection, so the next message you send might get delayed a bit if the connection got closed.

  10. smooth_operator

    makes sense. so in the case of prosody, surely there is an eventual timeout?

  11. Link Mauve

    On the other hand, it takes a few KiB of memory to have an open connection, so for resource reasons it might be preferable to close the connections on servers starved for RAM.

  12. Link Mauve

    Not that I know of, the s2s connection gets closed only when the other end closes it, or when the server gets restarted.

  13. smooth_operator

    hmmm

  14. Menel

    Or ip change, TCP time out

  15. Link Mauve

    I have never found this problematic, but if you have very little RAM and a lot of idle s2s you might want to change that.

  16. smooth_operator

    so the scenario i have is, if a user on my muc joins all these random mucs just to browse, but then leaves them all, all of those connections stay open indefinitely

  17. Link Mauve

    There is mod_s2s_idle_timeout in prosody-modules to do that.

  18. smooth_operator

    oh cool, perfect

  19. Link Mauve

    smooth_operator, is that an issue though?

  20. Link Mauve

    As I said, it only takes a few KiB of memory to keep a TCP + TLS connection open.

  21. smooth_operator

    not really, I'm just micromanaging since I'm new to xmpp

  22. Link Mauve

    And as Menel said, you will get timeouts for other reasons anyway.

  23. Link Mauve

    smooth_operator, note that it has nothing to do with MUC, the s2s doesn’t care what gets transmitted over it.

  24. smooth_operator

    yeah that makes sense

  25. Link Mauve

    smooth_operator, and be aware of the time it takes to reestablish a connection, especially if you have a weak CPU, especially if the other end uses a large certificate (4096 bits RSA for instance).

  26. Menel

    If you are less new, in time, you'll notice the defaults are there for a reason and most micromanagement not useful.

  27. Link Mauve

    Yup. ^^

  28. smooth_operator

    yeah i bet. i just like knowing what traffic my server is doing, is all

  29. Link Mauve

    By definition, an idle connection will have almost no traffic.

  30. smooth_operator

    yeah I'm not concerned about amount of traffic. just the various connections my server holds open and if they are solicited or not

  31. Link Mauve

    All connections are solicited. :D

  32. Link Mauve

    No server goes “nothing asked me to, but I’ll open a connection anyway!” :D

  33. smooth_operator

    lol i mean like all the internet scanners scanning for 5269, i wanna know if that connection is because a user is doing something with the server or not, i guess

  34. Link Mauve

    Those probably close it right after they’ve done their scanning.

  35. Link Mauve

    It would be too expensive on their end not to.

  36. smooth_operator

    well that's only stage 1 :)

  37. smooth_operator

    stage 2 is fingerprinting

  38. smooth_operator

    stage 3 is hacking

  39. Link Mauve

    I’ve only ever seen DoS over unauthenticated streams, never hacking.

  40. Link Mauve

    Doesn’t mean it doesn’t happen, but I am not aware of any case in the past fifteen years I’ve been following XMPP stuff.

  41. smooth_operator

    okay, so another xmpp noob question: is there actually authentication over s2s aside from cert validation?

  42. Link Mauve

    If the certificate is valid, that is authentication.

  43. Link Mauve

    Presenting a valid certificate for a domain is kind of a proof that you do own said domain.

  44. Link Mauve

    There are other ways to prove it, but that’s the current most accepted one.

  45. smooth_operator

    yeah that's what i was thinking. all they need is a domain and cert which isn't hard to get

  46. smooth_operator

    so maybe a more useful question is, are there any good guides for hardening our servers?

  47. smooth_operator

    or at least best practices

  48. Link Mauve

    What do you want to harden it against?

  49. Link Mauve

    As Menel said earlier, “in time, you'll notice the defaults are there for a reason”. :)

  50. smooth_operator

    minimizing attack surface

  51. Menel

    smooth_operator: best practice is use the software.. I'm not aware of any xmpp "hack" beside DoS. The attack surface is with the default very small as far as I see. There are endless servers out there.. But has any been hacked via xmpp?

  52. Menel

    Ever?

  53. Link Mauve

    Probably, don’t load random community modules that haven’t been vetted by the devs of your server or reviewed by you, would be the best answer I could give you.

  54. smooth_operator

    Menel: I don't know of xmpp server hacking either, but that doesn't mean it doesn't happen. and if it's normal for the server to hold open tons of idle connections, how would operators know whether those are malicious or not

  55. smooth_operator

    and i'm just being theoretical here. anytime i expose something to the internet i just like knowing what i'm exposing

  56. smooth_operator

    so things like bosh, websocket, proxy65: i have no idea what those are for so i just disable them

  57. Licaon_Kter

    smooth_operator: > so things like bosh, websocket, proxy65: i have no idea what those are for so i just disable them
    you can read...

  58. Licaon_Kter

    Web client old standard, new standard, file transfer helper, etc

  59. smooth_operator

    well yeah i can look them all up and spend hours reading xeps, but the argument was about not messing with defaults. now that i think about it, it's impossible for me to _not_ mess with defaults lol. character flaw. so never mind my rambling :)

  60. Menel

    Well, if you are like that you'll _have_ to read about it or never sleep well 😀

  61. Menel

    I just don't think it's a big difference if your s2s closes connections or not. If the open connection is used by a malicious actor.. They will just hold it open. And a timeout will not help with security

  62. Menel

    As you already discovered a server will happily listen to a valid connection

  63. smooth_operator

    yeah, you're right

  64. Licaon_Kter

    smooth_operator: either accept defaults or read, and you'll read anyway when stuff is not working lol

  65. smooth_operator

    yeah. i'm just looking for the easy button first ;)

  66. Licaon_Kter

    Make default working, then read and prune what's not wanted.

  67. Licaon_Kter

    No need for s2s or proxy65 at start, no one would use them when you start, since no one knows your server yet.

  68. Menel

    Before reading xeps, I would start with the prosody doc from the top, and then all the modules you use.. Xeps are a bit abstract..

  69. ij

    hookipa.net/xmpp.social is online again (since a few hours)