-
ij
FYI: hookipa.net/xmpp.social will shut down for maintenance (relocation to a new server)
-
аноним
Hello
-
аноним
We hello
-
Menel
Hi
-
smooth_operator
hello. basic xmpp question:
-
smooth_operator
if a user joins a muc on a brand new server, and then leaves the muc, does the s2s connection stay open?
-
Link Mauve
smooth_operator, it depends™.
-
Link Mauve
Some servers (Ejabberd for instance) like to close s2s connections when no stanza has been exchanged in some time, some other (Prosody for instance) don’t.
-
Link Mauve
The trade-offs are that it takes a few seconds to open a connection, so the next message you send might get delayed a bit if the connection got closed.
-
smooth_operator
makes sense. so in the case of prosody, surely there is an eventual timeout?
-
Link Mauve
On the other hand, it takes a few KiB of memory to have an open connection, so for resource reasons it might be preferable to close the connections on servers starved for RAM.
-
Link Mauve
Not that I know of, the s2s connection gets closed only when the other end closes it, or when the server gets restarted.
-
smooth_operator
hmmm
-
Menel
Or ip change, TCP time out
-
Link Mauve
I have never found this problematic, but if you have very little RAM and a lot of idle s2s you might want to change that.
-
smooth_operator
so the scenario i have is, if a user on my muc joins all these random mucs just to browse, but then leaves them all, all of those connections stay open indefinitely
-
Link Mauve
There is mod_s2s_idle_timeout in prosody-modules to do that.
-
smooth_operator
oh cool, perfect
-
Link Mauve
smooth_operator, is that an issue though?
-
Link Mauve
As I said, it only takes a few KiB of memory to keep a TCP + TLS connection open.
-
smooth_operator
not really, im just micromanaging since im new to xmpp
-
Link Mauve
And as Menel said, you will get timeouts for other reasons anyway.
-
Link Mauve
smooth_operator, note that it has nothing to do with MUC, the s2s doesn’t care what gets transmitted over it.
-
smooth_operator
yeah that makes sense
-
Link Mauve
smooth_operator, and be aware of the time it takes to reestablish a connection, especially if you have a weak CPU, especially if the other end uses a large certificate (4096 bits RSA for instance).
-
Menel
If you are less new, in time, you'll notice the defaults are there for a reason and most micromanagement not useful.
-
Link Mauve
Yup. ^^
-
smooth_operator
yeah i bet. i just like knowing what traffic my server is doing, is all
-
Link Mauve
By definition, an idle connection will have almost no traffic.
-
smooth_operator
yeah im not concerned about amount of traffic. just the various connections my server holds open and if they are solicited or not
-
Link Mauve
All connections are solicited. :D
-
Link Mauve
No server goes “nothing asked me to, but I’ll open a connection anyway!” :D
-
smooth_operator
lol i mean like all the internet scanners scanning for 5269, i wanna know if that connection is because a user is doing something with the server or not, i guess
-
Link Mauve
Those probably close it right after they’ve done their scanning.
-
Link Mauve
It would be too expensive on their end not to.
-
smooth_operator
well that's only stage 1 :)
-
smooth_operator
stage 2 is fingerprinting
-
smooth_operator
stage 3 is hacking
-
Link Mauve
I’ve only ever seen DoS over unauthenticated streams, never hacking.
-
Link Mauve
Doesn’t mean it doesn’t happen, but I am not aware of any case in the past fifteen years I’ve been following XMPP stuff.
-
smooth_operator
okay, so another xmpp noob question: is there actually authentication over s2s aside from cert validation?
-
Link Mauve
If the certificate is valid, that is authentication.
-
Link Mauve
Presenting a valid certificate for a domain is kind of a proof that you do own said domain.
-
Link Mauve
There are other ways to prove it, but that’s the current most accepted one.
-
smooth_operator
yeah that's what i was thinking. all they need is a domain and cert which isn't hard to get
-
smooth_operator
so maybe a more useful question is, are there any good guides for hardening our servers?
-
smooth_operator
or at least best practices
-
Link Mauve
What do you want to harden it against?
-
Link Mauve
As Menel said earlier, “in time, you'll notice the defaults are there for a reason”. :)
-
smooth_operator
minimizing attack surface
-
Menel
smooth_operator: best practice is use the software.. I'm not aware of any xmpp "hack" beside DOS. The attack surface is with the default very small as far as I see. There are endless servers out there.. But has any been hacked via xmpp?
-
Menel
Ever?
-
Link Mauve
Probably, don’t load random community modules that haven’t been vetted by the devs of your server or reviewed by you, would be the best answer I could give you.
-
smooth_operator
Menel: i don't know of xmpp server hacking either, but that doesn't mean it doesn't happen. and if it's normal for the server to hold open tons of idle connections, how would operators know those aren't malicious or not
-
smooth_operator
and i'm just being theoretical here. anytime i expose something to the internet i just like knowing what i'm exposing
-
smooth_operator
so things like bosh, websocket, proxy65: i have no idea what those are for so i just disable them
-
Licaon_Kter
smooth_operator: > so things like bosh, websocket, proxy65: i have no idea what those are for so i just disable them you can read...
-
Licaon_Kter
Web client old standard, new standard, file transfer helper, etc
-
smooth_operator
well yeah i can look them all up and spend hours reading xeps, but the argument was about not messing with defaults. now that i think about it, it's impossible for me to _not_ mess with defaults lol. character flaw. so never mind my rambling :)
-
Menel
Well, if you are like that you'll _have_ to read about it or never sleep well 😀
-
Menel
I just don't think it's a big difference if your s2s closes connections or not. If the open connection is used by a malicious actor.. They will just hold it open. And a timeout will not help with security
-
Menel
As you already discovered a server will happily listen to a valid connection
-
smooth_operator
yeah, you're right
-
Licaon_Kter
smooth_operator: either accept defaults or read, and you'll read anyway when stuff is not working lol
-
smooth_operator
yeah. i'm just looking for the easy button first ;)
-
Licaon_Kter
Make default working, then read and prune what's not wanted.
-
Licaon_Kter
No need for s2s or proxy65 at start, no one would use them when you start, since no one knows your server yet.
-
Menel
Before reading xeps, I would start with the prosody doc from the top, and then all the modules you use.. Xeps are a bit abstract..
-
ij
hookipa.net/xmpp.social is online again (since a few hours)