XMPP Service Operators - 2024-03-30


  1. TheCoffeMaker

    didn't have time to read, which services does this affect?

  2. moparisthebest

    TheCoffeMaker: ssh is the main one but if you are on a rpm or Deb distro with these versions you are running a backdoor

  3. TheCoffeMaker

    shit

  4. amarachi

    https://github.com/libarchive/libarchive/pull/1609

  5. Polarian

    > looks like arch is *probably* ok/unaffected https://www.openwall.com/lists/oss-security/2024/03/29/11 For once running Arch Linux on server came in handy

  6. Polarian

    not because it was better, but because nobody is stupid enough to run rolling release on servers

  7. Polarian

    (well most people)

  8. amarachi

    Something to note, even if us end users weren't impacted directly, a significant amount of distro packagers and maintainers do run the unstable & impacted versions.

  9. Polarian

    > Something to note, even if us end users weren't impacted directly, a significant amount of distro packagers and maintainers do run the unstable & impacted versions. they are worse to compromise though...

  10. Polarian

    get a packager's key and you can destroy the distribution

  11. deimosBSD

    fwiw, my free/open/net bsd servers are not affected

  12. deimosBSD

    not just mine, pretty much any of them

  13. rewtkid

    amarachi: you would need something vulnerable exposed to the internet for it to do any harm. not like they were building some kind of botnet.

  14. amarachi

    rewtkid: the full scope of the payload is still unclear, so we can't assume that

  15. rewtkid

    it doesn't automatically compromise you, but if you had something like SSH on your machine exposed to the internet, it could be an issue

  16. amarachi

    And this person/group has made many suspicious changes to dozens of other projects as well

  17. rewtkid

    yep

  18. Polarian

    > fwiw, my free/open/net bsd servers are not affected BSD ftw

  19. rewtkid

    nuegia.net: one of your moderators in your chat is abusing perms because i cracked a joke at him (not even an offensive one), think it's JSJ and his friends singling me out again, when you have time could you please look into it? i've been in your chat for years with no issues, can tell you my old names, not a troublemaker.

  20. ernst.on.tour

    Maybe some of us should have a look about their servers https://www.openwall.com/lists/oss-security/2024/03/29/4

  21. MattJ

    Sure, see the discussion here yesterday 🙂

  22. ernst.on.tour

    Okay, sorry to disturb 😉

  23. mathieui

    I also sent an email to operators@ in the off chance someone affected has not been reading the news but still reads their email

  24. roughnecks

    > I also sent an email to operators@ in the off chance someone affected has not been reading the news but still reads their email is that a mailing list or something?

  25. roughnecks

    ah, it's in the topic

  26. Polarian

    >> I also sent an email to operators@ in the off chance someone affected has not been reading the news but still reads their email > is that a mailing list or something? yes

  27. amarachi

    Should port knockers make a comeback?

  28. Licaon_Kter

    That's like a Shodan update away lol

  29. spyro

    Worlio.com is entirely down for the moment and it is unknown when it'll come back up. I'm facing issues with the hosting provider that'll hopefully be resolved soon.

  30. Licaon_Kter

    '(

  31. Licaon_Kter

    ;(

  32. nuegia.net

    Consider hosting it yourself

  33. spyro

    Yes, I'm sure my users would love using the slowest XMPP server around.

  34. nuegia.net

    Xmpp daemons do not require much and server grade hardware isn't unobtainium

  35. nuegia.net

    Even for me and i'm in poverty right now

  36. spyro

    Hardware isn't the issue.

  37. nuegia.net

    What is

  38. spyro

    I live in a very rural area and my internet is DSL. That isn't very ideal for hosting a server, especially since my server isn't just an XMPP server, but also a webserver, a mumble server, an email server, and a file server.

  39. spyro

    My Internet cannot take that much. It is not feasible for me to self-host.

  40. nuegia.net

    Xmpp is low bandwidth

  41. spyro

    » [17:31:01] <nuegia.net> Xmpp is low bandwidth "but also a webserver, a mumble server, an email server, and a file server. "

  42. nuegia.net

    Consider moving the xmpp, mumble, and email server locally

  43. fireburner

    What about renting a server/vserver and host there?

  44. nuegia.net

    Unless your webserver is serving lots of bloat, consider moving that too

  45. spyro

    » [17:31:32] <fireburner> What about renting a server/vserver and host there? I already do that. I rent from Frantech. Frantech is having issues.

  46. fireburner

    Sry didn't read the whole conversation. What about moving to a different one?

  47. spyro

    Someone downloads a single file from my webserver and my own home Internet is at a crawl. Self-hosting is not feasible and to suggest it can be on my own network when I know what my own network is capable of is ignorance.

  48. spyro

    » [17:32:41] <fireburner> Sry didn't read the whole conversation. » What about moving to a different one? I'm hoping that I won't have to resort to it and that this is a temporary issue.

  49. nuegia.net

    It is you who are the ignorant one.

  50. nuegia.net

    That just means you need to learn how to do active queue management

  51. rewtkid

    unless you have the bandwidth, locally hosting services is a bad idea, not to mention security risks if you don't have proper network segmentation etc.

  52. rewtkid

    it's probably best to stick with a VPS, i agree with you.

  53. nuegia.net

    A single TCP connection should not be able to slow other traffic to a crawl

  54. amarachi

    wasn't frantech bought out? also you can't really host email on residential IP

  55. nuegia.net

    That's what AQM is for

  56. spyro

    Limit your download and upload speed to 1M/s and run all of what I run, then try to do anything on the Internet. Have fun.

  57. nuegia.net

    spyro:

  58. spyro

    Okay, then you ruin the quality of service for your users.

  59. nuegia.net

    Aqm is not qos

  60. nuegia.net

    Nor bandwidth reservation

  61. spyro

    I'm not saying it was. Do I want my users to suffer large latency because I self-host?

  62. nuegia.net

    It's about when to drop packets and how, as well as when to mark tcp sessions

  63. nuegia.net

    To reduce their window size

  64. nuegia.net

    If you deployed AQM properly you wouldn't have latency issues

  65. spyro

    It doesn't matter how you swing it, there is no way I can feasibly host my server entirely at my own network and have it be reliable, stable, and efficient, especially considering the services and community I maintain.

  66. nuegia.net

    That's what i'm saying. Your meager home connection is a lot more capable than you think. You just need to learn how to make the most out of it.

  67. spyro

    To claim otherwise is complete lunacy.

  68. nuegia.net

    Oh really? What is a datacenter exactly? Quantify it

  69. nuegia.net

    Reliable power? Get a UPS

  70. nuegia.net

    Reliable storage? Get a second ssd and configure it

  71. nuegia.net

    Reliable cpu? Get a second computer and replicate to it

  72. spyro

    We'll talk when you can provide a decent service running all I run, being crawled as often as I'm crawled, and being limited at the speeds and network reliability as I have to deal with on a daily basis.

  73. rewtkid

    doesn't really matter what a datacenter is, i get around 2gbps upload and download on average from speedtest-cli on my server in amsterdam, on my home network i get around 4mbps upload and download, not to mention running it on your own network could pose more significant security / anonymity and privacy risks, which may only be a concern for me and not other people, in my opinion though i think for the average person it's best not to host on your home network.

  74. nuegia.net

    Reliable network? Get a managed switch and learn how to configure LACP and STP

  75. amarachi

    nuegia.net, one kid with mommy's credit card booting you and now you have no internet. there are valid reasons to not host at home

  76. rewtkid

    amarachi: exactly.

  77. nuegia.net

    There are ways to mitigate that

  78. nuegia.net

    It's called a reverse proxy

  79. nuegia.net

    And a firewall

  80. amarachi

    but then you're back to the start where you need eg. a vps somewhere

  81. rewtkid

    lol

  82. amarachi

    at that point why not host there?

  83. nuegia.net

    You'll need a lot less of a VPS and you can switch providers very easily

  84. nuegia.net

    Or even have multiple for redundancy with the extra money you saved

  85. moparisthebest

    > Should port knockers make a comeback? amarachi: no because today we have wireguard that's invisible unless you have the right key

  86. rewtkid

    also spyro, they did not give me a clear answer. Mateus just said "we will answer his ticket as soon as possible, thanks for understanding"

  87. rewtkid

    so looks like they are dodging your ticket, for some reason. sketchy

  88. amarachi

    moparisthebest, so all management access should be done through vpn?

  89. nuegia.net

    Your fault for trusting a scummy borderline criminal organization for hosting your important stuff

  90. rewtkid

    how is frantech a borderline criminal organization, or scummy? do you even know them or anything about how their service operates? well this is not a good look, in any case. but still

  91. nuegia.net

    Yes, they delete your vps and ask questions later. They're well known for hosting nazis and other unsavory types

  92. nuegia.net

    Lots of bullying

  93. spyro

    Lol ok

  94. rewtkid

    personally i've had 0 problems with them and they've defended me in the past from other actual scummy companies like when i was being attacked by Privex.

  95. rewtkid

    and so what? they let people host what they want? seems good to me. i don't stand for censorship

  96. moparisthebest

    amarachi: I mean, if you want... I'm just saying it's better than port knocking

  97. rewtkid

    just because you don't agree with someone doesn't mean they aren't allowed to have a voice.

  98. nuegia.net

    Have fun getting your servers raided by the feds

  99. rewtkid

    Lol, ok

  100. rewtkid

    hasn't happened yet, at least in their Luxembourg location.

  101. rewtkid

    they don't allow any actual illegal content or activity afaik, so i doubt it will happen any time soon. there's a fine line between what you deem to be acceptable and actual laws

  102. spyro

    They aren't a criminal operation whatsoever. They abide by the laws and court orders.

  103. rewtkid

    but now tom, i do see what other people have been saying about you, i did even try to defend you, but i completely get where other people are coming from. you are very unreasonable and if anyone wants to be even neutral with you, they have to tiptoe around your nonsense and virtue signalling. i can't even make a non offensive joke in your chat without you blowing up on me. anyways, this is not the chat to discuss this kind of stuff, so i will leave it there.

  104. nuegia.net

    That datacenter glows like a nuclear pile. I wouldn't be surprised if they've got deals with several cybersecurity companies to sniff all their traffic so they can monitor botnet C&C activity.

  105. nuegia.net

    You do you, but personally I wouldn't use any datacenter that has a 'Ready, Fire, Aim' policy instead of an SLA or at least a 48 hour notice.

  106. rewtkid

    they do not allow C2's or scanning or anything of the sort last i checked. you are pulling things out of your ass. the owner is a decent guy and doesn't stand for anything like that, their service is very pro freedom, but they still operate within the boundaries of the law. anyways like i said, this is not the chat for this kind of discussion, if you want to continue it move it over to yours. otherwise we can leave it at that.

  107. amarachi

    so is knockd actually safe in 2024?

  108. moparisthebest

    It never was, now there's 0 reason to use it