XMPP Service Operators - 2024-04-03


  1. b1t.rip admin

    Wirlaburla: what's up. Joined here to antagonize me some more, I suppose??

  2. b1t.rip admin

    ignored.

  3. Wirlaburla

    I've been here for quite awhile.

  4. rewtkid

    don't care, save your sly remarks for some other place. No one wants to hear it.

  5. rewtkid

    ignored here as well

  6. luca

    My certificates will expire soon. What will happen federation wise with my server?

  7. rewtkid

    depends on the configuration of other servers; some servers like mine will accept "invalid" certs, others will not.

  8. rewtkid

    just renew your certs?

  9. luca

    Work in progress

  10. luca

    > depends on configuration of other servers, some servers like mine will accept "invalid" certs. others will not.
    Will all users in a MUC receive my messages? Only some? Will the whole MUC not see my messages?

  11. rewtkid

    most will probably get a certificate error

  12. rewtkid

    meaning they will not even be able to connect to your server

  13. rewtkid

    but like I said, it depends on the configuration of whatever server they are using, as well

  14. Guus

    luca: I'm not sure. It will likely differ from client to client. I don't expect that users that are idle will receive a warning. Users that try to send a message may receive errors like 'service unavailable'

  15. luca

    What about federated MUCs like this one? Assuming xmpp.org allows expired certs, will everything work as usual? Or is it still client dependent?

  16. ernst.on.tour

    My server will drop your connection. Your clients/members will get no messages anymore

  17. snikket dot deeeeee

    Yes, we all will see your messages here. Because xmpp.org is the relevant server, and it allows that

  18. snikket dot deeeeee

    The rest of us here are also only connected to xmpp.org, not to your server. So I'll see your messages here. If we would try to talk 1:1, not in this channel, then it wouldn't work, because my server would reject the connection

  19. luca

    Ok, thanks!

  20. ernst.on.tour

    *This* server will keep working, but others will not. What is the problem with getting a new cert?

  21. moparisthebest

    > My server will drop your connection.
    > Your clients/member will got no msg anymore
    ernst.on.tour: most (all?) servers (and clients) won't actually drop active connections when a cert expires, they just won't successfully connect again when they get disconnected

  22. ernst.on.tour

    For sure, but my line is dropped once a night 😉

  23. snikket dot deeeeee

    > What about federated mucs like this one? Assuming xmpp.org allows expired certs, will everything work as usual? Or it's still client dependent
    Clients only ever connect to your own server, so this behavior is not client dependent. The only client dependent thing is: if your own clients will connect to your server with an expired cert

  24. luca

    > *This* server will work on, but others not. What is the problem to get a new cert ?
    Some authentication issue from acme.sh (the script) to Cloudflare. I'll find a fix for it eventually, but it might take a while

  25. Guus

    Many servers will drop server-to-server connections after a time of inactivity. With an expired cert, those connections won't be re-established.

  26. ernst.on.tour

    Didn't know acme.sh, I'm using getssl.sh

  27. moparisthebest

    I'm happily using acme.sh for many years

  28. ernst.on.tour

    Same for me with getssl.sh 😉

  29. luca

    > Didn't know acme.sh, I'm using getssl.sh
    Thanks, I might switch if I don't figure this out :P

  30. snikket dot deeeeee

    Then there is dehydrated too, that's my favorite. I hope we have all relevant shell clients covered then 😊

  31. Polarian

    > https://b1t.rip/xmpp.php
    rewtkid: is it really wise to have no logs, and no way of seeing how your service is being used... I get privacy and everything, but this leaves you open to nasty allegations... how do you know the service isn't being exploited?

  32. moparisthebest

    Well he has no proof it is right? ;)

  33. Polarian

    > Well he has no proof it is right? ;)
    Well as soon as I saw "Anarchism now" I kinda figured it all out 🙂

  34. mirux

    Establishing a secure connection to chat.cluxia.eu failed. Certificate hash: ff7670eb77c7a3f65d589252906b52ea1ffc00e5. Error with certificate 0: certificate has expired.

  35. mirux

    operator around from that server?

  36. rewtkid

    Polarian: if abuse is reported to the admin account, I can block it then. As of right now I've had no issues.

  37. rewtkid

    Polarian: hey, what's wrong with the anarchism blinkie?

  38. rewtkid

    oh and, I do get a message when someone's registered, however it only includes their username and timestamp, not anything else. I guess I should add that there

  39. rewtkid

    so if someone starts creating tons of accounts to spam or whatever, it wouldn't be hard to find which ones are them and block them.

  40. rewtkid

    the service is relatively new (started in 2023), so I haven't faced any issues like this, yet.

  41. Polarian

    > Polarian: if abuse is reported to the admin account, i can block it then. as of right now ive had no issues.
    hmmm

  42. Polarian

    > Polarian: hey whats wrong with the anarchism blinkie?
    let's not get political :)

  43. Polarian

    it just explains the... point of view let's just say

  44. rewtkid

    don't worry, I'm not all leftist anarchist-antifa or anything, I just don't like the idea of a central authority :D

  45. rewtkid

    but yes, let's not get politial, probably not the place

  46. rewtkid

    s/politial/political

  47. moparisthebest

    rewtkid: it's crystal clear to anyone paying attention that data is toxic, so less is better, and none is best, keep it up https://www.schneier.com/essays/archives/2016/03/data_is_a_toxic_asse.html

  48. opinionplatform.org

    Data is not the new gold or oil?

  49. Polarian

    > rewtkid: it's crystal clear to anyone paying attention that data is toxic, so less is better, and none is best, keep it up https://www.schneier.com/essays/archives/2016/03/data_is_a_toxic_asse.html
    Don't confuse data required to provide a service, and data required to protect yourself, with data harvesting

  50. Polarian

    keeping logs is important

  51. Polarian

    One of the most important parts of security is monitoring logs for bad actors... no logs... no ability to do so

  52. Polarian

    it's got a name, I forgot it... but you get the point

  53. rewtkid

    Polarian: my XMPP server is not a huge attack surface, it's in its own container with nothing else besides the XMPP daemon. I also have low and high interaction honeypots set up on my server, for any possible threats. The logs for all of those get sent to an XMPP MUC on my server.

  54. Polarian

    > Polarian: my XMPP server is not a huge attack surface, its in its own container with nothing else besides the XMPP daemon. i also have low and high interaction honeypots set up on my server, for any possible threats. the logs for all of those get sent to an XMPP muc on my server.
    but then you quote ZERO log storage

  55. Polarian

    and yet you send them to a MUC

  56. rewtkid

    I actually have honeypots set up on my backend and all my frontend round robin servers.

  57. rewtkid

    yes, the XMPP server keeps not logs.

  58. rewtkid

    no*

  59. Polarian

    but you said you send the logs to a MUC

  60. rewtkid

    meaning the XMPP service only. I never claimed there weren't other services running on the same server that keep logs.

  61. Polarian is confused

  62. rewtkid

    you can disable logs for the XMPP daemon and have other services still keep logs.

  63. Polarian

    hmmm

  64. rewtkid

    normal XMPP users won't have anything logged. Any threat actors scanning or trying to hack into my box will likely get caught in a pot and I will see it.

  65. Polarian

    No IPv6 support?

  66. Polarian

    damn

  67. rewtkid

    soon there will be. Not yet, though.

  68. Polarian

    also server info is unsupported

  69. Polarian

    I assume that is intentional though

  70. Polarian

    hmm

  71. Polarian

    rewtkid, you proxy your traffic through someone else though

  72. Polarian

    rewtkid, you proxy your traffic through someone else though?

  73. rewtkid

    no, the round robin servers are also run by me. I don't use anything like Cloudflare

  74. Polarian

    > no, the round robin servers are also ran by me. i dont use anything like cloudflare
    CGI Global Limited? That's you?

  75. rewtkid

    that is the ISP.

  76. Polarian

    or they provide hardware?

  77. Polarian

    oh

  78. Polarian

    they are an ISP

  79. Polarian

    what if your ISP logs your packets? Then surely there is logging 😉

  80. Polarian

    no srv records?

  81. rewtkid

    that's what encryption is for. Also, as far as I know there is nothing like this going on, however you can't be too sure.

  82. Polarian

    well the ISP owns no IPv6 blocks

  83. Polarian

    so... you will need to proxy for IPv6 support

  84. rewtkid

    when it comes to privacy it's probably safe to assume everything is being intercepted or logged on the internet, so just use encryption. There's a reason encryption is standard in everything now.

  85. Polarian

    which thus means you got a third party to worry about too 🙂

  86. Polarian

    welp, I'm done being nosy... see it as some friendly karma for /info'ing me 🙂

  87. Polarian

    > no srv records?
    Why no SRV records though?

  88. Polarian

    doesn't hurt to have them?

  89. rewtkid

    what exactly do I need them for?

  90. Polarian

    standardisation I guess

  91. rewtkid

    I guess I can add them, I just didn't see a reason to.

  92. Polarian

    technically you don't need TCP round robin if you used SRV records

  93. Polarian

    wait no you

  94. Polarian

    but also yes

  95. Polarian

    it allows flexibility, put a higher weight in

  96. rewtkid

    also I don't see it as karma, it's all public information, as is anything I can get by /info'ing you. So I don't mind

  97. Polarian

    also multiple A records already have a similar effect to round robin

  98. Polarian

    clients tend to pick a random address, but I guess it's down to the implementation

  99. Polarian

    meh, if it works it works. I was just curious why there were no SRV records

  100. Polarian

    it was not criticism

  101. rewtkid

    I understand

  102. rewtkid

    mainly the only reason I have it set up like that is because we were under DDoS attacks in the past, and the way I set it up seemed to distribute their attack across all servers and prevented downtime.

  103. rewtkid

    I'm sure there is a better way to handle it, that's just how I set it up in a pinch, and it certainly does need improvement. I'm still yet to get moparisthebest's xmpp-proxy set up properly with Prosody. Tried before, but couldn't seem to get it to work properly.

  104. rewtkid

    it would work for some users, then for some reason others would not be able to connect. So I'm still yet to get that part figured out

  105. rewtkid

    actually, I did have it properly set up, but it was the s2s_proxy module that would not work properly. For some reason, I could not establish any outbound connections to other servers when using it.