XMPP Service Operators - 2024-07-29


  1. nuegia.net

    Jjj333_p are you gay?

  2. mike

    > ban registration from conversations web

    This doesn't make a lot of sense, Conversations just uses the standard registration page, same as everyone. If this person uses a static IP address then they'll already find they're unable to register again, but beyond that we'll just have to be reactive, same as any other case of a spammer etc

  3. jjj333_p [pain.agency]

    > > ban registration from conversations web
    >
    > This doesn't make a lot of sense, Conversations just uses the standard registration page, same as everyone. If this person uses a static IP address then they'll already find they're unable to register again, but beyond that we'll just have to be reactive, same as any other case of a spammer etc

    hm this is what the yax.im admin said he did i think

  4. jjj333_p [pain.agency]

    the troll basically just registers from tor i think

  5. jjj333_p [pain.agency]

    > Jjj333_p are you gay?

    yes? what does that have to do with anything

  6. jjj333_p [pain.agency]

    > the troll basically just registers from tor i think

    also the trolls use an autohotkey script made for ConverseJS, so if they ban regs on ConverseJS then that may slow them down given I dont think they have all used XMPP before.

  7. nuegia.net

    jjj333_p [pain.agency]:

  8. jjj333_p [pain.agency]

    > jjj333_p [pain.agency]:

    ??

  9. nuegia.net

    R u gay?

  10. jjj333_p [pain.agency]

    i already answered you literally 2 messages before you just pinged me

    > yes? what does that have to do with anything

  11. nuegia.net

    Sorry I didn't get them

  12. jjj333_p [pain.agency]

    why are you asking random people in an unrelated if theyre gay anyways? i dont see why that would matter to you

  13. nuegia.net

    I was worried someone might have defaced your avatar

  14. jjj333_p [pain.agency]

    > I was worried someone might have defaced your avatar

    how would they do that

  15. jabbering-queer.net

    I'm not sure what someone's sexual orientation has to do with XMPP service operations

  16. jjj333_p [pain.agency]

    > I'm not sure what someone's sexual orientation has to do with XMPP service operations

    same here

  17. nuegia.net

    Someone photoshopped a pride flag on your forehead that says gay meter

  18. jjj333_p [pain.agency]

    > Someone photoshopped a pride flag on your forehead that says gay meter

    yes how would anyone other than me or my sysadmin (so me) put that there?

  19. nuegia.net

    If you got hacked

  20. jjj333_p [pain.agency]

    you know i can see my own profile picture, yes?

  21. nuegia.net

    Some clients are delayed refreshing avatars

  22. worlio.com

    nuegia.net: I believe this is offtopic. Their server (and potential contact info) is available from their display name. That concern could've been brought up here using their contact info.

  23. jjj333_p [pain.agency]

    ^ you could have dmed me. my domain is in my nick and it has various places to contact me including my full jid

  24. nuegia.net

    Your website wouldn't load

  25. Polarian

    lets drop the homophobia... or at least not use the terms in a derogatory manner.

    jjj333_p [pain.agency]: you _could_ ban tor exit nodes... but a lot of people would complain about invasion of privacy

  26. jjj333_p [pain.agency]

    (i have no idea how to pull the contact info set in prosody, but i did set that to my jid as well)

  27. nuegia.net

    Oh puh-lease Polarian.

  28. jjj333_p [pain.agency]

    > lets drop the homophobia... or at least not use the terms in a derogatory manner.
    >
    > jjj333_p [pain.agency]: you _could_ ban tor exit nodes... but a lot of people would complain about invasion of privacy

    oh i wouldnt even ban tor nodes. one sysadmin claimed to have blocked all registrations from conversations web and that took care of it (these are not very intelligent spammers)

  29. jjj333_p [pain.agency]

    > Your website wouldn't load

    works on my machine 🤷‍♂️

  30. jjj333_p [pain.agency]

    https://downloadable.pain.agency/file_share/Y6kWfk3z7oDrlaeOf2kK3-4i/works.png

  31. Polarian

    works just fine from London, UK

  32. worlio.com

    jjj333_p [pain.agency]: Your website seems to only function under HTTPS. HTTP times out.

  33. Polarian

    > jjj333_p [pain.agency]: Your website seems to only function under HTTPS. HTTP times out.

    likely blocking port 80

  34. worlio.com

    Usual practice to at least make HTTP reply with a redirect to HTTPS.

  35. jjj333_p [pain.agency]

    > jjj333_p [pain.agency]: Your website seems to only function under HTTPS. HTTP times out.

    oh this may be. i believe i just use fairly stock caddy, and fairly stock whatever

  36. jjj333_p [pain.agency]

    i also have firefox in https only mode so it makes sense i wouldnt have seen this

  37. Polarian

    worlio.com: did you telnet 80?

  38. worlio.com

    No, I went to http://pain.agency/ through my browser.

  39. Polarian

    or is this done in a web browser?

  40. Polarian

    > No, I went to http://pain.agency/ through my browser.

    i am on my phone so I cant test it, but telnet/netcat port 80 and see... just to eliminate browser related problems

  41. Polarian

    you can also nmap but thats redundant for a single prt

  42. Polarian

    you can also nmap but thats redundant for a single port

  43. Polarian

    jjj333_p [pain.agency]: you running a firewall (I would hope)?

  44. jjj333_p [pain.agency]

    i seem to be allowing port 80 in hetzner firewall but im not sure if i allowed it in ufw

  45. jjj333_p [pain.agency]

    https://downloadable.pain.agency/file_share/OcqWASiX6e6s5df_Axs8ExYQ/f1ade3f2-d6f3-4022-9f0d-464ff93c5bc3.png

  46. Polarian

    caddy might have bound to 80 but the firewall could be blocking it preventing http redirect

  47. jjj333_p [pain.agency]

    > jjj333_p [pain.agency]: you running a firewall (I would hope)?

    yes both one on the vps level and the provider level

  48. Polarian

    > i seem to be allowing port 80 in hetzner firewall but im not sure if i allowed it in ufw

    ufw status

  49. Polarian

    (I think thats the command, too used to pf :P)

  50. nuegia.net

    Check ipv6

  51. jjj333_p [pain.agency]

    i just did this

    ```
    joseph@snapshot-115842185-debian-2gb-hil-1:~$ sudo ufw allow 80
    [sudo] password for joseph:
    Rule added
    Rule added (v6)
    joseph@snapshot-115842185-debian-2gb-hil-1:~$
    ```

  52. nuegia.net

    My phone only has v6

  53. Polarian

    > i just did this
    > ```
    > joseph@snapshot-115842185-debian-2gb-hil-1:~$ sudo ufw allow 80
    > [sudo] password for joseph:
    > Rule added
    > Rule added (v6)
    > joseph@snapshot-115842185-debian-2gb-hil-1:~$
    > ```

    welp that works \o/

  54. worlio.com

    jjj333_p [pain.agency]: That did the trick.

  55. jjj333_p [pain.agency]

    > Check ipv6

    oh i dont think my domain is set to point to my ipv6 addr

  56. nuegia.net

    Cool

  57. Polarian

    >> Check ipv6
    > oh i dont think my domain is set to point to my ipv6 addr

    you use hetzner it should be as simple as AAAA record

  58. Polarian

    then problem solved... (hopefully)

  59. worlio.com

    IPv6? *vomit*

  60. jjj333_p [pain.agency]

    https://downloadable.pain.agency/file_share/5ZjoGACu1EQksruBLC_ILveB/c2f28d83-a07b-4070-8648-94f967990c38.png

  61. jjj333_p [pain.agency]

    great job porkbun

  62. Polarian

    nuegia.net: no NAT64?

  63. nuegia.net

    Yes

  64. Polarian

    Well I dont think you can blame jjj333_p [pain.agency] then... seen as its a limitation you have imposed :)

  65. Polarian

    although IPv6 support is appreciated :)

  66. jjj333_p [pain.agency]

    oh huh, apparently i was allowing port 80 on ipv4 but not ipv6

  67. jjj333_p [pain.agency]

    lmao

  68. nuegia.net

    Polarian: your offtopic

  69. nuegia.net

    > jjj333_p [pain.agency]:
    > 2024-07-29 12:02 (CDT)
    > oh huh, apparently i was allowing port 80 on ipv4 but not ipv6
    > lmao

    That would do it. It's a common mistake

  70. worlio.com

    nuegia.net: You're*

  71. Polarian

    doesnt ufw add both v4 and v6 rules by default... surely it wouldnt be common then?

  72. jjj333_p [pain.agency]

    > doesnt ufw add both v4 and v6 rules by default... surely it wouldnt be common then?

    i think i had used a different tool before. im not exactly a good sysadmin 😅

  73. nuegia.net

    It's fine

  74. jjj333_p [pain.agency]

    i had probably followed a guide back when i set up my matrix server, then i discovered i didnt know what firewall solution i was using when i tried to set up prosody

  75. Polarian

    definitely would be useful if the providers list included IP protocol info (dual stack, or single stack v4 or v6)...

  76. jjj333_p [pain.agency]

    https://downloadable.pain.agency/file_share/Xn3cZBHkbQ0AW9lBRyT9V1dE/5fc8b6c7-36d9-4608-a167-2399cc1a0afe.png

  77. jjj333_p [pain.agency]

    great

  78. jjj333_p [pain.agency]

    fucking hell

  79. nuegia.net

    jjj333_p [pain.agency]: why are you using caddy?

  80. worlio.com

    Raw handle everything. Absolutely no tools. Firewalls? Pathetic. I secure my server with barbed wire and rusty nails. If anyone touches the ethernet cable, they get electrocuted. Some voices in the server should only be in its head, no 0.0.0.0 nonsense. Panels are for kids who can't fit the square peg in the square hole.

  81. Polarian

    Menel: I believe you have a lot of peers... could you do me a favour for a general view of IPv6 adoption. Could you filter all the s2s and see what % is IPv6? (also will help as it always seem my s2s is v4)

  82. worlio.com

    IPv4 > IPv6. IPv6 is an over-engineered annoying solution to a problem that could've had better solutions.

  83. nuegia.net

    > worlio.com:
    > 2024-07-29 12:08 (CDT)
    > Raw handle everything. Absolutely no tools. Firewalls? Pathetic. I secure my server with barbed wire and rusty nails. If anyone touches the ethernet cable, they get electrocuted. Some voices in the server should only be in its head, no 0.0.0.0 nonsense. Panels are for kids who can't fit the square peg in the square hole.

    Physical security is important

  84. ukko

    Polarian, caddy is modern and memory safe

  85. Polarian

    ukko: wrong person :)

  86. nuegia.net

    Putting on the security bezel prevents people yanking your drives if they get in the room

  87. ukko

    sorry, wrong tab

  88. worlio.com

    I use the key that came with the rack.

  89. worlio.com

    All the data is safe :)

  90. Polarian

    > Putting on the security bezel prevents people yanking your drives if they get in the room

    you would likely want to keep them out of the room in the first place ;)

  91. worlio.com

    That is what the door-activated flamethrowers are for.

  92. jjj333_p [pain.agency]

    > jjj333_p [pain.agency]: why are you using caddy?

    because it is very simple

  93. nuegia.net

    Did you consider haproxy?

  94. jjj333_p [pain.agency]

    i did not

  95. jjj333_p [pain.agency]

    i used caddy because it was in a setup guide and ive had no reason to switch

  96. nuegia.net

    Ok

  97. jjj333_p [pain.agency]

    This person attempted to retract a previous message, but it's unsupported by your client.

  98. Menel

    Polarian: about 80%, for outgoing s2s is ipv6. You cam increase your incoming ratio if you setup a ipv6 only domain with only an AAAA record and givt that higher priority as srv record.

  99. Menel

    Polarian: about 80%, for outgoing s2s is ipv6. You can increase your incoming ratio if you setup a ipv6 only domain with only an AAAA record and give that higher priority as srv record. Like xmpp6.yourdomain.net as srv target for your domain

  100. Menel

    Because some software just prefers ipv4, or as some call it, legacy IP, without reason

  101. worlio.com

    Reason: IPv4 Superiority.

  102. Menel

    I don't see the benefit that basically all clients first need to pass through a 6in4 tunnel to connect to a server. I'll drag ipv4 with me as long as some backwater parts of the world only have ipv4, but then I can kill it.

  103. worlio.com

    No, I don't think you understand: I wish for the annihilation of IPv6.

  104. Menel

    Yeah I understand. But that's a dinosaur view

  105. worlio.com

    I don't think you understand how cool that sounds.

  106. Menel

    Or just say. We both wish for something else and we both don't get what we want

  107. worlio.com

    Instead, IPv8 gets released and we connect to servers through a list of colors instead.

  108. support

    Polarian, on sjn, we see 786 IPv4 and 888 IPv6 connections at this time (outbound + inbound). Outbound it is 286 IPv4 vs. 564 IPv6 and inbound it is 499 IPv4 vs. 324 IPv6.

  109. Guus

    How much of that is bidi?

  110. search.jabber.network

    not sure how to ask prosody that

  111. search.jabber.network

    oh also mod_bidi isn't loaded

  112. search.jabber.network

    so I guess it's 0%

  113. search.jabber.network

    We're currently struggling with another crawler-related issue though. To avoid making things worse accidentally, I'm not going to start any experiments with bidi now.

  114. Guus

    Oh, totally understandable. I just assumed it was already enabled.

  115. jjj333_p [pain.agency]

    decided to go ahead and add aaaa records, i may be stupid but what am i supposed to put for i guess the last two segments?

  116. jjj333_p [pain.agency]

    https://downloadable.pain.agency/file_share/0J2FtMACaRsvB0FYw8VsUiU5/b6211af9-e08e-48b2-988c-817f86e682bf.png

  117. jjj333_p [pain.agency]

    that is just what hetzner gives me

  118. jjj333_p [pain.agency]

    https://downloadable.pain.agency/file_share/3FzOFZCXFjXNxHVaTWz2iXs_/917e8de7-4a36-42ad-aafe-767a6bb47c8c.png

  119. jjj333_p [pain.agency]

    > ```
    > 28/07/2024 22:59:19 - querybot:
    > roughnecks: contact addresses for chinwag.im are
    > - abuse-addresses : mailto:admin@chinwag.im , xmpp:mike@chinwag.im
    > - admin-addresses : mailto:admin@chinwag.im , xmpp:mike@chinwag.im
    > - feedback-addresses :
    > - sales-addresses :
    > - security-addresses :
    > - support-addresses : mailto:admin@chinwag.im
    > ```

    how do i do this?

  120. Menel

    You put c2f2::1

  121. jonas’

    you put whatever you have configured in your server

  122. jonas’

    this is ..::1 by default, but it could be anything

  123. Menel

    Make it match what you have in
    nano /etc/network/interfaces
    For ipv6

  124. jonas’

    (better look at what `ip -6 a` says)

  125. jonas’

    (in case netplan is involved instead of ifupdown)

  126. Menel

    I don't remember the Hetzner default choice. I've edited it manually a long time ago

  127. roughnecks

    > how do i do this?

    it's a bot doing the queries. It's available here: xmpp:bots@chat.woodpeckersnest.space?join

    👍 1
  128. jjj333_p [pain.agency]

    > Make it match what you have in
    > nano /etc/network/interfaces
    > For ipv6

    ill check in a bit

  129. jjj333_p [pain.agency]

    thanks

  130. Polarian

    > Reason: IPv4 Superiority.

    there is no benefit to IPv4

  131. Polarian

    > Polarian, on sjn, we see 786 IPv4 and 888 IPv6 connections at this time (outbound + inbound). Outbound it is 286 IPv4 vs. 564 IPv6 and inbound it is 499 IPv4 vs. 324 IPv6.

    interesting so you have a lot more v4

  132. Guus

    Err, no? Roughly equal (47% ipv4)

  133. Guus

    Maybe we can say that while SJN prefers IPv6 when establishing a connection, its peers generally seem to prefer IPv4.

  134. Polarian

    > Err, no? Roughly equal (47% ipv4)

    than Menel

  135. Polarian

    thats what I meant... my maths isnt that bad 😁

  136. Polarian

    > Maybe we can say that while SJN prefers IPv6 when establishing a connection, its peers generally seem to prefer IPv4.

    Setting Java to prefer IPv6 seems to work, but this doesnt ensure other servers connect via IPv6

  137. Polarian

    I wonder if a standard should be written for dual stack... gajim uses happy eyeballs to pick... but I prefer the idea of IPv6 being default and v4 only used for fallback. I wonder how prosody or ejabberd decides...

  138. jonas’

    I think "whatever works" is most sensible

    šŸ‘ 2
  139. jonas’

    happy eyeballs is important to connect dualstack setups to setups which have only IPv4 or only IPv6

  140. jonas’

    encoding a preference for one or the other will unduly penalize remote stations which don't have it

  141. Holger

    ejabberd makes it configurable, the default is now v6 but was v4 in the past. Not too long ago v6 was way more error-prone in practice, as v6 services and/or IP routes weren't properly monitored.

  142. Polarian

    > happy eyeballs is important to connect dualstack setups to setups which have only IPv4 or only IPv6

    works with priority too... if IPv6 only its the default, if IPv4 only, it falls back, if its both it ALWAYS picks IPv6

  143. Polarian

    a lot of providers make you pay for IPv4... so its beneficial to push IPv6 from a monetary point of view

  144. nuegia.net

    It's cause it's legacy cruft and there's not enough legacy addresses to go around. In addition to paying more money for that you usually also need to provide a need justification when you request one and they're given out on a fcfs basis. Usually the requests are only granted if you're using the legacy ipv4 address for transition purposes.

  145. nuegia.net

    If it wasn't for the dot com boom we would all be on v6 already.

  146. nuegia.net

    There isn't going to be an ipv7 or ipv8. Ipv6 is final.

  147. nuegia.net

    Even though it may be scary for some if you learn it with an open mind and without bringing preconceptions about the way ipv4 works with you you'll find ipv6 to be simpler and more efficient

  148. nuegia.net

    Especially for routers

  149. nuegia.net

    And bringing v6 to your lan you can get rid of DHCP and other stateful automatic configuration. Multihoming and privacy becomes easier as well

  150. nuegia.net

    It works similar to the way we did things before the shortage. If you have ever been on MIT's wifi it works similar to that.

  151. Polarian

    > And bringing v6 to your lan you can get rid of DHCP and other stateful automatic configuration. Multihoming and privacy becomes easier as well

    how does privacy become easier

  152. Polarian

    every device is uniquely identifiable

  153. nuegia.net

    If you setup your network segments properly your clients can implement ipv6 privacy

  154. nuegia.net

    It uses different addresses for outgoing connections vs incoming, and they're periodically shuffled

  155. Polarian

    yeaaaah problem

  156. Polarian

    /64 is assumed :)

  157. Polarian

    you block /64 blocks of addresses as its the smallest block within the standardisation

  158. Polarian

    /128 you know is likely a single device