Divested Infrastructure

This page details, for transparency, technical information on the servers and services I provide.

General

  • All server initialization scripts, configurations, and supporting documentation are tracked in a private git repository since 2017
  • Strong passwords are used
  • Second factor authentication (2FA) is used when available
  • Proprietary software is always avoided
  • Out-of-tree software is avoided when possible
  • SSH and GPG keys are password protected
  • Certificates are provided by Let's Encrypt and renewed manually every three months
  • All drives of physical machines are encrypted with LUKS2/AES-XTS-512/Argon2
  • Secure boot is used when available
  • Intel ME of physical machines is neutered when possible
  • Fedora Linux is used across the board
  • Choice of Fedora:
    • Overall very sane Linux distribution
    • Largely secure defaults
    • Stable kernel updates usually within two days of release
    • Generally up-to-date packages
    • Packages are usually very vanilla with few added patches
    • Only includes proprietary software for firmware if required
    • Avoids patent-encumbered packages
    • Compile-time hardening of nearly all packages
    • Comprehensive SELinux policy enabled by default with most system daemons strictly confined
  • System updates:
    • Automatic daily updates via dnf-automatic-install
    • Automatic reboots after automatic updates via this hack
    • Security related updates are pulled in from updates-testing repository when available
    • Manual reboots at least once every three days
  • System hardening:
    • Various hardening (kernel/sysctl/file permissions) by Brace
    • Fedora default targeted SELinux policy confining nearly all system services
    • Most services sandboxed using systemd-exec-sandboxing
    • Only modern/secure cryptographic algorithms are enabled through Fedora's crypto-policies framework
    • No on-disk swap
  • Networking:
    • All stray traffic is default DROP via firewalld
    • Many hundreds of millions of "bad" IP addresses are prohibited from connecting via SCFW3

spotco.us

This is our primary web server.

  • Host: RamNode
  • Cost: $5 per month
  • Location: United States of America
  • IPv4 address: 107.161.22.194
  • IPv6 address: 2604:180:f1::76
  • Operating system: Fedora 34 Server
  • Hardware:
    • Type: KVM
    • CPU: 2 cores
    • RAM: 1GB
    • Drive: 325GB, not encrypted
    • Bandwidth: 1000Mbps, cap of 5TB transfer per month
  • Ports:
    • 22/TCP: OpenSSH
    • 80/TCP: Apache HTTP: redirects to HTTPS and serves for the Tor onion services
    • 443/TCP: Apache HTTPS
  • OpenSSH service:
    • Confined via SELinux
    • Not currently sandboxed via systemd-exec-sandbox
    • Only permits login via keys, password login is prohibited
    • All permitted keys are encrypted with a password
  • Apache service:
    • Confined via SELinux and sandboxed via systemd-exec-sandbox, including separately the PHP process
    • Provides access to divested.dev and divestos.org
    • Can only write to select web server directories enforced via SELinux
    • Excluding the Stripe library, all running PHP code is written by hand by us mostly through SBNR
    • SBNR provides input sanitization and input sanity checks
    • SBNR provides XSS and CSRF protection
    • SBNR provides basic bot protections
    • SBNR utilizes an allow-list for alternate provided hostnames, used e.g. by redirects
    • SBNR default denies or returns invalid data on failure
    • All non-onion HTTP requests are redirected to HTTPS with HSTS set and OCSP stapling
    • Index listings are only enabled for select paths
    • Rogue .git directories are not permitted to be served
    • Access out of web server directory is prohibited
    • Apache/PHP cannot read logs, only write them
    • Many debug options/outputs are disabled
    • Many dangerous PHP options are disabled both in PHP system config and by SBNR config
    • Browser is informed to disable special site permissions (location), cross-domain referrer, and embedded frames
    • All pages are served with a strict content-security-policy, largely prohibiting loading third party resources
    • Files are served with a SRI hash where possible
    • All critical files are served with cryptographic signatures allowing out-of-band verification (e.g. GPG .asc, F-Droid signing)
    • TLSv1.3 records are padded out in 512 byte increments
    • Only two weeks of access logs are stored
  • Tor Service:
    • Confined via SELinux and sandboxed via systemd-exec-sandbox
    • Provides access to OpenSSH, divested.dev, and divestos.org on distinct onion version 3 addresses
    • Vanity onion addresses are generated using the mkp224o utility
  • Redis Service:
    • Confined via SELinux
    • Not currently sandboxed via systemd-exec-sandbox
    • Only available via local socket
    • Purged on reboot
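As an added example (not the site's own code, which the page says is written through SBNR), the following Python function audits a set of HTTP response headers for the browser-facing properties listed under the Apache service above: HSTS set, a strict content-security-policy without wildcard sources or inline scripts, cross-domain referrers suppressed, embedded frames denied, and the location permission disabled. Both header sets are constructed for illustration, and the one-year HSTS minimum is an assumed threshold rather than a value from the page.

```python
"""Audit response headers against the browser-hardening policy described above.
Added example; the header samples are constructed and the HSTS threshold is assumed."""
import re

HSTS_MIN_MAX_AGE = 31536000  # one year; assumed threshold, not stated on the page


def _normalize(headers: dict) -> dict:
    """Header names are case-insensitive, so compare on lower-cased keys."""
    return {name.lower(): value for name, value in headers.items()}


def _csp_directives(csp: str) -> dict:
    """Split 'default-src a b; script-src c' into {'default-src': ['a','b'], ...}."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_headers(headers: dict) -> list:
    """Return a list of findings; an empty list means every check passed."""
    h = _normalize(headers)
    findings = []

    # HSTS: present, with a max-age at or above the assumed minimum.
    hsts = h.get("strict-transport-security", "")
    match = re.search(r"max-age=(\d+)", hsts)
    if not match:
        findings.append("HSTS missing or lacks max-age")
    elif int(match.group(1)) < HSTS_MIN_MAX_AGE:
        findings.append(f"HSTS max-age {match.group(1)} below {HSTS_MIN_MAX_AGE}")

    # CSP: must exist, have a default-src fallback, and not open the door to
    # wildcard sources or inline scripts. Framing must be denied either via
    # frame-ancestors 'none' or the older X-Frame-Options: DENY header.
    csp = h.get("content-security-policy")
    frame_denied = h.get("x-frame-options", "").upper() == "DENY"
    if csp is None:
        findings.append("Content-Security-Policy missing")
    else:
        directives = _csp_directives(csp)
        default = directives.get("default-src")
        if default is None:
            findings.append("CSP has no default-src fallback")
        elif "*" in default or "'unsafe-inline'" in directives.get("script-src", default):
            findings.append("CSP permits wildcard sources or inline scripts")
        if directives.get("frame-ancestors") == ["'none'"]:
            frame_denied = True
    if not frame_denied:
        findings.append("framing not denied (need frame-ancestors 'none' or X-Frame-Options: DENY)")

    # Referrer: only policies that never leak the URL cross-domain are accepted.
    if h.get("referrer-policy", "").lower() not in {"no-referrer", "same-origin"}:
        findings.append("Referrer-Policy does not suppress cross-domain referrers")

    # Permissions-Policy: the location permission must be disabled outright.
    if "geolocation=()" not in h.get("permissions-policy", "").replace(" ", ""):
        findings.append("Permissions-Policy does not disable geolocation")

    return findings


# Constructed sample responses: one matching the policy above, one falling short.
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    "Referrer-Policy": "no-referrer",
    "Permissions-Policy": "geolocation=()",
    "X-Frame-Options": "DENY",
}

WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src *",
    "Referrer-Policy": "unsafe-url",
}

if __name__ == "__main__":
    for label, sample in (("hardened", HARDENED_HEADERS), ("weak", WEAK_HEADERS)):
        print(label, audit_headers(sample) or "all checks passed")
```

Point the function at the headers of a real response (for example the dictionary a `requests` or `urllib` response exposes) to turn it into a quick regression check after a web server configuration change; SRI hashes and TLS record padding are not visible in headers and need separate checks.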

konvers.me

This is our primary chat server.

  • Host: RamNode
  • Cost: $5 per month
  • Location: United States of America
  • IPv4 address: 107.161.20.252
  • IPv6 address: 2604:180:f1::70
  • Operating system: Fedora 34 Server
  • Hardware:
    • Type: KVM
    • CPU: 2 cores
    • RAM: 1GB
    • Drive: 35GB, not encrypted
    • Bandwidth: 1000Mbps, cap of 2TB transfer per month
  • Ports:
    • 22/TCP: OpenSSH
    • 5222/TCP: ejabberd server-to-client
    • 5269/TCP: ejabberd server-to-server
    • 18496/TCP: ejabberd HTTPS
    • Undisclosed: ejabberd STUN/TURN TCP/UDP; the port is not published because open STUN servers are often abused for UDP amplification DoS attacks
    • 64738: Mumble TCP/UDP
  • OpenSSH service:
    • Confined via SELinux
    • Not currently sandboxed via systemd-exec-sandbox
    • Only permits login via keys, password login is prohibited
    • All permitted keys are encrypted with a password
  • ejabberd Service:
    • Confined via SELinux and sandboxed via systemd-exec-sandbox
    • Account registration is disabled
    • Account registration is captcha protected
    • Strong passwords are required
    • Repeated failed login attempts result in the originating IP address being blocked
    • Many known bad hosts are blocked from S2S via JabberSPAM project
    • Users are strongly encouraged to use end-to-end encryption (OMEMO) in chats when possible
    • Sane stanza, file, and rate limits are enforced
    • HTTP Upload and TURN are only available to authenticated users
    • HTTP Uploaded files are only kept for two days
    • Public MUCs require a captcha to join if not marked a member
    • Many dangerous/unnecessary options are disabled (e.g. proxy65/bosh/websockets/stats)
    • IP addresses are not stored
    • Only one week of access logs are stored
    • Database is manually backed up at least once a month
  • Mumble Service:
    • Confined via SELinux and sandboxed via systemd-exec-sandbox
    • Not publicly listed on their directory
    • Many dangerous options are disabled (e.g. HTML messages)
    • IP addresses are not stored
    • Logs are disabled
    • Database is manually backed up at least once a month
  • Tor Service:
    • Confined via SELinux and sandboxed via systemd-exec-sandbox
    • Provides access to OpenSSH, konvers.me, and voice.konvers.me on distinct onion version 3 addresses
    • Vanity onion addresses are generated using the mkp224o utility