Divested Infrastructure
This page details, for transparency purposes, technical information on the servers and services I provide.
Last updated: 2023-05-26
General
- All server initialization scripts, configurations, and supporting documentation are tracked in a private git repository since 2017
- Proprietary software is always avoided
- Out-of-tree software is avoided when possible
- SSH and GPG keys are password protected
- Strong passwords are used
- Second factor authentication (2FA) is used when available
- Certificates are provided by Let's Encrypt and renewed manually every three months
- Domains:
- All drives of physical machines are encrypted with LUKS2/AES-XTS-512/Argon2
- Secure Boot is enabled when available, including in virtual machines
- AMD TSME of physical machines is enabled when available
- Intel ME of physical machines is neutered when possible
- Fedora Linux is used across the board
- Choice of Fedora:
- Overall very sane Linux distribution
- Largely secure defaults
- Stable kernel updates usually within two days of release
- Generally up-to-date packages
- Packages are usually very vanilla with few added patches
- Only includes proprietary software for firmware if required
- Avoids patent-encumbered packages
- Basic compile-time hardening of nearly all packages
- Comprehensive SELinux policy enabled by default with most system daemons strictly confined
- System updates:
- Automatic daily updates via dnf-automatic-install with automatic reboot afterwards via on-change
- Security related updates are pulled in from updates-testing repository when available
- Manual reboots at least once every three days
- System hardening:
- Fedora default targeted SELinux policy confining nearly all system services
- Many services are sandboxed using systemd-exec-sandboxing
- Various hardening (kernel/sysctl/file permissions) by Brace
- Only modern/secure cryptographic algorithms are enabled through Fedora's crypto-policies framework
- No on-disk swap
- Networking:
divested.dev
This is the web server. Load balanced via DNS round robin.
- Host:
- Cost:
- us0: $12 per month
- us1: $16 per month
- Location:
- us0: Atlanta, Georgia, USA
- us1: Chicago, Illinois, USA
- IPv4 address:
- us0: 107.161.22.194
- us1: 193.29.63.97
- IPv6 address:
- us0: 2604:180:f1::76
- us1: 2605:4840:3:83f7::
- Operating system:
- Hardware:
- us0:
- SKU: 2GB MKVM
- Type: KVM
- CPU: 2 shared x86-64-v2 cores of "Intel Xeon E312xx (Sandy Bridge, IBRS update)"
- RAM: 2GB
- Drive: 650GB, HDD backed, not encrypted
- Bandwidth: 1000Mbps, cap of 7.5TB transfer per month
- us1:
- SKU: Storage 4TB
- Type: KVM
- CPU: 2 shared x86-64-v2 cores of "Intel(R) Xeon(R) CPU E5-2690 v2"
- RAM: 2GB
- Drive: 4000GB, HDD backed, not encrypted
- Bandwidth: 1000+Mbps, cap of 10TB transfer per month
- us0:
- Ports:
- 22/TCP: OpenSSH
- 80/TCP: Apache HTTP: redirects to HTTPS and serves for the Tor onion services
- 443/TCP: Apache HTTPS
- OpenSSH service:
- Confined via SELinux
- Only permits login via a (password protected) key combined with a TOTP token; password login is prohibited
- All permitted keys are encrypted with a password
- Apache service:
- Confined via SELinux and sandboxed via systemd-exec-sandbox, including separately the PHP process
- Provides access to divested.dev and divestos.org
- Can only write to select web server directories enforced via SELinux
- The SBNR relations noted below are no longer directly used and need to be updated; however, SBNR still largely lives on in other forms with the same mandates.
- Excluding the Stripe library, all running PHP code is written by hand by us, mostly through SBNR
- SBNR provides input sanitization and input sanity checks.
- SBNR provides XSS and CSRF protection
- SBNR provides basic bot protections
- SBNR utilizes an allow-list for alternate provided hostnames, used e.g. by redirects
- SBNR default denies or returns invalid data on failure
- All non-onion HTTP requests are redirected to HTTPS, with HSTS set and OCSP stapling enabled
- Index listings are only enabled for select paths
- Rogue .git directories are not permitted to be served
- Access out of web server directory is prohibited
- Apache/PHP cannot read logs, only write them
- Many debug options/outputs are disabled
- Many dangerous PHP options are disabled both in PHP system config and by SBNR config
- Browser is informed to disable special site permissions (location) via Permissions-Policy, always strip referrers, and block embedded frames
- All pages are served with a strict Content-Security-Policy, largely prohibiting loading third party resources
- Files are served with a SRI hash where possible
- All critical files are served with cryptographic signatures allowing out-of-band verification (e.g. GPG .asc, F-Droid signing)
- TLSv1.3 records are padded out in 512-byte increments
- Only two weeks of access logs are stored
- mod_evasive is used to rate limit repeated and/or excessive requests
- mod_security enforces the OWASP Core Rule Set at paranoia level 4
- Tor Service:
- Redis Service:
- Confined via SELinux
- Not currently sandboxed via systemd-exec-sandbox
- Only available via local socket
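An added example, not divested.dev's actual configuration, of an httpd.conf fragment that implements several of the Apache items listed above: the clearnet-only HTTPS redirect, HSTS with OCSP stapling, the browser-side policy headers, index listings limited to a select path, blocked .git directories, mod_evasive rate limits and the CRS at paranoia level 4. The onion hostname, filesystem paths and the exact CSP/Permissions-Policy values are assumptions.

```apache
# Added example, not divested.dev's actual configuration: httpd.conf fragment
# for several Apache items listed above. Hostnames, paths, the onion name and
# the CSP values are assumptions.
# Port 80: clearnet name redirects to HTTPS, onion name is served directly
<VirtualHost *:80>
    ServerName divested.dev
    Redirect permanent "/" "https://divested.dev/"
</VirtualHost>
<VirtualHost *:80>
    ServerName placeholderonionaddress.onion
    DocumentRoot "/var/www/divested"
</VirtualHost>
<VirtualHost *:443>
    ServerName divested.dev
    DocumentRoot "/var/www/divested"
    SSLEngine on
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    SSLUseStapling on
    # HSTS plus the browser-side policies from the list above
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
    Header always set Content-Security-Policy "default-src 'self'; frame-ancestors 'none'; base-uri 'self'"
    Header always set Permissions-Policy "geolocation=(), camera=(), microphone=()"
    Header always set Referrer-Policy "no-referrer"
    Header always set X-Frame-Options "DENY"
</VirtualHost>
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
# Index listings off by default, enabled only for a select path
<Directory "/var/www/divested">
    Options -Indexes
    AllowOverride None
    Require all granted
</Directory>
<Directory "/var/www/divested/mirror">
    Options +Indexes
</Directory>
# Never serve a stray .git directory
<DirectoryMatch "/\.git">
    Require all denied
</DirectoryMatch>
# mod_evasive: temporarily block a client repeating one page or hammering the site
DOSPageCount 5
DOSPageInterval 1
DOSSiteCount 100
DOSSiteInterval 1
DOSBlockingPeriod 60
# mod_security with the OWASP CRS at paranoia level 4 (rule 900000, CRS 3.x syntax, before the rules)
SecRuleEngine On
SecAction "id:900000,phase:1,pass,t:none,nolog,setvar:tx.paranoia_level=4"
Include /etc/httpd/modsecurity.d/crs/rules/*.conf
```

Apache does not allow trailing comments on directive lines, so every comment here sits on its own line; the CRS rule file path is the assumed Fedora layout and must be adjusted to wherever the Core Rule Set is installed.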
konvers.me
This is the chat server.
- Host: HostHatch (status)
- Cost: $12 per month
- Location: Chicago, Illinois, USA
- IPv4 address: 134.195.88.109
- IPv6 address: 2605:4840:3:7941::0
- Operating system: Fedora 38 Cloud
- Hardware:
- SKU: NVMe 12 GB
- Type: KVM
- CPU: 4 shared x86-64-v3 cores of "AMD EPYC 7402 24-Core Processor"
- RAM: 12GB
- Drive: 50GB, NVMe backed, not encrypted
- Bandwidth: 1000+Mbps, cap of 5TB transfer per month
- Ports:
- 22/TCP: OpenSSH
- 5222/TCP: ejabberd server-to-client
- 5269/TCP: ejabberd server-to-server
- 18496/TCP: ejabberd HTTPS
- Undisclosed: ejabberd STUN/TURN TCP/UDP, as open STUN is often abused for UDP amplification DoS attacks
- 64738: Mumble TCP/UDP
- OpenSSH service:
- Confined via SELinux
- Only permits login via a (password protected) key combined with a TOTP token; password login is prohibited
- All permitted keys are encrypted with a password
- ejabberd Service:
- Sandboxed via systemd-exec-sandbox
- Account registration is restricted
- Account registration is captcha protected
- Strong passwords are required
- Repeated failed login attempts result in the IP address being blocked
- Many known bad hosts are blocked from S2S via the JabberSPAM project
- Many known bad users are blocked in real-time via the xmppbl project
- Users are strongly encouraged to use end-to-end encryption (OMEMO) in chats when possible
- Sane stanza, file, and rate limits are enforced
- HTTP Upload and TURN are only available to authenticated users
- HTTP Uploaded files are only kept for two days
- Public MUCs require a captcha to join if the joining user is not marked as a member
- Many dangerous/unnecessary options are disabled (e.g. proxy65/bosh/websockets/stats)
- IP addresses are not stored
- Only one week of access logs are stored
- Database is manually backed up at least once a month
- Mumble Service:
- Confined via SELinux and sandboxed via systemd-exec-sandbox
- Not publicly listed on their directory
- Many dangerous options are disabled (e.g. HTML messages)
- IP addresses are not stored
- Logs are disabled
- Database is manually backed up at least once a month
- Tor Service: