Divested Infrastructure

This page details, for transparency, the servers and services I provide and how they are configured.
Last updated: 2023-09-03

General

  • All server initialization scripts, configurations, and supporting documentation are tracked in a private git repository since 2017
  • Proprietary software is always avoided
  • Out-of-tree software is avoided when possible
  • SSH and GPG keys are password protected
  • Strong passwords are used
  • Second factor authentication (2FA) is used when available
  • Certificates are provided by Let's Encrypt and renewed manually every three months
  • Domains:
    • DNSSEC enabled
    • CAA records with iodef reporting, restricted validation methods (validationmethods), and bound to a single ACME account (accounturi)
    • SPF records, set to strict
    • DKIM records
    • DMARC records, set to reject, with reporting
    • On the HSTS preload list if critical
  • All drives of physical machines are encrypted with LUKS2/AES-XTS-512/Argon2
  • Secure Boot is enabled when available, including in virtual machines
  • AMD TSME of physical machines is enabled when available
  • Intel ME of physical machines is neutered when possible
  • Fedora Linux used across the board
  • Choice of Fedora:
    • Overall very sane Linux distribution
    • Largely secure defaults
    • Stable kernel updates usually within two days of release
    • Generally up-to-date packages
    • Packages are usually very vanilla with few added patches
    • Only includes proprietary software for firmware if required
    • Avoids patent-encumbered packages
    • Basic compile-time hardening of nearly all packages
    • Comprehensive SELinux policy enabled by default with most system daemons strictly confined
  • System updates:
    • Automatic daily updates via the dnf-automatic-install timer, with an automatic reboot afterwards when packages changed
    • Security-related updates are pulled in from the updates-testing repository when available
    • Manual reboots at least once every three days
  • System hardening:
    • Fedora default targeted SELinux policy confining nearly all system services
    • Many services sandboxed using systemd's exec sandboxing directives (systemd.exec(5))
    • Various kernel, sysctl, and file-permission hardening via Brace
    • Only modern/secure cryptographic algorithms are enabled through Fedora's crypto-policies framework
    • No on-disk swap
  • Networking:
    • The CAKE qdisc is applied to the outbound interfaces of servers to ensure fair queuing
    • All traffic not explicitly allowed is dropped by default via firewalld
    • Several hundred million known-bad IP addresses are dropped via SCFW3, with daily list updates
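
The domain record policy listed above (SPF ending in -all, DMARC at p=reject with reporting, CAA with reporting, restricted validation methods and account binding) can be checked mechanically. The following is an added example written for this page, not Divested's own tooling: it parses constructed record texts so it runs offline, and the accounturi and reporting addresses in it are illustrative values, not real ones. To audit a live zone, paste in the output of dig +short TXT, dig +short TXT _dmarc.<domain> and dig +short CAA.

```python
"""Check SPF, DMARC and CAA records for the posture described above.

Added example, not Divested's own tooling. The record texts are constructed
samples, not live DNS data.
"""
import re

# Constructed records. The accounturi is an illustrative Let's Encrypt-style
# account URL, not a real account.
GOOD_SPF = '"v=spf1 mx -all"'
GOOD_DMARC = '"v=DMARC1; p=reject; rua=mailto:dmarc@example.org; ruf=mailto:dmarc@example.org"'
GOOD_CAA = [
    '0 issue "letsencrypt.org; validationmethods=dns-01; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/12345"',
    '0 iodef "mailto:caa@example.org"',
]
WEAK_SPF = '"v=spf1 mx ~all"'             # softfail: forged mail is merely marked
WEAK_DMARC = '"v=DMARC1; p=none"'         # monitor only, no reporting address
WEAK_CAA = ['0 issue "letsencrypt.org"']  # any LE account, any challenge, no reports


def spf_all_qualifier(txt):
    """Return the qualifier on the 'all' mechanism ('+', '-', '~', '?') or None."""
    terms = txt.strip().strip('"').split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    for term in terms[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"   # no qualifier means '+' (pass)
    return None


def parse_dmarc(txt):
    """'v=DMARC1; p=reject; rua=...' -> {tag: value} (tags lower-cased)."""
    tags = {}
    for part in txt.strip().strip('"').split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def parse_caa(record):
    """'flags tag "value"' -> (flags, tag, property, {param: value}) per RFC 8659/8657."""
    m = re.fullmatch(r'\s*(\d+)\s+(\w+)\s+"([^"]*)"\s*', record)
    if not m:
        raise ValueError(f"not a CAA record: {record!r}")
    parts = [p.strip() for p in m.group(3).split(";")]
    params = {}
    for p in parts[1:]:
        key, sep, value = p.partition("=")
        if sep:
            params[key.strip()] = value.strip()
    return int(m.group(1)), m.group(2).lower(), parts[0], params


def audit_dns(spf, dmarc, caa_records, ca="letsencrypt.org"):
    """Return findings; an empty list means the records match the policy above."""
    findings = []
    if spf_all_qualifier(spf) != "-":
        findings.append("SPF does not end in -all")

    tags = parse_dmarc(dmarc)
    if tags.get("v") != "DMARC1" or tags.get("p") != "reject":
        findings.append("DMARC policy is not p=reject")
    if not tags.get("rua"):
        findings.append("DMARC has no rua= aggregate reporting address")

    issue_seen = iodef_seen = False
    for rec in caa_records:
        _, tag, prop, params = parse_caa(rec)
        if tag in ("issue", "issuewild"):
            issue_seen = True
            if prop != ca:
                findings.append(f"CAA {tag} permits {prop}, not {ca}")
            if "accounturi" not in params:
                findings.append(f"CAA {tag} is not bound to a single ACME account (accounturi)")
            if "validationmethods" not in params:
                findings.append(f"CAA {tag} does not restrict validation methods")
        elif tag == "iodef":
            iodef_seen = True
    if not issue_seen:
        findings.append("no CAA issue record: any CA may issue")
    if not iodef_seen:
        findings.append("no CAA iodef record: violations are not reported")
    return findings


if __name__ == "__main__":
    print("good:", audit_dns(GOOD_SPF, GOOD_DMARC, GOOD_CAA) or "OK")
    print("weak:", audit_dns(WEAK_SPF, WEAK_DMARC, WEAK_CAA))
```

The CAA check treats issuewild the same as issue, since a wildcard record that is not pinned to the same account widens issuance just as much as an unpinned issue record would.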

divested.dev

This is the web server. Load balanced via DNS round robin.

  • Host:
  • Cost:
    • us0: $12 per month
    • us1: $16 per month
  • Location:
    • us0: Atlanta, Georgia, USA
    • us1: Chicago, Illinois, USA
  • IPv4 address:
    • us0: 107.161.22.194
    • us1: 193.29.63.97
  • IPv6 address:
    • us0: 2604:180:f1::76
    • us1: 2605:4840:3:83f7::
  • Operating system:
  • Hardware:
    • us0:
      • SKU: 2GB MKVM
      • Type: KVM
      • CPU: 2 shared x86-64-v2 cores of "Intel Xeon E312xx (Sandy Bridge, IBRS update)"
      • RAM: 2GB
      • Drive: 650GB, HDD backed, not encrypted
      • Bandwidth: 1000Mbps, cap of 7.5TB transfer per month
    • us1:
      • SKU: Storage 4TB
      • Type: KVM
      • CPU: 2 shared x86-64-v2 cores of "Intel(R) Xeon(R) CPU E5-2690 v2"
      • RAM: 2GB
      • Drive: 4000GB, HDD backed, not encrypted
      • Bandwidth: 1000+Mbps, cap of 10TB transfer per month
  • Ports:
    • 22/TCP: OpenSSH
    • 80/TCP: Apache HTTP: redirects to HTTPS and serves the Tor onion services
    • 443/TCP: Apache HTTPS
  • OpenSSH service:
    • Confined via SELinux
    • Login requires both a (passphrase-protected) key and a TOTP token; password authentication is disabled
    • All permitted keys are encrypted with a password
  • Apache service:
    • Confined via SELinux and sandboxed via systemd exec sandboxing, with the PHP process sandboxed separately
    • Provides access to divested.dev and divestos.org
    • Can only write to select web server directories enforced via SELinux
    • The SBNR items noted below are no longer directly used and need to be updated; however, it still largely lives on in other forms with the same mandates.
    • All running PHP code is written by hand by us mostly through SBNR
    • SBNR provides input sanitization and input sanity checks.
    • SBNR provides XSS and CSRF protection
    • SBNR provides basic bot protections
    • SBNR uses an allow-list of permitted alternate hostnames (eg. for redirects)
    • SBNR default denies or returns invalid data on failure
    • All non-onion HTTP requests are redirected to HTTPS; HTTPS responses carry HSTS and OCSP stapling is enabled
    • Index listings are only enabled for select paths
    • Rogue .git directories are not permitted to be served
    • Access out of web server directory is prohibited
    • Apache/PHP cannot read logs, only write them
    • Many debug options/outputs are disabled
    • Many dangerous PHP options are disabled both in PHP system config and by SBNR config
    • Browsers are instructed via Permissions-Policy to deny powerful features (eg. geolocation), via Referrer-Policy to never send referrers, and to block framing
    • All pages are served with a strict Content-Security-Policy, largely prohibiting loading third party resources
    • Referenced scripts and stylesheets carry Subresource Integrity (SRI) hashes where possible
    • All critical files are served with cryptographic signatures allowing out-of-band verification (eg. GPG .asc, F-Droid signing)
    • TLSv1.3 records are padded out in 512 byte increments
    • Only two weeks of access logs are stored
    • mod_evasive is used to rate limit repeated and/or excessive requests
    • mod_security enforcing the OWASP Core Rule Set at paranoia level 4
  • Tor Service:
    • Confined via SELinux and sandboxed via systemd exec sandboxing
    • Provides access to divested.dev and divestos.org (Apache) on distinct onion version 3 addresses
    • Vanity onion addresses are generated using the mkp224o utility
  • Redis Service:
    • Confined via SELinux
    • Not currently sandboxed via systemd exec sandboxing
    • Only available via local socket
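
The Apache response-header policy above (HSTS, a strict Content-Security-Policy that avoids third-party sources, Permissions-Policy, stripped referrers, no framing) can be verified from a single response. The following is an added example written for this page, not Divested's code: it inspects two constructed responses, neither captured from divested.dev, and flags every deviation from that policy. To audit a live host, pass it the output of curl -sI instead.

```python
"""Audit an HTTP response's security headers against the policy described above.

Added example, not Divested's code. Both responses are constructed samples.
"""

# Constructed sample responses (not captured from divested.dev)
HARDENED = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self' data:; font-src 'self'; connect-src 'self'; frame-ancestors 'none'; base-uri 'none'; form-action 'self'
Referrer-Policy: no-referrer
Permissions-Policy: geolocation=(), camera=(), microphone=()
X-Frame-Options: DENY
"""

WEAK = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=300
Content-Security-Policy: default-src 'self' https://cdn.example.com 'unsafe-inline'
Referrer-Policy: strict-origin-when-cross-origin
"""

ONE_YEAR = 31536000  # minimum max-age the HSTS preload list accepts


def parse_raw_headers(raw):
    """Header name (lower-cased) -> value; the status line is skipped."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def parse_csp(value):
    """'directive src src; directive ...' -> {directive: [sources]}."""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def is_external_source(src):
    """True for host- or scheme-sources that let the page pull from another origin."""
    s = src.lower()
    if s in ("'self'", "'none'", "'strict-dynamic'", "'report-sample'"):
        return False
    if s.startswith("'nonce-") or s.startswith("'sha"):
        return False
    return s not in ("data:", "blob:")


def hsts_max_age(value):
    """Seconds from the max-age directive, or 0 when absent or malformed."""
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key.lower() == "max-age" and val.isdigit():
            return int(val)
    return 0


def parse_permissions_policy(value):
    """'geolocation=(), camera=(self)' -> {feature: allowlist}."""
    return {k.strip(): v.strip() for k, _, v in
            (item.partition("=") for item in value.split(",")) if k.strip()}


def audit_headers(raw):
    """Return a list of findings; an empty list means the response matches the policy."""
    h = parse_raw_headers(raw)
    findings = []

    if hsts_max_age(h.get("strict-transport-security", "")) < ONE_YEAR:
        findings.append("HSTS missing or max-age below one year")

    csp = parse_csp(h.get("content-security-policy", ""))
    if "default-src" not in csp:
        findings.append("CSP has no default-src fallback")
    for directive, sources in csp.items():
        if not directive.endswith("-src"):
            continue  # frame-ancestors, base-uri, form-action are checked separately
        for src in sources:
            if src.lower() in ("'unsafe-inline'", "'unsafe-eval'"):
                findings.append(f"CSP {directive} allows {src}")
            elif is_external_source(src):
                findings.append(f"CSP {directive} allows third-party source {src}")

    if csp.get("frame-ancestors") != ["'none'"] and h.get("x-frame-options", "").upper() != "DENY":
        findings.append("framing not blocked (frame-ancestors 'none' or X-Frame-Options DENY)")

    if h.get("referrer-policy", "").lower() != "no-referrer":
        findings.append("Referrer-Policy does not strip referrers")

    if parse_permissions_policy(h.get("permissions-policy", "")).get("geolocation") != "()":
        findings.append("Permissions-Policy does not deny geolocation")

    return findings


if __name__ == "__main__":
    for name, raw in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, audit_headers(raw) or "OK")
```

A scheme-only source such as https: is flagged as third-party on purpose: it permits any HTTPS origin, which is exactly what a policy "largely prohibiting loading third party resources" is meant to rule out.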

konvers.me

This is the chat server.

  • Host: HostHatch (status)
  • Cost: $12 per month
  • Location: Chicago, Illinois, USA
  • IPv4 address: 134.195.88.109
  • IPv6 address: 2605:4840:3:7941::0
  • Operating system: Fedora 38 Cloud
  • Hardware:
    • SKU: NVMe 12 GB
    • Type: KVM
    • CPU: 4 shared x86-64-v3 cores of "AMD EPYC 7402 24-Core Processor"
    • RAM: 12GB
    • Drive: 50GB, NVMe backed, not encrypted
    • Bandwidth: 1000+Mbps, cap of 5TB transfer per month
  • Ports:
    • 22/TCP: OpenSSH
    • 5222/TCP: ejabberd server-to-client
    • 5269/TCP: ejabberd server-to-server
    • 18496/TCP: ejabberd HTTPS
    • Undisclosed: ejabberd STUN/TURN over TCP/UDP; the port is not published because open STUN servers are often abused for UDP amplification DoS attacks
    • 64738/TCP+UDP: Mumble
  • OpenSSH service:
    • Confined via SELinux
    • Login requires both a (passphrase-protected) key and a TOTP token; password authentication is disabled
    • All permitted keys are encrypted with a password
  • ejabberd Service:
    • Sandboxed via systemd exec sandboxing
    • Account registration is restricted
    • Account registration is captcha protected
    • Strong passwords are required
    • Repeated failed login attempts result in the source IP address being blocked
    • Many known bad hosts are blocked from S2S via the JabberSPAM project
    • Many known bad users are blocked in real-time via the xmppbl project
    • Users are strongly encouraged to use end-to-end encryption (OMEMO) in chats when possible
    • Sane stanza, file, and rate limits are enforced
    • HTTP Upload and TURN are only available to authenticated users
    • HTTP Uploaded files are only kept for two days
    • Public MUCs require a captcha to join unless the joining user is a member
    • Many dangerous/unnecessary options are disabled (eg. proxy65/bosh/websockets/stats)
    • IP addresses are not stored
    • Only one week of access logs are stored
    • Database is manually backed up at least once a month
  • Mumble Service:
    • Confined via SELinux and sandboxed via systemd exec sandboxing
    • Not publicly listed on their directory
    • Many dangerous options are disabled (eg. HTML messages)
    • IP addresses are not stored
    • Logs are disabled
    • Database is manually backed up at least once a month
  • Tor Service:
    • Confined via SELinux and sandboxed via systemd exec sandboxing
    • Provides access to konvers.me (ejabberd) and voice.konvers.me (Mumble) on distinct onion version 3 addresses
    • Vanity onion addresses are generated using the mkp224o utility
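
The OpenSSH entries for both divested.dev and konvers.me above describe the same login policy: a passphrase-protected key plus a TOTP token on every login, with password authentication disabled. The following is an added example written for this page, not Divested's own tooling: it audits an sshd -T effective-configuration dump for that policy. It assumes the TOTP step is presented through PAM keyboard-interactive, which is how OpenSSH exposes a second factor, and leaves the PAM module itself out of scope; both dumps it checks are constructed samples.

```python
"""Check an sshd configuration dump for key + TOTP login with passwords disabled.

Added example, not Divested's own tooling. Input is the output of `sshd -T`
(the effective configuration); the two dumps below are constructed samples.
"""

# Constructed `sshd -T` excerpts (sshd prints keywords lower-cased)
HARDENED = """\
port 22
usepam yes
permitrootlogin no
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication yes
authenticationmethods publickey,keyboard-interactive
"""

DEFAULT = """\
port 22
usepam yes
permitrootlogin prohibit-password
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication yes
authenticationmethods any
"""


def parse_sshd_dump(text):
    """'keyword value' lines -> {keyword: value}; later lines win."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        cfg[key.lower()] = value.strip()
    return cfg


def authentication_alternatives(cfg):
    """AuthenticationMethods is a space-separated list of comma-separated
    alternatives; a login must complete every method in one alternative.
    'any' (the default) means any single enabled method suffices."""
    value = cfg.get("authenticationmethods", "any")
    if value == "any":
        return []
    # 'keyboard-interactive:pam' -> 'keyboard-interactive'
    return [[m.split(":", 1)[0] for m in alt.split(",")] for alt in value.split()]


def audit_sshd(cfg):
    """Return findings; empty means every login path needs a key and an interactive (TOTP) step."""
    findings = []
    if cfg.get("passwordauthentication") != "no":
        findings.append("PasswordAuthentication is not 'no'")
    # OpenSSH before 8.7 called this ChallengeResponseAuthentication; accept either spelling
    kbd = cfg.get("kbdinteractiveauthentication", cfg.get("challengeresponseauthentication"))
    if kbd != "yes":
        findings.append("KbdInteractiveAuthentication is not 'yes' (no PAM second factor)")
    if cfg.get("usepam") != "yes":
        findings.append("UsePAM is not 'yes'")
    alts = authentication_alternatives(cfg)
    if not alts:
        findings.append("AuthenticationMethods unset: one factor suffices")
    for alt in alts:
        name = ",".join(alt)
        if "password" in alt:
            findings.append(f"AuthenticationMethods alternative {name} accepts a password")
        if not ("publickey" in alt and "keyboard-interactive" in alt):
            findings.append(f"AuthenticationMethods alternative {name} lacks key+interactive")
    return findings


if __name__ == "__main__":
    for name, dump in (("hardened", HARDENED), ("default", DEFAULT)):
        print(name, audit_sshd(parse_sshd_dump(dump)) or "OK")
```

Checking the sshd -T output rather than sshd_config matters because Match blocks and included files can override the main file; the dump is what the daemon will actually enforce.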
