General¶

• All server initialization scripts, configurations, and supporting documentation are tracked in a private git repository since 2017
• Proprietary software is always avoided
• Out-of-tree software is avoided when possible
• SSH and GPG keys are password protected
• Strong passwords are used
• Second factor authentication (2FA) is used when available
• Certificates are provided by Let's Encrypt and renewed manually every three months
• Domains:
  • DNSSEC enabled
  • CAA records, with reporting, with defined validation methods, and bound to a single account.
  • SPF records, set to strict
  • DKIM records
  • DMARC records, set to reject, with reporting
  • On the HSTS preload list if critical
• All drives of physical machines are encrypted with LUKS2/AES-XTS-512/Argon2
• Secure Boot is enabled when available, including in virtual machines
• AMD TSME of physical machines is enabled when available
• Intel ME of physical machines is neutered when possible
• Fedora Linux used across the board
• Choice of Fedora:
  • Overall very sane Linux distribution
  • Largely secure defaults
  • Stable kernel updates usually within two days of release
  • Generally up-to-date packages
  • Packages are usually very vanilla with few added patches
  • Only includes proprietary software for firmware if required
  • Avoids patent-encumbered packages
  • Basic compile-time hardening of nearly all packages
  • Comprehensive SELinux policy enabled by default with most system daemons strictly confined
• System updates:
  • Automatic daily updates via dnf-automatic-install
  • Automatic reboots after automatic updates via this hack
  • Security related updates are pulled in from updates-testing repository when available
  • Manual reboots at least once every three days
• System hardening:
  • Fedora default targeted SELinux policy confining nearly all system services
  • Many services sandboxed using systemd-exec-sandboxing
  • Various hardening (kernel/sysctl/file permissions) by Brace
  • The GrapheneOS hardened hardened memory allocator is used via this package
  • Only modern/secure cryptographic algorithms are enabled through Fedora's crypto-policies framework
  • No on-disk swap
• Networking:
  • cake is utilized on outbound interfaces of servers to ensure fair queuing
  • All stray traffic is default DROP via firewalld

spotco.us¶

This is the primary web server.

• Host: RamNode
• Cost: $12 per month
• Location: United States of America
• IPv4 address: 107.161.22.194
• IPv6 address: 2604:180:f1::76
• Operating system: Fedora 37 Server
• Hardware:
  • SKU: 2GB MKVM
  • Type: KVM
  • CPU: 2 shared x86-64-v2 cores of "Intel Xeon E312xx (Sandy Bridge, IBRS update)"
  • RAM: 2GB
  • Drive: 650GB, HDD backed, not encrypted
  • Bandwidth: 1000Mbps, cap of 7.5TB transfer per month
• Ports:
  • 22/TCP: OpenSSH
  • 80/TCP: Apache HTTP: redirects to HTTPS and serves for the Tor onion services
  • 443/TCP: Apache HTTPS
• OpenSSH service:
  • Confined via SELinux
  • Only permits login via combined (password protected) keys and TOTP token, password login is prohibited
  • All permitted keys are encrypted with a password
• Apache service:
  • Confined via SELinux and sandboxed via systemd-exec-sandbox, including separately the PHP process
  • Provides access to divested.dev and divestos.org
  • Can only write to select web server directories enforced via SELinux
  • The below noted SBNR relations are no longer directly used and needs to be updated, however its still largely lives on in other forms with the same mandates.
  • Excluding the Stripe library, all running PHP code is written by hand by us mostly through SBNR
  • SBNR provides input sanitization and input sanity checks.
  • SBNR provides XSS and CSRF protection
  • SBNR provides basic bot protections
  • SBNR utilizes an allow-list for alternate provided hostnames, used by eg. redirects
  • SBNR default denies or returns invalid data on failure
  • All non-onion HTTP requests are redirected to HTTPS with HSTS set and OCSP stapling
  • Index listings are only enabled for select paths
  • Rogue .git directories are not permitted to be served
  • Access out of web server directory is prohibited
  • Apache/PHP cannot read logs, only write them
  • Many debug options/outputs are disabled
  • Many dangerous PHP options are disabled both in PHP system config and by SBNR config
  • Browser is informed to disable special site permissions (location) via Permissions-Policy, always strip referrers, and block embedded frames
  • All pages are served with a strict Content-Security-Policy, largely prohibiting loading third party resources
  • Files are served with a SRI hash where possible
  • All critical files are served with cryptographic signatures allowing out-of-band verification (eg. GPG .asc, F-Droid signing)
  • TLSv1.3 records are padded out in 512 byte increments
  • Only two weeks of access logs are stored
  • mod_evasive is used to rate limit repeated and/or excessive requests
  • mod_security enforcing the OWASP Core Rule Set at paranoia level 4
• Tor Service:
  • Confined via SELinux and sandboxed via systemd-exec-sandbox
  • Provides access to OpenSSH (client auth required), divested.dev, and divestos.org on distinct onion version 3 addresses
  • Vanity onion addresses are generated using the mkp224o utility
• Redis Service:
  • Confined via SELinux
  • Not currently sandboxed via systemd-exec-sandbox
  • Only available via local socket

konvers.me¶

This is the primary chat server.

• Host: RamNode
• Cost: $12 per month
• Location: United States of America
• IPv4 address: 107.161.20.252
• IPv6 address: 2604:180:f1::70
• Operating system: Fedora 37 Server
• Hardware:
  • SKU: 2GB SKVM
  • Type: KVM
  • CPU: 2 shared x86-64-v3 cores of "AMD EPYC Processor (with IBPB)"
  • RAM: 2GB
  • Drive: 65GB, SSD backed, not encrypted
  • Bandwidth: 1000Mbps, cap of 3TB transfer per month
• Ports:
  • 22/TCP: OpenSSH
  • 5222/TCP: ejabberd server-to-client
  • 5269/TCP: ejabberd server-to-server
  • 18496/TCP: ejabberd HTTPS
  • Undisclosed: ejabberd STUN/TURN TCP/UDP, open STUN is often abused for UDP amplification DoS attacks
  • 64738: Mumble TCP/UDP
• OpenSSH service:
  • Confined via SELinux
  • Only permits login via combined (password protected) keys and TOTP token, password login is prohibited
  • All permitted keys are encrypted with a password
• ejabberd Service:
  • Sandboxed via systemd-exec-sandbox
  • Account registration is restricted
  • Account registration is captcha protected
  • Strong passwords are required
  • Repeat failed login attempts will have IP address blocked
  • Many known bad hosts are blocked from S2S via JabberSPAM project
  • Users are strongly encouraged to use end-to-end encryption (OMEMO) in chats when possible
  • Sane stanza, file, and rate limits are enforced
  • HTTP Upload and TURN are only available to authenticated users
  • HTTP Uploaded files are only kept for two days
  • Public MUCs require a captcha to join if not marked a member
  • Many dangerous/unnecessary options are disabled (eg. proxy65/bosh/websockets/stats)
  • IP addresses are not stored
  • Only one week of access logs are stored
  • Database is manually backed up at least once a month
• Mumble Service:
  • Confined via SELinux and sandboxed via systemd-exec-sandbox
  • Not publicly listed on their directory
  • Many dangerous options are disabled (eg. HTML messages)
  • IP addresses are not stored
  • Logs are disabled
  • Database is manually backed up at least once a month
• Tor Service:
  • Confined via SELinux and sandboxed via systemd-exec-sandbox
  • Provides access to OpenSSH (client auth required), konvers.me, and voice.konvers.me on distinct onion version 3 addresses
  • Vanity onion addresses are generated using the mkp224o utility