Security and conformance updates

- Publish abuse address using mod_disco

Allow users to change password with client

- ...
2019-11-23 12:55:41 +01:00
parent be59c27224
commit 5f662828a2
2 changed files with 50 additions and 18 deletions


@@ -2,6 +2,7 @@
toolName=ejabberd
toolConfLoc="/etc/ejabberd/ejabberd.yml"
toolAdminConf="/etc/ejabberd/ejabberdctl.cfg"
# for http upload
toolStorageLoc="/var/ejabberd"
certRoot="/etc/letsencrypt"
@@ -14,15 +15,15 @@ myPass=
step_1_info() { echo "Install $toolName via apt"; }
step_1_alias() { ALIAS="install"; }
step_1() {
exe apt update
exe apt install -y $toolName
exe systemctl stop $toolName
exe apt update
exe apt install -y $toolName
exe systemctl stop $toolName
}
step_2_info() { echo "Use certificate from local letsencrypt"; }
step_2() {
readDomain
local certLoc="${certRoot}/${myDomain}/full.pem"
if [ ! -f "$certLoc" ] ; then
echo "[ERROR] $certLoc not found"
@@ -57,12 +58,13 @@ step_3() {
# create storage for http upload
exe mkdir -p "$toolStorageLoc"
exe chown root:$toolName "$toolStorageLoc"
exe chmod 770 "$toolStorageLoc"
exe chmod 770 "$toolStorageLoc"
fi
# Erlang-VM to listen only on local interface
exe sed -i "s/#\(INET_DIST_INTERFACE=127\.0\.0\.1\)/\1/" "$toolAdminConf"
}
MissingConfEntry="\
Seq's basic configuration file \"$SEQDIR/ejabberd.yml\" missing.
MissingConfEntry="Seq's basic configuration file \"$SEQDIR/ejabberd.yml\" missing.
Backup $toolConfLoc and create a configuration manually.
Some essential settings needed:
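Review bot: The `sed` in step_3 that uncomments `INET_DIST_INTERFACE=127.0.0.1` gives no signal when its pattern does not match, so on a package whose `ejabberdctl.cfg` words that line differently the Erlang distribution listener would keep its default bind address while the step still appears to succeed. A check right after it, for example `grep -q '^INET_DIST_INTERFACE=127\.0\.0\.1' "$toolAdminConf" || echo "[WARN] INET_DIST_INTERFACE not set in $toolAdminConf"`, would surface that case. The rendering has lost the +/- markers, so whether this line is new in this commit or only context is inferred, and step_3 starts outside the hunk.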


@@ -1,4 +1,5 @@
loglevel: 3
loglevel: 3
hide_sensitive_log_data: true
log_rotate_size: 0
log_rotate_date: ""
@@ -18,18 +19,19 @@ listen:
## file and uncomment these lines:
##
certfile: "/etc/ejabberd/ejabberd.pem"
starttls: true
## starttls: true
##
## To enforce TLS encryption for client connections,
## use this instead of the "starttls" option:
##
## starttls_required: true
starttls_required: true
##
## Custom OpenSSL options
##
protocol_options:
- "no_sslv3"
## - "no_tlsv1"
- "no_tlsv1"
- "no_tlsv1_1"
max_stanza_size: 65536
shaper: c2s_shaper
access: c2s
@@ -67,14 +69,16 @@ listen:
## Disabling digest-md5 SASL authentication. digest-md5 requires plain-text
## password storage (see auth_password_format option).
disable_sasl_mechanisms: "digest-md5"
s2s_use_starttls: optional
disable_sasl_mechanisms:
- "digest-md5"
- "x-oauth2"
s2s_use_starttls: required
s2s_certfile: "/etc/ejabberd/ejabberd.pem"
s2s_protocol_options:
- "no_sslv3"
- "no_tlsv1"
- "no_tlsv1_1"
outgoing_s2s_families:
- ipv4
@@ -84,6 +88,22 @@ outgoing_s2s_timeout: 10000
auth_method: internal
auth_password_format: scram
###. ===============
###' DATABASE _SETUP
### MySQL server:
###
#sql_type: mysql
#sql_server: "localhost"
#sql_database: "db_name"
#sql_username: "db_user"
#sql_password: "db_pass"
## Keepalive in seconds
#sql_keepalive_interval: 28800
#sql_pool_size: 5
###. ===============
###' TRAFFIC SHAPERS
shaper:
##
## The "normal" shaper limits traffic speed to 1000 B/s
@@ -176,7 +196,13 @@ modules:
mod_client_state: {}
mod_configure: {} # requires mod_adhoc
##mod_delegation: {} # for xep0356
mod_disco: {}
mod_disco:
server_info:
-
modules: all
name: "abuse-addresses"
urls:
- "mailto:jabberadmin@mydomain.eu"
mod_echo: {}
mod_irc: {}
mod_http_bind: {}
@@ -224,7 +250,7 @@ modules:
- "flat"
- "hometree"
- "pep" # pep requires mod_caps
## mod_register:
mod_register:
##
## Protect In-Band account registrations with CAPTCHA.
##
@@ -257,6 +283,9 @@ modules:
##
## access_from: deny
## access: register
# No registration, but allow existing accounts to change password
access: none
mod_roster:
versioning: true
mod_shared_roster: {}
@@ -264,7 +293,8 @@ modules:
mod_time: {}
mod_vcard:
search: false
mod_version: {}
mod_version:
show_os: false
##
## Enable modules with custom options in a specific virtual host
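Review bot: `s2s_use_starttls: required` in the s2s hunk enforces encryption on server-to-server links, but as far as I know it does not require the peer's certificate to be valid and trusted, so the link is encrypted without the remote server being authenticated by its certificate. If federation with peers using self-signed or expired certificates is not needed, `s2s_use_starttls: required_trusted` closes that gap. Otherwise a comment above the option, such as `## required = encrypted, peer certificate not verified; required_trusted enforces validation`, would record the trade-off for the next maintainer. The surrounding s2s settings continue outside the hunk.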