XMPP module HTTP File Upload (formerly XEP-0363) provides a way to share files between XMPP clients, it works transparently and even in multi user chats. The sender uploads a file on an HTTP(S) server that will then generate an URI, this is sent to each one of the recipients that can then download it. The interesting bits about this XEP are various: File sharing now works even in multi-user chats (MUC), in any case the file is only uploaded a single time even if the recipients are more than one. Peer-to-peer file transfer, be it in-band (XEP-0234: Jingle File Transfer) or out-of-band (XEP-0065: SOCKS5 Bytestreams), is slow, unreliable, does not work in MUC and does not work if the recipient is offline. HTTP File Upload supports both client-server encryption (HTTPS) and end-to-end encryption when used in conjunction with OMEMO encryption (as per today this is supported by Conversations on Android and Gajim desktop client). 3.1. When using OMEMO encryption the files are stored encrypted on the server, this makes it impossibile for ejabberd to create a thumbnail if the file sent is a picture. To enable HTTP File Upload module with HTTPS enabled in ejabberd edit ejabberd.yml configuration file: > listen: - port: 5443 ip: "0.0.0.0" module: ejabberd_http request_handlers: "upload": mod_http_upload tls: true protocol_options: 'TLS_OPTIONS' dhfile: 'DH_FILE' ciphers: 'TLS_CIPHERS' modules: mod_http_upload: docroot: "/home/ejabberd/upload" # this must be a valid path, user ownership and SELinux flags must be set accordingly put_url: "https://@HOST@:5443/upload" access: local max_size: 25000000 #25 MByte thumbnail: false file_mode: "0644" dir_mode: "0744" mod_http_upload_quota: max_days: 2 shaper: soft_upload_quota: - 250: all # MiB hard_upload_quota: - 10000: all # MiB define_macro: 'TLS_CIPHERS': "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256" 'TLS_OPTIONS': - "no_sslv2, no_sslv3, no_tlsv1" - "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256" - "no_compression" 'DH_FILE': "/usr/local/etc/ejabberd/dhparams.pem" # generated with: openssl dhparam -out dhparams.pem 4096 Add an iptables rule to allow traffic coming from port TCP 5443: …

Fail2ban is a useful tool capable of mitigating brute force attacks performed against a multitude of services (ejabberd in our case). Configuration is split between a multitude of files: jail.conf defines which filters are active while the filters scripts are placed in ./filter.d directory. [root@CentOS ~]# vi /etc/fail2ban/jail.conf --- bantime = 1200 findtime = 1200 maxretry = 10 backend = auto [ejabberd-auth] enabled = true port = 5222,5280,7777 action = iptables-multiport[name=ejabberd, port="5222,5269,5280,777", protocol=tcp] logpath = /var/log/ejabberd/ejabberd.log --- [root@CentOS ~]# vi /etc/fail2ban/filter.d/ejabberd-auth.conf --- [Definition] failregex = ^=INFO REPORT==== ===\nI\(<0\.\d+\.0>:ejabberd_c2s:\d+\) : \([^)]+\) Failed authentication for .+ from IP <HOST> \({{(?:\d+,){3}\d+},\d+}\)$ ^(?:\.\d+)? \[info\] <0\.\d+\.\d>@ejabberd_c2s:wait_for_feature_request:\d+ \([^\)]+\) Failed authentication for \S+ from IP <HOST>$ ^.* Failed authentication for \S+ from <HOST>$ ^.* from <<"<HOST>">> failed with error: <<"inexistent-account">>$ ^.* from <<"<HOST>">> failed with error: <<"bad-password">>$ ^.* from <<"<HOST>">> failed with error: <<"badformed-jid">>$ ignoreregex = [Init] journalmatch = --- The first two regular expressions are for user authentication while the others are for administration panel login. Other useful commands are: …

This post is meant to be the sequel of the one I wrote one month ago about CentOS as router, transparent proxy, and much more. A big chunk of the precedent article is on how configure squid and squidGuard to act as a transparent proxy with URLs filtering capabilities. But there’s a problem with that: nowadays many sites (f4c3b00k.c0m just to name the most annoying one) are HTTPS. With HTTP one can really easily intercept a packet and read the payload (which contains the URL) but with HTTPS this is not possible anymore since the payload is encrypted. The only way to be able to read the payload of an HTTPS packet is doing a man-in-the-middle attack with a fake certificate, but that’s not advisable and you really don’t wanna do it. If, like in my case, we are not interested in what the users are doing but we just want them to not be able to access some sites/services/whatever ipset (combined with iptables) are the right tools for the job. iptables is a pretty powerful tool, the only real issue is that it doesn’t scale pretty well if the number of the rules is very big, and this is not a good thing since we probably want to blacklist thousands of IPs. And here comes ipset: with it it’s possible to manage huge blacklists without iptables slowing down. …

OpenVPN is the de facto standard VPN free open source software; it is widely used, tested, well documented and also included in the CentOS repos (EPEL). .:. Server side configuration yum install openvpn easy-rsa dnsmasq When yum is done installing the required packages, copy the sample config file. cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn Uncomment/edit the following lines in /etc/openvpn/server.conf: port 1194 proto udp dev tun ca ca.crt cert server.crt key server.key dh dh4096.pem server 10.8.0.0 255.255.255.0 ifconfig-pool-persist ipp.txt push "redirect-gateway def1" push "dhcp-option DNS 10.8.0.1" keepalive 10 120 tls-auth ta.key 0 # This file is secret key-direction 0 tls-version-min 1.2 tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA256 auth SHA512 cipher AES-256-GCM #comp-lzo # Disable LZO compression persist-key persist-tun status openvpn-status.log ;log openvpn.log # disable log, optional ;log-append openvpn.log # disable log, optional user nobody group nobody Now, create two folders easy-rsa/keys in /etc/openvpn and copy some files into them: …