Promote convergence

This commit is contained in:
Bob Mottram 2014-03-17 21:51:44 +00:00
parent d43f0eaf8e
commit 6f846328fe
1 changed files with 92 additions and 72 deletions

@ -563,6 +563,8 @@ iptables -A INPUT -p udp --destination-port 32771:32774 -j DROP
iptables -A INPUT -p udp --destination-port 4000 -j DROP iptables -A INPUT -p udp --destination-port 4000 -j DROP
iptables -A INPUT -p udp --destination-port 119 -j DROP iptables -A INPUT -p udp --destination-port 119 -j DROP
iptables -A INPUT -p udp --destination-port 137 -j DROP iptables -A INPUT -p udp --destination-port 137 -j DROP
iptables -A INPUT -p udp --destination-port 8432 -j DROP
iptables -A INPUT -p udp --destination-port 8433 -j DROP
# Make sure NEW incoming tcp connections are SYN packets # Make sure NEW incoming tcp connections are SYN packets
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
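Review bot: the two new DROP rules for UDP 8432 and 8433 only cover UDP, while the notary started later in this same change (`convergence-notary -p 8432 -s 8433 ...`) listens on TCP, so these lines do not gate notary traffic at all. They are harmless as a default deny for unused UDP ports, but a one-line comment in the style of the existing `# Make sure NEW incoming tcp connections are SYN packets` would stop a future reader from assuming the notary is blocked here; the TCP handling is in the rate-limit rule added further down, and that is the rule to check when the notary is unreachable.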
@ -612,6 +614,9 @@ iptables -A INPUT -p tcp --dport 465 -m limit --limit 3/minute --limit-burst 1 -
# Limit Bitmessage connections # Limit Bitmessage connections
iptables -A INPUT -p tcp --dport 8444 -m limit --limit 10/minute --limit-burst 1 -j ACCEPT iptables -A INPUT -p tcp --dport 8444 -m limit --limit 10/minute --limit-burst 1 -j ACCEPT
# Limit Convergence notary
iptables -A INPUT -p tcp --dport 8432:8433 -m limit --limit 10/minute --limit-burst 1 -j ACCEPT
# Limit the number of incoming tcp connections # Limit the number of incoming tcp connections
# Interface 0 incoming syn-flood protection # Interface 0 incoming syn-flood protection
iptables -N syn_flood iptables -N syn_flood
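Review bot: the new rule `iptables -A INPUT -p tcp --dport 8432:8433 -m limit --limit 10/minute --limit-burst 1 -j ACCEPT` matches every TCP packet to those ports, not only connection attempts, so unless an earlier ESTABLISHED,RELATED accept exists (none is visible in this hunk) the packets of an already accepted notary session are counted against the 10/minute token bucket and fall through once it is exhausted. Adding `-m state --state NEW` (or `--syn`), as the SYN check earlier in the file already does, limits new connections only. Worth a comment as well: a notary is contacted by every configured browser each time it meets a certificate it has not seen, so 10 new connections per minute with a burst of 1 is tight for anything beyond personal use; the Bitmessage rule this copies has the same property.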
@ -4969,6 +4974,92 @@ You can hand out the random string used to generate the mailing list and its cor
To make the list easier to identify, rather than just appearing as a random string, then under the *Your Identities* tab right click on it and select *Set Avatar* and assign a suitable icon. To make the list easier to identify, rather than just appearing as a random string, then under the *Your Identities* tab right click on it and select *Set Avatar* and assign a suitable icon.
The disadvantage of this type of mailing list is that it's not possible for any one participant to act as a list moderator, or in other words each participant must do their own moderation. That's ok if the size of the group is small, but if it's larger then anyone spamming or trolling the list can make things miserable for the others. The disadvantage of this type of mailing list is that it's not possible for any one participant to act as a list moderator, or in other words each participant must do their own moderation. That's ok if the size of the group is small, but if it's larger then anyone spamming or trolling the list can make things miserable for the others.
** Add a Convergenge notary
Convergence is a secure replacement for the Certificate Authority System. Rather than employing a traditionally hard-coded list of immutable and largely untrusted CAs, Convergence allows you to configure a dynamic set of Notaries which use network perspective to validate your communication. For more details see [[http://convergence.io][convergence.io]] or [[http://www.youtube.com/watch?v=Z7Wl2FW2TcA][this talk which explains the concepts]].
*** Installation
#+BEGIN_SRC: bash
apt-get install python python-twisted-web python-twisted-names python-m2crypto python-openssl
cd /tmp
wget http://freedombone.uk.to/convergence-notary-current.tar.gz
#+END_SRC
Verify it:
#+BEGIN_SRC: bash
sha256sum convergence-notary-current.tar.gz
6d3f7f30649c174c58ef4d719498d33737ddfa229f3d7fc51af0162b590d719b
#+END_SRC
Install it:
#+BEGIN_SRC: bash
tar zxvf convergence-notary-current.tar.gz
cd convergence-0.4
python ./setup.py install
#+END_SRC
Generate a key pair:
#+BEGIN_SRC: bash
convergence-gencert
#+END_SRC
When asked for a challenge password just hit *Enter* a couple of times. Then move the key pair to the appropriate directories as follows.
#+BEGIN_SRC: bash
mv mynotary.key /etc/ssl/private
chmod 400 /etc/ssl/private/mynotary.key
mv mynotary.pem /etc/ssl/certs
#+END_SRC
Now create the database:
#+BEGIN_SRC: bash
convergence-createdb
#+END_SRC
Create an initialisation script:
#+BEGIN_SRC: bash
convergence-notary -p 8432 -s 8433 -c /etc/ssl/certs/mynotary.pem -k /etc/ssl/private/mynotary.key
#+END_SRC
An initialisation script will be created automatically within /etc/init.d.
Generate a notary bundle:
#+BEGIN_SRC: bash
convergence-bundle
#+END_SRC
Enter your name, nickname, handle or whatever.
For the bundle location enter https://mydomainname.com/convergence.notary
For the Hostname enter your domain name
For SSL port enter *8433* and for HTTP port nter *8432*
For the pem file enter */etc/ssl/certs/mynotary.pem*
#+BEGIN_SRC: bash
export HOSTNAME=mydomainname.com
mv mynotarybundle.notary /var/www/$HOSTNAME/htdocs/convergence.notary
chown www-data:www-data /var/www/$HOSTNAME/htdocs/convergence.notary
#+END_SRC
Now open ports 8432 and 8433 on your internet router or firewall and direct it to the BBB.
*** Using Convergence
On a computer which is not the BBB (your laptop, etc):
Install the browser plugin by navigating to https://convergence.io or a backup copy also exists at http://freedombone.uk.to/convergence-current.xpi
After installation restart your browser.
You will notice that an icon appears in the top right corner of the browser, which resembles a lock and two plus signs. Click on the down arrow to the right of it and select *options*.
** Install Tripwire ** Install Tripwire
#+BEGIN_VERSE #+BEGIN_VERSE
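Review bot: the download step fetches `convergence-notary-current.tar.gz` over plain HTTP and the verification step only prints a digest for the reader to compare by eye; since the expected value is already in the document, write the check so it fails on mismatch, e.g. `echo '6d3f7f30649c174c58ef4d719498d33737ddfa229f3d7fc51af0162b590d719b  convergence-notary-current.tar.gz' | sha256sum -c` before `tar zxvf`. Smaller points in the same hunk: the heading `** Add a Convergenge notary` misspells Convergence; `nter` in the SSL/HTTP port line should be `enter`; "Create an initialisation script:" introduces a command that starts the notary, while the next sentence says the script is created automatically, so state which of the two actually happens; and the new `*** Using Convergence` subsection stops at "select *options*" without saying what to do there (presumably where the bundle published at https://mydomainname.com/convergence.notary is added), leaving the reader without the final step.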
@ -5042,6 +5133,7 @@ The following ports on your internet router/firewall should be forwarded to the
| XMPP (server) | 5269 | | XMPP (server) | 5269 |
| XMPP (BOSH) | 5280..5281 | | XMPP (BOSH) | 5280..5281 |
| Bitmessage | 8444 | | Bitmessage | 8444 |
| Convergence | 8432..8433 |
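Review bot: the port table has no protocol column, and the firewall rules in this same change DROP UDP 8432/8433 while only TCP is accepted, so a reader who forwards both protocols for `| Convergence | 8432..8433 |` will have half of that forwarding silently dropped; either say TCP in the surrounding text or keep the table consistent with the iptables rules.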
* Hints and Tips * Hints and Tips
** Messaging security ** Messaging security
@ -5676,78 +5768,6 @@ Within a browser open https://mydomainname.com:8888
See documentation in /usr/share/doc/kune/INSTALL.gz See documentation in /usr/share/doc/kune/INSTALL.gz
** Add a Convergenge notary
Convergence is a secure replacement for the Certificate Authority System. Rather than employing a traditionally hard-coded list of immutable and largely untrusted CAs, Convergence allows you to configure a dynamic set of Notaries which use network perspective to validate your communication. For more details see [[http://convergence.io][convergence.io]]
#+BEGIN_SRC: bash
apt-get install python python-twisted-web python-twisted-names python-m2crypto python-openssl
cd /tmp
wget http://freedombone.uk.to/convergence-notary-current.tar.gz
#+END_SRC
Verify it:
#+BEGIN_SRC: bash
sha256sum convergence-notary-current.tar.gz
6d3f7f30649c174c58ef4d719498d33737ddfa229f3d7fc51af0162b590d719b
#+END_SRC
Install it:
#+BEGIN_SRC: bash
tar zxvf convergence-notary-current.tar.gz
cd convergence-0.4
python ./setup.py install
#+END_SRC
Generate a key pair:
#+BEGIN_SRC: bash
convergence-gencert
#+END_SRC
When asked for a challenge password just hit *Enter* a couple of times. Then move the key pair to the appropriate directories as follows.
#+BEGIN_SRC: bash
mv mynotary.key /etc/ssl/private
chmod 400 /etc/ssl/private/mynotary.key
mv mynotary.pem /etc/ssl/certs
#+END_SRC
Now create the database:
#+BEGIN_SRC: bash
convergence-createdb
#+END_SRC
Create an initialisation script:
#+BEGIN_SRC: bash
convergence-notary -p 8432 -s 8433 -c /etc/ssl/certs/mynotary.pem -k /etc/ssl/private/mynotary.key
#+END_SRC
An initialisation script will be created automatically within /etc/init.d.
Generate a notary bundle:
#+BEGIN_SRC: bash
convergence-bundle
#+END_SRC
Enter your name, nickname, handle or whatever.
For the bundle location enter https://mydomainname.com/convergence.notary
For the Hostname press Enter.
#+BEGIN_SRC: bash
export HOSTNAME=mydomainname.com
mv mynotarybundle.notary /var/www/$HOSTNAME/htdocs/convergence.notary
chown www-data:www-data /var/www/$HOSTNAME/htdocs/convergence.notary
#+END_SRC
Now open ports 8432 and 8433 on your internet router or firewall and direct it to the BBB.
* Related projects * Related projects
* [[https://freedomboxfoundation.org/][Freedombox]] * [[https://freedomboxfoundation.org/][Freedombox]]
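Review bot: this is the copy being moved to its new location, but the two copies are not identical: the removed text says "For the Hostname press Enter." while the added section says "For the Hostname enter your domain name", and the removed copy has no SSL port, HTTP port or pem-file prompts and no "Using Convergence" subsection. If the commit is a pure move, as the message "Promote convergence" suggests, the change to the bundle prompts should be called out in the commit message; if the new answers are the corrected ones, say so, since they determine what hostname ends up in the published notary bundle.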