21 Apr
2019
21 Apr
'19
9:38 a.m.
Quack,
Let's begin with the bad news.
=== Credentials and potential LDAP info leak ===
Our MediaWiki instances configuration, as all the rules of our infra are
opensource. Unfortunately certain secrets were not protected as they
should have been:
* database credentials: MariaDB is not available from the outside, so
it's not a big deal
* contact emails: we try to hide all emails to avoid SPAM; webmaster,
HappyPeng and myself are affected
* wiki secret key: used to generate entropy when a proper source is not
available, which is not our case
* LDAP service account: this is a nasty part as most user information
might be accessed; we do not keep more than needed to run the service
but realnames and email addresses could have been listed; all
credentials are safe and no modification is possible though
We did not find any suspicious activities in the logs, but that's
difficult to assess.
So obviously before sending this email we remedied the situation. We
also plan to limit how this account can be used even more.
Deeply sorry for this mistake :-/.
=== Progress on the new hardware ===
Nicecity's hardware gave some difficulties and a new disk was needed. It
is now almost fully deployed with Ansible, so we should soon be able to
use it in production.
Toushirou-NG's deployment is done and we're regularly syncing it. We're
keeping it up-to-date with current production and are preparing the
migration steps.
=== StuffCloud login Security ===
Two factor authentication (2FA) using TOTP and U2F has been activated
and tested for some time now. We did not have any problem with both
method, so we strongly suggest you try it.
The documentation has been updated to give more information on how to
set this up: https://users.duckcorp.org/index.php/Services/StuffCloud
=== Wiki Migration ===
The shared wiki (wiki.duckcorp.org), running on MoinMoin, is going to
migrate soon to MediaWiki in order to avoid having to maintain two
systems.
=== Mail and Sync User ===
Some users prefer to sync emails on their machine, which can be handy if
you travel, wish to access them offline and later have all your
modifications propagated. It can also be useful as a backup mechanism.
On problem with most tools is their inability to "move" mails (instead
of "copy"), which prevent then to use the 'Junk' folder
A simple solution is now available, described here:
https://users.duckcorp.org/index.php/Services/Mail#Retraining_for_feature-l…
=== Web and PHP ===
We were already investigating using PHP FPM instead of the embedded
Apache mod_php. This is more secure and flexible as you can run the
wanted number of workers using a dedicated UNIX user, thus avoiding one
instance to read files from the others.
It happens that we activated HTTP2 in the past and some related fix
unfortunately required to change the Apache MPM, which is not possible
with mod_php, or to abandon HTTP2, so this changed priorities a bit.
The full migration has just been done for all PHP-enabled vhosts, so
tell us if you encounter any problem.
Hope you enjoyed the Hanami!
\\_o<
--
Marc Dequènes (Duck)
25 Apr
25 Apr
3:26 p.m.
Quack,
=== Hardware Migration ===
Toushirou will be migrated on 2019-05-04. The replacement should start
around 09:00 CET.
Earlier in the morning SSH user logins will be denied and all user
session stopped, so please stop any script or connection you may have
the day before to be sure.
When the dispatched team is ready to make the switch, all services will
be shutdown and a final synchronization of all data will be done. It may
take some time to change the harware and check network and remote
access.
We'll check all services shortly after that. Exact timing and
notifications will be given on IRC on #MilkyPond. You're also welcome to
follow technical discussions on #DuckCorp.
=== Wiki Migration ===
The wiki has successfully been migrated.
\_o<
--
Marc Dequènes (Duck)
1433
days inactive
1437
days old
1 comments
1 participants
participants (1)
-
DuckCorp Admin Team