[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Dfey-general-discuss] Bitfolk supporting DFEY
From: |
Robert Leverington |
Subject: |
Re: [Dfey-general-discuss] Bitfolk supporting DFEY |
Date: |
Mon, 16 Nov 2009 00:02:32 +0000 |
User-agent: |
Mutt/1.5.17+20080114 (2008-01-14) |
Hello,
On 2009-11-15, Tim Dobson wrote:
> At Oggcamp I gave a talk about engaging young people in technology,
> pretty much identical to the one I gave at WYLUG a few weeks ago[2].
>
> Afterwards I was approached by Andy Smith from Bitfolk[3]. Some people
> here may be aware of the community VPS, dogfish.dfey.org which currently
> hosts our website and a number of other services.
>
> Andy offered to allow DFEY to use the Dogfish VPS (maintaining the same
> spec) for free with a number of preconditions, none of which I see being
> a major issue:
>
> * It is not used for commercial purposes
> * We take steps to ensure abuse doesn't originate from dogfish
> * We take steps to ensure that dogfish isn't compromised
> * We notify Bitfolk immediately if dogfish is compromised
> * If the machine causes him a lot of work (eg. is compromised more than
> once) then we will have to understand it is not viable for bitfolk to
> continue supporting us.
>
> In return for the VPS, we will list them on our website as providing the
> VPS.
This is great news, I have updated the wiki and will update the website
tomorrow if no one else does so before (along with a number of other
adjustments to the website I proposed some time ago).
> If we ever need more hosting for special events etc we should negotiate
> with them.
>
> Keeping the machine secure should not mean that people are tied down and
> unable to play around on it however it does mean we need to take a
> pro-active response to the security and administration of the machine.
At this point our attitude towards security is very good, regardless
there are couple of minor changes I am suggesting below.
I would like to propose implementing a firewall, with the intent of
prohibiting daemons from being run - at the moment any user is able to
run these on non-privileged ports. This should not affect any normal
usage, and the rules could be adjusted on a case-by-case basis if
necessery.
> We already require ssh public key authentication to access dogfish. This
> is good. We need to continue to only allow access with keys.
>
> We already have a proactive outlook on security updates with the
> sysadmin team being emailed when new updates are available and with them
> typically being installed promptly.
>
> We need to establish a policy towards accounts on the machine - give
> them out to people who we trust and have known for some time. Accounts
> need to be deactivated after a period once people lose touch and stop
> using them. I'm not sure exactly how people feel this should work put
> thoughts are more than welcome.
I think the best method would be to decide upon an arbitrary length of
time used in determining whether a member should have access. They can
be given access after x amount of time of being active in the community
(mailing lists or IRC), and lose access after x amount of time of not
participating in these parts of the community. My suggestion would be
two months.
Regarding root access, it makes sense to be a bit more strict about
this. My proposal would be to remove roots after one month of
inactivity, and to give root access out on an as-required basis with the
majority consensus of all existing roots and a positive indication from
the rest of the community. Where possible, more specific group-based
access should be used instead.
> We need to keep reliable written records of who has access to what and
> how to contact them.
Updated on the wiki.
> We need to regularly audit web applications installed on the machine for
> potential security issues and make sure everything is patched appropriately.
Updated on the wiki.
> Bitfolk have been very supportive of what we are setting out to do and
> I'm very pleased to announce this partnership.
++
> Feedback, thoughts and questions, as always, is welcome. :)
Regards,
--
Robert Leverington
http://rhl.me.uk/
signature.asc
Description: Digital signature