When installing the XMPP server ejabberd (version 2.1.x), the default configuration is quite open. Let's see how we can secure it.
There are several things to secure.
All the settings are located in /etc/ejabberd/ejabberd.cfg.
At the moment, everyone can register an account on our server (in-band registration). To change that, we find the line
{access, register, [{allow, all}]}.
and change it to
{access, register, [{deny, all}]}.
We can still register users from the command line with
ejabberdctl register user host password
Second, we want to prevent arbitrary (in particular remote) users from creating multi-user chats (MUC) on our server. Search for the line
{access, muc, [{allow, all}]}.
in your configuration. This defines an access rule named muc that matches all users. We keep it and create a new rule muc_create as follows:
{access, muc_create, [{allow, local}]}.
This rule matches only local users, i.e. accounts hosted on our own server.
Then we change the multi-user chat settings from
{mod_muc, [
  %%{host, "conference.@HOST@"},
  {access, muc},
  {access_create, muc},
  {access_persistent, muc},
  {access_admin, muc_admin}
]},
to the following
{mod_muc, [
  %%{host, "conference.@HOST@"},
  {access, muc},
  {access_create, muc_create},
  {access_persistent, muc_create},
  {access_admin, muc_admin}
]},
where we allow joining MUCs for everyone, but creating rooms and making them persistent only for local users. Administration is only allowed to the users matched by muc_admin.
Third, ejabberd implements the PubSub extension (XEP-0060), a publish-subscribe protocol used, for example, for news feeds. By default everyone can create PubSub nodes. We change
{access, pubsub_createnode, [{allow, all}]}.
to
{access, pubsub_createnode, [{allow, local}]}.
Finally, ejabberd stores passwords in plaintext by default, which is not advisable. To change that, we add the line
{auth_password_format, scram}.
to the config file (or change it accordingly, if present). This applies to the internal (Mnesia) authentication backend. Note that with SCRAM the server no longer holds the plaintext password, so SASL mechanisms that need it (such as DIGEST-MD5) stop working; clients authenticate with PLAIN or SCRAM-SHA-1 instead, which is one more reason to require TLS on client connections.
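As an added check that is not part of the original post: a small POSIX shell audit that reports which of the open defaults discussed above are still present in an ejabberd 2.1.x config file. It strips Erlang comments first so a commented-out line does not count. The two sample configs it can write are constructed fragments for illustration, not a complete ejabberd.cfg, and the file paths are assumptions.

```shell
#!/bin/sh
# Audit an ejabberd 2.1.x ejabberd.cfg for the open defaults covered above.
# Added example, not from the original post. Usage: sh audit.sh /etc/ejabberd/ejabberd.cfg

# _cfg_has PATTERN : true if the comment-stripped config matches the ERE PATTERN
_cfg_has() {
    printf '%s\n' "$STRIPPED" | grep -Eq "$1"
}

# _finding MESSAGE : report one open setting and count it
_finding() {
    echo "OPEN: $1"
    FINDINGS=$((FINDINGS + 1))
}

# audit_ejabberd_cfg FILE
# Prints one line per open setting; returns the number of findings (0 = hardened).
audit_ejabberd_cfg() {
    FINDINGS=0
    # Erlang comments start with '%'; drop them so "%%{host, ...}" style lines are ignored
    STRIPPED=$(sed 's/%.*$//' "$1")

    _cfg_has '\{access, *register, *\[\{allow, *all\}\]\}' \
        && _finding "in-band registration is allowed for everyone"
    _cfg_has '\{access_create, *muc\}' \
        && _finding "MUC room creation uses the 'muc' rule (everyone)"
    _cfg_has '\{access_persistent, *muc\}' \
        && _finding "persistent MUC rooms use the 'muc' rule (everyone)"
    _cfg_has '\{access, *pubsub_createnode, *\[\{allow, *all\}\]\}' \
        && _finding "PubSub node creation is allowed for everyone"
    _cfg_has '\{auth_password_format, *scram\}' \
        || _finding "auth_password_format is not scram (passwords stored in plaintext)"

    return $FINDINGS
}

# write_sample_cfg open|hardened FILE : write a constructed config fragment for testing
write_sample_cfg() {
    case "$1" in
    open)
        cat >"$2" <<'EOF'
%% constructed sample fragment with the 2.1.x defaults, not a full ejabberd.cfg
{access, register, [{allow, all}]}.
{access, muc, [{allow, all}]}.
{access, pubsub_createnode, [{allow, all}]}.
{mod_muc, [
  %%{host, "conference.@HOST@"},
  {access, muc},
  {access_create, muc},
  {access_persistent, muc},
  {access_admin, muc_admin}
]},
EOF
        ;;
    hardened)
        cat >"$2" <<'EOF'
%% constructed sample fragment after applying the changes above
{access, register, [{deny, all}]}.
{access, muc, [{allow, all}]}.
{access, muc_create, [{allow, local}]}.
{access, pubsub_createnode, [{allow, local}]}.
{auth_password_format, scram}.
{mod_muc, [
  %%{host, "conference.@HOST@"},
  {access, muc},
  {access_create, muc_create},
  {access_persistent, muc_create},
  {access_admin, muc_admin}
]},
EOF
        ;;
    esac
}

# When run with a path argument, audit that file and exit with the number of findings.
if [ $# -ge 1 ]; then
    audit_ejabberd_cfg "$1"
fi
```

The exit status is the number of open settings, so the script can gate a deployment (`sh audit.sh /etc/ejabberd/ejabberd.cfg || echo "config still open"`). The patterns are deliberately literal matches of the lines this post edits; they will not catch a rule that is opened up through a differently named ACL.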
To back up the database, which holds the registered users and their rosters (contact lists), we can use the ejabberdctl utility:
ejabberdctl backup /path/to/backupfile
We can restore that binary backup with
ejabberdctl restore /path/to/backupfile
(ejabberdctl dump and ejabberdctl load do the same with a text-format file; dump and restore are not a matching pair.) Note that the backup contains the Mnesia database only; ejabberd.cfg itself has to be copied separately.
Using material from Dan Siemon.