January 30, 2015

When installing the XMPP server ejabberd (version 2.1.x) the configuration is quite open. Let's see how we can secure this.

1. Securing ejabberd

There are several things to secure.

1.1. Registration

All the settings are located in /etc/ejabberd/ejabberd.cfg. At the moment, everyone can register on our server. To change that, we find the line

{access, register, [{allow, all}]}.

and change it to

{access, register, [{deny, all}]}.

We can still register users on the command line using

ejabberdctl register user host password

1.2. Multi-user chat

Second, we want to prevent arbitrary users from creating multi-user chats (MUC) on our server. Search for the line

{access, muc, [{allow, all}]}.

in your configuration. This specifies that the predicate muc is valid for all users. We create a new predicate muc_create as follows:

{access, muc_create, [{allow, local}]}.

Now this is only valid for local users.

Then we change the multi-user chat settings from

{mod_muc, [
    %%{host, "conference.@HOST@"},
    {access, muc},
    {access_create, muc},
    {access_persistent, muc},
    {access_admin, muc_admin}
]},

to the following

{mod_muc, [
    %%{host, "conference.@HOST@"},
    {access, muc},
    {access_create, muc_create},
    {access_persistent, muc_create},
    {access_admin, muc_admin}
]},

This allows everyone to access the MUCs, but restricts room creation and persistent room creation to local users. Administration is only allowed for admins.

1.3. Pubsub

Third, ejabberd implements the Pubsub extension, which is a publish-subscribe protocol (e.g., for newsfeeds). To allow only local users to create nodes, we change

{access, pubsub_createnode, [{allow, all}]}.

to

{access, pubsub_createnode, [{allow, local}]}.

1.4. Password

Finally, ejabberd stores passwords in plaintext, which is not advisable. To change that, we add the line

{auth_password_format, scram}.

to the config file (or change it accordingly, if present).
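
A way to check an existing ejabberd.cfg for the four weak settings from sections 1.1 to 1.4. This is an added example, not part of the original post or of ejabberd; the function names and the sample config are constructed here, and the parser is a simplification that only understands the terms shown above.

```python
import re

def load(text):
    """Drop Erlang '%' comments and all whitespace (assumes no '%' in strings)."""
    return re.sub(r"\s+", "", re.sub(r"%.*", "", text))

def access_rules(cfg):
    """Map rule name -> ordered [(action, acl)] from {access, Name, [...]}. terms."""
    return {name: re.findall(r"\{(allow|deny),(\w+)\}", body)
            for name, body in re.findall(r"\{access,(\w+),\[(.*?)\]\}\.", cfg)}

def open_to_all(rules, name):
    """First matching entry wins, so the first entry for acl 'all' decides."""
    for action, acl in rules.get(name, []):
        if acl == "all":
            return action == "allow"
    return False

def audit(text):
    """Return one finding per weak setting from sections 1.1 to 1.4."""
    cfg = load(text)
    rules, findings = access_rules(cfg), []
    if open_to_all(rules, "register"):
        findings.append("1.1 register: open to everyone")
    # access_create and access_persistent are the mod_muc options from section 1.2
    for opt in ("access_create", "access_persistent"):
        m = re.search(r"\{%s,(\w+)\}" % opt, cfg)
        if m and open_to_all(rules, m.group(1)):
            findings.append("1.2 mod_muc %s: open rule %s" % (opt, m.group(1)))
    if open_to_all(rules, "pubsub_createnode"):
        findings.append("1.3 pubsub_createnode: open to everyone")
    if "{auth_password_format,scram}." not in cfg:
        findings.append("1.4 auth_password_format: not set to scram")
    return findings

# Constructed sample: the "before" settings quoted in sections 1.1 to 1.3.
BEFORE = """
{access, register, [{allow, all}]}.
{access, muc, [{allow, all}]}.            % a trailing comment
{access, pubsub_createnode, [{allow, all}]}.
{modules, [{mod_muc, [
    %%{host, "conference.@HOST@"},
    {access, muc}, {access_create, muc},
    {access_persistent, muc}, {access_admin, muc_admin}]}]}.
"""

if __name__ == "__main__":
    for finding in audit(BEFORE):
        print(finding)
```

A file with all four changes applied yields an empty list, and a commented-out auth_password_format line still counts as missing.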

2. Backups

To back up the configuration and the registered users with their rosters (contact lists), we can use the ejabberdctl utility:

ejabberdctl dump /path/to/backupfile

We can restore the backup file with

ejabberdctl restore /path/to/backupfile

Using material from Dan Siemon.
