(51 intermediate revisions not shown) |
Line 1: |
Line 1: |
- | If you are interested in donating/linking an IRC server to DareNET, please join #routing on the network to speak with a Routing Team representative, or e-mail routing[at]darenet.org.
| + | #REDIRECT [[Policy:Linking Guidelines]] |
- | | + | |
- | == What the Routing Team looks for when considering linking a new server ==
| + | |
- | | + | |
- | <pre>
| + | |
- | | + | |
- | a) The IRC server must be permitted and supported by the administration of the
| + | |
- | machine and network that it is sitting on.
| + | |
- | | + | |
- | If a server is not being linked by the hosting organization, or employees
| + | |
- | of the hosting organization (e.g. it is a colocated server), uplink support
| + | |
- | must be given prior to applying for a DareNET link. In addition, a contact
| + | |
- | address for an individual at the hosting entity should be given to verify
| + | |
- | such support.
| + | |
- | | + | |
- | b) The server administrators must be reasonably knowledgable about IRC and
| + | |
- | UNIX. They should be willing and able to answer most user questions that
| + | |
- | they encounter regarding DareNET and IRC. Additionally, they should know
| + | |
- | how their network reaches major internet backbones.
| + | |
- | | + | |
- | c) The machine is not required to be dedicated; however, they must adequately
| + | |
- | address any and all security concerns and be sufficient to properly run an
| + | |
- | IRC server. Upon application submission, you agree to consent to a port scan
| + | |
- | and other unobtrusive probes to verify this information. A fully dedicated
| + | |
- | server or a semi-dedicated server (with other forms of access filtered)
| + | |
- | is highly preferred.
| + | |
- | | + | |
- | The machine should be reasonably modern and should have at least a 500MHz
| + | |
- | or faster CPU and 256M (512 highly prefered) or more of total RAM.
| + | |
- | | + | |
- | (*) xntpd is not a requirement but clock synchronization
| + | |
- | is. ntpdate run on a regular basis should suffice
| + | |
- | (at least once a day).
| + | |
- | | + | |
- | All vunerabilities in your irc server's OS should be patched and updated
| + | |
- | as soon as possible. Likewise, if a vunerability arises in any of the
| + | |
- | running daemons such as sshd or ircd, those should be updated as soon as
| + | |
- | possible as well.
| + | |
- | | + | |
- | The nameserver that the machine is running should be a current & secure
| + | |
- | version. Information on which version of BIND is current and secure can
| + | |
- | be found at http://www.isc.org/products/BIND/bind-security.html.
| + | |
- | | + | |
- | d) Running a server requires that the rest of the IRC network put a lot of
| + | |
- | trust in you. People who are known not to be trustworthy or who have a
| + | |
- | history of not acting in the best interests of DareNET will typically be
| + | |
- | denied server links. This includes proposed opers.
| + | |
- | | + | |
- | e) New servers MUST be on a multihomed network. We must also be able to
| + | |
- | verify that your server is on a multihomed network, via BGP announcements.
| + | |
- | | + | |
- | IRC servers tend to attract their fair share of Denial of Service attacks
| + | |
- | and hack attempts. These attacks can often times be several hundred mbit/sec,
| + | |
- | with several hundred thousand packets per second. Often times these attacks
| + | |
- | are also not directed at irc servers directly, but at neighboring routers
| + | |
- | or machines.
| + | |
- | | + | |
- | These attacks can often times cripple even the most robust and diverse
| + | |
- | networks. New applicants must be aware of this, and not only be ready
| + | |
- | to deal with it, but must be versed in methods of combating and protecting
| + | |
- | your server from Denial of Service attacks.
| + | |
- | | + | |
- | f) The server MUST be protected from attacks resulting from ARP hijacking.
| + | |
- | One way to accomplish this is by utilizing static arp addressing on your
| + | |
- | router. Ideally, the server should be on its own IP subnet and VLAN.
| + | |
- | | + | |
- | g) All server administrators must grant DareNET's Routing Team access to the
| + | |
- | account running ircd by means of password and ssh public key. The server
| + | |
- | daemon runs as a user program under a vanilla end-user account (frequently
| + | |
- | called "darenet"), with no setuid or special privilege. Configuration files
| + | |
- | are deployed from a central location using ssh and scp. New servers are
| + | |
- | either staged as binary files or recompiled on the server account, depending
| + | |
- | on architecture and other factors.
| + | |
- | </pre>
| + | |
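Review bot: The redirect on new line 1 (#REDIRECT [[Policy:Linking Guidelines]]) replaces the entire page, so every removed requirement now exists only if the target page carries it, and this diff does not show that page. Before accepting, confirm that Policy:Linking Guidelines still covers the security-relevant items removed here: the consent to a port scan and the patching of the OS, sshd and ircd in c), the multihoming and Denial of Service readiness in e), the ARP hijacking protection in f), and the Routing Team's password and ssh public key access to the unprivileged ircd account in g), along with the contact points in the removed first line (#routing and routing[at]darenet.org). Because the header notes 51 intermediate revisions not shown, the removed side is the oldest revision rather than the text that was live just before the redirect, so the comparison against the target should be made from the last non-redirect revision.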