jitsi / jitsi-meet

Jitsi Meet - Secure, Simple and Scalable Video Conferences that you use as a standalone app or embed in your web application.
https://jitsi.org/meet
Apache License 2.0

Set up server defaults (i.e. password by default) to avoid "jitsibombing" #5579

Closed fpesari closed 4 years ago

fpesari commented 4 years ago

Hello,

these days, due to the COVID-19 pandemic, a lot of people are using Jitsi Meet for school, work or communication. Many of those people aren't really technology experts, they just want an easy way to do videoconferencing, and as such they are not able to set up Jitsi Meet in a secure way.

Unsecured rooms by default are susceptible to random people coming in and spamming inappropriate images and sounds. This is already happening on Zoom, a phenomenon which has been dubbed by media "Zoombombing".

The article I linked above talks about Zoom but proposes a good number of precautions which could be taken by Jitsi Meet by default. Asking for passwords on room creation is perhaps the most important one, just to prevent those trolls who try to join rooms at random.

ghost commented 4 years ago

It is easy to register an organizer who can open a room. Only when the organizer is there, other people can join. This avoids your fears.

Assuming you own the domain

Change vim /etc/prosody/conf.avail/meet.yourdomain.com.cfg.lua

To

VirtualHost "meet.yourdomain.com"
    authentication = "internal_plain"

and add at the end

VirtualHost "guests.meet.yourdomain.com"   
   authentication = "anonymous"    
   c2s_require_encryption = false

Edit the file:

vim /etc/jitsi/meet/meet.yourdomain.com-config.js

and add the anonymousdomain or uncomment the section (it's already present):

hosts: {
        // XMPP domain.
        domain: 'meet.yourdomain.com',

        // When using authentication, domain for guest users.
        anonymousdomain: 'guests.meet.yourdomain.com',

Finally add the following line to the file

vim /etc/jitsi/jicofo/sip-communicator.properties

org.jitsi.jicofo.auth.URL=XMPP:meet.yourdomain.com

Register your new user

prosodyctl register USERNAME meet.yourdomain.com PASSWORD

Restart everything with

service prosody restart
service jicofo restart
service jitsi-videobridge2 restart

And you are done.
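Added example, not part of the original thread or of the Jitsi project's code: the three files edited in the comment above have to agree on the same two domain names, and this Python checker reports where they do not. The function names and the embedded sample inputs are constructed for illustration; only the keys and values shown in the comment are assumed.

```python
import re

def parse_prosody(text):
    """Map each VirtualHost name to its authentication value (None if unset)."""
    hosts, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("--"):                      # Lua comment
            continue
        if m := re.match(r'VirtualHost\s+"([^"]+)"', line):
            current = m.group(1)
            hosts[current] = None
        elif current and (m := re.match(r'authentication\s*=\s*"([^"]+)"', line)):
            hosts[current] = m.group(1)
    return hosts

def parse_config_js(text):
    """Return the first uncommented domain / anonymousdomain values."""
    found = {}
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"(domain|anonymousdomain)\s*:\s*'([^']+)'", line):
            found.setdefault(m.group(1), m.group(2))
    return found

def parse_properties(text):
    pairs = (l.strip().split("=", 1) for l in text.splitlines() if "=" in l)
    return {k.strip(): v.strip() for k, v in pairs if not k.startswith("#")}

def check_secure_domain(prosody_cfg, config_js, jicofo_props):
    """Return a list of inconsistencies between the three files (empty = consistent)."""
    hosts, js = parse_prosody(prosody_cfg), parse_config_js(config_js)
    auth_url = parse_properties(jicofo_props).get("org.jitsi.jicofo.auth.URL")
    domain, guest = js.get("domain"), js.get("anonymousdomain")
    problems = []
    if hosts.get(domain) != "internal_plain":
        problems.append(f"no internal_plain VirtualHost matches config.js domain {domain!r}")
    if guest is None:
        problems.append("anonymousdomain is missing or still commented out")
    elif hosts.get(guest) != "anonymous":
        problems.append(f"no anonymous VirtualHost matches anonymousdomain {guest!r}")
    if auth_url != f"XMPP:{domain}":
        problems.append(f"jicofo auth.URL is {auth_url!r}, expected 'XMPP:{domain}'")
    return problems

# Constructed sample inputs using the thread's placeholder domain.
PROSODY = '''VirtualHost "meet.yourdomain.com"
    authentication = "internal_plain"
VirtualHost "guests.meet.yourdomain.com"
    authentication = "anonymous"
    c2s_require_encryption = false
'''
CONFIG_JS = """hosts: {
    domain: 'meet.yourdomain.com',
    anonymousdomain: 'guests.meet.yourdomain.com',
},"""
JICOFO = "org.jitsi.jicofo.auth.URL=XMPP:meet.yourdomain.com\n"

if __name__ == "__main__":
    print(check_secure_domain(PROSODY, CONFIG_JS, JICOFO) or "consistent")
```

An empty list means the authenticated domain, the guest domain and the jicofo auth URL all line up; each string in a non-empty list names one mismatch.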

fpesari commented 4 years ago

Yes, of course this is very easy to do if someone has the skills! We're on an issue tracker on Github, of course we are not talking about the kind of people who would post here.

I live in Italy, and in our schools it's (sadly) not very common to have sysadmins setting up servers - as a matter of fact, even universities rely on Google and Microsoft for many digital services.

Jitsi Meet is at the moment a bit of an exception. I personally know about at least one middle school using it. Now, this is a very important step for libre software, as most schools by now are entangled with proprietary SaaS.

But those schools are using it via meet.jit.si and teachers aren't necessarily technically skilled enough to set up a safe server. Since some of our mainstream media are a bit sensationalist, if things like zoombombing were to happen during a class meeting some of them would probably blame Jitsi Meet instead of the teachers who can't set up their meetings*. And this would give proprietary teleconferencing providers a huge PR opportunity to offer their services to those schools that are using Jitsi Meet at the moment, damaging the students' rights in other ways.

* = In their defense, they can't because nobody taught them, since they switched to e-learning out of necessity

ghost commented 4 years ago

I fully understand your concerns, but the whole system was probably designed to be easy to set up and use without a password. As long as the room is not known, it should not be a problem, should it?

bairdj commented 4 years ago

I agree that one of the key features of Jitsi Meet is that it can be used without any setup or password, however this is a valid concern, especially for public servers that may be used by users with less technical knowledge.

A potential solution could be that if a user joins a room, and is the first user there, a prompt asks whether they would like to set a password. There could also be a message explaining that without a password, anyone with the link would be able to join the meeting. This could be enabled in the server's config. More than anything this would just be highlighting to the user that they're on a public server and they shouldn't consider their meeting to be private

saghul commented 4 years ago

Duplicate of https://github.com/jitsi/jitsi-meet/issues/5407 - please feel free to drop by on that issue and add anything that could be missing. We are currently working to address this.

shubhamalive commented 4 years ago

It is easy to register an organizer who can open a room. Only when the organizer is there, other people can join. This avoids your fears.

Assuming you own the domain meet.yourdomain.com

Change vim /etc/prosody/conf.avail/meet.yourdomain.com.cfg.lua

To

VirtualHost "meet.yourdomain.com"
    authentication = "internal_plain"

and add in the end

VirtualHost "guests.meet.yourdomain.com"   
   authentication = "anonymous"    
   c2s_require_encryption = false

Edit the file:

vim /etc/jitsi/meet/meet.yourdomain.com-config.js

and add the anonymousdomain:

hosts: {
        // XMPP domain.
        domain: 'meet.yourdomain.com',

        // When using authentication, domain for guest users.
        anonymousdomain: 'guests.meet.yourdomain.com',

Finally add the following line to the file

vim /etc/jitsi/jicofo/sip-communicator.properties

org.jitsi.jicofo.auth.URL=XMPP:meet.yourdomain.com

Register your new user

prosodyctl register USERNAME meet.yourdomain.com 'PASSWORD

Restart everything with

service prosody restart
service jicofo restart
service jitsi-videobridge2 restart

And you are done.

Hey,

I tried this but am getting an error after changing the config(s). If I start a meeting and log in to it, it still keeps me on the same page with the same popup "Waiting for the host...". This error vanishes if I refresh the tab. But for the other person who has the link and joins, it still displays "Waiting for the host...", so overall it's not working anymore, as even if I log in from 2 places it doesn't connect.

My Config files look like this:-

My domain 'examle.in'

File vim /etc/prosody/conf.avail/meet.yourdomain.com.cfg.lua

VirtualHost "example.in"
     authentication = "internal_plain"

VirtualHost "guests.example.in"
    authentication = "anonymous"
    c2s_require_encryption = false

File /etc/jitsi/meet/example.in-config.js

var config = {
    hosts: {
            domain: 'example.im',
            anonymousdomain: 'guests.example.in',
            ...
        },
        ...
}

File vim /etc/jitsi/jicofo/sip-communicator.properties

 `org.jitsi.jicofo.BRIDGE_MUC=JvbBrewery@internal.auth.example.in`
 `org.jitsi.jicofo.auth.URL=XMPP:example.in`

Does anything need to be fixed?


ghost commented 4 years ago

Hi @shubhamalive,

Too bad it won't work for you, but maybe we can work this out.

Did you restart the services or try to reboot the system?

service prosody restart
service jicofo restart
service jitsi-videobridge2 restart

Did you create a user like you indicated here?

prosodyctl register USERNAME meet.yourdomain.com 'PASSWORD

What happens if you click at "I am the host"?

shubhamalive commented 4 years ago

Hey @xilentura, yes, I have restarted the services and restarted the server. And yes, I created the user with the same cmd.

When I click "I am the host" it asks for ID and password. When I entered the correct credentials it just tries to obtain the ID and then the same popup is present. Now if I refresh, it doesn't show the popup, and not only for this meeting; it doesn't show it for any new meetings I try to create. But most importantly, even if I am in, others can't join the meeting. It asks them too for the host ID & password.

spinspider commented 4 years ago

Is this issue fixed? Even I'm facing the same issue, like "you are not the host".

ghost commented 4 years ago

Hi @spinspider and @shubhamalive ,

Meanwhile, I'm using the Jitsi Docker image and it works here the same way as written or stated here.

I've recognized a typo in my instructions:

prosodyctl register USERNAME meet.yourdomain.com 'PASSWORD

should be

prosodyctl register USERNAME meet.yourdomain.com PASSWORD

without the quotation mark (or try it on both sides of the password like 'PASSWORD').

Another way is to specify the path to the prosody config file:

prosodyctl --config /config/prosody.cfg.lua register USERNAME meet.jitsi PASSWORD

You should be able to list all current Jitsi users with the following command:

find /config/data/meet%2ejitsi/accounts -type f -exec basename {} .dat \;

All the best!