Why is /etc group writable on a clean Scaleway Ubuntu server based on their image is all I want to know right now.

You know what would be great? If fog-openstack doesn't change what kind of configuration it expects for, like, one release.

On the bright side, I guess we now have 20G of free disk space for future database growth.

I suppose this is the point where it's finally paid off to have a Content-Security-Policy in place. Mastodon should really ship one by default 😐

Hi Fediverse! We've finally arrived here, too. ;) ^k

elasticsearch in single-node deployments is always good for a surprise is all I'm saying

Me whenever I see tech people trying to interpret GDPR somewhere online:

Here's a version of the block list you can dump in your nginx to get rid of the bots:


The advantage of using nginx here instead of your firewall/iptables is that you'll have an easier time checking for false positives in logs (in case I fucked up); the bots follow a predictable pattern (GET / then GET /auth/sign_up) while real traffic would stand out.

Here's a slightly revised CIDR list that seems to cover all the IPs used by the spammers so far:


(some CIDRs are redundant because they're from different sources)

Hopefully that'll do for now.

Definitely looks like a spam campaign. So far all accounts signed up from the same ISP. Here's a script you can paste in your rails console to find all users from IP ranges belonging to that ISP (assuming I didn't miss any):


To get to the rails console, run this in /home/mastodon/live as the mastodon user:

RAILS_ENV=production bundle exec rails c

You might also want to temporarily ban those IP ranges if the sign-ups don't stop. I did.
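An added example (not the author's script) of the kind of check that post describes: matching the IPs Devise's trackable module stores on Mastodon's User model against an ISP's CIDR list. The CIDRs and user records below are constructed placeholders, and the Postgres inet query in the comment is an assumption about the column types.

```ruby
require 'ipaddr'

# Constructed placeholder ranges standing in for the ISP's CIDR list (not the real ones).
SUSPECT_CIDRS = %w[203.0.113.0/24 198.51.100.0/25].map { |c| IPAddr.new(c) }.freeze

# The two IP columns Devise :trackable maintains on User in Mastodon.
IP_COLUMNS = %i[current_sign_in_ip last_sign_in_ip].freeze

# Constructed sample records shaped like User rows; only the IP columns matter here.
SAMPLE_USERS = [
  { id: 1, email: 'alice@example.org', current_sign_in_ip: '192.0.2.10',     last_sign_in_ip: '192.0.2.10' },
  { id: 2, email: 'bot1@example.net',  current_sign_in_ip: '203.0.113.42',   last_sign_in_ip: '203.0.113.7' },
  { id: 3, email: 'bot2@example.net',  current_sign_in_ip: nil,              last_sign_in_ip: '198.51.100.9' },
  { id: 4, email: 'carol@example.org', current_sign_in_ip: '198.51.100.200', last_sign_in_ip: nil }
].freeze

# True when +ip+ falls inside any of +cidrs+; nil, empty and malformed values never match,
# so a user who has never signed in or has a garbage column does not blow up the sweep.
def ip_in_ranges?(ip, cidrs = SUSPECT_CIDRS)
  return false if ip.nil? || ip.to_s.empty?

  addr = IPAddr.new(ip.to_s)
  cidrs.any? { |cidr| cidr.include?(addr) }
rescue IPAddr::InvalidAddressError
  false
end

# Users whose current or last sign-in IP belongs to one of the ranges.
def users_from_ranges(users = SAMPLE_USERS, cidrs = SUSPECT_CIDRS)
  users.select { |u| IP_COLUMNS.any? { |col| ip_in_ranges?(u[col], cidrs) } }
end

# In the rails console the same selection can be pushed into Postgres, assuming the
# columns are of type inet (an assumption, check `User.columns_hash`):
#   cidrs = %w[203.0.113.0/24 198.51.100.0/25]
#   User.where("current_sign_in_ip <<= ANY(ARRAY[?]::inet[]) OR " \
#              "last_sign_in_ip <<= ANY(ARRAY[?]::inet[])", cidrs, cidrs)
#       .pluck(:id, :email, :current_sign_in_ip)

if __FILE__ == $PROGRAM_NAME
  users_from_ranges.each { |u| puts "#{u[:id]}\t#{u[:email]}\t#{u[:current_sign_in_ip] || u[:last_sign_in_ip]}" }
end
```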

Anyone else seeing spammy-looking signups from QUALITYNETWORK IP ranges?

Not deploying a simple HTTP header, something that literally every website security scan out there would flag, is apparently not a sign of crappy security practices, folks.

It's quite telling that infosec people are mostly talking about DNSSEC and what not instead of being like "Wait, you're telling me a cryptocurrency wallet handling millions every day did not deploy HSTS?"

No one's even surprised anymore.

Oh for fuck's sake, OpenSSL. Just when I was starting to think they'd finally gotten their shit together

TFW you're looking for XSS and accidentally find RCE

