Mastodawn

I just went around and did some basic nmap-ing on the most popular Mastodon instances, and there's some seriously sketchy stuff in there. Publicly reachable Postgres servers, tons of open internal HTTP ports, SSH with password login, multiple Mastodon instances that seem to be running on mail server VMs, …

I guess if you're just running a single-user instance for yourself, sure, but those are all 2000+ user instances.

Philippe Lemaire :squid:Apr 11, 2017

@lutoma I guess people need to go through a sysadmin crash course before going through a mastodon install tutorial. Such a tutorial cannot cover current system hygiene and security.

ebel Apr 11, 2017

@plemaire @lutoma Ideally the tutorial would guide people through setting up an instance *securely*. So don't open PostgreSQL to everyone "because it makes the tutorial easier". etc

Drewry Apr 11, 2017

@plemaire @lutoma If professional system administrators can't seem to manage to pull security off, I don't expect any amount of crash course is going to fix the enthusiastic amateurs. Best bet is to secure as much as possible by default in the docker image.

Mike Patton ✅Apr 11, 2017

@lutoma Be my guest and run one against masto.nine-hells.net - I have nothing to hide. :)

Lukas Martini Apr 11, 2017

@machiavelli Looks good at first glance :)

Mike Patton ✅Apr 11, 2017

@lutoma Thanks for that!

OliverUv Apr 11, 2017

@lutoma contacting admins with details I hope?

Lukas Martini Apr 11, 2017

@OliverUv yes, that's the plan. It'll probably take me a while though.

Olivier 🇧🇪Apr 11, 2017

@lutoma What is the problem with ssh and password login?

Lukas Martini Apr 11, 2017

@monnoliv SSH is perfectly fine, password login can be fine if the passwords are secure enough, but it's much better to use key authentication (and more convenient too!).

Olivier 🇧🇪Apr 11, 2017

@lutoma Yes but the problem with auth key is
1. you lose the key -> server brick
2. If someone has access to your PC, he can log on your server without password.
It's the reason why I always log with password (saved only in my head)

Lukas Martini Apr 11, 2017

@monnoliv You can encrypt your private key with a password, so that in order to use the key, you need to enter a password. That way you get the best of both. If you're afraid you might lose the key, consider putting it on a usb stick or something in its password-encrypted form.

Olivier 🇧🇪Apr 11, 2017

@lutoma Yes I know but I'm a bit paranoid.
Then I use fail2ban against brute force attack

Maj. Tohru Kobayashi Apr 11, 2017

@lutoma yeah I should at least lock down the internal HTTP ports, i'm aware my instance exposes that. (Nmappng your own shit is a good idea)

David Apr 11, 2017

@lutoma what would your recommendations be? Could you write a small set of recommendations, and send them in, as a PR, to Mastodon docs?

Lukas Martini Apr 11, 2017

@david Yep, already considered doing that. Not sure if I'll manage to do that today, but maybe some time this week.

Dirk Jäckel Apr 11, 2017

@lutoma How did you find SSH servers that allow password authentication using nmap?

Lukas Martini Apr 11, 2017

@dirkjaeckel I didn't, I tested that separately

Doc Edward Morbius ❌Apr 11, 2017

@lutoma I'd say it's time to build some securing-your-instance steps into the build-and-deployment process.

HN discussion: https://news.ycombinator.com/item?id=14086803

Lukas Martini Apr 11, 2017

@dredmorbius Yes, that's on the todo list.

Doc Edward Morbius ❌Apr 11, 2017

@lutoma Being really clear: /in the deployment process/, which means on Github.

Though drafting the recs, specs, and steps first is a prerequisite. This is mostly clarification for others' benefit, not yours.

Doc Edward Morbius ❌Apr 11, 2017

@lutoma First, thanks. Second: doing this on an ongoing basis and publishing results would be good. Maybe after an initial "fix yo mess" period.

Third: I'd love to hear from the OS / D* side what practices on securing and scanning are. @maiyannah @moonman @deadsuperhero

Fourth: has @Gargron been pinged yet?

[INACTIVE] R ✅Apr 11, 2017

@dredmorbius hey, just a friendly reminder: it's build by everyone, so go ahead ;) @lutoma @moonman @deadsuperhero @Gargron

JantsoP Apr 11, 2017

@lutoma You should maybe open this a bit more. First of all, all affected services are run by manual installs, not docker images. Did some testing on known docker servers and all are only reporting HTTP/HTTPS, SSH and Docker ports open. Second: Sure, server has password auth, but do you know if they have any other security measures place after that? They could an two-way auth or something else waiting after that.

Lukas Martini Apr 11, 2017

@JantsoP I agree that in and for itself, most of these things aren't critical issues. But most of these look like typical mistakes made by inexperienced admins, which doesn't exactly instill confidence in other parts of the setup that aren't as easily publicly visible (but potentially more relevant for security).

Webosoof Apr 11, 2017

@lutoma
Thanks for the info !

:pineapple:

#Mastodon #server #park #description

toot :elephant:

T045T Apr 11, 2017

@lutoma can you link to a guide on what to probe for? I'm pretty sure I've locked scl.zmb.cm down well enough, but would like to double check :)

Fuzznucket :white_check_mark: Apr 11, 2017

@lutoma meet @Gargron - the founder and @JantsoP :)

stephenjahl Apr 11, 2017

@lutoma maybe docs on security best practices would help? A quick glance at the mastodon production guide isn't showing me a focus on security.

Lukas Martini Apr 11, 2017

@stephenjahl Agreed, and I've put adding some docs on it to my todo.

STuFF Apr 11, 2017

@lutoma that's the real problem with decentralized instances... security.

Guillaume Apr 11, 2017

@lutoma About that: Mastodon's port 3000 and 4000 and commonly available, but I don't know if that's really a flaw

mulander Apr 11, 2017

@lutoma it's caused by things like this tutorial https://github.com/ummjackson/mastodon-guide/blob/master/up-and-running.md starting off with "Step 1. Create a mastodon user with root privileges". With the attitude presented here https://mastodon.social/@ummjackson/2037637 I don't think it will be remedied at all...

donb Apr 11, 2017

@lutoma it would be useful for you to write up a guide on how to deploy Mastodon in a reasonably secure manner, citing these issues. That way, everyone can improve using one centralized guide.

luisbg :coffee:Apr 11, 2017

@lutoma is toot.cafe one of worrying ones in the list?

Dan Jones Apr 11, 2017

@lutoma May the internet remain sketchy, unserious, anonymous & transient, for ever and ever. Amen.

Srv-02 ✅Apr 11, 2017

@lutoma Centralization is not always a bad thing. There should be some best practices to run an instance.

Mitchell Apr 11, 2017

@lutoma Doesn't SSH always return a password prompt? (Mine does - and passwordlogin is disabled) although the postgres servers being accessible kinda scary - you should also know that depending on the country the server is hosted in it is actually illegal to nmap it without the admin/owner consent - so I would definitely contact them and see if you can help them with closing unwanted ports :D

Ckl[N]oob Apr 11, 2017

@thomas_virtubox
hey Admin you are not subject to all these issues are you ?

Thomas SUCHON Apr 11, 2017

@Ckln No, there are no issues on this side :smiley:

ashley Apr 11, 2017

@lutoma [runs scans on my playground servers] uh why are ports 3000 and 4000 not listening on only localhost??!

Royal Rivera:tophat: Apr 11, 2017

@lutoma This is a huge issue we discussed early on, lots of newer admins spinning up instances and not knowing how to properly secure them. Its going to eventually lead to a lot of breaches.

Ian Littman Apr 11, 2017

@lutoma A user friendly tool you could run on (an/your own) instance, even if it's just a bash script in a Gist, may help with this. Wonder whether the default Docker setup is secure.

bradj Apr 11, 2017

@lutoma You should notify the admins. That's scary.

kaiyou Apr 11, 2017

@lutoma That's pretty cool if you are doing it legally. Next step would be alerting the admin contact about the most obvious mistakes.

Lukas Martini Apr 11, 2017

@kaiyou Yes, I plan to talk to each admin as soon as I have time to do so

Renn Kane Apr 11, 2017

@lutoma On an instance, I was actually able to login on ssh with the mastodon user using the password "mastodon". Wondering how many instances share the same issue.

badosu ✅Apr 11, 2017

@dolfsquare @lutoma Please report this to the concerning admin, as this information is enough for a determined enough malicious agent to use the same exploit!

Renn Kane Apr 11, 2017

@badosu @lutoma I obviously did it, and he fixed it

badosu ✅Apr 11, 2017

@dolfsquare @lutoma Thanks!

Lloyd Apr 12, 2017

@lutoma Wow, nice find.

I found that there's a nice easy way for beginners to deploy their own Mastodon instance on Heroku, which should be quite safe.

https://github.com/tootsuite/documentation/blob/master/Running-Mastodon/Heroku-guide.md

Doc Edward Morbius ❌Apr 12, 2017

@eileenb If you hadn't already seen this, look upstream.

https://ohai.su/users/lutoma/updates/166

Eileen Brown ☑️Apr 12, 2017

@dredmorbius aah thanks - think I saw that that yesterday. Still working out how to positing this piece and be balanced..

🌭Apr 12, 2017

@lutoma let the games begin?

Derek I. Batting 💬🍵Apr 13, 2017

@lutoma Might want to bring it to the attention of the appropriate admins.

Anderath Apr 14, 2017

@lutoma How cool would it be to have a CTF of Mastodon communities? I kinda like the idea of that but the winner in this case would be a more secure social network because we can plug the holes.

#CTF #FamilyMatters