I just went around and did some basic nmap-ing on the most popular Mastodon instances, and there's some seriously sketchy stuff in there. Publicly reachable Postgres servers, tons of open internal HTTP ports, SSH with password login, multiple Mastodon instances that seem to be running on mail server VMs, …

I guess if you're just running a single-user instance for yourself, sure, but those are all 2000+ user instances.

@lutoma I guess people need to go through a sysadmin crash course before going through a mastodon install tutorial. Such a tutorial cannot cover current system hygiene and security.

@plemaire @lutoma Ideally the tutorial would guide people through setting up an instance *securely*. So don't open PostgreSQL to everyone "because it makes the tutorial easier", etc.

@plemaire @lutoma If professional system administrators can't seem to manage to pull security off, I don't expect any amount of crash course is going to fix the enthusiastic amateurs. Best bet is to secure as much as possible by default in the docker image.
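The findings in this thread (a database listener reachable from the internet, internal application ports exposed, SSH password login) are things an instance operator can check on their own host. The following is an added example, not code from the thread or the Mastodon project: it parses `ss -tlnp` output for listeners bound to all interfaces outside a small allow-list and checks an `sshd_config` for password authentication. The allow-list (22, 80, 443) and the sample process names and ports are assumptions for the example.

```shell
#!/bin/sh
# Added defender-side audit helper; not code from the thread. It flags listening
# sockets bound to every interface (0.0.0.0, * or [::]) whose port is not on a
# small allow-list, and checks whether an sshd_config still permits password
# login. Input is the text format of `ss -tlnp`. The allow-list (22, 80, 443)
# and the service names in the sample are assumptions for this example.

ALLOWED_PORTS="22 80 443"

# flag_exposed: read `ss -tlnp` output on stdin; print "PORT PROCESS" for each
# LISTEN socket on a wildcard address whose port is not in ALLOWED_PORTS.
flag_exposed() {
    awk -v allowed="$ALLOWED_PORTS" '
        BEGIN { split(allowed, a, " "); for (i in a) ok[a[i]] = 1 }
        $1 != "LISTEN" { next }                                 # skips the header too
        {
            n = split($4, parts, ":"); port = parts[n]          # text after last colon
            addr = substr($4, 1, length($4) - length(port) - 1) # everything before it
            if ((addr == "0.0.0.0" || addr == "*" || addr == "[::]") && !(port in ok)) {
                proc = "unknown"
                if (match($0, /users:\(\("[^"]+"/))             # users:(("name",...
                    proc = substr($0, RSTART + 9, RLENGTH - 10)
                print port, proc
            }
        }'
}

# ssh_password_auth_enabled FILE: succeeds (exit 0) when FILE enables password
# login, either explicitly or by omitting the directive (OpenSSH defaults to yes).
ssh_password_auth_enabled() {
    awk 'tolower($1) == "passwordauthentication" { found = 1; val = tolower($2) }
         END { if (!found || val == "yes") exit 0; exit 1 }' "$1"
}

# Constructed sample mirroring the thread: PostgreSQL plus the Mastodon web and
# streaming listeners reachable on all interfaces; Redis correctly on loopback.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      244    0.0.0.0:5432        0.0.0.0:*         users:(("postgres",pid=812,fd=5))
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=640,fd=3))
LISTEN 0      511    0.0.0.0:443         0.0.0.0:*         users:(("nginx",pid=902,fd=6))
LISTEN 0      1024   0.0.0.0:3000        0.0.0.0:*         users:(("puma",pid=1201,fd=7))
LISTEN 0      511    [::]:4000           [::]:*            users:(("node",pid=1300,fd=18))
LISTEN 0      4096   127.0.0.1:6379      0.0.0.0:*         users:(("redis-server",pid=700,fd=6))'

echo "Listeners exposed on all interfaces (port process):"
printf '%s\n' "$SAMPLE_SS" | flag_exposed
# On a live host, replace the sample with:  ss -tlnp | flag_exposed
```

Anything the script prints should either be fronted by the reverse proxy and bound to loopback, or restricted by a host firewall; for PostgreSQL that also means checking `listen_addresses` and `pg_hba.conf`.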