I just went around and did some basic nmap-ing on the most popular Mastodon instances, and there's some seriously sketchy stuff in there. Publicly reachable Postgres servers, tons of open internal HTTP ports, SSH with password login, multiple Mastodon instances that seem to be running on mail server VMs, …

I guess if you're just running a single-user instance for yourself, sure, but those are all 2000+ user instances.

@lutoma What is the problem with ssh and password login?
@monnoliv SSH is perfectly fine, password login can be fine if the passwords are secure enough, but it's much better to use key authentication (and more convenient too!).
@lutoma Yes, but the problems with key auth are:
1. You lose the key -> bricked server.
2. If someone has access to your PC, he can log on to your server without a password.
That's why I always log in with a password (saved only in my head).
@monnoliv You can encrypt your private key with a password, so that in order to use the key, you need to enter a password. That way you get the best of both. If you're afraid you might lose the key, consider putting it on a usb stick or something in its password-encrypted form.
@lutoma Yes I know but I'm a bit paranoid.
Then I use fail2ban against brute-force attacks.
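A small audit of the server-side settings the thread keeps circling back to (password versus key login), written as an added example rather than anything the posters ran. It assumes the stock OpenSSH "Keyword value" syntax of sshd_config, and both sample configs below are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config for the settings
# discussed above and print the hardened values. The two configs are constructed.

# Effective value of one sshd_config keyword. OpenSSH uses the FIRST
# uncommented occurrence, keywords are case-insensitive, and an absent
# keyword falls back to the built-in default passed as $3.
sshd_effective() {
    val=$(awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/ { next }
        tolower($1) == key   { print $2; exit }' "$1")
    printf '%s\n' "${val:-$3}"
}

# Print one line per weak setting; the exit status is the number of findings.
audit_sshd() {
    cfg=$1 n=0
    [ "$(sshd_effective "$cfg" PasswordAuthentication yes)" = no ] ||
        { echo "PasswordAuthentication on: password login is brute-forceable"; n=$((n+1)); }
    [ "$(sshd_effective "$cfg" PubkeyAuthentication yes)" = yes ] ||
        { echo "PubkeyAuthentication off: key login is impossible"; n=$((n+1)); }
    [ "$(sshd_effective "$cfg" PermitRootLogin prohibit-password)" != yes ] ||
        { echo "PermitRootLogin yes: root is reachable with a password"; n=$((n+1)); }
    [ "$(sshd_effective "$cfg" KbdInteractiveAuthentication yes)" = no ] ||
        { echo "KbdInteractiveAuthentication on: PAM can still prompt for a password"; n=$((n+1)); }
    return "$n"
}

WEAK=$(mktemp); HARD=$(mktemp)
# Constructed "default-ish" config. The commented-out line does nothing, so
# PasswordAuthentication silently keeps its built-in default of yes.
cat >"$WEAK" <<'EOF'
Port 22
PermitRootLogin yes
#PasswordAuthentication no
PubkeyAuthentication yes
EOF
# Constructed hardened config: key-only login, as recommended in the thread.
cat >"$HARD" <<'EOF'
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
EOF
# Client side, a passphrase-encrypted key (ssh-keygen prompts for the passphrase):
#   ssh-keygen -t ed25519 -a 100 -f ~/.ssh/id_ed25519
for f in "$WEAK" "$HARD"; do
    echo "== $f"
    audit_sshd "$f" && echo "no weak settings found"
done
rm -f "$WEAK" "$HARD"
```

Test the hardened file with `sshd -t -f <file>` before reloading, and keep one session open while you switch, since a typo in sshd_config locks you out just as surely as a lost key.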