Lukas MartiniApr 11, 2017

I just went around and did some basic nmap-ing on the most popular Mastodon instances, and there's some seriously sketchy stuff in there. Publicly reachable Postgres servers, tons of open internal HTTP ports, SSH with password login, multiple Mastodon instances that seem to be running on mail server VMs, …

I guess if you're just running a single-user instance for yourself, sure, but those are all 2000+ user instances.

Show threadDoc Edward Morbius ❌​

@lutoma I'd say it's time to build some securing-your-instance steps into the build-and-deployment process.

HN discussion: https://news.ycombinator.com/item?id=14086803

Apr 11, 2017 at 11:54amWeb
Show threadLukas MartiniApr 11, 2017
@dredmorbius Yes, that's on the todo list.
Show threadDoc Edward Morbius ❌​Apr 11, 2017

@lutoma Being really clear: /in the deployment process/, which means on Github.

Though drafting the recs, specs, and steps first is a prerequisite. This is mostly clarification for others' benefit, not yours.