I just went around and did some basic nmap-ing on the most popular Mastodon instances, and there's some seriously sketchy stuff in there. Publicly reachable Postgres servers, tons of open internal HTTP ports, SSH with password login, multiple Mastodon instances that seem to be running on mail server VMs, …

I guess if you're just running a single-user instance for yourself, sure, but those are all 2000+ user instances.

@lutoma First, thanks. Second: doing this on an ongoing basis and publishing results would be good. Maybe after an initial "fix yo mess" period.

Third: I'd love to hear from the OS / D* side what practices on securing and scanning are. @maiyannah @moonman @deadsuperhero

Fourth: has @Gargron been pinged yet?

@dredmorbius hey, just a friendly reminder: it's built by everyone, so go ahead ;) @lutoma @moonman @deadsuperhero @Gargron