I just went around and did some basic nmap-ing on the most popular Mastodon instances, and there's some seriously sketchy stuff in there. Publicly reachable Postgres servers, tons of open internal HTTP ports, SSH with password login, multiple Mastodon instances that seem to be running on mail server VMs, …

I guess if you're just running a single-user instance for yourself, sure, but those are all 2000+ user instances.

@lutoma Doesn't SSH always return a password prompt? (Mine does, and password login is disabled.) Although the Postgres servers being accessible is kinda scary. You should also know that, depending on the country the server is hosted in, it is actually illegal to nmap it without the admin/owner's consent, so I would definitely contact them and see if you can help them with closing unwanted ports :D
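Added example, not from either post: a small sh audit of the effective sshd configuration, because a client-side password prompt alone does not show whether password login is really off; sshd also prompts when keyboard-interactive (PAM) auth is still enabled. It assumes the `sshd -T` output format (one lowercase `key value` per line); the sample dumps and the client line are constructed.

```shell
#!/bin/sh
# Audit an `sshd -T` dump for any remaining password-based login method.
# Returns 0 when neither PasswordAuthentication nor KbdInteractiveAuthentication
# is enabled, 1 otherwise. `sshd -T` prints the effective config (root needed).
audit_sshd_dump() {
    dump="$1"
    pw=$(printf '%s\n' "$dump" | awk '$1=="passwordauthentication"{print $2}')
    kbd=$(printf '%s\n' "$dump" | awk '$1=="kbdinteractiveauthentication"{print $2}')
    # OpenSSH before 8.7 reports the same setting as challengeresponseauthentication.
    if [ -z "$kbd" ]; then
        kbd=$(printf '%s\n' "$dump" | awk '$1=="challengeresponseauthentication"{print $2}')
    fi
    rc=0
    # sshd defaults both settings to "yes" when they are absent from the dump.
    if [ "${pw:-yes}" = "yes" ]; then
        echo "PasswordAuthentication is enabled"; rc=1
    fi
    if [ "${kbd:-yes}" = "yes" ]; then
        echo "KbdInteractiveAuthentication is enabled (PAM password prompts still work)"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "no password-based SSH authentication method is enabled"
    return "$rc"
}

# From the client side: the methods the server still accepts are listed in the
# final "Permission denied (...)" line when no accepted key is offered.
server_auth_methods() {
    printf '%s\n' "$1" | sed -n 's/.*Permission denied (\([^)]*\)).*/\1/p' | tail -n 1
}

# Constructed sample dumps (not real hosts): one weak, one hardened.
WEAK_DUMP='port 22
passwordauthentication yes
kbdinteractiveauthentication no
pubkeyauthentication yes'

HARDENED_DUMP='port 22
passwordauthentication no
kbdinteractiveauthentication no
pubkeyauthentication yes'

echo "weak sample:";     audit_sshd_dump "$WEAK_DUMP" || true
echo "hardened sample:"; audit_sshd_dump "$HARDENED_DUMP" || true
echo "client view: $(server_auth_methods 'user@host: Permission denied (publickey,password).')"
# Live use on the host itself: audit_sshd_dump "$(sshd -T)"
```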