Comments (10)
from gotosocial.
Mmm. For now I'll make a separate issue for showing which domain signed a request. We can put that information right next to the user-agent. That will at least help people spot this kind of silliness more easily in their logs.
from gotosocial.
Thanks, subscribed.
I think we can close this one?
If I work out fail2ban rules, I could do a documentation submission with that (though someone would then need to do an nginx adaption as I use Apache httpd), if you’re interested?
from gotosocial.
Yes, interested! Thanks!
from gotosocial.
Hmmm. Well we already validate HTTP signatures. If those requests aren't signed with a valid signature, with a key we can fetch from the domain the request is signed from, they will get a 401 back. That's sort of the fedi equivalent of what you're describing, right? I think the other functionality you're describing -- putting the requester in "jail" for 24hrs -- could also be handled by dedicated software like fail2ban, if you tune it just right.
EDIT: Oh sorry my brain totally skipped over the last part of your message. Indeed I think fail2ban is probably the way to go here, so we don't reinvent the wheel in GtS. We should probably write a little bit in the docs for how to tune fail2ban for such cases though.
from gotosocial.
from gotosocial.
Is there any way to see which domain they use?
Hmm, no, not currently. I mean, GtS knows, but it's not exposed. It would be good to add that to the logging!
So they're running an implementation somewhere that can provide valid signatures in response to requests, but seemingly disguising their user-agent to try to scrape posts under the radar? That's annoying. Probably a good idea to check what 51.89.179.74
actually is, and just chuck it in the bin if it's not legit.
Unfortunately beyond that -- and perhaps adding some heuristics to give admins a warning when this kind of thing seems to be occurring -- there's not too much we can do about it. Trying to parse user agents and check IP addresses would introduce an impossible amount of headaches and likely a lot of false positives.
Alternatively, you could run in allowlist mode and only add instances you trust; then requests from unknown instances (no matter what they set their user-agent to) will be denied.
from gotosocial.
Oh, just to add a note here in case anyone reading this gets the wrong idea: blocklist mode (the default federation mode) will always permit requests to Public and Unlisted posts provided they're correctly signed by an unblocked domain; that's the nature of blocklist / open federation. It's similar to how you can always see someone's Public posts on the web view.
It's annoying behavior for someone to disguise their user-agent and make signatures from a different domain, but as long as they're valid signatures, GtS will serve a response. The same is true of every other fedi software running in blocklist mode (the default for the vast majority (all?) of them). The only way to prevent this behavior is to use allowlist mode, or block the domain or IP address they're actually signing requests from. In any case, your followers-only and direct visibility posts will not be exposed by this trick.
from gotosocial.
I looked some more and I think this is a false positive. I've got mastodonapp.uk domain blocked from my instance for a while now, and if I grep IP address 51.89.179.74
in my logs, I see those requests from mastodonapp.uk being blocked correctly, while the ones from universeodon go through correctly.
If you look at the about page for each of those sites, they're hosted in the same data center. So apparently it's "normal" (albeit slightly wonky) that they share the same IP address.
The rate limiting they run into may be explained by the fact that they're both quite big instances, hence push out a lot of traffic, and they get put in the same rate limit bucket due to the shared IP address.
from gotosocial.
from gotosocial.
Related Issues (20)
- [bug] Delivery goroutines experienced a panic with "not yet initialized" while executing CLI commands HOT 1
- [bug] fedilab shows error after boosting post HOT 7
- [bug] twblue and possibly software based around mastodon.pi doesn't work HOT 6
- [bug] Remote edits of media descriptions are not applied HOT 1
- [bug] Unable to interact with ktistec users HOT 2
- [bug] Duplicate boost notifications HOT 6
- [feature] Remove the `quote-inline` class from statuses HOT 5
- [bug/frontend] Custom emoji shortcode is not changed after addition/changed input file HOT 1
- [feature] Expose Mastodon API compatible version and identify platform as GotoSocial in the version string HOT 7
- [bug] "sql: no rows in result set" when attempting to accept an incoming follow request HOT 1
- [bug] External Users can still see followings/followers of a follow-hiddened account HOT 4
- [bug] Posting undo of a "like" to the inbox may result in 500 internal server error HOT 1
- [chore/frontend] Refactor layout + styling for consistency
- We're on holiday from May 8th up to and including May 26th
- [bug] filters don’t seem to always work HOT 7
- [feature] Search within bookmarks (and possibly own likes/boosts) HOT 2
- [bug] Can't find @[email protected] to follow HOT 1
- [bug] Refused to load the stylesheet ... because it violates the following Content Security Policy directive: "default-src 'self'". HOT 1
- [bug] Followed Owncast Stream but GTS seems to randomly not get updates HOT 1
- [feature] Better content warning handling in RSS feeds
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from gotosocial.