GNU social JP
GNU social JP is a Japanese GNU social server.
Conversation

Notices

أحمد (ahmad@bassam.social)'s status on Tuesday, 16-May-2023 23:58:09 JST

@alex

So, today after the spam attack, I've deactivated 2 accounts by mistake. For some reason that also removed all content related to them. No idea why!!

Anyway, can I restore them from a database backup and just have whatever they had appear again?

I don't think it would be nice to tell them that everything is lost 😬

Alex Gleason (alex@gleasonator.com)'s status on Tuesday, 16-May-2023 23:58:08 JST

@ahmad Local or remote accounts?

أحمد (ahmad@bassam.social)'s status on Wednesday, 17-May-2023 00:00:03 JST, in reply to Alex Gleason

Local.
Can I delete remote accounts too??

Alex Gleason (alex@gleasonator.com)'s status on Wednesday, 17-May-2023 00:00:03 JST

@ahmad It is possible, but it's really not easy. You would restore their data in the users table, then restore their data in "objects" and "activities".

Alex Gleason (alex@gleasonator.com)'s status on Wednesday, 17-May-2023 00:00:52 JST, in reply to Alex Gleason

@ahmad Did you use AdminFE? We made it very difficult to accidentally delete a local user in Soapbox 🤔

flappypaddle (flappypaddle@hijacked.download)'s status on Wednesday, 17-May-2023 00:14:19 JST, in reply to Alex Gleason

I got hit too. I'm wondering if there's an issue with the captcha config being figured out, because that was never disabled, or a possible logic flaw with account creation if registration is not open.

Alex Gleason (alex@gleasonator.com)'s status on Wednesday, 17-May-2023 00:14:19 JST, in reply to flappypaddle

@flappypaddle @ahmad Yeah, they're clearly getting around the captcha. The solution is to require approval, not to close registrations entirely. We've made this the default in Soapbox.

Alex Gleason (alex@gleasonator.com)'s status on Wednesday, 17-May-2023 00:18:48 JST, in reply to flappypaddle

@ahmad @flappypaddle I assume you also don't have rate limiting enabled, or it's not working correctly.

أحمد (ahmad@bassam.social)'s status on Wednesday, 17-May-2023 00:18:49 JST, in reply to Alex Gleason and flappypaddle

This way I'll have hundreds of accounts awaiting approval with no good way to filter the good ones. I've also closed registration till I'm home and reported the IP address used to attack us. Hopefully it'll slow them down.

Alex Gleason (alex@gleasonator.com)'s status on Wednesday, 17-May-2023 00:23:22 JST, in reply to flappypaddle

@flappypaddle @ahmad Pleroma has a built-in rate limiter, but you need to configure it for the real IP correctly if you use one or more proxies (be it Nginx, Cloudflare, etc.).

flappypaddle (flappypaddle@hijacked.download)'s status on Wednesday, 17-May-2023 00:23:23 JST, in reply to Alex Gleason

Via nginx or otherwise? I thought I had a basic rate limit via nginx, but I might have disabled that for LE updates.

anime graf mays (graf@poa.st)'s status on Wednesday, 17-May-2023 01:49:41 JST, in reply to Alex Gleason and flappypaddle

@alex @ahmad @flappypaddle I texted you a solution to this last night.

Matty (matty@nicecrew.digital)'s status on Wednesday, 17-May-2023 03:47:11 JST, in reply to anime graf mays, Alex Gleason and flappypaddle

Every day is a learning experience. How could I find out what headers CF is sending using only the terminal?

أحمد (ahmad@bassam.social)'s status on Wednesday, 17-May-2023 03:47:11 JST, in reply to anime graf mays, Alex Gleason, Matty and flappypaddle

RTFM:
developers.cloudflare.com/fundamentals/get-started/reference/http-request-headers/

flappypaddle (flappypaddle@hijacked.download)'s status on Wednesday, 17-May-2023 03:47:12 JST, in reply to anime graf mays, Alex Gleason and Matty

I used to, but no longer. Now it's just to keep some skills semi-available should I ever want to join the rat race again (I don't).

أحمد (ahmad@bassam.social)'s status on Wednesday, 17-May-2023 03:47:13 JST, in reply to anime graf mays, Alex Gleason, Matty and flappypaddle

Whole country can have the same IP 🤣

Matty (matty@nicecrew.digital)'s status on Wednesday, 17-May-2023 03:47:13 JST, in reply to anime graf mays, Alex Gleason and flappypaddle

This is why I don't do this as a profession :whoaaaa:

anime graf mays (graf@poa.st)'s status on Wednesday, 17-May-2023 03:47:14 JST, in reply to Alex Gleason, Matty and flappypaddle

@matty @ahmad @alex @flappypaddle Do you pass the CF connecting IP header to Pleroma? How are you rate limiting?

Matty (matty@nicecrew.digital)'s status on Wednesday, 17-May-2023 03:47:14 JST, in reply to anime graf mays, Alex Gleason and flappypaddle

I just rate limit based on the IP shown to Nginx and hope that not everyone is getting the same CF IP lmao

anime graf mays (graf@poa.st)'s status on Wednesday, 17-May-2023 03:47:15 JST, in reply to Alex Gleason, Matty and flappypaddle

@flappypaddle @ahmad @alex I don't think this is related. What issue did you have with Cloudflare? (Also, you shouldn't use Cloudflare, but I'm not going to preach.)

@matty If you aren't revealing IPs (for whatever reason) but still want it to work, just replace limit_req_zone with

    limit_req_zone "$http_x_forwarded_for" zone=register_rate:1m rate=10r/m;

or something similar. CF sends headers with the client's IP already; leverage them to your advantage.

Matty (matty@nicecrew.digital)'s status on Wednesday, 17-May-2023 03:47:15 JST, in reply to anime graf mays, Alex Gleason and flappypaddle

Huh. I didn't know that. No, all traffic is just the CF IPs.

anime graf mays (graf@poa.st)'s status on Wednesday, 17-May-2023 03:47:16 JST, in reply to Alex Gleason, Matty and flappypaddle

@matty @ahmad @alex @flappypaddle Are you not revealing real IPs in your nginx config?

flappypaddle (flappypaddle@hijacked.download)'s status on Wednesday, 17-May-2023 03:47:16 JST, in reply to anime graf mays, Alex Gleason and Matty

I tried Alex's writeup on using CF and never got it to work, so maybe this thread will be doubly useful.

anime graf mays (graf@poa.st)'s status on Wednesday, 17-May-2023 03:47:17 JST, in reply to Alex Gleason and flappypaddle

@ahmad @alex @flappypaddle Poast goes over and above to mitigate this with other measures that are a secret, yes; however, you can do the following:

/etc/nginx/conf.d/ratelimit.conf:

    limit_req_zone $request_uri zone=register_rate:1m rate=10r/m;

/etc/nginx/sites-enabled/pleroma.conf (or whatever you named it):

    server {
        [...]
        location = /api/v1/accounts {
            limit_req zone=register_rate;
            proxy_pass http://phoenix;
        }
    }

This will limit hits to the endpoint used for registration to 3 maximum in a minute. Lower rate=10r/m to rate=3r/m to restrict to one registration per minute; increase by three per registration you want (3 calls are made for each registration attempt).

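Added example, not graf's, Matty's or the Pleroma project's configuration: the two nginx fragments graf posted in this thread, combined and made to work behind Cloudflare, which is what Matty asked about. Two points the fragments leave open: a zone keyed on $request_uri counts every request to the registration endpoint together, so it is a site-wide ceiling and not a per-client limit; and a zone keyed on $http_x_forwarded_for is only safe when nothing but the proxy can reach the origin, because that header is written by whoever sends the request. The config below instead uses ngx_http_realip_module to take the client address from CF-Connecting-IP only on connections arriving from Cloudflare's published ranges, limits registrations both per client and site-wide, and logs both addresses so the headers Cloudflare actually sends can be read from the terminal with tail. Assumptions: the Pleroma backend listens on 127.0.0.1:4000 (its default) under the upstream name phoenix, the server_name, log path and rates are placeholders, the Cloudflare IPv4 ranges are the list published at https://www.cloudflare.com/ips-v4 at the time of writing and must be regenerated whenever that list changes, and the "3 calls per registration attempt" figure is graf's, not verified here.

```nginx
# /etc/nginx/conf.d/ratelimit.conf  (added example; http context)

# 1. Recover the real client address behind Cloudflare.
# ngx_http_realip_module rewrites $remote_addr / $binary_remote_addr from
# real_ip_header, but only for connections that come from the trusted
# ranges below. A request that reaches the origin directly keeps its true
# source address and any CF-Connecting-IP / X-Forwarded-For it carries is
# ignored here, so the rate-limit key cannot be spoofed the way a key on
# "$http_x_forwarded_for" can.
# Cloudflare IPv4 ranges as published at https://www.cloudflare.com/ips-v4
# (IPv6 at /ips-v6); regenerate this list when Cloudflare changes it.
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 104.16.0.0/13;
set_real_ip_from 104.24.0.0/14;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 131.0.72.0/22;
real_ip_header CF-Connecting-IP;

# 2. Rate-limit keys. Only POST creates an account; nginx does not count
# requests whose key is empty, so other methods on the path are not throttled.
map $request_method $reg_client_key {
    default "";
    POST    $binary_remote_addr;   # the Cloudflare-reported client address
}

# Per client: 3 attempts per minute, small burst served immediately.
limit_req_zone $reg_client_key zone=register_per_ip:10m rate=3r/m;
# Site-wide ceiling keyed on the URI exactly like graf's zone: about 3
# sign-ups per minute across all clients (3 calls per attempt, per graf).
limit_req_zone $request_uri     zone=register_rate:1m   rate=10r/m;

# Log what Cloudflare sent next to what nginx decided the client is.
# Read it with:  tail -f /var/log/nginx/registration.log   (path assumed)
log_format regdebug '$time_local edge=$realip_remote_addr '
                    'client=$remote_addr cf=$http_cf_connecting_ip '
                    'xff="$http_x_forwarded_for" $request_method $uri $status';

# Pleroma's default listen address; assumed, adjust to your instance.
upstream phoenix {
    server 127.0.0.1:4000;
}

# /etc/nginx/sites-enabled/pleroma.conf  (TLS and the rest of the usual
# Pleroma proxy settings go in this server block as in the existing file)
server {
    listen 80;
    server_name social.example;   # placeholder

    location = /api/v1/accounts {
        limit_req zone=register_per_ip burst=3 nodelay;
        limit_req zone=register_rate;
        limit_req_status 429;
        access_log /var/log/nginx/registration.log regdebug;
        proxy_pass http://phoenix;
    }
}
```

Check with nginx -t, reload, then watch the log while registering from a browser: a request that came through Cloudflare shows a Cloudflare address in edge= and the browser's address in client=, while a request that bypassed Cloudflare shows the same address in both and an empty cf=. Firewall the origin to the same Cloudflare ranges so that second case cannot happen at all, and once realip is in place the $http_x_forwarded_for variant is no longer needed, since $binary_remote_addr already holds the real client.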

Matty (matty@nicecrew.digital)'s status on Wednesday, 17-May-2023 03:47:17 JST, in reply to anime graf mays, Alex Gleason and flappypaddle

How does this work with Cloudflare?

أحمد (ahmad@bassam.social)'s status on Wednesday, 17-May-2023 03:47:18 JST, in reply to anime graf mays, Alex Gleason and flappypaddle

Are we keeping secrets now?


GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.