Conversation
Notices
أحمد (ahmad@bassam.social)'s status on Tuesday, 16-May-2023 23:58:09 JST:
@alex So, today after the spam attack, I've deactivated 2 accounts by mistake. For some reason that also removed all content related to them. No idea why!!
Anyway, can I restore them from a database backup and just have whatever they had appear again?
I don't think it would be nice to tell them that everything is lost 😬
Alex Gleason (alex@gleasonator.com)'s status on Tuesday, 16-May-2023 23:58:08 JST:
@ahmad Local or remote accounts?
أحمد (ahmad@bassam.social)'s status on Wednesday, 17-May-2023 00:00:03 JST:
Local.
Can I delete remote accounts too?
Alex Gleason (alex@gleasonator.com)'s status on Wednesday, 17-May-2023 00:00:03 JST:
@ahmad It is possible, but it's really not easy. You would restore their data in the users table, then restore their data in "objects" and "activities".
Alex Gleason (alex@gleasonator.com)'s status on Wednesday, 17-May-2023 00:00:52 JST:
@ahmad Did you use AdminFE? We made it very difficult to accidentally delete a local user in Soapbox 🤔
flappypaddle (flappypaddle@hijacked.download)'s status on Wednesday, 17-May-2023 00:14:19 JST:
I got hit too. I'm wondering if there's an issue with the captcha config being figured out, because that was never disabled, or a possible logic flaw with account creation if registration is not open.
Alex Gleason (alex@gleasonator.com)'s status on Wednesday, 17-May-2023 00:14:19 JST:
@flappypaddle @ahmad Yeah, they're clearly getting around the captcha. The solution is to require approval, not to close registrations entirely. We've made this the default in Soapbox.
Alex Gleason (alex@gleasonator.com)'s status on Wednesday, 17-May-2023 00:18:48 JST:
@ahmad @flappypaddle I assume you also don't have rate limiting enabled, or it's not working correctly.
أحمد (ahmad@bassam.social)'s status on Wednesday, 17-May-2023 00:18:49 JST:
This way I'll have hundreds of accounts awaiting approval with no good way to filter the good ones. I've also closed registration till I'm home and reported the IP address used to attack us. Hopefully it'll slow them down.
Alex Gleason (alex@gleasonator.com)'s status on Wednesday, 17-May-2023 00:23:22 JST:
@flappypaddle @ahmad Pleroma has a built-in rate limiter, but you need to configure it for the real IP correctly if you use one or more proxies (be it Nginx, Cloudflare, etc.).
flappypaddle (flappypaddle@hijacked.download)'s status on Wednesday, 17-May-2023 00:23:23 JST:
Via nginx or otherwise? I thought I had a basic rate limit via nginx, but I might have disabled that for LE updates.
anime graf mays (graf@poa.st)'s status on Wednesday, 17-May-2023 01:49:41 JST:
@alex @ahmad @flappypaddle I texted you a solution to this last night.
Matty (matty@nicecrew.digital)'s status on Wednesday, 17-May-2023 03:47:11 JST:
Every day is a learning experience. How could I find out what headers CF is sending using only the terminal?
أحمد (ahmad@bassam.social)'s status on Wednesday, 17-May-2023 03:47:11 JST:
RTFM:
developers.cloudflare.com/fundamentals/get-started/reference/http-request-headers/
flappypaddle (flappypaddle@hijacked.download)'s status on Wednesday, 17-May-2023 03:47:12 JST:
I used to, but no longer. Now it's just to keep some skills semi-available should I ever want to join the rat race again (I don't).
أحمد (ahmad@bassam.social)'s status on Wednesday, 17-May-2023 03:47:13 JST:
A whole country can have the same IP 🤣
Matty (matty@nicecrew.digital)'s status on Wednesday, 17-May-2023 03:47:13 JST:
This is why I don't do this as a profession :whoaaaa:
anime graf mays (graf@poa.st)'s status on Wednesday, 17-May-2023 03:47:14 JST:
@matty @ahmad @alex @flappypaddle Do you pass the CF connecting IP header to Pleroma? How are you rate-limiting?
Matty (matty@nicecrew.digital)'s status on Wednesday, 17-May-2023 03:47:14 JST:
I just rate-limit based on the IP shown to Nginx and hope that not everyone is getting the same CF IP lmao
anime graf mays (graf@poa.st)'s status on Wednesday, 17-May-2023 03:47:15 JST:
@flappypaddle @ahmad @alex I don't think this is related. What issue did you have with Cloudflare? (Also, you shouldn't use Cloudflare, but I'm not going to preach.)
@matty If you aren't revealing IPs (for whatever reason) but still want it to work, just replace limit_req_zone with

    limit_req_zone "$http_x_forwarded_for" zone=register_rate:1m rate=10r/m;

or something similar. CF sends headers with the client's IP already; leverage them to your advantage.
Matty (matty@nicecrew.digital)'s status on Wednesday, 17-May-2023 03:47:15 JST:
Huh. I didn't know that. No, all traffic is just the CF IPs.
anime graf mays (graf@poa.st)'s status on Wednesday, 17-May-2023 03:47:16 JST:
@matty @ahmad @alex @flappypaddle Are you not revealing real IPs in your nginx config?
flappypaddle (flappypaddle@hijacked.download)'s status on Wednesday, 17-May-2023 03:47:16 JST:
I tried alex's writeup on using CF and never got it to work, so maybe this thread will be doubly useful.
anime graf mays (graf@poa.st)'s status on Wednesday, 17-May-2023 03:47:17 JST:
@ahmad @alex @flappypaddle poa.st goes over and above to mitigate this with other measures that are a secret, yes. However, you can do the following:

/etc/nginx/conf.d/ratelimit.conf:

    limit_req_zone $request_uri zone=register_rate:1m rate=10r/m;

/etc/nginx/sites-enabled/pleroma.conf (or whatever you named it):

    server {
        [...]
        location = /api/v1/accounts {
            limit_req zone=register_rate;
            proxy_pass http://phoenix;
        }
    }

This will limit hits to the endpoint used for registration to 3 maximum in a minute. Lower rate=10r/m to rate=3r/m to restrict to one registration per minute; increase by three per registration you want (3 calls are made on each registration attempt).
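The snippet in the post above keys its zone on $request_uri, which gives one shared bucket for the whole instance, and the earlier exchange about Cloudflare asks how to key on the actual client when every connection arrives from a CF edge address. The configuration below is an added example written for this thread; it is not the config of poa.st, Pleroma or Soapbox, and nobody in the thread posted it. It restores the client address from CF-Connecting-IP with nginx's ngx_http_realip_module, trusting only Cloudflare's published edge ranges, and then throttles the registration endpoint per client address. Assumptions: the upstream is called phoenix as in the post above and listens on 127.0.0.1:4000, example.social and the file paths are placeholders, and the Cloudflare ranges are a snapshot that must be checked against https://www.cloudflare.com/ips/ before use.

```nginx
# Added example, not the thread's own config: restore the real client
# address behind Cloudflare, then rate-limit registration per client.
# Assumptions: upstream "phoenix" on 127.0.0.1:4000, placeholder
# server_name and file paths, and a snapshot of Cloudflare's ranges that
# must be refreshed from https://www.cloudflare.com/ips/ .

# --- /etc/nginx/conf.d/cloudflare-realip.conf ---
# Only these peer addresses are allowed to rewrite $remote_addr. A request
# that hits the origin directly with a forged CF-Connecting-IP header does
# not match and keeps its real peer address, so the header cannot be spoofed.
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 104.16.0.0/13;
set_real_ip_from 104.24.0.0/14;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2a06:98c0::/29;
set_real_ip_from 2c0f:f248::/32;
# Cloudflare sets this to the connecting client. It carries a single
# address, so real_ip_recursive is not needed (unlike a multi-hop XFF).
real_ip_header CF-Connecting-IP;

# --- /etc/nginx/conf.d/ratelimit.conf ---
# Keyed on the restored client address instead of $request_uri, so one
# abusive client cannot lock everyone else out of registration.
# rate=3r/m with burst=3 lets the three calls of one registration attempt
# through at once, then admits one further call every 20 seconds.
limit_req_zone $binary_remote_addr zone=register_rate:10m rate=3r/m;
limit_req_status 429;
limit_req_log_level warn;

# --- /etc/nginx/sites-enabled/pleroma.conf ---
upstream phoenix {
    server 127.0.0.1:4000;            # assumption: Pleroma's bind address
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.social;       # placeholder
    # ssl_certificate / ssl_certificate_key as in the existing config

    # Exact-match location: only the registration endpoint is throttled.
    # Sub-paths such as /api/v1/accounts/verify_credentials are untouched.
    location = /api/v1/accounts {
        limit_req zone=register_rate burst=3 nodelay;
        proxy_pass http://phoenix;
        include /etc/nginx/snippets/pleroma-proxy-headers.conf;
    }

    location / {
        proxy_pass http://phoenix;
        include /etc/nginx/snippets/pleroma-proxy-headers.conf;
    }
}

# --- /etc/nginx/snippets/pleroma-proxy-headers.conf (placeholder path) ---
# $remote_addr is the real client after realip, so the headers forwarded to
# Pleroma carry the true address rather than a Cloudflare edge address.
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
```

Two points worth checking after deploying something like this. First, confirm the restored address actually reaches the application: Pleroma derives the client address for its own rate limiter from the headers configured for its RemoteIp plug (the `Pleroma.Web.Plugs.RemoteIp` section of the config, whose `headers` and `proxies` options are documented in the Pleroma configuration cheatsheet), so with the realip setup above the forwarded X-Forwarded-For value is the client and Pleroma's built-in limits start working as Alex describes. Second, keep the Cloudflare range list current: an edge address missing from `set_real_ip_from` is treated as the client, and every user behind that edge shares one bucket, which is exactly the "whole country on one IP" failure Matty and أحمد joke about above.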
Matty (matty@nicecrew.digital)'s status on Wednesday, 17-May-2023 03:47:17 JST:
How does this work with Cloudflare?

أحمد (ahmad@bassam.social)'s status on Wednesday, 17-May-2023 03:47:18 JST:
Are we keeping secrets now?