Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

How do I stop this? #120

Open
roughnecks opened this issue Jan 9, 2024 · 8 comments
Open

How do I stop this? #120

roughnecks opened this issue Jan 9, 2024 · 8 comments

Comments

@roughnecks
Copy link

https://termbin.woodpeckersnest.space/b305/

https://termbin.woodpeckersnest.space/bik5ji/

https://termbin.woodpeckersnest.space/r77f/

Thanks
@msva
Copy link

msva commented Jan 9, 2024

ask your users to stop that 🤷
or password-protect the site

@roughnecks
Copy link
Author

These are robots

@martin-braun
Copy link

A good way to solve would be to have a different domain for the receiver, so people can't really attach the main service by spamming. However, that's security through obscurity. @roughnecks Look into rate and request size limiting via firewall / load balancer, so people can't abuse it.

@roughnecks
Copy link
Author

A good way to solve would be to have a different domain for the receiver, so people can't really attach the main service by spamming. However, that's security through obscurity. @roughnecks Look into rate and request size limiting via firewall / load balancer, so people can't abuse it.

Hi, do you mind explaining the "different" domain setup, because I actually own 2.

@roughnecks
Copy link
Author

roughnecks commented Jan 18, 2024
edited
Loading

"Rate and request limiting". okay but it would only stop the spam after N requests, right? Not really a good solution this one too.

@roughnecks
Copy link
Author

or password-protect the site

How can users access their pastes if I password protect the site?

@martin-braun
Copy link

@roughnecks I deleted my comment to rephrase, there was a mistake on my end in regards of shadowing your service.

The obscurity path is to have two containers, your public domain needs to point to the container without 9999 port forwarded. It needs to a run a reverse proxy that proxies to the secret container, that is actually port forwarding only 9999. Then you have both domains do different things. I was hoping it can be done with one container only, but as soon as you forward 9999, it will be available for all domains that point to that machine, because a reverse proxy can only work for the HTTP(S) protocol afaik.

In regards of the better solution "rate limiting" and "request limiting", yes, it will not prevent strangers from using the service, but it will limit the potential of abuse. Don't know in the top of my head how to rate limit a port though.

A solution of the problem is to not expose 9999 at all and pipe your content into a temporary file, scp it to your server and use a ssh command to nc it into 9999 locally. Then your service is protected via SSH, there you have it. Just a little bit of scripting should do the job.

@martin-braun
Copy link

martin-braun commented Jan 18, 2024
edited
Loading

Untested idea out of my head:

( 
  ssh-add
  tmp="$(mktemp)"
  remoteauth="user@remote"
  remotetmp="$(ssh "$remoteauth" mktemp)"
  echo "just a test" > "$tmp"
  scp "$tmp" "$remoteauth:$remotetmp"
  ssh "$remoteauth" cat "$remotetmp" | nc localhost 9999; rm "$remotetmp"
  rm "$tmp"
)

Don't copy paste, test carefully and adjust. Also add your identity via ssh-copy-id, so you don't have to enter your password multiple times.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@msva @roughnecks @martin-braun