Huge props for being one of the few major instances to preemptively shut down!
shutting down the server early was best. the nature of open source software is what allows these incidents to be mitigated as quickly as they are. thanks a lot to you guys, and to all of the team at Lemmy who worked to resolve this.
heroes <3
Thank you for shutting down rather than "wait and see"! It was the right choice.
Glad it's back up. I went outside. It was hot af and boring.
Good work.
Have a non custom beer 🍻
huge Ws, excellent work
also, thanks for the Mastodon link, i wasn't sure where to check on beehaw status during the outage
Awesome response, and a great succinct postmortem. Thanks for doing what you do!
The shutdown is a good call given the circumstances.
An idea for a less radical preventive action is placing the instance in read-only mode, either as a Lemmy feature or through reverse proxy settings (e.g. reply 503 to any POST/PUT/DELETE request). But that'd require some development and/or preparation.
Doing that on the reverse proxy side would block any user-submitted content and more (logins, searches, ...). This would hopefully be efficient at blocking many attack vectors, while still keeping the instance partially online, even if that's a degraded mode.
Note that if this were a Lemmy feature, if we had been infected, an admin could've gotten hacked and as a result, disabled that feature. I'm not really sure what can be done to make Beehaw foolproof. That said, the UI has since been hardened by CSP headers so this type of attack should no longer be possible.
Would read-only mode help with XSS exploits though, like this particular one? Since the "damage was already done" by the time anybody noticed, wouldn't putting the site in read-only mode still have kept serving up the XSS payload? It'd stop "infected" people from making any state mutations on Lemmy, but e.g. data exfiltration would still happen.
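The read-only mode sketched in the comments above, combined with the Content-Security-Policy header the thread credits with hardening the UI, as an added example of a reverse-proxy configuration. It is not Beehaw's or Lemmy's own config; the hostname and the upstream ports for the UI and API are assumptions to adjust for a real deployment.

```nginx
# Added example (not Beehaw's or Lemmy's config): nginx "read-only mode"
# plus a strict CSP. Assumes the Lemmy UI listens on 127.0.0.1:1234 and the
# API on 127.0.0.1:8536 (assumed values; change to match your deployment).
#
# Caveat raised in the thread: the 503 only stops state changes made by
# already-infected sessions. It does NOT stop stored script from being served.
# The CSP is what keeps an injected <script> from executing in the browser.

# 1 = block the request while read-only mode is on; safe methods pass.
map $request_method $readonly_block {
    default 1;
    GET     0;
    HEAD    0;
    OPTIONS 0;
}

server {
    listen 443 ssl http2;
    server_name beehaw.example;   # placeholder hostname

    # Reject every mutating request (POST/PUT/PATCH/DELETE) with 503.
    # To leave degraded mode, set the map default to 0 or remove the map.
    if ($readonly_block) {
        return 503;
    }

    # Same-origin scripts only, no inline script, no eval, no plugins.
    # "always" keeps the headers on error responses such as the 503 above.
    # Widen directives (img-src, connect-src, ...) to what the UI really loads.
    add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'" always;
    add_header X-Content-Type-Options "nosniff" always;

    location /api/ {
        proxy_pass http://127.0.0.1:8536;   # assumed API upstream
        proxy_set_header Host $host;
    }

    location / {
        proxy_pass http://127.0.0.1:1234;   # assumed UI upstream
        proxy_set_header Host $host;
    }
}
```

Test the policy against the real UI in a staging copy first: a UI that relies on inline bootstrap scripts will need nonces or hashes added before `script-src 'self'` can ship.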
Thank you for all you do, from what I was hearing I was in no way expecting you to have the site back up within 12 hours. Many kudos.
This is why I am on Beehaw. The Admins really care about the Instance and the content on it.
That's why I want to bring attention to the fact that you can support them. https://opencollective.com/beehaw
I am not an Admin, Mod or anything else. I just really like Beehaw and support them. And you should too.
Good job on making the right call and preemptively shutting the server down. Thanks for being alert!
Far more memorable than all the times the service was unavailable was all the times your data was breached. I'll always prefer the service being down to having it up and vulnerable.
morning thought: I've definitely joined the right instance. (also the start from the assumption of good faith guidelines linked to in Gaywallet's recent post)
Great job keeping the site safe guys!
Nice to see it back up again! It being offline was surprisingly palpable. Missed it!
I'm guessing it's probably not the last big thing that's going to hit Lemmy instances in the future, everything still being in early development and all. The only things we can do are keep an eye out, have vigilant admins and plenty of backups!
And patient users but we seem to have that. :)
12:30AM EST: I make announcements to tell people about this
I think it'd be beneficial to have more backup lines of communication for announcements than just Mastodon.
We have Discord and Matrix channels as well. Do you have anything to suggest?
Something like status-page is always nice. I haven't used it but it looks like https://cachethq.io/ could be a decent fit as well.
Welcome Back 🤗
Anyone know where we can get updates on what is happening with lemmy.world? I have an account there as well but I'm afraid to even open the site now.
Lemmy.world is fine now. They were able to get a handle on things.
Amazing job! This is not easy to do, given that you're working with an immature product and a changing landscape.
Your work is greatly appreciated! Also happy to know that you got some sleep, very important for the process ☺
Content-Security-Policy will really help save your ~~bacon~~ beans and protect against XSS. Hopefully the Lemmy devs can apply a super strict policy to help. IMHO it's a must for any site with user generated content.
yayyyyyy
Great job! Being preemptive in a case like this is very good! Thanks for all your work!
Awesome work sidestepping the hack.