Hi Beeple!
Here’s a vague version of events :
-
11PM EST: Lemmy.world got hacked
-
12:20AM EST: Blahaj.zone got hacked
-
12:25AM EST: I shut down the server
-
12:30AM EST: I make announcements to tell people about this
-
12:45AM EST: I have an idea of what the problem is but there is no fix
-
2:20AM EST: I go to sleep
-
8:50AM EST: The server is booted back up, steps are applied to mitigate issues (Rotating JWTs, Clearing DB of the source of vulnerability, deleting custom emoji), UI is updated with the fix, CSP and other security options are applied
-
11:40AM EST: We start testing things to make sure are working And well, now here we are.
If you have issues logging in or using an app:
-
Log out if you somehow are still logged in
-
Clear all cache, site data, etc.
-
Hard refresh Beehaw using CTRL+F5
-
Log back in.
If you still have issues, write to us at support@beehaw.org
To be clear : We have not been hacked as far as we know, we were completely unaffected. This was done preemptively.
Oh yeah, in case, you haven’t, this is a good opportunity and reminder to follow us on Mastodon as the communication line was still up despite Beehaw being down : https://hachyderm.io/@beehaw
You must log in or register to comment.
Huge props for being one of the few major instances to preemptively shut down!
shutting down the server early was best. the nature of open source software is what allows these incidents to be mitigated as quickly as they are. thanks a lot to you guys, and to all of the team at Lemmy who worked to resolve this.
heroes <3
Glad it’s back up. I went outside. It was hot af and boring.
This is why I am on Beehaw. The Admins really care about the Instance and the content on it.
That’s why I want to bring attention to the fact, that U can support them. https://opencollective.com/beehaw
I am not a Admin, Mod or anything else. I just really like Beehaw and support them. And you should too.
Thank you for shutting down rather than “wait and see”! It was the right choice.
The shutdown is a good call given the circumstances.
An idea of less-radical preventive action is placing the instance in read-only mode, either as a Lemmy feature, or through reverse proxy settings (eg reply 503 for any POST/PUT/DELETE request). But that’d require some development and/or preparation.
Doing that on the reserve proxy side would block any user-submitted content and more (logins, searches, …). This would hopefully be efficient at blocking many attack vectors, while still keeping the instance partially online, even if that’s a degraded mode.
Note that if this were a Lemmy feature, if we had been infected, an admin could’ve gotten hacked and as a result, disabled that feature. I’m not really sure what can be done to make Beehaw foolproof. That said, the UI has since been hardened by CSP headers so this type of attack should no longer be possible.
Would read-only mode help with XSS exploits though, like this particular one? Since the “damage was already done” by the time anybody noticed, wouldn’t putting the site in read-only mode still have kept serving up the XSS payload? It’d stop “infected” people from making any state mutations on Lemmy, but eg. data exliftration would still happen
huge Ws, excellent work
also, thanks for the Mastodon link, i wasn’t sure where to check on beehaw status during the outage
Thanks for the swift pre-emptive action
morning thought: I’ve definitely joined the right instance. (also the start from the assumption of good faith guidelines linked to in Gaywallet’s recent post)
Thank you for all you do, from what I was hearing I was in no way expecting you to have the site back up within 12 hours. Many kudos.
Awesome response, and a great succinct postmortem. Thanks for doing what you do!
12:30AM EST: I make announcements to tell people about this
I think it’d be beneficial to have more backup lines of communication for announcements than just Mastodon.
We have Discord and Matrix channels as well. Do you have anything to suggest?
Something like status-page is always nice. I haven’t used it but it looks like https://cachethq.io/ could be a decent fit as well.
There you go, courtesy of @Penguincoder@beehaw.org
Heck yeah! Thanks for getting this up
Just something Google-friendly.
Nah.
I’ll be blunt and say that unless you were already in-the-know, Beehaw pretty much ceased to exist when the server was shut down. Not the best result amidst a hacking scare.
Much preferable to the announcement of Beehaw was hacked and lost your user credentials <or more>. Security trumps convenience.
Having an entirely separate website, blog, or social media account for announcements that’s accessible via a Google search wouldn’t factor into how secure Beehaw is.
Can you be more precise? What exactly do you recommend? I don’t know what would be more “Google-friendly”
Maybe the front page of the domain could be news and info with the actual forums down a level? Not sure if that works with the software.
That’s not supported by Lemmy unfortunately… Most we could have is a status.beehaw.org, really.
A status website would honestly be excellent.
There you go, courtesy of @Penguincoder@beehaw.org
Awesome work sidestepping the hack.
Content-Security-Policy will really help save your
baconbeans and protect against XSS. Hopefully the Lemmy devs can apply a super strict policy to help. IMHO it’s a must for any site with user generated content.This is what this PR has done as I understand it : https://github.com/LemmyNet/lemmy-ui/pull/1907
Good work.
Have a non custom beer 🍻
