[reconnecting]

'tirreno guy' here.

You can use open-source security analytics (1) to detect fraudulent accounts instead of blocking domain names. Blocking domains only shows your system is fragile and will likely just shift the attackers to use other domains.

Feel free to contact us if you need assistance with setup.

(1) https://github.com/tirrenotechnologies/tirreno

[lucb1e]

Blocking providers makes sense since they can talk to the human that is doing the abuse. It's their customer after all

Like with IP ranges that send a lot of spam/abuse, it's the provider's space in the end. If the sender has no identification (e.g. User-Agent string is common for http bots) and the IP space owner doesn't take reasonable steps, the consequence is (imo) not to guess who may be human and who may be a bot, but to block the IP address(es) that the abuse is coming from. I remember our household being blocked once when I, as a teenager, bothered a domain squatter who was trying to sell a normal domain for an extortionary price. Doing a load of lookups on their system, I couldn't have brought it down from an ADSL line but apparently it was an unusual enough traffic spike to get their attention, as was my goal, and I promptly learned from the consequences. We got unblocked some hours after my parent emailed the ISP saying it wouldn't happen again (and it hasn't)

You don't have to look very far on HN to see the constant misclassifications of people as bots now that all the blocking has gotten seven times more aggressive in an attempt to gatekeep content and, in some cases, protect from poorly written bots that are taking it out on your website for some reason (I haven't had the latter category visit my website yet, but iirc curl/Daniel mentioned a huge outbound traffic volume to one scraper)

[reconnecting]

I like the part about leaving the neighborhood blocked from internet access. Did neighbours find out that it was because of you?

However, email accounts could be stolen, and this makes the email provider a victim as well.

This particular case sounds very simple, and I'm quite confident that if we dig further, it's highly possible that all accounts use some pattern that would be easy to identify and block without hurting legitimate users.

[lucb1e]

Neighbors? No, household; the ISP can't see into the house's network which MAC address did it, so they blocked the subscriber line that served my parents' household back when I lived with them (it was partially blocked actually: you could still visit info pages about the block on the ISP website and contact them by email)

Edited to add:

> this makes the email provider a victim as well

Sure, but they have to deal with a hijacked account anyway, better to tackle it at the source. I'm also not saying to block the whole provider right away, at least not if you can weather the storm for a business day while you await a proper response from their side, just to use blocks when there is nobody steering the ship on their end

[PokemonNoGo]

Odd installation steps.

[theamk]

Totally normal for PHP software, and that's a primary reason of why PHP apps have such a bad security reputation. Note:

- The application code itself and system configs are modifiable by the web handler itself. This is needed to allow web-based "setup.php" to work, but also means that any sort of RCE is immediately "fatal" - no need for kernel/sandbox exploit, if you can get PHP to execute remote code you can backdoor existing files as much as you want.

- The "logs", "tmp", "config" etc.. directories are co-located with code directory. This allows easy install via unzip, but means that the code directory must be kept accessible while operation. It's not easy to lock it down if you want to prevent possible backdoors from previous options.

Those install methods have been embraced by PHP community and make exploits so much easier. That's why you always hear about "php backdoors" and not about "go backdoors" or "django backdoors" - with other languages, you version-upgrade (possibly automatically) and things work and exploits disappear. With PHP, you version upgrade .. by extracting the new zip over the same location. If you were hacked, this basically keeps all the hacks in place.

Kinda weird to see this from some self-claimed "security professionals" though, I thought they'd know better :)

[PokemonNoGo]

I kinda understood I was missing "something" when I commented but I haven't used any PHP for over a decade and honestly it looked very well you said the rest... Thanks for the clarification. Very unfamiliar with modern PHP.

[lucb1e]

What did you think you had missed? I'm not understanding

> but I haven't used any PHP for over a decade

This isn't modern PHP, this is the traditional installation method that I used also a decade ago. The only thing that could be older about it is to have a web-cron instead of a proper system cron line. Modern PHP dependency installation is to basically curl|bash something on the host system (composer iirc) rather than load in the code under the web server's user and running the install from there, as this repository suggests. Not that the parent comment is wrong about the risks that still exist in being able to dynamically pull third-party code this way and hosting secrets under the webroot

[reconnecting]

Correct, this isn't modern PHP. We aimed to keep overall code dependencies around ~10, and with modern frameworks this number would be multiplied heavily.

[reconnecting]

Fair critique on traditional PHP deployment.

However tirreno shouldn't be public-facing anyway. Production apps forward events via API on local network, security teams access dashboard over VPN.

Perhaps we will add this recommendation to the documentation to avoid any confusion. Thanks for the clarification.

[pests]

Id say it’s big standard for php apps and have been for awhile. Wordpress has a similar install flow. Docker images are provided tho.

[reconnecting]

Yes, Matomo/Piwik, WordPress, and ProcessWire have more or less the same installation steps, but maybe we missed something along the way.

[reconnecting]

Can you elaborate, please?

[snickerdoodle12]

The instructions aren't all that unusual for PHP software, especially those that target shared hosting, but are unusual compared to most other software.

> Download a zip file and extract it "where you want it installed on your web server"

The requirements mention apache with mod_rewrite enabled, so "your web server" is a bit vague. It wouldn't work with e.g. `python -m http.server 8000`. Also, most software comes bundled with its own web server nowadays but I know this is just how PHP is.

> Navigate to http://your-domain.example/install/index.php in a browser to launch the installation process.

Huh, so anyone who can access my web server can access the installation script? Why isn't this a command line script, a config file, or at least something bound to localhost?

> After the successful installation, delete the install/ directory and its contents.

Couldn't this have been automated? Am I subject to security issues if I don't do this? I don't have to manually delete anything when installing any other software.

[kstrauser]

I'll side with you here. This gives attackers a huge window of time in which to compromise your service and configure it the way they want it configured.

In my recent experience, you have about 3 seconds to lock down and secure a new web service: https://honeypot.net/2024/05/16/i-am-not.html

[lucb1e]

Wut? That can't have been a chance visit from a crawler unless maybe you linked it within those 3 seconds of creating the subdomain and the crawler visited the page it was linked from in that same second, or you/someone linked to it (in preparation) before it existed and bots were already constantly trying

Where did you "create" this subdomain, do you mean the vhost in the webserver configuration or making an A record in the DNS configuration at e.g. your registrar? Because it seems to me that either:

- Your computer's DNS queries are being logged and any unknown domains immediately get crawled, be it with malicious or white-hat intent, or

- Whatever method you created that subdomain by is being logged (by whoever owns it, or by them e.g. having AXFR enabled accidentally for example) and immediately got crawled with whichever intent

I can re-do the test on my side if you want to figure out what part of your process is leaky, assuming you can reproduce it in the first place (to within a few standard deviations of those three seconds at least; like if the next time is 40 seconds I'll call it 'same' but if it's 4 days then the 3 seconds were a lottery ticket -- not that I'd bet on those odds to deploy important software, but generally speaking about how aggressive-or-not the web is nowadays)

[kstrauser]

Consensus from friends after I posted that is that attackers monitor the Let's Encrypt transparency logs and pounce on new entries the moment they're created. Here I was using Caddy, which by default uses LE to create a cert on any hosts you define.

I can definitely reproduce this. It shocked me so much that I tried a few times:

1. Create a new random hostname in DNS.

2. `tail -f` the webserver logs.

3. Define an entry for that hostname and reload the server (or do whatever your webserver requires to generate a Let's Encrypt certificate).

4. Start your stopwatch.

[LeifCarrotson]

> Huh, so anyone who can access my web server can access the installation script?

"Obviously", the server should not be accessible from the public Internet while you're still doing setup. I assume it should still behind a firewall and you're accessing it by VPN. Only after you're happy with all the configuration and have the security locked down tight would you publish it to the world. Right?

[snickerdoodle12]

Obviously you should lock it down. I'm just going off these instructions and how they might be interpreted.

[reconnecting]

This is not something specific to tirreno, as it's the usual installation process of any PHP application.

If there is an example of another approach, I will gladly take it into account.

[snickerdoodle12]

> as it's the usual installation process of any PHP application

Maybe a decade ago. Look into composer.

[kassner]

composer install should be pretty much what one needs nowadays. Any installing scripts (although you really shouldn’t) can also be hooked into it.

[lucb1e]

This requires running the install scripts with your shell permissions rather than with the webserver's permissions, if I'm not mistaken. I could see why one might prefer the other way, even if shared hosting is less common nowadays and shells more often an option

[lucb1e]

Care to elaborate? They seem bog-standard to me

[reconnecting]

Sent a letter to security@.