When @bouncing@partizle.com, @The_iceman_cometh@partizle.com and I started this instance, we figured we’d get a dozen or so signups from people we knew. We left registration open, figuring no one would care because we did exactly nothing to promote this.

It’s by any measure still a small instance (~100 users) but even so, moderation of other instances is now a thing: we’ve blocked some troublesome instances, in particular ones that we suspect traffic in borderline illegal content. We by no means, however, have any good grasp on what’s federating to us from the open web.

Sooner or later, bots and spammers and trolls will find our humble little instance. Lemmy’s only real remedies for that are an application process and/or verified email. Both to our mind seem useless, because bots can convincingly automate either or both. Cloudflare can keep out the more naive bots, though ratcheting up the security in it causes inconvenience for users, especially ones who protect their privacy (think of captchas you get when using a VPN).

For its part, Lemmy is fun software, but not especially feature-rich. There’s really no admin interface to speak of. If you get 100 bot signups, you have to ban them, one at a time. That hasn’t happened yet to us, but it has happened to other instances, and it’s rough. We’ve considered even just slapping a Django admin UI on its Postgres database, but we’d need to learn the table structure and also make sure that just updating tables in Postgres is enough (ie, does Lemmy’s backend have state in RAM, etc). It’s not something we’re ready to take on right now.

Anyway, about the possible future of bots and spammers: So what do you guys think? Leave registrations wide open? Require approval? Keep it the way it is, but lean more on Cloudflare for protection?

  • Arbition@partizle.com · 2 upvotes · 1 year ago

    As someone who did utilise the open registration, I am reluctant to say so, but with beehaw defederating two other big instances with open registration, it’s not likely a problem to go away. I did already see that the VPS instance needed to be upgraded, and once bots are banging on the door, that’s even more load. I also utilise a VPN, so it’d be good if WAF could be restricted to signup and login pages; I don’t mind captchas on those entry points, it’d just be nice if it didn’t bug me everywhere. Maybe I will have to plug in an email. I did end up using my real net name anyway, which can be tied to my person reasonably easily.

    Whatever needs to be done… That’s the sad reality.

    • bouncing@partizle.com (M) · 2 upvotes · 1 year ago

      Cloudflare isn’t great at figuring out what pages are “high value” enough for captchas, though we could probably figure out a way to add them with page rules or something. I do imagine, once you do the captcha once, Cloudflare won’t bother you for a while. Or that’s been my experience.

  • theonlykl@partizle.com · 2 upvotes · 1 year ago

    Personally love the small community vibes. Locking down wouldn’t be a bad idea. I wouldn’t even mind chipping in funds (subscription cost) to pay for the VPS hosting.

  • SQL_InjectMe@partizle.com · 0 upvotes · 1 year ago

    I’m not sure which rules are restricted to pro plans, but it looks like Cloudflare WAF is available for free users. Are you able to set up a rule to rate limit access to the sign up page to a very low limit per IP (maybe 3 requests per 5 minutes) or have a captcha on only the sign up page?

    • bouncing@partizle.com (M) · 0 upvotes · 1 year ago

      Part of what makes protecting Lemmy challenging is that, for mysterious reasons from a technical standpoint, Lemmy does everything over websockets. Maybe you’ve noticed that sometimes just nothing will work, and then if you reload the page, it all starts working. That’s your websocket connection getting reset.

      I don’t know why they did that, and there probably is ultimately a way to do rate limiting on websockets, but it’s unfortunately not as easy as just limiting POST requests to a URL. 🤦‍♂️ I could look into whether WAF supports rate limiting on websockets, but Lemmy’s using them for things you normally wouldn’t (such as submitting signup data), so it’s challenging to rate limit using normal HTTP verbs.

      • SQL_InjectMe@partizle.com · 1 upvote · 1 year ago

        Part of what makes protecting Lemmy challenging is that, for mysterious reasons from a technical standpoint, Lemmy does everything over websockets.

        Oh I see. I heard (but haven’t looked at the repos) that the next major version of Lemmy will get rid of websockets.

        but Lemmy’s using them for things you normally wouldn’t (such as submitting signup data)

        Oh my

        • bouncing@partizle.com (M) · 2 upvotes · 1 year ago

          Oh I see. I heard (but haven’t looked at the repos) that the next major version of Lemmy will get rid of websockets.

          I’ve heard rumblings about that too.

      • TheTallestOfMidgets@partizle.com · 1 upvote · 1 year ago

        Wow I had no idea cloudflare offered so much for free. At a glance it looks like everything you mentioned could be done with the free plan. Although if the bot situation got really bad, I would be ok with donating a couple dollars a month to keep this instance usable
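The thread above raises two points that fit together: SQL_InjectMe's suggestion of a per-IP budget of roughly 3 signup attempts per 5 minutes, and bouncing's objection that Lemmy submits signups inside an already-open websocket, so a rule keyed on HTTP path and verb only ever sees the single Upgrade request. The following is an added example, not code from the thread or from the Lemmy project, of how a proxy that terminates the websocket could apply that budget per message instead. It assumes (this is an assumption, not something the thread states) that Lemmy-era websocket frames are JSON objects shaped like {"op": "Register", "data": {...}}; the op names, the client IPs and the sample frames are constructed for illustration.

```python
"""
Per-IP, per-operation sliding-window rate limiter for websocket frames.

Assumption (not from the thread): frames are JSON objects of the form
{"op": "<OperationName>", "data": {...}}. Op names, IPs and the sample
frames below are constructed for this example.
"""
import json
import time
from collections import defaultdict, deque

# Operations that deserve a tight budget: account creation and login.
# "Register" and "Login" are assumed op names, not taken from the thread.
SENSITIVE_OPS = {"Register", "Login"}


class OpRateLimiter:
    """Sliding-window limiter keyed on (client_ip, op).

    Default budget: 3 sensitive ops per 300 seconds per IP, i.e. the
    "3 requests per 5 minutes" figure suggested in the thread. Every other
    op passes through untouched, so normal browsing is never throttled."""

    def __init__(self, limit=3, window=300.0, sensitive_ops=SENSITIVE_OPS):
        self.limit = limit
        self.window = window
        self.sensitive_ops = sensitive_ops
        self._hits = defaultdict(deque)  # (ip, op) -> timestamps of allowed hits

    def allow(self, client_ip, frame, now=None):
        """Decide one inbound frame. Returns (allowed, reason).

        `frame` is the raw text of a single websocket message. Unparseable
        frames are rejected (fail closed) rather than forwarded unchecked."""
        now = time.monotonic() if now is None else now
        try:
            op = json.loads(frame)["op"]
        except (ValueError, KeyError, TypeError):
            return False, "malformed frame"
        if op not in self.sensitive_ops:
            return True, "unthrottled op"
        hits = self._hits[(client_ip, op)]
        # Drop hits that have aged out of the window.
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            return False, f"{op} limit {self.limit}/{self.window:.0f}s exceeded"
        hits.append(now)
        return True, "ok"


def simulate_bot(limiter, ip="203.0.113.7", attempts=5, spacing=1.0):
    """One websocket connection (one HTTP Upgrade) carrying `attempts`
    Register frames, one per `spacing` seconds.

    Returns (http_requests_seen, decisions): a path/verb rule counts only
    the Upgrade, while the op-level limiter decides each frame."""
    http_requests_seen = 1  # the single Upgrade request is all a URL rule sees
    decisions = []
    for i in range(attempts):
        frame = json.dumps({  # constructed signup frame, assumed field names
            "op": "Register",
            "data": {"username": f"bot{i}", "password": "x", "password_verify": "x"},
        })
        allowed, _reason = limiter.allow(ip, frame, now=i * spacing)
        decisions.append(allowed)
    return http_requests_seen, decisions


if __name__ == "__main__":
    lim = OpRateLimiter()
    seen, verdicts = simulate_bot(lim)
    print(f"HTTP requests visible to a URL rule: {seen}")
    print(f"Per-frame verdicts for 5 Register ops: {verdicts}")
```

The limiter has to live somewhere that sees decrypted frames, so it belongs in the reverse proxy or a small sidecar in front of Lemmy rather than in an edge WAF rule keyed on path and method; behind Cloudflare the client IP would need to be taken from the proxied-client header the edge supplies rather than from the TCP peer, otherwise every user shares one bucket. Keying on the op name also keeps ordinary reads such as fetching posts out of the budget, which addresses the complaint in the thread about captchas and throttling getting in the way everywhere instead of only at signup and login.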