When @bouncing@partizle.com, @The_iceman_cometh@partizle.com and I started this instance, we figured we’d get a dozen or so signups from people we knew. We left registration open, figuring no one would care because we did exactly nothing to promote this.

It’s by any measure still a small instance (~100 users), but even so, moderation of other instances is now a thing: we’ve blocked some troublesome instances, in particular ones that we suspect traffic in borderline illegal content. We by no means, however, have any good grasp on what’s federating to us from the open web.

Sooner or later, bots and spammers and trolls will find our humble little instance. Lemmy’s only real remedies for that are an application process and/or verified email. Both to our mind seem useless, because bots can convincingly automate either or both. Cloudflare can keep out the more naive bots, though ratcheting up the security in it causes inconvenience for users, especially ones who protect their privacy (think of the captchas you get when using a VPN).

For its part, Lemmy is fun software, but not especially feature-rich. There’s really no admin interface to speak of. If you get 100 bot signups, you have to ban them, one at a time. That hasn’t happened yet to us, but it has happened to other instances, and it’s rough. We’ve even considered just slapping a Django admin UI on its Postgres database, but we’d need to learn the table structure and also make sure that just updating tables in Postgres is enough (i.e., does Lemmy’s backend have state in RAM, etc.). It’s not something we’re ready to take on right now.

Anyway, about the possible future of bots and spammers: So what do you guys think? Leave registrations wide open? Require approval? Keep it the way it is, but lean more on Cloudflare for protection?

  • SQL_InjectMe@partizle.com · 1 year ago · ↑ 0

    I’m not sure which rules are restricted to pro plans, but it looks like Cloudflare WAF is available for free users. Are you able to set up a rule to rate limit access to the sign-up page to a very low limit per IP (maybe 3 requests per 5 minutes) or have a captcha on only the sign-up page?

      • TheTallestOfMidgets@partizle.com · 1 year ago · ↑ 1

        Wow, I had no idea Cloudflare offered so much for free. At a glance it looks like everything you mentioned could be done with the free plan. Although if the bot situation got really bad, I would be OK with donating a couple of dollars a month to keep this instance usable.

    • bouncing@partizle.com (mod) · 1 year ago · ↑ 0

      Part of what makes protecting Lemmy challenging is that, for mysterious reasons from a technical standpoint, Lemmy does everything over websockets. Maybe you’ve noticed that sometimes just nothing will work, and then if you reload the page, it all starts working. That’s your websocket connection getting reset.

      I don’t know why they did that, and there probably is ultimately a way to do rate limiting on websockets, but it’s unfortunately not as easy as just limiting POST requests to a URL. 🤦‍♂️ I could look into whether WAF supports rate limiting on websockets, but Lemmy’s using them for things you normally wouldn’t (such as submitting signup data), so it’s challenging to rate limit using normal HTTP verbs.

      • SQL_InjectMe@partizle.com · 1 year ago · ↑ 1

        > Part of what makes protecting Lemmy challenging is that, for mysterious reasons from a technical standpoint, Lemmy does everything over websockets.

        Oh I see. I heard (but haven’t looked at the repos) that the next major version of Lemmy will get rid of websockets.

        > but Lemmy’s using them for things you normally wouldn’t (such as submitting signup data)

        Oh my

        • bouncing@partizle.com (mod) · 1 year ago · ↑ 2

          > Oh I see. I heard (but haven’t looked at the repos) that the next major version of Lemmy will get rid of websockets.

          I’ve heard rumblings about that too.
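The per-IP rate limit SQL_InjectMe proposed (3 signup requests per 5 minutes) can be tried offline before it is turned into a WAF rule, by replaying it over reverse-proxy access logs and seeing which clients would have tripped it. The code below is an added example written for this page, not Lemmy's code and not code posted by anyone in the thread. It assumes an nginx-style combined log format, the HTTP register endpoint `/api/v3/user/register` and the websocket endpoint `/api/v3/ws`; adjust those to whatever paths your proxy actually sees. It also makes bouncing's websocket point concrete: a websocket handshake is a single HTTP `GET` with status 101, so signups submitted as messages inside that connection never show up as separate requests. The most a log (or a per-request WAF rule) can count is the handshake itself, which is why the check below treats each handshake as one attempt.

```python
"""Sliding-window per-IP rate check for signup traffic, replayed over access-log lines.

Added example for this discussion; not Lemmy code. The log format and the two
paths below are assumptions about a typical nginx-fronted Lemmy deployment.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# nginx "combined" format: ip ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
SIGNUP_PATH = "/api/v3/user/register"   # assumed HTTP register endpoint
WS_PATH = "/api/v3/ws"                  # assumed websocket endpoint
LIMIT = 3                               # attempts allowed per window per IP
WINDOW = timedelta(minutes=5)

# Constructed sample log, not a real capture. 203.0.113.7 hammers the HTTP
# register endpoint; 198.51.100.4 opens one websocket and browses normally.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jun/2023:12:00:01 +0000] "POST /api/v3/user/register HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Jun/2023:12:00:09 +0000] "POST /api/v3/user/register HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.4 - - [10/Jun/2023:12:01:00 +0000] "GET /api/v3/ws HTTP/1.1" 101 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jun/2023:12:01:30 +0000] "POST /api/v3/user/register HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Jun/2023:12:02:00 +0000] "POST /api/v3/user/register HTTP/1.1" 400 80 "-" "curl/8.0"',
    '198.51.100.4 - - [10/Jun/2023:12:03:00 +0000] "GET /post/123 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jun/2023:12:30:00 +0000] "POST /api/v3/user/register HTTP/1.1" 200 512 "-" "curl/8.0"',
]


def parse_line(line):
    """Return (ip, timestamp, method, path-without-query, status) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    path = m["path"].split("?", 1)[0]
    return m["ip"], ts, m["method"], path, int(m["status"])


def is_signup_attempt(method, path):
    """A direct POST to the register endpoint, or a websocket handshake.

    Messages carried inside an established websocket are not HTTP requests
    and never reach the log, so the handshake is the only observable event
    for a websocket-based signup. Counting it is the best a per-request
    rule can do.
    """
    return (method == "POST" and path == SIGNUP_PATH) or (
        method == "GET" and path == WS_PATH
    )


def find_offenders(lines, limit=LIMIT, window=WINDOW):
    """Return {ip: first timestamp at which more than `limit` attempts fell
    inside a trailing `window`}. Lines are expected in chronological order,
    as an access log is written.
    """
    recent = defaultdict(deque)   # ip -> timestamps inside the current window
    offenders = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path, _status = parsed
        if not is_signup_attempt(method, path):
            continue
        q = recent[ip]
        while q and ts - q[0] > window:   # drop attempts older than the window
            q.popleft()
        q.append(ts)
        if len(q) > limit and ip not in offenders:
            offenders[ip] = ts
    return offenders


if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"{ip} exceeded {LIMIT} signup attempts per {WINDOW} at {when.isoformat()}")
```

On the sample, `203.0.113.7` is flagged at its fourth attempt (12:02:00); its attempt at 12:30:00 starts a fresh window and is not counted against it. `198.51.100.4` stays clean with one handshake. Feed the function real log lines (`find_offenders(open("access.log"))`) and tune `LIMIT` and `WINDOW` until legitimate traffic stops appearing before committing the same numbers to a WAF rule.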