Login or Registration does not work. #496
Comments
|
I won't reopen it (== self service account creation) in the near future. There is just too much abuse by criminals and neither want to support their actions nor deal with deleting their stuff all the time. Account owners who can't login any more (because they used some external authentication and did not set a local password or forgot the local password) can write me an email to info @ nsupdate.info:
I will then set a new temporary password for you, so you can log in again. Note: I currently do not create new accounts manually, sorry (too much work). |
|
Interesting how other DDNS providers working with abuses. In the DuckDNS FAQ said
https://www.duckdns.org/faqs.jsp Maybe this is solvable somehow. The bigger problem is for tunnels providers. Maybe their experience may be useful |
Running a free service like this AND keeping it clear of people trying to use for C&C servers and other nefarious purposes, and then also fighting DDoS attacks from both good guys and bad guys is a full-time job. In theory, sure, any of us could set this up on a bunch of VPSs out there and advertise it as "free dynamic dns service", but without a small team of people constantly babysitting it, it's just not practical. Just glad the software exists so I can self-host (and I'm looking at this because DuckDNS is again intermittent all weekend long). |
|
@sporkman Is there a fairly simple guide or any steps on setting up a selfhosted instance from scratch on a VPS (DigitalOcean etc)? |
|
@ThomasWaldmann could you please explain how criminals are using the service? But if criminals just need for any domain and they don't want to register because it needs for a credit card then this makes it more dificult. The only solution would be to require a payment of 1$ and then rollback. I'm asking because I made my own ddns server and I need to know how to protect. I decided to use a different approach. I want to make my users to be automatically registered. So they'll just generate a long random domain (uuid or ed25519 pub key) and token and configure a ddns client. The new domain with the token are registred and any next updates will require of the same password. P.S. my ddns server poc https://github.com/yurt-page/go-ddnsd |
|
Well, as far as i could see / got notified of:
I think a simple list of trademarks / registered names would be huge and won't solve the problem. E.g. if you had wellsfargo (a bank) on your list, the abuser would just use wells-fargo or we11sfargo or wellsfarg0 or ... - some are even hard to match with regexes. I thought about obligatory payments. That might deter some of the criminals, because that would harm their anonymity and some kind of information about them might be in reach for criminal investigators then. But I guess even that could be worked around, just by abusing the credit card of someone else. Also, I don't like that, because it would basically turn the free service into a commercial one, cause more work for me and would be either for nothing or would be more expensive... There is no "moderation admin interface" (yet?) for the nsupdate.info software (I currently do that via the django admin). In any case, I would only give access to very trusted persons I personally know. Using random (like uuid) hostnames and not allowing the user to choose the hostname removes some of the criminal use cases, but not all. Of course, it also removes some of the reasons why legitimate users want to have a dyndns name in the first place (== because they can remember it easily). It also removes some pattern matching options for the admin to fight criminal abusers. About removing inactive hostnames after some time: we also do that (after a rather long time), but it first notifies the users multiple times via email about that this is going to happen if there is no activity. This is not completely unproblematic, because sometimes users give fake email addresses or just don't get or read our emails. Hostnames that are not updated for longer times usually happen for cable internet providers (IP does not change). It is a good practice to not update the dyndns host if the IP did not change, BUT still send 1 monthly unconditional update just to signal "hey, I am still alive and using this dyndns host". About self-registration, oauth (external accounts):
Since I have removed self-registration and external accounts, the amount of abuse has significantly decreased (also the amount of abuse notifications I get via email). But I usually can't keep up with new user registration request emails (also hard to know how they will use the service), so in the past months I focussed on helping existing users to get into their accounts again (e.g. if they only had used the external auth [disabled now], but did not set a local password). |
ThomasWaldmann
changed the title
|
Update: I updated the 2nd post with the current state of affairs. Also cleaned up this ticket a bit, removed posts that are not useful any more. |
Registration of new accounts is currently not possible. More information: nsupdate-info/nsupdate.info#496
|
Very sad. Unfortunately, my friends recommended the service to me too late. If registration becomes possible again (I can also verify myself by personally sending stamps, even though no one uses stamps anymore), it would be cool if this thread could be updated. |
I can't sign up into the site. How long the registration will be closed?
The text was updated successfully, but these errors were encountered: