-
Notifications
You must be signed in to change notification settings - Fork 38
taskd vulnerable to port scan/DOS attack (no socket timeout implemented) #196
Comments
Related to GothenburgBitFactory/taskwarrior#2987 |
Just to clarify for anyone else reading this: taskd (the taskwarrior sync server) is vulnerable. Taskwarrior itself is not. Until there's a better sync server available, the best recommendation is to limit access to the taskserver as much as possible. |
Thank you, I improved the title based on your comment. |
As a matter of fact this (and the referenced issues) should be moved under https://github.com/GothenburgBitFactory/taskserver/issues - could that be done by the repo owner or I need to recreate it manually? |
I can do that! |
Yep! Moving over to taskserver. |
I run taskd 1.2.0 on debian for quite some time and do not face DDOS issues. But that's only my experience, so be warned by the comments above. OTOH, the reason why I comment here is, that this issue report reminds me about my todo. My plan is to finally remove my taskd.service and switch over to syncthing to keep taskwarrior files synched across my devices. I also wanted to suggest this here. I think this might be a good solution for others as well. |
I come from the other way. If you have multiple devices it’s much more comfortable to manage task updates without overwriting everything and potentially loose some forgotten modifications done on some less used device. I can’t go back to file syncing. Meanwhile, my server’s firewall is set to restrict taskd access from unspecified sources, that will do most the job. |
Important Taskserver is only compatible with Taskwarrior 2.x, and is no longer actively developed. |
I am syncing my tasks to a remote instance of taskwarrior, running on port 50000 and properly secured. However I have found that from time to time I need to restart the daemon as the sync randomly stops working (
Sync failed. Could not connect to the Taskserver.
). Recently I've been digging a bit more to find out that there is a direct connection with suspicious IP, often reported at sites like https://www.abuseipdb.com/. During the times when the service is unavailable, the situation on the server appears as follows:Until the service is restarted I am seeing a stream of TCP retransmission originating from my IP address:
Could it be that a TCP connection opened for several hours results in such a condition?
Taskd is 1.1.0 running on Debian sid.
Edit:
Actually it turns out it's very easy to reproduce the issue. In one terminal run:
and leave the session opened. In second terminal try to sync. The sync is blocked until the previous TCP session is terminated.
The text was updated successfully, but these errors were encountered: