Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

user registration should be disabled by default #5617

Closed
alexandervlpl opened this issue Jun 24, 2017 · 9 comments
Closed

user registration should be disabled by default #5617

alexandervlpl opened this issue Jun 24, 2017 · 9 comments

Comments

@alexandervlpl
Copy link

@alexandervlpl alexandervlpl commented Jun 24, 2017

I was notified by a white hat "hacker" today about my completely open Sentry instance (anyone can register and access projects). Clearly an oversight on my part, but it would be good to see some info/warnings about this in the docs or to disable registration altogether in the default settings.

I really a doubt that a typical Sentry admin wants anyone on the internet to be able to get instant access to bits of their source code, passwords, and other sensitive data. Those that do want this kind of access should be the ones who tweak the settings and explicitly allow it.

When coming up with defaults, it's almost always better to go for more security, not less. I'm wondering how many other open instances are running out there and already getting exploited.

@shiny
Copy link

@shiny shiny commented Jun 24, 2017

I was received a mail from white hat today, facing on the same situation too.

@xNevo
Copy link

@xNevo xNevo commented Jun 24, 2017

Same here, luckely enough the guy who sent the email created a blog post on his homepage where he shows how he did this + how to disable the login

https://julian-uphoff.de/2017/06/24/how-i-found-your-sentry-instance-and-how-to-disable-user-registration/

@ei-grad
Copy link

@ei-grad ei-grad commented Jun 27, 2017

White hat?.. Just a typical blackhat, who got maximum of what he could from e-mail exposure vulnerability :-/.

The sentry shouldn't be used in way how we (all, who got the message) use it. Don't allow access from Internet to it. I'm going to fix it for my sentry instance ASAP.

@dcramer
Copy link
Member

@dcramer dcramer commented Jun 27, 2017

We strongly encourage customers to firewall off Sentry (as well as any other internal service), as there's generally no reason to expose it to the internet. Additionally, if compliance isn't a concern for you, you should take a look at our cloud option as we take care of these security concerns for you (and we're generally cheaper than running it yourself).

@themainframe
Copy link

@themainframe themainframe commented Jun 29, 2017

@dcramer That's not entirely true, for instance logging exceptions from JavaScript (frontend) applications or other platforms where code runs remotely, not on your network. You could put Sentry behind a WAF or otherwise and restrict all routes except the DSN URLs you need.

@wmealing
Copy link

@wmealing wmealing commented Jul 2, 2017

@ei-grad that is a cheap shot at those who are trying to do the right thing. There definitely are white hats in the industry.

@ei-grad
Copy link

@ei-grad ei-grad commented Jul 2, 2017

@wmealing unauthorized access to publicly exposed private services is actually a crime in some countries. Don't say "white hat" if you don't know what the responsible disclosure is.

@themainframe
Copy link

@themainframe themainframe commented Jul 2, 2017

I don't get your attitude. You'd rather just go on blissfully not knowing that you have a security problem? No. Sounds to me like your boss got one of his emails and chewed you out for dropping the ball on security so now you're butthurt.

@mattrobenolt
Copy link
Member

@mattrobenolt mattrobenolt commented Jul 2, 2017

I am just going to close and lock this issue since conversation has derailed. The next release will have this configurable in the UI.

@getsentry getsentry locked and limited conversation to collaborators Jul 2, 2017
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
8 participants
You can’t perform that action at this time.