user registration should be disabled by default

[alexandervlpl]

I was notified by a white hat "hacker" today about my completely open Sentry instance (anyone can register and access projects). Clearly an oversight on my part, but it would be good to see some info/warnings about this in the docs or to disable registration altogether in the default settings.

I really a doubt that a typical Sentry admin wants anyone on the internet to be able to get instant access to bits of their source code, passwords, and other sensitive data. Those that do want this kind of access should be the ones who tweak the settings and explicitly allow it.

When coming up with defaults, it's almost always better to go for more security, not less. I'm wondering how many other open instances are running out there and already getting exploited.

[shiny]

I was received a mail from white hat today, facing on the same situation too.

[cpuschma]

Same here, luckely enough the guy who sent the email created a blog post on his homepage where he shows how he did this + how to disable the login

https://julian-uphoff.de/2017/06/24/how-i-found-your-sentry-instance-and-how-to-disable-user-registration/

[ei-grad]

White hat?.. Just a typical blackhat, who got maximum of what he could from e-mail exposure vulnerability :-/.

The sentry shouldn't be used in way how we (all, who got the message) use it. Don't allow access from Internet to it. I'm going to fix it for my sentry instance ASAP.

[dcramer]

We strongly encourage customers to firewall off Sentry (as well as any other internal service), as there's generally no reason to expose it to the internet. Additionally, if compliance isn't a concern for you, you should take a look at our cloud option as we take care of these security concerns for you (and we're generally cheaper than running it yourself).

[themainframe]

@dcramer That's not entirely true, for instance logging exceptions from JavaScript (frontend) applications or other platforms where code runs remotely, not on your network. You could put Sentry behind a WAF or otherwise and restrict all routes except the DSN URLs you need.

[wmealing]

@ei-grad that is a cheap shot at those who are trying to do the right thing. There definitely are white hats in the industry.

[ei-grad]

@wmealing unauthorized access to publicly exposed private services is actually a crime in some countries. Don't say "white hat" if you don't know what the responsible disclosure is.

[themainframe]

I don't get your attitude. You'd rather just go on blissfully not knowing that you have a security problem? No. Sounds to me like your boss got one of his emails and chewed you out for dropping the ball on security so now you're butthurt.

[mattrobenolt]

I am just going to close and lock this issue since conversation has derailed. The next release will have this configurable in the UI.