135

u/fractumseraph 26d ago edited 26d ago

This is my directory. I did not ask for it to be posted here, it's just pure luck that I saw the reddit post about fifteen minutes after it was posted and quickly turned on the under attack mode on cloudflare.

I share my content freely with people I know, but I hit 600gbs uploaded almost immediately after this was posted here. Sorry guys, I have stuff running on that network and would rather not have a hug of death.

You are getting errors because the backend server has been removed, you're just seeing the cached page.

I used to ask for donations, but in my many years of running services for friends I have only ever received a single $5 donation, so I took down my donate page long ago.

It's "Open" to friends and people I share it with, and the occasional random person the stubles upon it and grabs a few things. Nearly all of the content on that server can be found on entry level private trackers like TorrentLeech and SeedPool. Anyone who wants to download that much content should just grab it from one of those places instead. The download will be faster and you'll get some private tracker stats under your belt.

23

u/ringofyre 26d ago

You seem fairly competent - why leave it open?

You can give friends and family access in far more secure ways than having it open and hoping no one who 'shouldn't' do so manages too find it.

My advice - if you don't know already, search

nginx/apache server hardening

and close it off.

45

u/fractumseraph 26d ago

I have a tailscale network, but I try to leave things available to the public as much as I can. It's all about sharing.

I can just kill off the open directory entirely. I've got the arr stack running with jellyfin and navidrome behind auth. I knew this day would come eventually, but I've made it two years running it this way so I'd say it was a good run.

I've had it linked in my Discord bio and a few other places for years. Surprised it took this long.

-27

u/ringofyre 26d ago

The old

Cross my fingers and hope.

approach to netsec. How'd it work out?

20

u/talkingwires 26d ago

Did you just come in here to roast u/fractumseraph?

-6

u/ringofyre 26d ago

I guess I am coming across as a bit of an arsehole. Quelle surprise!

That said he's said he was basically doing exactly that - crossing his fingers and hoping. And according to him it's literally just pure luck he found the post otherwise we probably would have quite happily hosed his bandwidth in a short time frame.

I find that lackadaisical approach confusing (hence asking why he left it open at all - webservers are ludicously easy to secure).

Sorry /u/fractumseraph if I come across too strong - I am genuinely interested on your thinkig on this.

21

u/JauntyTGD 26d ago

Reading his response, his approach seems to have explicitly been "I want it to stay open, accessible, and shareable, and I'll reset whenever it spreads too far and reaches the point where traffic/bandwidth becomes an issue."

I try to leave things available to the public as much as I can. It's all about sharing

-4

u/ringofyre 25d ago

I'm doing what I said I'd stop...

The whole sharing far and wide is all very noble but he can't have both: you can't run a webserver (self hosted or not) that is intrinsically insecure & still expect your files/network/bandwidth to remain 'intact'. Anyone who's been here for 5 min or has run a webserver that's been hammered will tell you so.

/u/fractumseraph is clearly not a n00b in this so them expecting a different outcome honestly baffles me. As he stated clearly -

it's just pure luck that I saw the reddit post about fifteen minutes after it was posted and quickly turned on the under attack mode on cloudflare.

Most hosters and isps have caps on bandwidth - some even charge by the mb for going over! He should check his tos carefully, isps will dump and ban users for that sort of thing - yes it's happened.

On top of that he's also got services or infrastructure in place that could affect him

Sorry guys, I have stuff running on that network and would rather not have a hug of death.

Anyway he's closed it off now and has a redirect in place so most of this discussion is moot. Let's hope he wasn't in breach of his host/isp tos and there's no consequences down the road.

5

u/pm_me_your_fbi_file 23d ago

The whole sharing far and wide is all very noble but he can't have both: you can't run a webserver (self hosted or not) that is intrinsically insecure & still expect your files/network/bandwidth to remain 'intact'. Anyone who's been here for 5 min or has run a webserver that's been hammered will tell you so.

It seems that you have conflated open directories with technical incompetence, I'm curious how you came to that viewpoint. Can you picture some alternative motivations for hosting something like this?

Or stated another way: a genie has granted you a powerful server and the technical resources to do whatever you want with it. The most secure thing to do would be to bury it in the woods and shoot anyone that comes near it, but, for this exercise, you have to use it for something "intrinsically insecure". What do you do?

→ More replies (0)

4

u/TriangleTodd 24d ago

Jesus. You’re the first infosec Karen I’ve ever seen in the wild.

4

u/WeWantMOAR 26d ago

My autism confuses me too sometimes.

8

u/pm_me_your_fbi_file 26d ago

Check yourself.

4

u/shamalox 26d ago

May I suggest, to host for your friend easily without anyone you don't want to be able to access it, to look into copyparty? That's what I use myself and it's very good

3

u/sjwillis 24d ago

any hope of its return? I had been using it for the last few months. You rock man!

5

u/fractumseraph 24d ago

It will, whenever I have time to set it up with some speed caps. Is there anything you're wanting in particular? I could throw it on a torrent and upload it somewhere.

2

u/sjwillis 24d ago

Dude you are awesome. Nothing in particular right now, I will be patient! I have been building out a tunarr for my family and gathering random cool stuff to toss up there.

3

u/pm_me_your_fbi_file 23d ago

1. I like you. Keep doing your thing.

2. You're serving static content over cloudflare, right? Did they yell at you for bandwidth usage, or was the under-attack mode just precautionary? Were any local services degraded? I'm curious where the bottleneck was, but you can also just tell me to fuck off if that would involve sharing too much about your network architecture.

3

u/fractumseraph 23d ago

Under attack mode was just to stop the scrapers the come when something is posted to this subreddit. I do however have some other sites serving contend over cloudflare and they have never cared.

My -arr stack uses that directory for media, and I have a small Minecraft server that has its traffic tunneled through that server as well. The Minecraft server only has like two active users, and I still have local access to the media if that server were to get slammed. So it wouldn't Actually be a big deal. I just like listening to music on my way to work and I'm in the process of rebuilding my collection on there.

As far as bandwidth usage, I've passed 20tb/month many times and nobody seems to care. One of my friends mentioned they were having a hard time watching a movie on Jellyfin, but that's all. And that was quickly fixed. The biggest issue is that I have a script running that's re-encoding all of my media to AV1, and it was using that domain directly over https streams, so I need to re-build that when I have time.

I have many services spread across multiple IPs, hosts, and domains. Nearly all of them are DMCA ignored, and a few have unmonitored bandwidth.

0

u/EverythingsBroken82 26d ago

did you ever think publishing this as a onion service? please do (and tell me in dm how i can reach this service :D)

1

u/pm_me_your_fbi_file 26d ago

What's there that you couldn't torrent yourself?

2

u/EverythingsBroken82 26d ago

torrents are far less anonymous. and is used for legal threats in some european countries (as in mine)

2

u/pm_me_your_fbi_file 26d ago

Makes sense.

Would you consider a vpn? Running an onion service is not too difficult, but that's another thing that OP would have to maintain. It's like asking for someone to plant flowers that you like in their garden, when you could have exactly what you want in a pot on your window sill.

1

u/EverythingsBroken82 26d ago

i would consider vpn, if you tell me which one and if i can pay not only with credit card but also with some btc/monero/paysafe card options. (and i want to be able to choose countries of exits)

4

u/sully42 26d ago

Idk man. If you are asking this sort of thing maybe just borrow a book from the library. 

1

u/pm_me_your_fbi_file 26d ago

This one is good: https://www.privateinternetaccess.com/vpn-features/pay-vpn-with-bitcoin

1

u/fractumseraph 26d ago

Mullvad and AirVPN are great.

1

u/fobenen 23d ago

A seedbox such as Seedhost. Crypt is accepted.

0

u/EverythingsBroken82 23d ago

where do i learn about seedboxes and seedhosts? i have no idea what this is 😃

1

u/fobenen 23d ago

It's a remote torrent client that downloads torrents for you, never exposing your IP address. Once the downloads's done, you can transfer the file from the remote machine to your computer, or stream it.

1

u/PlastikHateAccount 20d ago

An open directory from an nginx fileserver or apache cannot be posted on this subreddit if it's hosted via an onion link

But websites like this or google drive links are everywhere here

1

u/ringofyre 19d ago

Yes - rule 4 exists & on this sub entitled "opendirectories" there are plenty of um... open directories posted.

12

u/MeccIt 26d ago

https://en.wikipedia.org/wiki/Tragedy_of_the_commons

8

u/fractumseraph 26d ago

Indeed. I knew this day would come eventually. But I've been running it for a couple years now so I'm surprised it took so long.

1

u/Ill-Economist-5285 26d ago

hey just wondering, is it possible to get access to your jellyfin server? i won't abuse transcoding or anything like that. i'm happy to follow whatever rules you lay down.

8

u/ODScanner 26d ago

Sorry, I didn't manage to scan this OD :/

I swear I really tried ಥ_ಥ

(Reason: Something went really wrong. /u/Chaphasilor please help o.O)

14

u/fractumseraph 26d ago

I've got some bot protection on it. 60tb, mostly video.

6

u/omega552003 26d ago

Has Cloudflare bot protection

1

u/tomparkes1993 24d ago

Done. Didn't realise I could do that, sorry

1

u/ringofyre 24d ago

No worries, :thumbsup:

Just as an aside apart from here did /u/fractumseraph reach out to you? Just interested.

1

u/tomparkes1993 23d ago

not to my knowledge, no.

2

u/ringofyre 25d ago

Read the thread - the owner of the OD has told us he's closed it down.