This week I got some weird notifications on my phone from my torrent server for torrents I never added, for things I would never add. Tonight I tracked down what was happening.
Mistake 1: Exposing the Web Interface to the Public
I’ve always used authentication on this web interface without any issue for well over a decade now. This is how I used to operate before we had a VPN in place, and once we put the VPN in I never locked this down. I thought I had done so earlier this week after the first round of notifications until I got hit with another notification just tonight. Turns out in MikroTik that even though both a Filter Rule and a NAT Rule are required to open a port, if you disable only the Filter Rule the NAT Rule will continue working for QUITE some time. It should NOT work that way, so this must be a bug??
Mistake 2: Not Understanding the Complexities of Running Transmission Daemon Inside of Docker
On my old box I used to just run transmission-daemon as a standalone binary on the host OS. When I moved it to a new box I decided to check out the docker container for it. There are a few weird caveats for this setup. Namely, you MUST define USER and PASS inside the docker-compose.yaml file. I could not understand why rpc-authentication-required kept getting set to false whenever the program started, even after I set it to true. This kept happening and I looked at so many other settings within transmission’s settings file, but that’s not where the problem was. Turns out that the docker version of transmission-daemon will always set that value to false if USER and PASS are not defined as docker environment variables. THAT is where I needed to put my newly rotated username and password so that I could enable the web authentication.
That is to say, I had been running without authentication of any kind for a year because of some fucking wildass bullshit behavior that defaults to insecurity. I SHOULD have been able to just bring in my existing settings file and just go, but the docker version has to be fucking weird!
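A check that would have caught this, as an added example (not code from this post or from the Transmission or container projects): it reads the settings.json the container has already rewritten at startup and sends one credential-free request to your own RPC endpoint, where HTTP 401 means authentication is enforced and HTTP 409 means the daemon offered a session to an anonymous caller. The function names, the default file path and the URL on port 9091 are assumptions to adjust for your setup.

```python
import json
import sys
import urllib.error
import urllib.request

def settings_require_auth(settings_text):
    """True only when settings.json explicitly enables RPC authentication."""
    return json.loads(settings_text).get("rpc-authentication-required") is True

def classify_rpc_status(status):
    """Interpret the HTTP status of a request sent with no credentials."""
    if status == 401:
        return "auth-required"   # daemon demanded credentials first
    if status in (200, 409):
        return "open"            # 409 = session-id handshake offered to an anonymous caller
    return "unknown"

def probe(url, timeout=5):
    """Send one credential-free session-get to your own daemon and classify the reply."""
    req = urllib.request.Request(
        url, data=b'{"method": "session-get"}',
        headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_rpc_status(resp.status)
    except urllib.error.HTTPError as err:
        return classify_rpc_status(err.code)
    except OSError:
        return "unreachable"

def audit(settings_text, rpc_state):
    """Return a list of findings; empty means authentication is configured and enforced."""
    findings = []
    if not settings_require_auth(settings_text):
        findings.append("settings.json: rpc-authentication-required is not true")
    if rpc_state == "open":
        findings.append("RPC endpoint answered without credentials")
    elif rpc_state != "auth-required":
        findings.append("RPC endpoint state is %s; enforcement not confirmed" % rpc_state)
    return findings

if __name__ == "__main__":
    # Assumed defaults: adjust the path and URL to your own container's volume and port.
    path = sys.argv[1] if len(sys.argv) > 1 else "settings.json"
    url = sys.argv[2] if len(sys.argv) > 2 else "http://127.0.0.1:9091/transmission/rpc"
    with open(path) as fh:
        problems = audit(fh.read(), probe(url))
    print("\n".join(problems) or "OK: authentication enforced")
    sys.exit(1 if problems else 0)
```

Run it after every container restart or image update, since the setting is rewritten at startup; a non-zero exit code makes it usable from cron or a health check.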
Ay yi yi
Anyway, they were adding torrents of like, lectures? Biology and such; a collection of mp4 files from various universities or conferences. They also added tonight one game rip for a modern console. BAD BAD BAD! I caught it quick enough that I should not get a DMCA notice, but…!!! It had uploaded a TON because they also went in and disabled my seed ratio and seed time limit settings! I don’t get it. Just adding another node to the torrent seeds perhaps? Because there’s no way for them to get the data off of my machine.
This little scare kept me up longer than I expected to be tonight :\ This has been a really hard week and I just need some sleep D:
In summary: I hate computers.