Be careful when self-hosting public PrivateBin on inexpensive lifetime shared hosting -- it's risky!


Comments

  • @Kyz when you self host, always use some ipfirewall block all access to your apps and whitelist your ip locations.

  • Kyz Member

    @dbadude said:
    @Kyz when you self host, always use some ipfirewall block all access to your apps and whitelist your ip locations.

    that's not my issue at all, i don't even use a VPS for this

  • Their communication is hilarious. Love contradictions. Although it's a bit weird for the first and only report by some random to yeet someone, given that they did respond/would have acted. Good to know.

  • ralf Member

    @Kyz said:

    @forest said:
    The vulnerability being that file uploads were enabled?

    no, that one can be enabled in the config, i don't argue that this is my fault. the vulnerability lies in the reporting process. the fact that someone can post something in it, report it and then have the "authority" knocking on the hosting's door, which leads to the impromptu suspension of my website (or service)

    So, the takeaway is don't allow unrestricted and unmoderated user uploads to a platform where the provider strictly enforces a TOS banning certain materials. And if you need such a service yourself, properly implement access controls. And whatever you do, don't advertise such a service publicly.

    You mostly correctly identified in the post title, but didn't need to specify the application used or the provider in this case.

  • @ralf said:

    @Kyz said:

    @forest said:
    The vulnerability being that file uploads were enabled?

    no, that one can be enabled in the config, i don't argue that this is my fault. the vulnerability lies in the reporting process. the fact that someone can post something in it, report it and then have the "authority" knocking on the hosting's door, which leads to the impromptu suspension of my website (or service)

    So, the takeaway is don't allow unrestricted and unmoderated user uploads to a platform where the provider strictly enforces a TOS banning certain materials.

    Given that this could have happened with (insert exploit of program X here) it's still valuable to know that you're just hosed regardless.

  • oloke Member, Host Rep
    edited February 20

    @Decicus said:

    @ralf said: He set up a service, which he says was intended only for his own personal use, then listed it as a publicly available pastebin service, and then paid no attention at all to what was being posted.

    I don't disagree that the OP made a mistake (PrivateBin with file upload isn't a good idea on a shared web hosting service that costs peanuts to begin with), but PrivateBin doesn't allow the admin to see the contents of a paste without the decryption key (which is part of the URL hash, something that isn't sent to the server). "Paying attention" to what was being posted in this case is practically impossible unless you either modify PrivateBin (making the use of PrivateBin pointless), or get some kind of abuse report.

    I think the OP should not have public uploads allowed on a personal privatebin instance. Privatebin does not seem to restrict uploads (other than a simple on/off switch in config) so the easiest approach would be probably to use HTTP basic auth for the service.

    Other than this, file uploads can be disabled entirely and expiration times can be enforced. From what I've heard those two settings help prevent situations like OP's however they come with limitations to the instance owner as well.

    Running a public service always comes with responsibility, especially when it can be abused easily by anonymous users. Interestingly enough, I was not aware that all instances of PrivateBin are public by default. The 3 most recent issues closed were related to this behavior and the possibility of opting out due to abuse on public instances. I assume the OP's instance was not the only one affected by recent abuse cases happening there.
    Instances can be removed from the official listing by disallowing PrivateBin's bot to index your page.

    I think @xHosts did the right thing there nevertheless given the price of the service and severity of reported issue. Just hope it will serve as a good lesson for the OP to keep their private services restricted.

  • 3K33 Member, Host Rep

    Basically, we at least decide on case-by-case. There is a difference between PrivateBin or running a forum and a website that only has CSAM imagery on it.

    For first part, we would most likely forward the report and ask customer to remove the offending content, but second one, it would result in instant termination.

    Thanked by 3: oloke, forest, tentor
  • angstrom Moderator

    I've edited the title so that it better reflects the reality of the situation

    For the record, the original title was:

    [PSA] Be careful when self-hosting PrivateBin. Xhosts.uk banned me for something i didn't do

  • xHosts Member, Patron Provider

    I’m not going to go into details about any specific case.

    What I will say is this wasn’t a normal copyright or spam complaint. It involved material that falls under child protection law. When something like that gets formally reported, you don’t treat it like a routine abuse ticket — you act immediately.

    Also, just to be completely clear: this wasn’t one isolated report, and it wasn’t multiple reports tied to a single customer. We’ve had separate serious abuse issues across different, unrelated accounts over time. That’s why we’ve reviewed our policies more broadly.

    As a small host operating under a reseller, serious abuse reports can put the entire reseller account — and every other customer on it — at risk. When that level of risk is involved, sometimes termination is the safest and most responsible option.

    This wasn’t about pricing, and it wasn’t personal. It was a compliance and risk decision.

    Because of repeated issues across different accounts (not just this one), we’re introducing stronger verification measures, including KYC for certain services. That’s a platform-wide change, not something aimed at one individual.

    I will not comment further on this issue.

  • zed Member

    You can be disappointed in how @xHosts handled it (and arguably some of their wording is .. whatever) but this was fully self-inflicted by op.

    He's more aware now so hopefully it won't happen to him again.

    Thanked by 1: forest
  • @Kyz said:

    @dbadude said:
    @Kyz when you self host, always use some ipfirewall block all access to your apps and whitelist your ip locations.

    that's not my issue at all, i don't even use a VPS for this

    if you host something on a vps. you host something on a vps... Not my issue at all??? Are you twelve?

  • Mainfrezzer Member
    edited February 20

    @xHosts said:
    I’m not going to go into details about any specific case.

    What I will say is this wasn’t a normal copyright or spam complaint. It involved material that falls under child protection law. When something like that gets formally reported, you don’t treat it like a routine abuse ticket — you act immediately.

    Also, just to be completely clear: this wasn’t one isolated report, and it wasn’t multiple reports tied to a single customer. We’ve had separate serious abuse issues across different, unrelated accounts over time. That’s why we’ve reviewed our policies more broadly.

    As a small host operating under a reseller, serious abuse reports can put the entire reseller account — and every other customer on it — at risk. When that level of risk is involved, sometimes termination is the safest and most responsible option.

    This wasn’t about pricing, and it wasn’t personal. It was a compliance and risk decision.

    Because of repeated issues across different accounts (not just this one), we’re introducing stronger verification measures, including KYC for certain services. That’s a platform-wide change, not something aimed at one individual.

    I will not comment further on this issue.

    fair enough, but that doesn't explain the contradictions in messages and the obvious lie that this was requested by law enforcement, let alone that obviously they would acquire evidence.

    Thanked by 1: forest
  • Kyz Member

    @xHosts said:
    Also, just to be completely clear: this wasn’t one isolated report, and it wasn’t multiple reports tied to a single customer. We’ve had separate serious abuse issues across different, unrelated accounts over time. That’s why we’ve reviewed our policies more broadly.

    thank you, now that explains why i got immediately banned. the way i read it, apparently it wasn't just me, so that's why something had to be done more broadly. now that make sense. i'm upset that this happened to me but i don't blame you.

  • Kyz Member

    @dbadude said:
    if you host something on a vps. you host something on a vps... Not my issue at all??? Are you twelve?

    if it wasn't clear already, this is Shared Web Hosting, not a Shared VPS. i don't have access to their system.

  • default Veteran
    edited February 20

    We live in a very bad world and in very dark times. One can't simply open up their soul and their platform anymore.

    Thanked by 1: tentor
  • FBI coming for you op

  • rpqu Member

    Thanked by 2: zed, Murv
  • @Kyz said:

    @dbadude said:
    if you host something on a vps. you host something on a vps... Not my issue at all??? Are you twelve?

    if it wasn't clear already, this is Shared Web Hosting, not a Shared VPS. i don't have access to their system.

    You think a shared hosting provider will secure your installed website? LOL

  • zed Member

    @dbadude said:

    @Kyz said:

    @dbadude said:
    if you host something on a vps. you host something on a vps... Not my issue at all??? Are you twelve?

    if it wasn't clear already, this is Shared Web Hosting, not a Shared VPS. i don't have access to their system.

    You think a shared hosting provider will secure your installed website? LOL

    Just fuck off already, you're babbling shit.

  • question: how to harden pastebin?

  • @hyperblast said:
    question: how to harden pastebin?

    Iptables.

  • Kodomu Member
    edited February 20

    This is unfortunately where a lot of domain registries and hosts do fall flat. There's a great lack of understanding across much of the industry about what "user generated content" is, and also a lot of misunderstanding about the laws behind it.
    Most of the big registries like to instantly suspend domains for anything illegal, which makes forums and social media sites quite vulnerable to someone uploading something they shouldn't, and then essentially self-reporting. It's not the first time I have seen sites go down over this and it won't be the last.

    In almost all "normal" countries, transit providers, hosts and website operators are not expected to proactively moderate anything; there have been attempts to push this through in law, but most places still don't expect it. You are expected to act only when you are aware of something, be this by report or by finding it accidentally, and in a reasonable time frame depending on the type of report.

    I don't really blame xHosts as if they are really a reseller, then they don't want to rock the boat with their provider, and admittedly for such a cheap offer you should pretty much expect no support at all, but this is a great example of why you would want to pick a host that owns their own equipment so has more control and leniency, and charges a bit more than pocket change so it's actually worth keeping their customers.
    After all, it's a lot harder for a host to get kicked out of a datacentre than it is to get kicked off someone else's equipment. You do usually get what you pay for and to be honest this is usually why I consider lifetimes a scam, unless with an especially good provider. They usually are more than happy to kick you off as soon as possible with no refund.

    Thanked by 4: rpqu, JohnnySac, Kyz, forest
  • @zed said:

    @dbadude said:

    @Kyz said:

    @dbadude said:
    if you host something on a vps. you host something on a vps... Not my issue at all??? Are you twelve?

    if it wasn't clear already, this is Shared Web Hosting, not a Shared VPS. i don't have access to their system.

    You think a shared hosting provider will secure your installed website? LOL

    Just fuck off already, you're babbling shit.

    bye children

  • forest Member
    edited February 20

    @hyperblast said:

    question: how to harden pastebin?

    The problem isn't the paste site itself. The problem is that hosting anything whatsoever with user generated content opens up the vulnerability that bad actors can unilaterally decide whether or not your account gets terminated.

    Thanked by 1: ralf
  • go to charityhost then :#

  • amj Member

    @hyperblast said:
    question: how to harden pastebin?

    Enforce authentication for methods other than GET.

    # Reads stay open so recipients of a paste link can fetch it;
    # anything that creates, modifies or uploads must present a valid user.
    AuthType Basic
    AuthName "Private"
    AuthUserFile "****/private_html/.htpasswd"
    <LimitExcept GET>
        Require valid-user
    </LimitExcept>

    Thanked by 1: oloke
  • ralf Member

    @JasonM said:
    go to charityhost then :#

    Doesn't that just cut down the time for the provider to "discover" the content?

    Thanked by 2: rpqu, JasonM
  • xHosts Member, Patron Provider
    edited February 21

    I was not going to reply any further but as a quick suggestion, I have not reviewed the code but as I assume it will be sending this as a post, something like this at the top of the config file

    I have had to add this to pastebin, security here blocks some of the code

    https://pastebin.com/VwinfkeK

    Basically, it will allow posts / uploads from your own IP or friends IPs that you trust, anything else should be blocked, you just add this to the top of a central file

    Thanked by 1: hyperblast
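As an added illustration of the two hardening suggestions in this thread (amj's `<LimitExcept GET>` rule and xHosts' per-IP allowlist for posts), here is a small reference policy written for this page; it is not PrivateBin code and not either poster's snippet. It assumes constructed values: the allowlisted networks 203.0.113.0/24 and 2001:db8::/32, and a single user held in a plaintext `USERS` dict that a real deployment would replace with a hashed .htpasswd file. The logic mirrors the Apache rule: read methods stay open so recipients of a paste link can fetch it, while every other method must either come from an allowlisted address or carry valid Basic credentials, and an address that fails to parse is refused rather than waved through.

```python
"""Reference access policy for a self-hosted paste service.

Constructed example for this thread, not PrivateBin code. Reads stay
public; every other HTTP method needs an allowlisted source address or
valid HTTP Basic credentials.
"""
import base64
import hmac
import ipaddress
from typing import Optional

# Methods that only read state. HEAD and OPTIONS are kept open so link
# previews and CORS preflights from paste readers keep working.
READ_METHODS = {"GET", "HEAD", "OPTIONS"}

# Constructed allowlist (documentation ranges); replace with your own.
ALLOWED_NETWORKS = [
    ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8::/32")
]

# Constructed credential store. In production read a hashed .htpasswd
# file instead of keeping plaintext secrets in code.
USERS = {"owner": "correct horse battery staple"}


def client_allowlisted(client_ip: str) -> bool:
    """True if the address parses and sits inside an allowlisted network."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # unparsable address: fail closed
    return any(addr in net for net in ALLOWED_NETWORKS)


def basic_header(user: str, password: str) -> str:
    """Build the Authorization header value a client would send."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def basic_auth_valid(authorization: Optional[str]) -> bool:
    """Validate an HTTP Basic header against USERS with constant-time compares."""
    if not authorization or not authorization.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(authorization[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False  # malformed token: treat as unauthenticated
    user, sep, password = decoded.partition(":")
    if not sep:
        return False
    expected = USERS.get(user)
    if expected is None:
        # Compare against a dummy so timing does not reveal which usernames exist.
        hmac.compare_digest(password.encode("utf-8"), b"dummy")
        return False
    return hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8"))


def decide(method: str, client_ip: str,
           authorization: Optional[str] = None) -> tuple[int, str]:
    """Return (status, reason) for a request, mirroring <LimitExcept GET>."""
    method = method.upper()
    if method in READ_METHODS:
        return 200, "read allowed"
    if client_allowlisted(client_ip):
        return 200, "write allowed: allowlisted address"
    if basic_auth_valid(authorization):
        return 200, "write allowed: authenticated"
    # 401 so the owner's browser prompts for credentials; anonymous
    # visitors get no way to create pastes or upload files.
    return 401, "write denied"


if __name__ == "__main__":
    # Constructed sample requests showing each branch of the policy.
    samples = [
        ("GET", "198.51.100.7", None),
        ("POST", "203.0.113.9", None),
        ("POST", "198.51.100.7", None),
        ("POST", "198.51.100.7", basic_header("owner", "correct horse battery staple")),
        ("POST", "not-an-ip", None),
    ]
    for method, ip, auth in samples:
        print(method, ip, "->", decide(method, ip, auth))
```

Two deployment caveats follow from the policy. The address passed to `decide()` must be the real peer address: on shared hosting that fronts sites with a proxy, trust a forwarded header only if that proxy is known to overwrite it, because a spoofable header would let any visitor claim an allowlisted source. And note that Apache treats a GET limit as covering HEAD as well, which is why HEAD is in `READ_METHODS` here rather than being gated.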
  • @hyperblast said:

    @forest said: But INHOPE is not a law enforcement agency?

    INHOPE is an NGO that operates as a semi-governmental organization. These excesses with these NGOs in Germany are perverse. Don't get me wrong, CSAM is disgusting, but these issues must be investigated by the police and not by private organizations that are funded by the state but otherwise largely escape control and the rule of law.

    The same German police that deport people for basic free speech like "Free Palestine"? I wouldn't trust them. Instead of only getting your hosting removed, if the police handled this they'd break down your door.
