Login Only - Does it actually stop all traffic access without login?

This is based on concerns and issues raised here over time (which, from what I've read, is systemic across the web over the last few months) and on facing new waves of this stuff.

I tested Login Only, but noticed these AI bot waves hitting all kinds of Discourse resources/paths, and potentially getting served a page/contents.

Can anyone confirm if Login Only is a total block or not?

Also, is there another potential entry angle via Cloudflare cache interplay, even when purging all caches after entering the Login Only state? Or does that solve the potential issue, or only mitigate it until the cache is rebuilt?

Which paths specifically? Anything that gets hit should redirect to login.

Yes, login only means the only way you can access the site is by logging in. It’s still possible to get some bot traffic to the / or /login routes, because those need to be public to allow humans to log in, but it will be restricted to those routes.

2 likes

As posted in the linked topic, e.g.:

...stylesheets/docker_manager_abc123.css

In some simple testing I followed the links various traffic was seeking, and I was able to pull down the CSS or JS files and who knows what else, while Discourse was in Login Only mode.

Oh I see, yes that’s expected… those are static assets used to render the app, they are often cached for performance and don’t contain sensitive post information.

2 likes

Ok, I understand, but maybe true lockdown needs to be deeply and quickly considered, for technical reasons I can't think of other than leaving no threads that can be yanked at DDoS level.

I've just seen nearly 3K unique URL requests targeting specifically the uploads/default/original/3X/c/.../...some.jpeg route, all launched from one IP in Singapore. The paths are correct; I sampled a few links and they are to unique specific image files, but Cloudflare was set to block Singapore wholesale.

The way things are going, nothing should be left hanging out that can be used for target practice. Total block.
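To check for yourself what Login Only leaves reachable, the following added example (not Discourse or Cloudflare code) scans nginx "combined" access log lines, separates the routes the replies above say stay public (/, /login and static assets) from non-public paths answered with 200, and flags IPs that pulled many distinct files under /uploads/, like the single-IP image fetch described above. The public-path allowlist and the constructed sample log are assumptions; since a combined log does not show whether a client had a session, run it over logs from your own unauthenticated probe or over traffic you already know is anonymous.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Routes expected to answer anonymous clients even in Login Only mode
# (assumed allowlist; adjust to your instance).
PUBLIC_EXACT = {"/", "/login"}
PUBLIC_PREFIXES = ("/login/", "/assets/", "/stylesheets/", "/javascripts/", "/images/")
UPLOAD_PREFIX = "/uploads/"

# nginx "combined" format up to the response size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def is_public_path(path):
    return path in PUBLIC_EXACT or path.startswith(PUBLIC_PREFIXES)

def parse_line(line):
    """Return (ip, path, status) or None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], urlsplit(m["target"]).path, int(m["status"])

def summarize(lines):
    """Per IP: distinct upload paths served 200, distinct other non-public paths served 200, redirects."""
    stats = defaultdict(lambda: {"uploads_200": set(), "other_200": set(), "redirected": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path, status = rec
        if status in (301, 302, 303, 307):
            stats[ip]["redirected"] += 1          # anonymous client bounced to login
        elif status == 200 and not is_public_path(path):
            bucket = "uploads_200" if path.startswith(UPLOAD_PREFIX) else "other_200"
            stats[ip][bucket].add(path)          # content served outside the public routes
    return stats

def flag_bulk_upload_fetchers(stats, threshold):
    """IPs that were served at least `threshold` distinct files under /uploads/."""
    return sorted(ip for ip, s in stats.items() if len(s["uploads_200"]) >= threshold)

# Constructed sample lines (not a real log); 203.0.113.5 mimics the bulk image fetcher.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2025:10:00:01 +0000] "GET /uploads/default/original/3X/c/a1/img1.jpeg HTTP/1.1" 200 51234',
    '203.0.113.5 - - [01/Jan/2025:10:00:02 +0000] "GET /uploads/default/original/3X/c/a2/img2.jpeg HTTP/1.1" 200 60312',
    '203.0.113.5 - - [01/Jan/2025:10:00:03 +0000] "GET /uploads/default/original/3X/c/a3/img3.jpeg HTTP/1.1" 200 44011',
    '203.0.113.5 - - [01/Jan/2025:10:00:04 +0000] "GET /stylesheets/docker_manager_abc123.css HTTP/1.1" 200 8801',
    '203.0.113.5 - - [01/Jan/2025:10:00:05 +0000] "GET /t/some-topic/42 HTTP/1.1" 302 0',
    '198.51.100.7 - - [01/Jan/2025:10:00:06 +0000] "GET /login HTTP/1.1" 200 12000',
]
```

Any IP with entries in `other_200` means a non-public route was served without a redirect; entries in `uploads_200` show what Login Only does not cover when Secure Uploads is off.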

Maybe Secure Uploads could help you on this?

1 like

Thanks for pointing that out. I was not aware of it, but yeah, a BIG maybe; I don't know if I have the time and resources to implement it right now.

Searching meta, I discovered the option below and have activated it:

  • Prevent anonymous users from downloading attachments.

Maybe this will block such requests or help to some degree.