Purging Empty Synapse Rooms

Summary

If like me you have a very small Synapse deployment but have joined some very large rooms in the past and left since, you may have your server reaching out still to those previous rooms servers. I discovered this when I noticed my IDS/IPS was catching connections outbound to certain GeoIP restricted locations (Iran, Russia, China, Saudi Arabia, etc), thankfully most of the destination ports were 8448 (the default synapse port) so it was fairly obvious what the service was. At first I attempted to take a look at the database and I saw about 10k lines worth of destinations Synapse was reaching out to, I had joined some large rooms so this was not shocking. This is generating many false positives and I left these rooms a long time ago so there is no need for my servers to be communicating with them. Below is how I cleared the rooms from my server.

Clearing Rooms

First you need to obtain the admin users bearer token. If you use the Element client you can get that by going to “Quick Settings” -> “All Settings” -> “Help & About” -> “Access Token”. I then saved those as quick env vars:

export TOKEN="<Your access token>"
export BASEURL="<Your domain>"

I then used cURL and JQ to obtain a list of all rooms on the server, like so:

curl --header "Authorization: Bearer $TOKEN" \
  'https://'$BASEURL'/_synapse/admin/v1/rooms?limit=300' | jq > roomlist.json

This will drop the list to a file and uses jq to make it pretty, I will want to review the rooms manually also to make sure there is nothing of concern later. Then you can remove a room from the server like so:

curl --header "Authorization: Bearer $TOKEN" \
  -X DELETE -d "{\"purge\": true}" \
  'https://'$BASEURL'/_synapse/admin/v1/rooms/'$room'' 

Where “$room” is the full id of a room in the json file. Finally I put it all together in a simple script:

export TOKEN="<Your access token>"
export BASEURL="<Your domain>"
curl --header "Authorization: Bearer $TOKEN" \
  'https://'$BASEURL'/_synapse/admin/v1/rooms?limit=300' | jq > roomlist.json
for room in $(jq -r '.rooms[] | select(.joined_local_members == 0) | .room_id' roomlist.json); do
  echo "Deleting Room: $room"
  curl --header "Authorization: Bearer $TOKEN" \
  -X DELETE -d "{\"purge\": true}" \
  'https://'$BASEURL'/_synapse/admin/v1/rooms/'$room'' 
  echo ""
done

All unused rooms were successfully removed and my IDS/IPS is MUCH less noisy.

Sources

• https://levans.fr/shrink-synapse-database.html
• https://matrix-org.github.io/synapse/v1.40/admin_api/rooms.html#delete-room-api