Subject: Re: ransom note - couchdb exploit / privilege escalation ?
To: dev@couchdb.apache.org
From: Vivek Pathak
Date: Mon, 23 Jan 2017 05:39:38 -0500
In-Reply-To: <8434d7e4-2a9a-d854-6582-bb00c554f448@orgmeta.com>

As a follow up, I have a design question.

http://docs.couchdb.org/en/2.0.0/intro/security.html#authentication-database says:

* There is a special design document _auth that cannot be modified

However it looks like the admin user can delete the authentication database (thereby deleting the _auth document as well). Is there a convenience benefit of allowing this (eg: admin party is useful when you start off locally and don't care about security)?

Thanks
Vivek

On 01/23/2017 05:27 AM, Vivek Pathak wrote:
> Sorry for the delayed response (I had to restore the backups and harden
> the server a bit in order to deal with the ongoing attempts to grab my
> data). And thank you all to those who helped.
>
> Looks like this was a plain password sniffing of the admin password. No
> evidence of guessing or repeated attempts - and it was not a simple
> password to guess or crack.
>
> I believe the admin password could only be sniffed because it was on
> open port 5984. I was careless because the site was in development.
>
> So now I have couchdb listening on 127.0.0.1, and the admin password
> is now randomly generated 18 characters (don't know if the centos
> 7 rng has a trapdoor though). The need for replication and UI access
> via _utils can be satisfied by setting up a ssh tunnel via a random
> port, eg:
>
> ssh -N -L 57237:localhost:5984 user@1.2.3.4
>
> Next is to move to https - and that should complete the securing
> aspect. Also ended up creating an offline backup on a stopped ec2
> instance - this should come in handy if the attack becomes really serious.
>
> Thank you
>
>
> On 01/20/2017 09:09 AM, Thomas Guillet wrote:
>> @Paul: I agree, it is pretty straightforward to have some basic
>> settings on.
>>
>> Could we rely on the cluster_setup endpoint to secure the instance?
>> If that is considered to be the first 'mandatory step' of a live
>> instance, it would be nice as an almost out-of-the-box secure set up.
>> (Plus, you can always "curl" the endpoint instead of "perl" the
>> local.ini)
>>
>> SSL-only is tricky as the http server can't be deactivated in
>> local.ini but in default.ini (from memory).
>>
>> @All: What do you consider a safe/secure set up? What are the known
>> unsecured features/weaknesses of CouchDB?
>>
>> @Vivek: Your issue worries me quite a lot. Do you have a better idea of
>> what happened?
>> I saw you are using HTTP instead of HTTPS, were you using an encrypted
>> connection to exchange your credentials and session?
>> Is your instance behind a proxy? (nginx or alike) They may have other
>> logs to help us investigate.
>>
>>
>> 2017-01-20 12:49 GMT+01:00 Paul Hammant :
>>>> tee-hee, that was my wishful thinking, less actual planning :)
>>>>
>>>> As usual, there is no estimate for now.
>>>>
>>> Don't worry - my open source commitments slip by five years at a
>>> time, but
>>> I thought I'd ask just in case.
>>>
>>> It might be better to focus on a series of post-install scripts for 2.x
>>> that lock down a couch.
>>>
>>> I was *very* excited by my first (and more or less only) exposure to
>>> CouchDB for -
>>> http://paulhammant.com/2015/12/21/angular-and-svg-and-couchdb.
>>> As part of that I wanted to make it easy for the reader to turn on
>>> CORS:
>>>
>>> perl -p -i -e 's/;enable_cors/enable_cors/' /usr/local/etc/couchdb/default.ini
>>> perl -p -i -e 's/enable_cors = false/enable_cors = true/' /usr/local/etc/couchdb/default.ini
>>> perl -p -i -e 's/;origins/origins/' /usr/local/etc/couchdb/default.ini
>>> perl -p -i -e 's/origins = /origins = */' /usr/local/etc/couchdb/default.ini
>>> perl -p -i -e 's/origins = \*\*/origins = */' /usr/local/etc/couchdb/default.ini
>>>
>>>
>>> That's to turn on CORS (CouchDB v1.6.x), for the blog entry.
>>>
>>> I'll bet that it's only another eight "one-liners" (Perl or not) to go
>>> SSL-only, cancel the AdminParty, and generate a unique admin password.
>>>
>>> - Paul
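As an added example (not code from this thread or from the CouchDB project), a small audit script that checks a CouchDB 2.x ini fragment for the weaknesses the thread walks through: a non-loopback bind_address, the admin party, a wildcard CORS origin like the one the perl one-liners above produce, and anonymous access. It assumes the key names from the 2.x configuration docs ([chttpd]/[httpd] bind_address, [admins], enable_cors, [cors] origins, [chttpd] require_valid_user); both ini samples are constructed and the admin hash is a placeholder.

```python
import configparser

# Constructed sample of a CouchDB 2.x local.ini in the state the thread
# describes: bound to every interface, CORS open to any origin, no admin.
WEAK_INI = """
[chttpd]
bind_address = 0.0.0.0
[httpd]
enable_cors = true
[cors]
origins = *
[admins]
"""

# Same file after the lock-down the thread converges on: loopback only
# (reached through an ssh tunnel), CORS off, an admin set, anonymous
# access refused. The password hash is a placeholder, not a real one.
HARDENED_INI = """
[chttpd]
bind_address = 127.0.0.1
require_valid_user = true
[httpd]
enable_cors = false
[admins]
admin = -pbkdf2-PLACEHOLDER_HASH
"""


def audit_couchdb_ini(text):
    """Return a list of weak-setting findings for a CouchDB 2.x ini fragment."""
    cfg = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    cfg.read_string(text)
    findings = []
    # Non-loopback bind exposes 5984 (and plaintext admin creds) to the network.
    for section in ("chttpd", "httpd"):
        addr = cfg.get(section, "bind_address", fallback="").strip()
        if addr and addr not in ("127.0.0.1", "::1"):
            findings.append(f"[{section}] bind_address={addr} is not loopback")
    # Admin party: no entry under [admins] means every request is admin.
    if not cfg.has_section("admins") or not cfg.options("admins"):
        findings.append("[admins] is empty: admin party is enabled")
    # origins = * with CORS on lets any web origin call the API with the
    # user's session (1.x keeps enable_cors under [httpd], later under [chttpd]).
    cors_on = any(cfg.getboolean(s, "enable_cors", fallback=False) for s in ("httpd", "chttpd"))
    if cors_on and cfg.get("cors", "origins", fallback="").strip() == "*":
        findings.append("[cors] origins=* with enable_cors=true")
    # Without require_valid_user, unauthenticated requests are still served.
    if not cfg.getboolean("chttpd", "require_valid_user", fallback=False):
        findings.append("[chttpd] require_valid_user is not true")
    return findings
```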