couchdb-user mailing list archives

From Tim Tisdall <tisd...@gmail.com>
Subject Re: CouchDB not reachable (beginner's question)
Date Mon, 15 Apr 2013 21:11:04 GMT
lulz!  ^_^

Okay, first of all...  I didn't start this thread.  I was suggesting a
possible solution to accessing CouchDB without having to open the server to
the general public with no password.

For some reason I got a comment that logging in as root was "worse" than
making CouchDB publicly accessible.  I don't see why it's a big deal with
respect to the conversation at hand.  The original poster just wanted to
access his CouchDB instance.  Whether or not allowing root causes brute
force attacks to be more successful really has nothing to do with the topic
at hand.



On Mon, Apr 15, 2013 at 3:59 PM, Michael Zedeler. <michael@zedeler.dk> wrote:

> Hi Keith and others.
>
> First off, I'd prefer to read discussions on this list based on facts and
> not just "wow". You may have a point, but it's not a very nice welcome to
> Tim who is writing in with a beginners question (his own wording - not
> mine).
>
> Second, I'd like to pick up your comment on remote root login via ssh.
>
> A server where root login with a passphrase is allowed can be hacked using
> brute force over time. Yes - fail2ban should mitigate this somewhat, but it
> is still something that is just waiting to happen.
>
> But if you force the use of key login, getting in using brute force is
> essentially impossible.
>
> Then you could argue that using a second user account could serve as a
> second line of defense, but that is a very thin line. Any attacker who has
> gained access to such an account can easily log in and modify the
> environment to pick up any passwords that the user must enter in order to
> get root access.
>
> Monitoring, hardening and two-factor authentication is what comes to mind
> when I think of what can be done to actually avoid the problem.
>
> I know that having remote ssh root access isn't ideal, but I think it is
> becoming very common on servers in small organisations because any extra
> security layers are complicated to set up, manage and monitor.
>
> Regards,
>
> Michael
>
>
> On 2013-04-15 16:23, Keith Gable wrote:
>
>> wow indeed.
>>
>> ---
>> Keith Gable
>> A+, Network+, and Storage+ Certified Professional
>> Apple Certified Technical Coordinator
>> Mobile Application Developer / Web Developer
>>
>>
>> On Mon, Apr 15, 2013 at 9:18 AM, Robert Newson <rnewson@apache.org>
>> wrote:
>>
>>> wow.
>>>
>>> On 15 April 2013 15:15, Tim Tisdall <tisdall@gmail.com> wrote:
>>>
>>>> What's wrong with ssh'ing as root?
>>>>
>>>>
>>>> On Mon, Apr 15, 2013 at 10:08 AM, Keith Gable <ziggy@ignition-project.com> wrote:
>>>>
>>>>> But you're SSHing as root, which is probably worse than opening CouchDB
>>>>> to the world with no password.
>>>>>
>>>>> ---
>>>>> Keith Gable
>>>>> A+, Network+, and Storage+ Certified Professional
>>>>> Apple Certified Technical Coordinator
>>>>> Mobile Application Developer / Web Developer
>>>>>
>>>>>
>>>>> On Mon, Apr 15, 2013 at 8:45 AM, Tim Tisdall <tisdall@gmail.com> wrote:
>>>>>
>>>>>> Instead of opening CouchDB to the world, I simply access it by
>>>>>> port-forwarding through ssh when I connect to the machine.  Like this:
>>>>>>
>>>>>> ssh -L 5984:127.0.0.1:5984 root@mymachine.com
>>>>>>
>>>>>> Then on my local machine I can simply access
>>>>>> http://localhost:5984/_utils/ and up comes futon.  It depends on your
>>>>>> use-case, but this works well for me.
>>>>>>
>>>>>>
>>>>>> On Mon, Apr 15, 2013 at 7:14 AM, Stefan Reich <stefan.reich.maker.of.eye@googlemail.com> wrote:
>>>>>>
>>>>>>> Hmm... maybe you guys can help me solve the rest of the problem? (Access
>>>>>>> to couchdb from outside)
>>>>>>>
>>>>>>> These are the last iptables rules in chain INPUT:
>>>>>>>
>>>>>>> MY_REJECT  all  --  anywhere             anywhere
>>>>>>> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:5984
>>>>>>>
>>>>>>> Is that not what it should be...? Says "anywhere"... everywhere. Heh.
>>>>>>>
>>>>>>> Cheers,
>>>>>>> Stefan
>>>>>>>
>>>>>>>
>>>>>>> On Mon, Apr 15, 2013 at 1:08 PM, Stefan Reich <stefan.reich.maker.of.eye@googlemail.com> wrote:
>>>>>>>
>>>>>>>> OK, thanks for all the answers, folks. It was indeed iptables that
>>>>>>>> blocked the port. This stuff should be designed (much) better in
>>>>>>>> operating systems.
>>>>>>>>
>>>>>>>> Actually it's a project of mine to make that better (LuaOS and its
>>>>>>>> follow-ups).
>>>>>>>>
>>>>>>>> I got iptables to allow access locally now. Weirdly, it still doesn't
>>>>>>>> work over the Internet. And no, the server is not behind a firewall... :)
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Stefan
>>>>>>>>
>>>>>>>>
>>>>>>>> On Thu, Apr 11, 2013 at 3:30 AM, Andrey Kuprianov <andrey.kouprianov@gmail.com> wrote:
>>>>>>>>
>>>>>>>>> See if your local.ini bind_address is set to 0.0.0.0 so that you can
>>>>>>>>> access it locally and remotely.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Thu, Apr 11, 2013 at 2:54 AM, Stanley Iriele <siriele2x3@gmail.com> wrote:
>>>>>>>>>
>>>>>>>>>> A simple cat of etc/hosts... Should let you know!... And maybe
>>>>>>>>>> nsswitch just to be sure
>>>>>>>>>> On Apr 10, 2013 11:22 AM, "Robert Newson" <rnewson@apache.org> wrote:
>>>>>>>>>>
>>>>>>>>>>> Are you sure localhost == 127.0.0.1 on your machine? debian/ubuntu
>>>>>>>>>>> are notorious for changing that convention.
>>>>>>>>>>>
>>>>>>>>>>> On 10 April 2013 14:20, Stanley Iriele <siriele2x3@gmail.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Why are you telneting to it?...try curling it and see what it
>>>>>>>>>>>> responds with
>>>>>>>>>>>> On Apr 10, 2013 10:47 AM, "Stefan Reich" <stefan.reich.maker.of.eye@googlemail.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Oops, bad copy&paste - here's the actual process info:
>>>>>>>>>>>>>
>>>>>>>>>>>>> root@pussy-riot-germany:~/luastuff# ps -aef|grep 7651
>>>>>>>>>>>>> couchdb   7651  7650  0 19:44 pts/0    00:00:00 /usr/lib/erlang/erts-5.8/bin/beam.smp -Bd -K true -- -root /usr/lib/erlang -progname erl -- -home /var/lib/couchdb -- -noshell -noinput -sasl errlog_type error -couch_ini /etc/couchdb/default.ini /etc/couchdb/local.ini /etc/couchdb/default.ini /etc/couchdb/local.ini -s couch -pidfile /var/run/couchdb/couchdb.pid -heart
>>>>>>>>>>>>> couchdb   7682  7651  0 19:44 ?        00:00:00 heart -pid 7651 -ht 11
>>>>>>>>>>>>>
>>>>>>>>>>>>> Cheers,
>>>>>>>>>>>>> Stefan
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Wed, Apr 10, 2013 at 7:46 PM, Stefan Reich <stefan.reich.maker.of.eye@googlemail.com> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Hi there!
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I'd like to start using CouchDB for my projects.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> This is on a Linux host. CouchDB installed from standard Debian
>>>>>>>>>>>>>> package, no settings altered. But it doesn't start properly:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> root@pussy-riot-germany:~/luastuff# uname -a
>>>>>>>>>>>>>> Linux pussy-riot-germany 2.6.32-042stab068.8 #1 SMP Fri Dec 7 17:06:14 MSK 2012 i686 GNU/Linux
>>>>>>>>>>>>>> root@pussy-riot-germany:~/luastuff# /etc/init.d/couchdb start
>>>>>>>>>>>>>> Starting database server: couchdb.
>>>>>>>>>>>>>> root@pussy-riot-germany:~/luastuff# /etc/init.d/couchdb status
>>>>>>>>>>>>>> Apache CouchDB is running as process 7651, time to relax.
>>>>>>>>>>>>>> root@pussy-riot-germany:~/luastuff# telnet localhost 5984
>>>>>>>>>>>>>> Trying ::1...
>>>>>>>>>>>>>> Trying 127.0.0.1...
>>>>>>>>>>>>>> telnet: Unable to connect to remote host: Connection refused
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Connection refused?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Here's the process info:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> root@pussy-riot-germany:~/luastuff# uname -a
>>>>>>>>>>>>>> Linux pussy-riot-germany 2.6.32-042stab068.8 #1 SMP Fri Dec 7 17:06:14 MSK 2012 i686 GNU/Linux
>>>>>>>>>>>>>> root@pussy-riot-germany:~/luastuff# /etc/init.d/couchdb start
>>>>>>>>>>>>>> Starting database server: couchdb.
>>>>>>>>>>>>>> root@pussy-riot-germany:~/luastuff# /etc/init.d/couchdb status
>>>>>>>>>>>>>> Apache CouchDB is running as process 7651, time to relax.
>>>>>>>>>>>>>> root@pussy-riot-germany:~/luastuff# telnet localhost 5984
>>>>>>>>>>>>>> Trying ::1...
>>>>>>>>>>>>>> Trying 127.0.0.1...
>>>>>>>>>>>>>> telnet: Unable to connect to remote host: Connection refused
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Please help, dear experts... :)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Cheers,
>>>>>>>>>>>>>> Stefan
>>>>>>>>>>>>>>
>
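Two checks worth running after a thread like this, added here as an example and not code posted by anyone above. The first concerns Stefan's INPUT chain: iptables walks a chain top to bottom and stops at the first rule whose target terminates the walk, so an ACCEPT for dpt:5984 listed after a catch-all MY_REJECT is never consulted; the `shadowed_rules` function reads `iptables -L INPUT -n` output and reports any rule sitting behind such a catch-all. The second concerns the bind_address 0.0.0.0 suggestion and Keith's "open to the world with no password" objection: CouchDB 1.x runs in "admin party" mode while [admins] is empty, so a local.ini that binds a non-loopback address with no admin defined is exactly that exposure; `couch_exposure` reads a local.ini and says so. Both function names, the non-verbose iptables column layout (target, prot, opt, source, destination, then match text), the 1.x ini sections [httpd] and [admins], and the sample listing and ini text are assumptions made for this example; the samples are constructed, not taken from the thread.

```shell
#!/bin/sh
# Added example; not code from the thread. Two offline checks for the two
# failure modes discussed above:
#
#   shadowed_rules - reads non-verbose `iptables -L INPUT -n` output on stdin
#                    and reports every rule listed after a catch-all rule
#                    (prot all, any source, any destination, no match text).
#                    iptables evaluates a chain top to bottom, so an ACCEPT
#                    for dpt:5984 placed after "MY_REJECT all anywhere anywhere"
#                    is never consulted.
#   couch_exposure - reads a CouchDB 1.x local.ini on stdin and reports whether
#                    it binds a non-loopback address with no [admins] entry,
#                    i.e. the "open to the world with no password" case.
#
# Assumed (not from the thread): the iptables column layout
# target/prot/opt/source/destination/matches, and the 1.x ini sections
# [httpd] and [admins]. Both sample inputs below are constructed.

shadowed_rules() {
    awk '
    function anyaddr(a) { return (a == "anywhere" || a == "0.0.0.0/0" || a == "::/0") }
    NR <= 2 { next }                       # "Chain INPUT (policy ...)" and column header
    {
        n++
        extra = ""                         # match text, e.g. "tcp dpt:5984" or "state ..."
        for (i = 6; i <= NF; i++) extra = extra (extra == "" ? "" : " ") $i
        # newer iptables prints prot "0" instead of "all" with -n
        if (catchall == 0 && ($2 == "all" || $2 == "0") && anyaddr($4) && anyaddr($5) && extra == "") {
            catchall = n; catchtarget = $1; next
        }
        if (catchall > 0)
            printf "rule %d (%s %s %s) is shadowed by catch-all %s at rule %d; it can only match if %s returns to the chain\n",
                   n, $1, $2, extra, catchtarget, catchall, catchtarget
    }'
}

couch_exposure() {
    awk -F= '
    /^[ \t]*[;#]/ { next }                 # comments, e.g. the shipped ";admin = mysecretpassword"
    /^[ \t]*\[/   { section = $0; sub(/^[ \t]*\[/, "", section); sub(/\].*$/, "", section); next }
    NF < 2        { next }                 # blank lines and lines without "="
    {
        key = $1; gsub(/[ \t]/, "", key)
        val = $2; gsub(/[ \t]/, "", val)
    }
    section == "httpd"  && key == "bind_address" { bind = val }
    section == "admins" && key != ""             { admins++ }
    END {
        if (bind == "") { print "bind_address not set in this file; the default.ini value applies"; exit }
        printf "bind_address=%s admins=%d\n", bind, admins + 0
        if (bind != "127.0.0.1" && bind != "::1" && admins == 0)
            print "EXPOSED: non-loopback bind_address with no admin user (admin party)"
    }'
}

# Constructed sample: the ordering from the thread, with the ACCEPT for 5984
# sitting behind the catch-all MY_REJECT.
SAMPLE_IPTABLES='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
MY_REJECT  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:5984'

# Constructed sample: bind_address opened up as suggested, admin still commented out.
SAMPLE_LOCAL_INI='[httpd]
port = 5984
bind_address = 0.0.0.0

[admins]
;admin = mysecretpassword'

printf '%s\n' "$SAMPLE_IPTABLES" | shadowed_rules
printf '%s\n' "$SAMPLE_LOCAL_INI" | couch_exposure
```

On a real host the same functions run as `iptables -L INPUT -n | shadowed_rules` and `couch_exposure < /etc/couchdb/local.ini`. If the tunnel approach from the thread is kept, the key used for forwarding does not have to belong to root: a dedicated unprivileged account whose authorized_keys entry carries `no-pty,no-X11-forwarding,no-agent-forwarding,permitopen="127.0.0.1:5984"` can forward that one port and nothing else, which answers Keith's objection without giving up Tim's convenience.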
