From: Robert Newson
To: "user@couchdb.apache.org"
Date: Mon, 15 Apr 2013 21:07:38 +0100
Subject: Re: CouchDB not reachable (beginner's question)
In-Reply-To: <516C5C26.4010306@zedeler.dk>
References: <516C5C26.4010306@zedeler.dk>
Mailing-List: user@couchdb.apache.org

Michael,

You are quite right to call me on my non-contribution to this thread, I apologise. I always set AllowRootLogin to false on ssh in the spirit of defence-in-depth, coupled with the "UsePrivilegeSeparation yes" setting. SSH'ing to a non-privileged user account, allowed to sudo with a password, is an extra hurdle. The biggest improvement is to disable insecure SSH methods like passwords, of course. That and keeping sshd patched.

B.

On 15 April 2013 20:59, Michael Zedeler wrote:
> Hi Keith and others.
>
> First off, I'd prefer to read discussions on this list based on facts and not just "wow". You may have a point, but it's not a very nice welcome to Tim who is writing in with a beginner's question (his own wording - not mine).
>
> Second, I'd like to pick up your comment on remote root login via ssh.
>
> A server where root login using a pass phrase can be hacked using brute force over time. Yes - fail2ban should mitigate this somewhat, but it is still something that is just waiting to happen.
>
> But if you force the use of key login, getting in using brute force is essentially impossible.
>
> Then you could argue that using a second user account could serve as a second line of defense, but that is a very thin line. Any attacker who has gained access to such an account can easily log in and modify the environment to pick up any passwords that the user must enter in order to get root access.
>
> Monitoring, hardening and two-factor authentication is what comes to mind when I think of what can be done to actually avoid the problem.
>
> I know that having remote ssh root access isn't ideal, but I think it is becoming very common on servers in small organisations because any extra security layers are complicated to set up, manage and monitor.
>
> Regards,
>
> Michael
>
>
> On 2013-04-15 16:23, Keith Gable wrote:
>> wow indeed.
>>
>> ---
>> Keith Gable
>> A+, Network+, and Storage+ Certified Professional
>> Apple Certified Technical Coordinator
>> Mobile Application Developer / Web Developer
>>
>>
>> On Mon, Apr 15, 2013 at 9:18 AM, Robert Newson wrote:
>>> wow.
>>>
>>> On 15 April 2013 15:15, Tim Tisdall wrote:
>>>> What's wrong with ssh'ing as root?
>>>>
>>>>
>>>> On Mon, Apr 15, 2013 at 10:08 AM, Keith Gable <ziggy@ignition-project.com> wrote:
>>>>> But you're SSHing as root, which is probably worse than opening CouchDB to the world with no password.
>>>>>
>>>>> ---
>>>>> Keith Gable
>>>>> A+, Network+, and Storage+ Certified Professional
>>>>> Apple Certified Technical Coordinator
>>>>> Mobile Application Developer / Web Developer
>>>>>
>>>>>
>>>>> On Mon, Apr 15, 2013 at 8:45 AM, Tim Tisdall wrote:
>>>>>> Instead of opening CouchDB to the world, I simply access it by port-forwarding through ssh when I connect to the machine. Like this:
>>>>>>
>>>>>> ssh -L 5984:127.0.0.1:5984 root@mymachine.com
>>>>>>
>>>>>> Then on my local machine I can simply access http://localhost:5984/_utils/ and up comes futon. It depends on your use-case, but this works well for me.
>>>>>>
>>>>>>
>>>>>> On Mon, Apr 15, 2013 at 7:14 AM, Stefan Reich <stefan.reich.maker.of.eye@googlemail.com> wrote:
>>>>>>> Hmm... maybe you guys can help me solve the rest of the problem? (Access to couchdb from outside)
>>>>>>>
>>>>>>> These are the last iptables rules in chain INPUT:
>>>>>>>
>>>>>>> MY_REJECT all -- anywhere anywhere
>>>>>>> ACCEPT tcp -- anywhere anywhere tcp dpt:5984
>>>>>>>
>>>>>>> Is that not what it should be...? Says "anywhere"... everywhere. Heh.
>>>>>>>
>>>>>>> Cheers,
>>>>>>> Stefan
>>>>>>>
>>>>>>>
>>>>>>> On Mon, Apr 15, 2013 at 1:08 PM, Stefan Reich <stefan.reich.maker.of.eye@googlemail.com> wrote:
>>>>>>>> OK, thanks for all the answers, folks. It was indeed iptables that blocked the port. This stuff should be designed (much) better in operating systems.
>>>>>>>>
>>>>>>>> Actually it's a project of mine to make that better (LuaOS and its follow-ups).
>>>>>>>>
>>>>>>>> I got iptables to allow access locally now. Weirdly, it still doesn't work over the Internet. And no, the server is not behind a firewall... :)
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Stefan
>>>>>>>>
>>>>>>>>
>>>>>>>> On Thu, Apr 11, 2013 at 3:30 AM, Andrey Kuprianov <andrey.kouprianov@gmail.com> wrote:
>>>>>>>>> See if your local.ini bind_address is set to 0.0.0.0 so that you can access it locally and remotely.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Thu, Apr 11, 2013 at 2:54 AM, Stanley Iriele <siriele2x3@gmail.com> wrote:
>>>>>>>>>> A simple cat of etc/hosts... Should let you know!... And maybe nsswitch just to be sure
>>>>>>>>>> On Apr 10, 2013 11:22 AM, "Robert Newson" wrote:
>>>>>>>>>>> Are you sure localhost == 127.0.0.1 on your machine? debian/ubuntu are notorious for changing that convention.
>>>>>>>>>>>
>>>>>>>>>>> On 10 April 2013 14:20, Stanley Iriele wrote:
>>>>>>>>>>>> Why are you telneting to it?...try curling it and see what it responds with
>>>>>>>>>>>>
>>>>>>>>>>>> On Apr 10, 2013 10:47 AM, "Stefan Reich" <stefan.reich.maker.of.eye@googlemail.com> wrote:
>>>>>>>>>>>>> Oops, bad copy&paste - here's the actual process info:
>>>>>>>>>>>>>
>>>>>>>>>>>>> root@pussy-riot-germany:~/luastuff# ps -aef|grep 7651
>>>>>>>>>>>>> couchdb 7651 7650 0 19:44 pts/0 00:00:00 /usr/lib/erlang/erts-5.8/bin/beam.smp -Bd -K true -- -root /usr/lib/erlang -progname erl -- -home /var/lib/couchdb -- -noshell -noinput -sasl errlog_type error -couch_ini /etc/couchdb/default.ini /etc/couchdb/local.ini /etc/couchdb/default.ini /etc/couchdb/local.ini -s couch -pidfile /var/run/couchdb/couchdb.pid -heart
>>>>>>>>>>>>> couchdb 7682 7651 0 19:44 ? 00:00:00 heart -pid 7651 -ht 11
>>>>>>>>>>>>>
>>>>>>>>>>>>> Cheers,
>>>>>>>>>>>>> Stefan
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Wed, Apr 10, 2013 at 7:46 PM, Stefan Reich <stefan.reich.maker.of.eye@googlemail.com> wrote:
>>>>>>>>>>>>>> Hi there!
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I'd like to start using CouchDB for my projects.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> This is on a Linux host. CouchDB installed from standard Debian package, no settings altered. But it doesn't start properly:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> root@pussy-riot-germany:~/luastuff# uname -a
>>>>>>>>>>>>>> Linux pussy-riot-germany 2.6.32-042stab068.8 #1 SMP Fri Dec 7 17:06:14 MSK 2012 i686 GNU/Linux
>>>>>>>>>>>>>> root@pussy-riot-germany:~/luastuff# /etc/init.d/couchdb start
>>>>>>>>>>>>>> Starting database server: couchdb.
>>>>>>>>>>>>>> root@pussy-riot-germany:~/luastuff# /etc/init.d/couchdb status
>>>>>>>>>>>>>> Apache CouchDB is running as process 7651, time to relax.
>>>>>>>>>>>>>> root@pussy-riot-germany:~/luastuff# telnet localhost 5984
>>>>>>>>>>>>>> Trying ::1...
>>>>>>>>>>>>>> Trying 127.0.0.1...
>>>>>>>>>>>>>> telnet: Unable to connect to remote host: Connection refused
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Connection refused?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Here's the process info:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> root@pussy-riot-germany:~/luastuff# uname -a
>>>>>>>>>>>>>> Linux pussy-riot-germany 2.6.32-042stab068.8 #1 SMP Fri Dec 7 17:06:14 MSK 2012 i686 GNU/Linux
>>>>>>>>>>>>>> root@pussy-riot-germany:~/luastuff# /etc/init.d/couchdb start
>>>>>>>>>>>>>> Starting database server: couchdb.
>>>>>>>>>>>>>> root@pussy-riot-germany:~/luastuff# /etc/init.d/couchdb status
>>>>>>>>>>>>>> Apache CouchDB is running as process 7651, time to relax.
>>>>>>>>>>>>>> root@pussy-riot-germany:~/luastuff# telnet localhost 5984
>>>>>>>>>>>>>> Trying ::1...
>>>>>>>>>>>>>> Trying 127.0.0.1...
>>>>>>>>>>>>>> telnet: Unable to connect to remote host: Connection refused
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Please help, dear experts... :)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Cheers,
>>>>>>>>>>>>>> Stefan
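The iptables listing Stefan quotes shows why "anywhere" did not open the port: iptables walks a chain top to bottom and stops at the first terminating target, so a catch-all rule (MY_REJECT, matching all protocols from anywhere to anywhere) placed before "ACCEPT tcp dpt:5984" makes the ACCEPT unreachable. The script below is an added example, not code from the thread or from CouchDB: it parses `iptables -L INPUT`-style output and reports rules shadowed by an earlier catch-all. The listing, the hostnames and the assumption that the user chain MY_REJECT ends in REJECT are constructed for the example.

```python
"""Check an `iptables -L INPUT` listing for rules shadowed by an earlier
catch-all. Added example; the sample listing is constructed, modelled on
the one quoted in the thread.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Built-in targets that end evaluation of the chain.
TERMINAL_BUILTINS = frozenset({"ACCEPT", "DROP", "REJECT"})

# Assumption for the example: MY_REJECT is a user-defined chain whose last
# rule is REJECT, as its name suggests. The caller says which user chains
# are terminal; the script does not inspect them.
SAMPLE_TERMINAL_CHAINS = frozenset({"MY_REJECT"})

# Constructed sample in `iptables -L` format.
SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
MY_REJECT  all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:5984
"""

RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")
DPORT_RE = re.compile(r"^(?:tcp|udp)\s+dpt:(\S+)$")


@dataclass
class Rule:
    target: str
    proto: str
    source: str
    dest: str
    extra: str  # trailing match text, e.g. "tcp dpt:5984" or "state ..."

    def dport(self):
        m = DPORT_RE.match(self.extra.strip())
        return m.group(1) if m else None

    def has_unmodelled_match(self) -> bool:
        # Anything beyond a plain destination-port match (state, owner,
        # interface...) narrows the rule in a way this script does not
        # model, so such a rule is never treated as a catch-all.
        return bool(self.extra.strip()) and self.dport() is None

    def covers(self, other: "Rule") -> bool:
        """True if every packet matched by `other` is also matched by self."""
        if self.has_unmodelled_match():
            return False
        if self.proto != "all" and self.proto != other.proto:
            return False
        if self.source != "anywhere" and self.source != other.source:
            return False
        if self.dest != "anywhere" and self.dest != other.dest:
            return False
        if self.dport() is not None and self.dport() != other.dport():
            return False
        return True


def parse_listing(text: str) -> List[Rule]:
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("Chain ", "target ")):
            continue
        m = RULE_RE.match(line)
        if m:
            target, proto, _opt, src, dst, extra = m.groups()
            rules.append(Rule(target, proto, src, dst, extra))
    return rules


def shadowed_rules(rules: List[Rule], terminal_chains=frozenset()) -> List[Tuple[int, int]]:
    """Return (shadowing_index, shadowed_index) pairs, 0-based positions."""
    terminal = TERMINAL_BUILTINS | set(terminal_chains)
    findings = []
    for i, rule in enumerate(rules):
        for j in range(i):
            earlier = rules[j]
            if earlier.target in terminal and earlier.covers(rule):
                findings.append((j, i))
                break
    return findings


def report(text: str, terminal_chains=frozenset()) -> List[str]:
    rules = parse_listing(text)
    lines = []
    for j, i in shadowed_rules(rules, terminal_chains):
        lines.append(
            f"rule {i + 1} ({rules[i].target} {rules[i].proto} {rules[i].extra}) "
            f"is unreachable: rule {j + 1} ({rules[j].target} {rules[j].proto}) "
            f"already matches every packet it would match"
        )
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LISTING, SAMPLE_TERMINAL_CHAINS):
        print(line)
```

The fix the thread arrives at is ordering, not addressing: the port-specific ACCEPT must be inserted above the catch-all (`iptables -I INPUT <n> ...`) rather than appended after it. Without naming MY_REJECT as terminal the script reports nothing, which is the honest answer when a user chain's behaviour is unknown.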
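Robert's and Michael's exchange about root logins, password authentication and privilege separation comes down to a handful of sshd_config keywords. The audit script below is an added example, not from the thread or from OpenSSH: it reads an sshd_config the way sshd does (keywords are case-insensitive, the first occurrence of a keyword wins, and directives after a `Match` line apply only conditionally, so they are left out of the global verdict) and reports the weak settings. The sample configuration is constructed; the defaults table reflects portable OpenSSH 6.x, the era of the thread (PermitRootLogin defaulted to "prohibit-password" from 7.0, and UsePrivilegeSeparation was removed in 7.5 because it became unconditional).

```python
"""Audit an sshd_config for the hardening discussed in the thread: no root
login over SSH, key-only authentication, privilege separation on.
Added example; the sample config is constructed.
"""
from typing import Dict, List, Tuple

SAMPLE_SSHD_CONFIG = """\
# constructed sshd_config fragment
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePrivilegeSeparation yes
# the next line is ignored by sshd: the first occurrence above wins
PermitRootLogin no
Match User deploy
    PasswordAuthentication no
"""

HARDENED_SSHD_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePrivilegeSeparation sandbox
"""

# Values sshd assumes when a keyword is absent (portable OpenSSH 6.x).
DEFAULTS = {
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "useprivilegeseparation": "yes",
}


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Effective global settings: lower-cased keyword -> lower-cased value."""
    effective: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts "Keyword value" or "Keyword=value".
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            break  # conditional block: not part of the global settings
        effective.setdefault(key, value)  # first occurrence wins
    return effective


def audit(effective: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (keyword, effective value, finding) for each weak setting."""
    def get(key: str) -> str:
        return effective.get(key, DEFAULTS[key])

    findings = []
    prl = get("permitrootlogin")
    if prl == "yes":
        findings.append(("PermitRootLogin", prl,
                         "root may log in with a password; set 'no' and use a sudo-capable user"))
    elif prl in ("prohibit-password", "without-password"):
        findings.append(("PermitRootLogin", prl,
                         "root may log in with a key; 'no' removes the account from remote reach"))

    if get("passwordauthentication") != "no":
        findings.append(("PasswordAuthentication", get("passwordauthentication"),
                         "password logins are brute-forceable; set 'no' and require keys"))
    elif get("challengeresponseauthentication") != "no":
        # With PAM, keyboard-interactive can still present a password prompt.
        findings.append(("ChallengeResponseAuthentication", get("challengeresponseauthentication"),
                         "keyboard-interactive via PAM can still ask for a password; set 'no' as well"))

    if get("useprivilegeseparation") not in ("yes", "sandbox"):
        findings.append(("UsePrivilegeSeparation", get("useprivilegeseparation"),
                         "pre-auth code runs with full privileges; set 'yes' or 'sandbox'"))
    return findings


def audit_text(text: str) -> List[Tuple[str, str, str]]:
    return audit(parse_sshd_config(text))


if __name__ == "__main__":
    for keyword, value, finding in audit_text(SAMPLE_SSHD_CONFIG):
        print(f"{keyword} = {value}: {finding}")
```

Run it against `/etc/ssh/sshd_config` and compare with `sshd -T`, which prints the effective configuration after parsing; the two should agree on these keywords. The first-occurrence rule is what makes a hardening line appended at the bottom of a distribution file silently ineffective, as the second PermitRootLogin in the sample shows.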