Navrattan,

So your application layer lives in the cloud alongside your Neo4j server - good. I assume you have application servers and database servers separate?

But make sure your database server is safely tucked away on AWS. There are basically two ways of doing that:

1) VPC: http://aws.amazon.com/vpc/ - I think this is their gold-plated solution; when I last looked at this ~2 years ago it was immature, but I think this should be your first port of call.

2) Security groups' origin policies: http://aws.amazon.com/ec2/faqs/#How_do_I_prevent_other_people_from_viewing_my_systems - simply have machines in your DB group only accessible from machines in your App group. When I last built such a system it was good enough for a large UK corporate, so it ought to be useful to you too?

So basically, on your DB servers only port 7474 ought to be open, and only open _from certain machines_ (and SSH for management, of course).

Good luck!

On Mon, Dec 16, 2013 at 6:16 PM, Navrattan Yadav <[email protected]> wrote:
> Hi Michael,
>
> Thanks for reverting back. I'm sure with your feedback we would be able to have a secured Neo4j architecture.
>
> We are building a social sharing network based on phonebook, activities and interests, and leveraging the power of Neo4j for building relations.
>
> We are using an AWS EC2 instance, Ubuntu 12.4 (with private key), and have Tomcat, Neo4j server (Enterprise mode, in disabled mode), Java, phpadmin and MySQL. We have an application layer on REST APIs (the only way a user can access the REST API is after doing base-256 of the initial login info) that can be accessed via web and mobile apps. We do not directly expose any Neo4j database or MySQL database (we are using the jar file from Neo4j).
>
> Open ports are:
>
> 20 - 21          0.0.0.0/0
> 22 (SSH)         0.0.0.0/0
> 80 (HTTP)        0.0.0.0/0
> 443 (HTTPS)      0.0.0.0/0
> 1024 - 1028      0.0.0.0/0
> 3306 (MYSQL)     0.0.0.0/0
> 3478 - 3479      0.0.0.0/0
> 5222             0.0.0.0/0
> 5229             0.0.0.0/0
> 5269             0.0.0.0/0
> 5280             0.0.0.0/0
> 7070             0.0.0.0/0
> 7443             0.0.0.0/0
> 7473             0.0.0.0/0
> 7474             0.0.0.0/0
> 7777             0.0.0.0/0
> 8000             0.0.0.0/0
> 8079             0.0.0.0/0
> 8080 (HTTP*)     0.0.0.0/0
>
> We found that one of the nodes always gets added to different nodes. We checked the phone number and then added logs, and can see in the Tomcat logs the IP address the request is coming from. Not sure if the IP address is spoofed, but this is what we see in the logs. It's the same IP every time.
>
> I am not a server guy, that's why I may have exposed something by mistake, but can anyone access Neo4j data without the REST APIs or without the Neo4j server?
>
> The surprising thing is that whenever a new node gets created, in the next few seconds a few Nigerian nodes (their IP and phone number are from Nigeria; they are always the same) show up in the friend list.
>
> We don't have any REST API that can update anyone's relation.
>
> Thanks in advance.
>
> On Mon, Dec 16, 2013 at 3:35 AM, Michael Hunger <[email protected]> wrote:
>> Can you please detail exactly what you're doing with Neo4j, what your architecture looks like, and what ports are open on that machine and why?
>>
>> And how you figured out the Nigerian IPs.
>>
>> I think you should terminate that machine (might be infected) and set up a clean instance with only what you need and only ports open to a trusted network.
>>
>> Michael
>>
>> On 13.12.2013 at 11:12, Navrattan Yadav <[email protected]> wrote:
>>
>> We don't have HTTPS that directly accesses our REST APIs.
>>
>> Yes, we have a security group enabled on AWS and a few ports are open, including 7474 and 7473, but after the attack we removed the Enterprise Neo4j server, therefore in theory nothing is running on this port even though they are open.
>>
>> According to my minimal knowledge of Neo4j, we feel only the Apache instance is running and that's the one that's talking to the Neo4j DB.
>>
>> I am confused about one thing though. Are Neo4j Server and Neo4j Web Admin one and the same thing? We tried using this link but then didn't go further, as we think only the Apache instance is running. Are we correct?
>>
>> On Thu, Dec 12, 2013 at 9:45 PM, Lasse Westh-Nielsen <[email protected]> wrote:
>>>
>>> On 12/12/2013, at 16.10, Navrattan Yadav <[email protected]> wrote:
>>>
>>> Server: Amazon with Ubuntu (Encryption on for every request and response)
>>>
>>> By "encryption" I guess you mean you have HTTPS enabled?
>>>
>>> Anyway: if you do not have an AWS security group protecting that server then anyone can access it, HTTPS or not. And you really should not do that.
>>>
>>> - Lasse
>>>
>>> --
>>> You received this message because you are subscribed to a topic in the Google Groups "Neo4j" group.
>>> To unsubscribe from this topic, visit https://groups.google.com/d/topic/neo4j/-vs6uFXhC2c/unsubscribe.
>>> To unsubscribe from this group and all its topics, send an email to [email protected].
>>> For more options, visit https://groups.google.com/groups/opt_out.
>>
>> --
>> *Thanks and Regards*
>>
>> *Navrattan Yadav*
>
> --
> *Thanks and Regards*
>
> *Navrattan Yadav*

--
(Neo Technology)<-[:WORK_FOR]-(I)-[:DEVELOP]->(Neo4j)
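The reply above boils down to a checkable policy: the DB tier's security group grants port 7474 only to the App tier's group, SSH only to a management range, and nothing to 0.0.0.0/0. The script below is an added example, not code from the thread, from Neo4j or from AWS. It audits a list of ingress rules against that policy (the sample rules are constructed from the port list Navrattan posted), flags every grant the policy does not cover, and renders the compliant rule set as `aws ec2 authorize-security-group-ingress` commands. The group ids `sg-app-0001` and `sg-db-0001` and the `203.0.113.0/24` management range are placeholders.

```python
"""Audit EC2 security-group ingress rules against the layout the reply
recommends: the DB group exposes only the Neo4j port to the App group (plus SSH
for management), and nothing to 0.0.0.0/0.

Added example, not code from the thread or from Neo4j/AWS. Rule objects mirror
the from/to port and source fields of `aws ec2 describe-security-groups`
output, but the sample data is constructed from the port list posted in the
thread, and the group ids (sg-app-0001, sg-db-0001) and the 203.0.113.0/24
management range are placeholders.
"""
from dataclasses import dataclass

ANYWHERE = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    from_port: int
    to_port: int
    source: str  # a CIDR block, or a security-group id ("sg-...") for group-to-group rules

    def is_world_open(self) -> bool:
        return self.source == ANYWHERE


# Policy for the database tier: port -> set of sources allowed to reach it.
DB_POLICY = {
    7474: {"sg-app-0001"},    # Neo4j REST port, app tier only (placeholder sg id)
    22: {"203.0.113.0/24"},   # SSH from a management range (placeholder, TEST-NET-3)
}
# Ports a public web tier is expected to expose to everyone.
WEB_PUBLIC_PORTS = frozenset({80, 443})


def audit(rules, policy=DB_POLICY, public_ports=frozenset()):
    """Return one finding string per rule that grants more than the policy.

    A port is acceptable from a given source if it is a public port, or if the
    policy lists that source for that port. A rule is reported once, with the
    ports it should not be granting; rules open to 0.0.0.0/0 are HIGH, any
    other over-broad source is MEDIUM.
    """
    findings = []
    for r in rules:
        bad = [p for p in range(r.from_port, r.to_port + 1)
               if p not in public_ports and r.source not in policy.get(p, ())]
        if bad:
            sev = "HIGH" if r.is_world_open() else "MEDIUM"
            span = f"{bad[0]}" if len(bad) == 1 else f"{bad[0]}-{bad[-1]}"
            findings.append(f"{sev}: port(s) {span} open from {r.source}")
    return findings


def compliant_rules(policy=DB_POLICY):
    """Expand a policy into the minimal set of ingress rules that satisfies it."""
    return [Rule(port, port, src) for port, sources in sorted(policy.items())
            for src in sorted(sources)]


def to_aws_cli(group_id, rules):
    """Render rules as `aws ec2 authorize-security-group-ingress` commands.

    Security-group sources use --source-group; CIDR sources use --cidr.
    """
    cmds = []
    for r in rules:
        port = f"{r.from_port}" if r.from_port == r.to_port else f"{r.from_port}-{r.to_port}"
        src = f"--source-group {r.source}" if r.source.startswith("sg-") else f"--cidr {r.source}"
        cmds.append(f"aws ec2 authorize-security-group-ingress --group-id {group_id} "
                    f"--protocol tcp --port {port} {src}")
    return cmds


# Constructed from the ingress list posted in the thread (every rule 0.0.0.0/0).
POSTED_RULES = [Rule(a, b, ANYWHERE) for a, b in [
    (20, 21), (22, 22), (80, 80), (443, 443), (1024, 1028), (3306, 3306),
    (3478, 3479), (5222, 5222), (5229, 5229), (5269, 5269), (5280, 5280),
    (7070, 7070), (7443, 7443), (7473, 7473), (7474, 7474), (7777, 7777),
    (8000, 8000), (8079, 8079), (8080, 8080)]]

if __name__ == "__main__":
    # On a combined web+DB box, 80/443 are the only world-open ports expected.
    for line in audit(POSTED_RULES, public_ports=WEB_PUBLIC_PORTS):
        print(line)
    print("\n# Rules for a locked-down DB group:")
    for cmd in to_aws_cli("sg-db-0001", compliant_rules()):
        print(cmd)
```

Run against the posted list, every rule except 80 and 443 comes back HIGH, including 22 and 3306, which the reply's layout would restrict to a management range and the App group respectively. The `--source-group` form is what implements "machines in your DB group only accessible from machines in your App group": the grant follows group membership rather than instance addresses, so new app servers inherit it and nothing else does.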
