Hi, thanks for the reply.

Yes, our application layer is on the cloud. We never expose any database layer directly to any app, but we haven't done any of the points mentioned below. Once we do these changes we will let everyone know the status. We tried manually cleaning nodes, but these nodes get created again. Anything else you think we might have missed for better security?

On Tue, Dec 17, 2013 at 1:39 PM, Lasse Westh-Nielsen <[email protected]> wrote:

> Navrattan,
>
> So your application layer lives in the cloud alongside your Neo4j Server -
> good. I assume you have application servers and database servers separate?
>
> But make sure your database server is safely tucked away on AWS. There are
> basically two ways of doing that:
>
> 1) VPC: http://aws.amazon.com/vpc/ - I think this is their gold plated
> solution, when I last looked at this ~2 years ago it was immature but I
> think this should be your first port of call.
> 2) Security groups' origin policies:
> http://aws.amazon.com/ec2/faqs/#How_do_I_prevent_other_people_from_viewing_my_systems -
> simply have machines in your DB group only accessible from machines in
> your App group. When I last built such a system it was good enough for a
> large UK corporate, so ought to be useful to you too?
>
> So basically, on your DB servers only port 7474 ought to be open, and only
> open _from certain machines_ (and SSH for management of course).
>
> Good luck!
>
> On Mon, Dec 16, 2013 at 6:16 PM, Navrattan Yadav <[email protected]> wrote:
>
>> Hi Michael,
>>
>> Thanks for reverting back. I'm sure with your feedback we would be able to
>> have a secured Neo4j architecture.
>>
>> We are building a social sharing network based on phonebook, activities
>> and interests, leveraging the power of Neo4j for building relations.
>>
>> We are using an AWS EC2 instance, Ubuntu 12.4 (with private key), and have
>> Tomcat, Neo4j server (Enterprise mode in disabled mode), Tomcat, Java,
>> phpadmin and MySQL. We have the application layer on REST APIs (the only way
>> a user can access the REST API is after doing base-256 of the initial login
>> info) that can be accessed via web and mobile apps. We do not directly expose
>> the Neo4j database or the MySQL database (we are using the jar file from Neo4j).
>>
>> Open ports are:
>>
>> 20 - 21       0.0.0.0/0
>> 22 (SSH)      0.0.0.0/0
>> 80 (HTTP)     0.0.0.0/0
>> 443 (HTTPS)   0.0.0.0/0
>> 1024 - 1028   0.0.0.0/0
>> 3306 (MYSQL)  0.0.0.0/0
>> 3478 - 3479   0.0.0.0/0
>> 5222          0.0.0.0/0
>> 5229          0.0.0.0/0
>> 5269          0.0.0.0/0
>> 5280          0.0.0.0/0
>> 7070          0.0.0.0/0
>> 7443          0.0.0.0/0
>> 7473          0.0.0.0/0
>> 7474          0.0.0.0/0
>> 7777          0.0.0.0/0
>> 8000          0.0.0.0/0
>> 8079          0.0.0.0/0
>> 8080 (HTTP*)  0.0.0.0/0
>>
>> We found that one node always gets added to different nodes. We checked
>> the phone number and then added logs, and can see in the Tomcat logs the IP
>> address the request is coming from. Not sure if the IP address is spoofed,
>> but this is what we see in the logs. It's the same IP every time.
>>
>> I am not a server guy, that's why I may have exposed something by mistake,
>> but can anyone access Neo4j data without the REST APIs or without the Neo4j server?
>>
>> The surprising thing is that whenever a new node gets created, in the next
>> few seconds a few Nigerian nodes (their IP and phone number are from Nigeria;
>> they are always the same) show up in the friend list.
>>
>> We don't have any REST API that can update anyone's relations.
>>
>> Thanks in advance.
>>
>> On Mon, Dec 16, 2013 at 3:35 AM, Michael Hunger <[email protected]> wrote:
>>
>>> Can you please detail exactly what you're doing with Neo4j, what your
>>> architecture looks like and what ports are open on that machine and why?
>>>
>>> And how you figured out the Nigerian IPs.
>>>
>>> I think you should terminate that machine (might be infected) and set up
>>> a clean instance with only what you need and only ports open to a trusted
>>> network.
>>>
>>> Michael
>>>
>>> On 13.12.2013 at 11:12, Navrattan Yadav <[email protected]> wrote:
>>>
>>> We don't have HTTPS that directly accesses our REST APIs.
>>>
>>> Yes, we have a security group enabled on AWS and a few ports are open,
>>> including 7474 and 7473, but after the attack we removed the Enterprise
>>> Neo4j server; therefore, in theory, nothing is running on these ports even
>>> though they are open.
>>>
>>> According to my minimal knowledge of Neo4j, we feel only the Apache
>>> instance is running, and that's the one that's talking to the Neo4j DB.
>>>
>>> I am confused about one thing though. Are Neo4j Server and Neo4j Web Admin
>>> one and the same thing? We tried using this link but then didn't go further,
>>> as we think only the Apache instance is running. Are we correct?
>>>
>>> On Thu, Dec 12, 2013 at 9:45 PM, Lasse Westh-Nielsen <[email protected]> wrote:
>>>
>>>> On 12/12/2013, at 16.10, Navrattan Yadav <[email protected]> wrote:
>>>>
>>>> Server: Amazon with Ubuntu (Encryption on for every request and
>>>> response)
>>>>
>>>> By "encryption" I guess you mean you have HTTPS enabled?
>>>>
>>>> Anyway: if you do not have an AWS security group protecting that server
>>>> then anyone can access it, HTTPS or not. And you really should not do that.
>>>>
>>>> - Lasse
>>>>
>>>> --
>>>> You received this message because you are subscribed to a topic in the
>>>> Google Groups "Neo4j" group.
>>>> To unsubscribe from this topic, visit
>>>> https://groups.google.com/d/topic/neo4j/-vs6uFXhC2c/unsubscribe.
>>>> To unsubscribe from this group and all its topics, send an email to
>>>> [email protected].
>>>> For more options, visit https://groups.google.com/groups/opt_out.
>>>
>>> --
>>> *Thanks and Regards*
>>>
>>> *Navrattan Yadav*
>>
>> --
>> *Thanks and Regards*
>>
>> *Navrattan Yadav*
>
> --
> (Neo Technology)<-[:WORK_FOR]-(I)-[:DEVELOP]->(Neo4j)

--
*Thanks and Regards*

*Navrattan Yadav*
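The advice in the thread comes down to two checks on the security group: nothing on the DB tier should be reachable from 0.0.0.0/0 except what is deliberately public, and Neo4j's 7474 should be open only to the app group (plus SSH from a management range). The script below is an added example, not code from the thread, from Neo4j or from AWS: it parses the inbound rule list exactly as it was pasted in the thread (the console's "Delete" column dropped), flags every world-open rule that is not a plain web port, and renders the minimal DB-group rule set as `aws ec2 authorize-security-group-ingress` calls. The security-group ids (`sg-APPGROUP-PLACEHOLDER`, `sg-DBGROUP-PLACEHOLDER`) and the management CIDR (`203.0.113.0/24`, a TEST-NET range) are placeholders to be replaced with real values.

```python
"""Audit an EC2 security-group rule list for world-open ports (added example)."""
from dataclasses import dataclass
from ipaddress import ip_network

# Constructed from the port list posted in the thread; one rule per line,
# "<port or lo - hi> [(label)] <source>".
POSTED_RULES = """
20 - 21       0.0.0.0/0
22 (SSH)      0.0.0.0/0
80 (HTTP)     0.0.0.0/0
443 (HTTPS)   0.0.0.0/0
1024 - 1028   0.0.0.0/0
3306 (MYSQL)  0.0.0.0/0
3478 - 3479   0.0.0.0/0
5222          0.0.0.0/0
5229          0.0.0.0/0
5269          0.0.0.0/0
5280          0.0.0.0/0
7070          0.0.0.0/0
7443          0.0.0.0/0
7473          0.0.0.0/0
7474          0.0.0.0/0
7777          0.0.0.0/0
8000          0.0.0.0/0
8079          0.0.0.0/0
8080 (HTTP*)  0.0.0.0/0
"""

# Only ports a public web tier should expose to the whole internet.
PUBLIC_OK = {80, 443}

# Placeholders, not real identifiers: replace with your own app-tier SG id
# and the CIDR your administrators SSH from.
APP_SG = "sg-APPGROUP-PLACEHOLDER"
MGMT_CIDR = "203.0.113.0/24"


@dataclass(frozen=True)
class Rule:
    from_port: int
    to_port: int
    source: str  # a CIDR block or a security-group id


def parse_rules(text):
    """Turn the pasted console table into Rule objects; labels like (SSH) are ignored."""
    rules = []
    for line in text.strip().splitlines():
        parts = line.split()
        source = parts[-1]
        ports = [p for p in parts[:-1] if not p.startswith("(")]
        lo = int(ports[0])
        hi = int(ports[2]) if len(ports) == 3 and ports[1] == "-" else lo
        rules.append(Rule(lo, hi, source))
    return rules


def world_open(rule):
    """True when the source is a /0 CIDR (0.0.0.0/0 or ::/0); SG ids are never world-open."""
    try:
        return ip_network(rule.source).prefixlen == 0
    except ValueError:
        return False


def audit(rules):
    """Return every world-open rule whose port range is not entirely public web ports."""
    findings = []
    for r in rules:
        if world_open(r) and not set(range(r.from_port, r.to_port + 1)) <= PUBLIC_OK:
            findings.append(r)
    return findings


def hardened_db_rules(app_sg=APP_SG, mgmt_cidr=MGMT_CIDR):
    """The DB-group inbound rules the thread recommends: Neo4j's 7474 only from
    the application group, SSH only from a management range, nothing else."""
    return [Rule(7474, 7474, app_sg), Rule(22, 22, mgmt_cidr)]


def to_cli(group_id, rules):
    """Render rules as aws-cli calls; --source-group takes an SG id, --cidr a block."""
    cmds = []
    for r in rules:
        src = f"--source-group {r.source}" if r.source.startswith("sg-") else f"--cidr {r.source}"
        cmds.append(
            f"aws ec2 authorize-security-group-ingress --group-id {group_id} "
            f"--protocol tcp --port {r.from_port}-{r.to_port} {src}"
        )
    return cmds


if __name__ == "__main__":
    for r in audit(parse_rules(POSTED_RULES)):
        print(f"world-open: tcp {r.from_port}-{r.to_port} from {r.source}")
    for cmd in to_cli("sg-DBGROUP-PLACEHOLDER", hardened_db_rules()):
        print(cmd)
```

Run against the list from the thread, the audit flags 17 of the 19 rules (everything except 80 and 443), 22 included, since SSH open to the world is what the management-CIDR rule replaces; the hardened DB-group rules produce no findings because a security-group source is not a CIDR at all. The `0.0.0.0/0` entries on 3306, 7473 and 7474 are the ones that contradict the "only from the app group" advice most directly.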
