Hi Keith and others.
First off, I'd prefer to read discussions on this list based on facts
and not just "wow". You may have a point, but it's not a very nice
welcome to Tim who is writing in with a beginner's question (his own
wording - not mine).
Second, I'd like to pick up your comment on remote root login via ssh.
A server where root login using a pass phrase can be hacked using brute
force over time. Yes - fail2ban should mitigate this somewhat, but it is
still something that is just waiting to happen.
But if you force the use of key login, getting in using brute force is
essentially impossible.
Then you could argue that using a second user account could serve as a
second line of defense, but that is a very thin line. Any attacker who has
gained access to such an account can easily log in and modify the
environment to pick up any passwords that the user must enter in order
to get root access.
Monitoring, hardening and two-factor authentication are what come to
mind when I think of what can be done to actually avoid the problem.
I know that having remote ssh root access isn't ideal, but I think it is
becoming very common on servers in small organisations because any extra
security layers are complicated to set up, manage and monitor.
Regards,
Michael
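An added example (not from the thread) that audits sshd_config text for the two settings behind Michael's point, root login with a password versus key-only root. The sample configs are constructed; the assumed OpenSSH semantics are that keywords are case-insensitive, the first occurrence of a keyword wins, PermitRootLogin, PasswordAuthentication and ChallengeResponseAuthentication default to yes, and Match blocks are ignored.

```python
# Constructed sample: Debian-style defaults, root may log in with a password.
WEAK_CONFIG = """\
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed sample: root only with a key, no password prompts at all.
# ChallengeResponseAuthentication is turned off too, because with PAM it can
# still offer a keyboard-interactive password prompt (assumed OpenSSH behaviour).
HARDENED_CONFIG = """\
PermitRootLogin without-password
PasswordAuthentication no
ChallengeResponseAuthentication no
"""

# Assumed defaults for the keywords the audit looks at (all default to yes).
DEFAULTS = {
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
}

def effective_settings(text, defaults=DEFAULTS):
    """Resolve the keywords we care about: first occurrence wins, as in sshd."""
    eff = dict(defaults)
    seen = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key in eff and key not in seen:       # later duplicates are ignored
            eff[key] = value
            seen.add(key)
    return eff

def root_password_login_possible(text):
    """True when root can authenticate over ssh by typing a password."""
    s = effective_settings(text)
    root_by_password_allowed = s["permitrootlogin"] == "yes"
    some_password_method_on = (s["passwordauthentication"] == "yes"
                               or s["challengeresponseauthentication"] == "yes")
    return root_by_password_allowed and some_password_method_on

if __name__ == "__main__":
    print(root_password_login_possible(WEAK_CONFIG))      # True
    print(root_password_login_possible(HARDENED_CONFIG))  # False
```

Note that a config with only PasswordAuthentication no still reports True, because the assumed defaults leave PermitRootLogin yes and keyboard-interactive prompts on.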
On 2013-04-15 16:23, Keith Gable wrote:
wow indeed.
---
Keith Gable
A+, Network+, and Storage+ Certified Professional
Apple Certified Technical Coordinator
Mobile Application Developer / Web Developer
On Mon, Apr 15, 2013 at 9:18 AM, Robert Newson <rnew...@apache.org> wrote:
wow.
On 15 April 2013 15:15, Tim Tisdall <tisd...@gmail.com> wrote:
What's wrong with ssh'ing as root?
On Mon, Apr 15, 2013 at 10:08 AM, Keith Gable <zi...@ignition-project.com> wrote:
But you're SSHing as root, which is probably worse than opening CouchDB to
the world with no password.
On Mon, Apr 15, 2013 at 8:45 AM, Tim Tisdall <tisd...@gmail.com> wrote:
Instead of opening CouchDB to the world, I simply access it by
port-forwarding through ssh when I connect to the machine. Like this:
ssh -L 5984:127.0.0.1:5984 r...@mymachine.com
Then on my local machine I can simply access http://localhost:5984/_utils/
and up comes futon. It depends on your use-case, but this works well for me.
On Mon, Apr 15, 2013 at 7:14 AM, Stefan Reich <stefan.reich.maker.of....@googlemail.com> wrote:
Hmm... maybe you guys can help me solve the rest of the problem? (Access
to couchdb from outside)
These are the last iptables rules in chain INPUT:
MY_REJECT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:5984
Is that not what it should be...? Says "anywhere"... everywhere.
Heh.
Cheers,
Stefan
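An added example (not from the thread) that walks an iptables INPUT chain first-match, top to bottom, the way the kernel does, to show why the ACCEPT for tcp/5984 quoted above never fires when it sits below a catch-all reject. The input lines are constructed to mirror the `iptables -L` output in Stefan's mail; MY_REJECT is assumed to be a user chain that rejects, so it is treated as terminating.

```python
import re

# Constructed sample, in chain order as posted: the reject comes first.
CHAIN_AS_POSTED = """\
MY_REJECT  all  --  anywhere  anywhere
ACCEPT     tcp  --  anywhere  anywhere  tcp dpt:5984
"""

# Targets that end evaluation; MY_REJECT is assumed to reject (see lead-in).
TERMINATING = {"ACCEPT", "DROP", "REJECT", "MY_REJECT"}

def parse_chain(text):
    """Turn `iptables -L` style lines into (target, proto, dport) tuples."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:                      # skip headers / blank lines
            continue
        target, proto = parts[0], parts[1]
        m = re.search(r"dpt:(\d+)", line)
        dport = int(m.group(1)) if m else None  # None = any port
        rules.append((target, proto, dport))
    return rules

def first_match(rules, proto, dport):
    """(index, target) of the first terminating rule that matches the packet."""
    for i, (target, rproto, rport) in enumerate(rules):
        if rproto not in ("all", proto):
            continue
        if rport is not None and rport != dport:
            continue
        if target in TERMINATING:
            return i, target
    return None, "policy"                       # fell through to chain policy

def shadowed_accepts(rules):
    """Indices of ACCEPT rules hidden by an earlier terminating rule."""
    hidden = []
    for i, (target, proto, dport) in enumerate(rules):
        if target == "ACCEPT" and first_match(rules[:i], proto, dport)[0] is not None:
            hidden.append(i)
    return hidden

if __name__ == "__main__":
    rules = parse_chain(CHAIN_AS_POSTED)
    print(first_match(rules, "tcp", 5984))      # (0, 'MY_REJECT')
    print(shadowed_accepts(rules))              # [1]
    fixed = rules[1:] + rules[:1]               # ACCEPT moved above the reject
    print(first_match(fixed, "tcp", 5984))      # (0, 'ACCEPT')
```

With the ACCEPT moved above the reject, tcp/5984 is accepted while everything else still falls through to MY_REJECT.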
On Mon, Apr 15, 2013 at 1:08 PM, Stefan Reich <stefan.reich.maker.of....@googlemail.com> wrote:
OK, thanks for all the answers, folks. It was indeed iptables that blocked
the port. This stuff should be designed (much) better in operating systems.
Actually it's a project of mine to make that better (LuaOS and its
follow-ups).
I got iptables to allow access locally now. Weirdly, it still doesn't work
over the Internet. And no, the server is not behind a firewall... :)
Thanks,
Stefan
On Thu, Apr 11, 2013 at 3:30 AM, Andrey Kuprianov <andrey.koupria...@gmail.com> wrote:
See if your local.ini bind_address is set to 0.0.0.0 so that you can
access it locally and remotely.
On Thu, Apr 11, 2013 at 2:54 AM, Stanley Iriele <siriele...@gmail.com> wrote:
A simple cat of etc/hosts... Should let you know!... And maybe nsswitch
just to be sure
On Apr 10, 2013 11:22 AM, "Robert Newson" <rnew...@apache.org> wrote:
Are you sure localhost == 127.0.0.1 on your machine? debian/ubuntu are
notorious for changing that convention.
On 10 April 2013 14:20, Stanley Iriele <siriele...@gmail.com> wrote:
Why are you telneting to it?... try curling it and see what it responds
with
On Apr 10, 2013 10:47 AM, "Stefan Reich" <stefan.reich.maker.of....@googlemail.com> wrote:
Oops, bad copy&paste - here's the actual process info:
root@pussy-riot-germany:~/luastuff# ps -aef|grep 7651
couchdb 7651 7650 0 19:44 pts/0 00:00:00 /usr/lib/erlang/erts-5.8/bin/beam.smp -Bd -K true -- -root /usr/lib/erlang -progname erl -- -home /var/lib/couchdb -- -noshell -noinput -sasl errlog_type error -couch_ini /etc/couchdb/default.ini /etc/couchdb/local.ini /etc/couchdb/default.ini /etc/couchdb/local.ini -s couch -pidfile /var/run/couchdb/couchdb.pid -heart
couchdb 7682 7651 0 19:44 ? 00:00:00 heart -pid 7651 -ht 11
Cheers,
Stefan
On Wed, Apr 10, 2013 at 7:46 PM, Stefan Reich <stefan.reich.maker.of....@googlemail.com> wrote:
Hi there!
I'd like to start using CouchDB for my projects.
This is on a Linux host. CouchDB installed from standard Debian package,
no settings altered. But it doesn't start properly:
root@pussy-riot-germany:~/luastuff# uname -a
Linux pussy-riot-germany 2.6.32-042stab068.8 #1 SMP Fri Dec 7 17:06:14 MSK 2012 i686 GNU/Linux
root@pussy-riot-germany:~/luastuff# /etc/init.d/couchdb start
Starting database server: couchdb.
root@pussy-riot-germany:~/luastuff# /etc/init.d/couchdb status
Apache CouchDB is running as process 7651, time to relax.
root@pussy-riot-germany:~/luastuff# telnet localhost 5984
Trying ::1...
Trying 127.0.0.1...
telnet: Unable to connect to remote host: Connection refused
Connection refused?
Here's the process info:
root@pussy-riot-germany:~/luastuff# uname -a
Linux pussy-riot-germany 2.6.32-042stab068.8 #1 SMP Fri Dec 7 17:06:14 MSK 2012 i686 GNU/Linux
root@pussy-riot-germany:~/luastuff# /etc/init.d/couchdb start
Starting database server: couchdb.
root@pussy-riot-germany:~/luastuff# /etc/init.d/couchdb status
Apache CouchDB is running as process 7651, time to relax.
root@pussy-riot-germany:~/luastuff# telnet localhost 5984
Trying ::1...
Trying 127.0.0.1...
telnet: Unable to connect to remote host: Connection refused
Please help, dear experts... :)
Cheers,
Stefan