Lost all my data ? Help please



  • Well am I the only one a bit troubled about the fact that the default Redis security is so easy to avoid. I opened my Redis port from my router and connected to it without any single problem...


  • Community Rep

    @kacemlight said:

    Can someone here explain to me where to find out if I have a backup? How can I just lose all my data without a reason? Please, someone explain to me what could have happened to my website. I lost nine months of hard work!

    What command do I have to execute to try restoring my data?

    Did you take a backup of any sort?


  • Gamers

    @julian @Kowlin Redis is that bad? Did not know that. Planned on migrating to Mongodb before production anyway 😄



  • @bitspook Like @julian said, security is relatively easy. But I'm surprised and scared that it's so weak by default. If it wasn't for my router I think my databases also could have been dropped.


  • Community Rep

    @kacemlight said:

    Does someone know why this happened?! Can it be related to the hosting provider DigitalOcean?

    That would not make any logical sense. DO is only your IaaS platform and does not touch the system itself. You would not suspect a hardware vendor in a physical deployment of deleting your database.


  • GNU/Linux Admin

    @Kowlin said:

    Well am I the only one a bit troubled about the fact that the default Redis security is so easy to avoid.

    IIRC the default Redis config is "bind to 0.0.0.0", which means open to everyone. Might be the same with Mongo.

    However, Ubuntu locks these configs down by binding to localhost only, so installing via apt-get is usually better than installing by downloading and compiling on your own.


  • Community Rep

    @Kowlin said:

    Well am I the only one a bit troubled about the fact that the default Redis security is so easy to avoid. I opened my Redis port from my router and connected to it without any single problem...

    That is expected. That means that the firewall is open on your OS (is the firewall running?) and Redis does this because it is designed to be in a cluster and would need the port open to talk to itself or to a Sentinel.


  • Gamers

    @julian said:

    It sounds like someone (or some script, rather) is going around trying to connect to port 6379, and if successful, flushing the database.

    maliciously?


  • GNU/Linux Admin

    @bitspook Probably.

    Looks like antirez added a large warning block about it here, and it may be uncommented by default now...
    https://github.com/antirez/redis/blob/unstable/redis.conf#L40-L61


  • Plugin & Theme Dev

    Just bind redis to localhost. Then it won't be accessible from the outside world.
    By default redis listens to all interfaces, which means all external IPs (unless you have some firewall in place).

    In /etc/redis/redis.conf, add:

    `bind 127.0.0.1`

    Edit: Damn @julian you beat me.
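
A check for the exposure discussed in this thread, as an added example that is not part of any post: it reads a redis.conf and reports whether `bind` keeps Redis on loopback and whether `requirepass` is set. The function name and the sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit a redis.conf for network exposure.
# Prints one finding per line; returns 0 if loopback-only, 1 if exposed,
# 2 if the file cannot be read.
audit_redis_conf() {
    conf=$1
    [ -r "$conf" ] || { echo "ERROR cannot read $conf"; return 2; }
    awk '
        { key = tolower($1) }   # commented lines start with "#" and never match
        # Assumption: when bind appears more than once, the last line wins.
        key == "bind"        { n = 0; for (i = 2; i <= NF; i++) addrs[++n] = $i }
        key == "requirepass" { pass = $2 }
        END {
            exposed = 0
            if (n == 0) {
                print "EXPOSED no bind line: Redis listens on all interfaces"
                exposed = 1
            }
            for (i = 1; i <= n; i++) {
                a = addrs[i]
                sub(/^-/, "", a)   # newer configs may write optional addresses as -::1
                if (a !~ /^127\./ && a != "::1") {
                    print "EXPOSED bind includes non-loopback address " a
                    exposed = 1
                }
            }
            if (pass == "") print "WARN no requirepass set"
            if (!exposed) print "OK bound to loopback only"
            exit exposed
        }' "$conf"
}

# Constructed sample configs, written to a temporary directory.
tmp=$(mktemp -d)
printf 'port 6379\n# bind 127.0.0.1\n' > "$tmp/open.conf"
printf 'port 6379\nbind 127.0.0.1\nrequirepass constructed-example\n' > "$tmp/local.conf"
audit_redis_conf "$tmp/open.conf" || true    # EXPOSED and WARN findings
audit_redis_conf "$tmp/local.conf" || true   # OK
rm -rf "$tmp"
```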



  • @julian If this doesn't happen can we at least add a warning to the NodeBB documentation for this?



  • Please, if we suppose the backup was activated by default, how can I find the dump.rdb? Or maybe how can I check if it's activated? I just want to be sure that there is no hope of getting back my website. That means I lost nine months of work and now I will give up and stop hosting it...


  • GNU/Linux Admin

    @Kowlin said:

    @julian If this doesn't happen can we at least add a warning to the NodeBB documentation for this?

    I did amend the Ubuntu installation documentation yesterday to use Mongo instead. May as well.


  • Community Rep

    @kacemlight said:

    Please, if we suppose the backup was activated by default, how can I find the dump.rdb? Or maybe how can I check if it's activated? I just want to be sure that there is no hope of getting back my website. That means I lost nine months of work and now I will give up and stop hosting it...

    What backup would that be? If you didn't set it up, there is no backup. If you did, you would likely know where it was.

    Do this... `find / -name dump.rdb`

    Doubt that you are going to find anything, but only takes a minute to be sure.


  • Community Rep

    @Kowlin said:

    @julian If this doesn't happen can we at least add a warning to the NodeBB documentation for this?

    That people need to have firewalls? Seems a bit extreme to have to document in NodeBB's docs.


  • Plugin & Theme Dev

    @kacemlight

    You have to create your own redis backup script that rotates/saves dump files. By default redis does not make any incremental and/or multiple save files.

    So if someone connects to your redis instance and does `flushall`, your database will be gone again, because the empty db gets saved to disk in a few minutes (overwriting your old save-file).
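
One way to write the rotating backup described in the post above, as an added example that is not part of the original post: it keeps timestamped copies of dump.rdb and stops rotating when the dump suddenly collapses in size, so a dataset saved after a `flushall` cannot push the good copies out. The function name, the 10% threshold and the optional timestamp argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): rotate copies of Redis's dump.rdb.
# Args: source dump, backup dir, copies to keep, optional timestamp
# (the timestamp argument is hypothetical, used for repeatable runs).
backup_rdb() {
    src=$1; dest=$2; keep=${3:-7}; stamp=${4:-$(date +%Y%m%d-%H%M%S)}
    if [ ! -s "$src" ]; then echo "SKIP $src missing or empty"; return 1; fi
    mkdir -p "$dest"
    new_size=$(( $(wc -c < "$src") ))
    last=""
    for f in "$dest"/dump-*.rdb; do      # glob order is lexical = chronological
        if [ -e "$f" ]; then last=$f; fi
    done
    if [ -n "$last" ]; then
        last_size=$(( $(wc -c < "$last") ))
        # A dump under 10% of the newest good backup looks like a wiped
        # dataset: quarantine it and leave every older copy untouched.
        if [ $((new_size * 10)) -lt "$last_size" ]; then
            cp -p "$src" "$dest/suspect-$stamp.rdb"
            echo "ALERT dump shrank from $last_size to $new_size bytes"
            return 2
        fi
    fi
    cp -p "$src" "$dest/dump-$stamp.rdb"
    # Prune oldest first until only $keep good copies remain.
    set -- "$dest"/dump-*.rdb
    while [ "$#" -gt "$keep" ]; do rm -f "$1"; shift; done
    echo "OK saved dump-$stamp.rdb ($new_size bytes)"
}

# Constructed demo: zero-filled files stand in for real dumps.
demo=$(mktemp -d)
head -c 5000 /dev/zero > "$demo/dump.rdb"
backup_rdb "$demo/dump.rdb" "$demo/backups" 2 20240101-000000 || true
head -c 100 /dev/zero > "$demo/dump.rdb"    # stands in for a dump saved after a flush
backup_rdb "$demo/dump.rdb" "$demo/backups" 2 20240102-000000 || true
rm -rf "$demo"
```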



  • @kacemlight I'm sad to say that if you didn't provide your own backup solution, the database will be lost forever. I hope you can still see something in your hosting though.



  • @scottalanmiller It's that or having more people complain about lost databases; either way it looks bad for NodeBB as a whole. There is nothing wrong with the software, and we are a supportive community. So adding a warning for this bug or exploit or however you want to call it is the least we can do.


  • Community Rep

    @Kowlin said:

    @scottalanmiller It's that or having more people complain about lost databases; either way it looks bad for NodeBB as a whole. There is nothing wrong with the software, and we are a supportive community. So adding a warning for this bug or exploit or however you want to call it is the least we can do.

    I suppose. It seems a bit over the top. We would need to put in mentions of backups, good passwords, firewalls, etc.


  • Gamers

    That reminds me, I was thinking that what we need is a knowledge base. Though this forum largely serves that purpose, a purpose-built knowledge base made to answer questions via a multiple of keywords would really be great.

    The community could submit articles and edit them. There are open source wiki engines and knowledge base systems that could be used. The docs were created some time ago and are not living documents as much as wikis are. The docs should not go away, but a wiki could be added to by approved members in an ad hoc fashion.

    Everyone here knows important things from using the software. However, answering the same questions repeatedly will cause fatigue.

