Lost all my data? Help please
-
@Kowlin said:
@scottalanmiller Its that or having more people complain about lost databases, either way it looks bad for NodeBB as a whole. There is nothing wrong with the software, and we are a supportive community. So adding a warning for this bug or exploit or however you want to call it is the least we can do.
I suppose. It seems a bit over the top. We would need to put in mentions of backups, good passwords, firewalls, etc.
-
That reminds me, I was thinking that what we need is a knowledge base. Though this forum largely serves that purpose, a purpose-built knowledge base made to answer questions via a multiple of keywords would really be great.
The community could submit articles and edit them. There are open source wiki engines and knowledge base systems that could be used. The docs were created some time ago and are not living documents as much as wikis are. The docs should not go away, but a wiki could be added to by approved members in an adhoc fashion.
Everyone here knows important things from using the software. However, answering the same questions repeatedly will cause fatigue.
-
Not a bad idea. A wiki would be especially useful.
-
I do not see a lot of sense in a Wiki. The current doc system can be updated over GitHub as well and actually has a better implementation of code/command elements.
@scottalanmiller , it is anything but extreme to use a firewall. In general it is "suicide" for the server to allow all connections. Ubuntu, CentOS and Co. don't feature these tools just for fun. It is somehow like leaving Port 22 open, disabling SSH Protocol 2 and then hoping that no one will access the server.
-
@bitspook there's already a documentation repository, (at docs.nodebb.org) specifically for this purpose, open source and everything (though it could use some maintenance).
Including tutorials on how to secure your instance would be overkill, but a reference for people who are doing this for the first time would probably be good. I was thinking of doing this actually when I get some time, but if someone else gets to it, it should at least include the basics like:
- ssh access
- using keys instead of passwords
- disallow login as sudo
- changing the default port
- firewalls
- setting up a new user (so as only to sudo when you need to)
- importance of enabling 2FA for your DO account (one of our members had his instances wiped because someone broke into his login)
If you haven't been keeping up on the security breaches as of late, you won't be as mindful of these things.
-
I second this. A keyword-based community Wiki would be a great idea. A process like configuring or securing Redis is definitely something everyone should know, and being able to locate it without work from other users is a good idea that will educate many and inconvenience few, as there will be fewer duplicate posts and questions.
-
just found this in the syslog of my server:
Nov 11 11:26:05 web02 redis[3992]: WARNING overcommit_memory is set to 0! Background save may fail under low memory condition. To fix this issue add 'vm.overcommit_memory = 1' to /etc/sysctl.conf and then reboot or run the command 'sysctl vm.overcommit_memory=1' for this to take effect.
It seems that virtual machines need an additional setting to get redis working securely...
-
Redis does require roughly 2x the dataset size in memory in order to persist to disk properly. If you have a large forum (e.g. 300mb dataset) on a small machine (e.g. 512mb memory), it is possible that the database will not be persisted because Redis can't properly make a copy of the db in-memory.
This was the main reason we switched to MongoDB, but Redis datasets are fairly small anyhow.
-
@Kowlin said:
Well am I the only one a bit troubled about the fact that the default Redis security is so easy to avoid. I opened my Redis port from my router and connected to it without any single problem...
What do you mean? ... any database is quite easy to get in if the guy that has set it up is not taking any security measures...
Use iptables and block the port, boom, no one can connect apart from your localhost... and put a password in the config file (just for additional security)... that's all it needs.
My guess would be that any db you use you'd want to do the same unless you want to have remote access to that db, which makes no sense in the modern world we live in because exposing your db to the public is just BAD. A db nowadays should be clearly set to be accessed on a localhost level only and then you can use an API to access its data from another connection.
-
@geobz That has always been a long established fact. But even the ancient artifact named MySQL has by default better security than Redis. Most of us are clearly experienced sysadmins and will know the importance of security. But I've seen and talked to people, mostly inexperienced gaming community owners, that will ignore security. It's of course their responsibility to secure their server properly. But I find it just weird that Redis doesn't have a minimum security to begin with. Luckily people have noticed this, and there is an ongoing pull request for that.
-
@Kowlin Well I am not an experienced sysadmin but when I am about to install some software that I don't know about, I have a look around and learn about it, its security etc.
If you just want to install a NodeBB and run it for your community then it's better if you use one of the paid plans NodeBB has on its site, rather than trying to play with open source software and then complaining that it doesn't work or your db got wiped out or whatever that is.
When you are using open source software, I think you should acknowledge that it might have bugs and issues that you'll need to figure out on your own (or with some help).
In general I strongly believe that nodebb is a great forum software, but I think it can't really be used by people that have no programming experience, or IT experience. Not at this point in time.
I've been a senior software engineer for more than 10 years and it even took me quite a while to get the grasp of it and install it and configure it in a more proper manner.
What I want to say in reality is that if you can't understand that you need to set a firewall in front of your DB, password your DB etc., you shouldn't be trying to use NodeBB as your forum software but something else that is much easier for the non-techy user, or buy a solution that comes preinstalled by the NodeBB team.
-
@Kowlin said:
But even the ancient artifact named MySQL has by default better security then Redis.
If you haven't noticed, there are recommended hardening measures you have to take for MySQL because by default it sets up with special tables that make it vulnerable.
You can't really blame the security of a database on the fact that you have to use a password or firewall though. A typical use of a database is to have it on a dedicated server, so yes, it does make sense to allow outside machines to talk to it by default, and in that case it should be behind a firewall or password protected at the very least.
-
@geobz
This type of security you can get by simply adding a line 'bind 127.0.0.1' to your redis configuration file.
The database listens to connections from the local host only with this configuration.
It's also described in the configuration file itself.
If connections from the local lan are required, this can be accomplished in a similar way.
For fine-tuning the access, e.g. denying connections from a router, iptables is the choice, indeed.
-
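As an added example (not code from this thread), the following POSIX shell script checks a redis.conf for the two settings recommended in the post above, a loopback-only `bind` and a password (the Redis directive for that is `requirepass`), and also checks the `vm.overcommit_memory` value from the syslog warning quoted earlier. The config it audits at the end is a constructed, deliberately weak sample.

```shell
# Added example, not from the thread: audit a redis.conf for the settings
# recommended above ('bind 127.0.0.1' and a 'requirepass' password) and
# check the vm.overcommit_memory value from the quoted syslog warning.

# Print the effective value of a directive: comments are skipped and a
# later occurrence overrides an earlier one, as Redis parses sequentially.
redis_conf_get() {
    # $1 = path to redis.conf, $2 = directive name
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        $1 == key { val = $0; sub(/^[ \t]*[^ \t]+[ \t]+/, "", val) }
        END { print val }' "$1"
}

# Return 0 only when every bind address is a loopback address.
redis_bind_is_local() {
    bind=$(redis_conf_get "$1" bind)
    [ -n "$bind" ] || return 1   # no bind line: Redis listens on all interfaces
    for addr in $bind; do
        case "$addr" in
            127.0.0.1|::1|-127.0.0.1|-::1) ;;   # '-' marks an optional address
            *) return 1 ;;
        esac
    done
    return 0
}

# Audit one config file: one finding per line, exit 0 only if both checks pass.
redis_conf_audit() {
    rc=0
    if redis_bind_is_local "$1"; then echo "OK: bound to loopback only"
    else echo "EXPOSED: reachable from other hosts (missing or non-loopback bind)"; rc=1; fi
    if [ -n "$(redis_conf_get "$1" requirepass)" ]; then echo "OK: requirepass is set"
    else echo "EXPOSED: no requirepass, anyone reaching the port has full access"; rc=1; fi
    return $rc
}

# Kernel setting from the syslog warning; $1 may point at a saved copy of the
# sysctl file so the check can run offline (defaults to the live value).
overcommit_ok() {
    val=$(tr -d '[:space:]' 2>/dev/null < "${1:-/proc/sys/vm/overcommit_memory}")
    [ "$val" = "1" ] && return 0
    echo "WARN: vm.overcommit_memory=$val, background save may fail; set it to 1"
    return 1
}

# Demo on a constructed, deliberately weak config (not a real server's file).
tmpd=$(mktemp -d); printf 'port 6379\n# bind 127.0.0.1\n' > "$tmpd/weak.conf"
redis_conf_audit "$tmpd/weak.conf" || echo "weak.conf fails the audit"
```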
The difficult part is that it takes quite a long time to get knowledgeable about server admin, not to mention server security as a whole. It took me years of playing around with my own servers to get halfway adequate at it.
Setting up NodeBB and its dependencies is fairly straightforward now, and it is straightforward to do with helper scripts like apt-get and ufw, though it can always be easier still.
-
A lot of pain could probably be removed by setting up docker containers in a composition. I'm still working out the details of how docker even works though so I'm speaking purely in theoretical terms.
-
Funny, Digital Ocean has a 3 part series (pub 2014) to help set up your Ubuntu server and includes MOST of the basic sec advice given here. Disabling root, creating additional users, secure key access, ufw; covers all that.
Furthermore, they have several Redis and MongoDB set-up articles that show one how to secure their setup... So the docs can simply point to those instead of repeating it internally.