Lost all my data? Help please
-
@Kowlin said:
Well, am I the only one a bit troubled by the fact that the default Redis security is so easy to avoid? I opened my Redis port from my router and connected to it without any single problem...
What do you mean? ... Any database is quite easy to get into if the guy who set it up is not taking any security measures...
Use iptables and block the port; boom, no one can connect apart from your localhost... and put a password in the config file (just for additional security)... That's all it needs.
My guess would be that for any DB you use you'd want to do the same, unless you want to have remote access to that DB, which makes no sense in the modern world we live in because exposing your DB to the public is just BAD. A DB nowadays should clearly be set to be accessed on a localhost level only, and then you can use an API to access its data from another connection.
-
@geobz That has always been a long-established fact. But even the ancient artifact named MySQL has by default better security than Redis. Most of us are clearly experienced sysadmins and will know the importance of security. But I've seen and talked to people, mostly inexperienced gaming community owners, that will ignore security. It's of course their responsibility to secure their server properly. But I find it just weird that Redis doesn't have a minimum of security to begin with. Luckily people have noticed this, and there is an ongoing pull request for that.
-
@Kowlin Well, I am not an experienced sysadmin, but when I am about to install some software that I don't know about, I have a look around and learn about it, its security, etc.
If you just want to install a NodeBB and run it for your community, then it's better if you use one of the paid plans NodeBB has on its site, rather than trying to play with open source software and then complain that it doesn't work or your DB got wiped out or whatever that is.
When you are using open source software, I think you should acknowledge that it might have bugs and issues that you'll need to figure out on your own (or with some help).
In general I strongly believe that NodeBB is a great forum software, but I think it can't really be used by people that have no programming experience or IT experience. Not at this point in time.
I've been a senior software engineer for more than 10 years and it even took me quite a while to get the grasp of it and install it and configure it in a more proper manner. What I want to say in reality is that if you can't understand that you need to set a firewall behind your DB, password your DB, etc., you shouldn't be trying to use NodeBB as your forum software but something else that is much easier for the non-techy user, or buy a solution that comes preinstalled by the NodeBB team.
-
@Kowlin said:
But even the ancient artifact named MySQL has by default better security then Redis.
If you haven't noticed, there are recommended hardening measures you have to do for MySQL because by default it sets up with special tables that make it vulnerable.
You can't really blame the security of a database on the fact that you have to use a password or firewall though. A typical use of a database is to have it on a dedicated server, so yes, it does make sense to allow outside machines to talk to it by default, and in that case it should be behind a firewall or password protected at the very least.
-
@geobz
This type of security you can get by simply adding the line 'bind 127.0.0.1' to your Redis configuration file.
The database listens for connections from the local host only with this configuration.
It's also described in the configuration file itself.
If connections from the local LAN are required, this can be accomplished in a similar way.
For fine-tuning the access, e.g. denying connections from a router, iptables is the choice indeed.
-
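Added example, not code from the thread or from the NodeBB or Redis projects: a small POSIX shell audit of a redis.conf for the three controls the replies mention (loopback bind, requirepass, protected-mode). The sample configs, the function names and the 16-character password threshold are constructed assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: audit a redis.conf for the controls the
# replies above recommend (loopback bind, requirepass, protected-mode).
# Prints one line per finding; the exit status is the finding count (0 = clean).
audit_redis_conf() {
    conf="$1"; findings=0
    # Redis uses the last uncommented occurrence of a directive, hence tail -n 1.
    bind_val=$(grep -E '^[[:space:]]*bind[[:space:]]' "$conf" | tail -n 1 | sed -E 's/^[[:space:]]*bind[[:space:]]+//')
    pass_val=$(grep -E '^[[:space:]]*requirepass[[:space:]]' "$conf" | tail -n 1 | awk '{print $2}')
    pm_val=$(grep -E '^[[:space:]]*protected-mode[[:space:]]' "$conf" | tail -n 1 | awk '{print $2}')
    if [ -z "$bind_val" ]; then
        echo "FINDING: no active 'bind' line, Redis listens on every interface"
        findings=$((findings + 1))
    fi
    for addr in $bind_val; do
        case "$addr" in
            127.*|::1|-::1) ;;   # loopback only, as the reply above suggests
            *) echo "FINDING: 'bind $addr' exposes Redis beyond localhost"
               findings=$((findings + 1)) ;;
        esac
    done
    if [ -z "$pass_val" ]; then
        echo "FINDING: no 'requirepass', anyone who can reach the port has full access"
        findings=$((findings + 1))
    elif [ "${#pass_val}" -lt 16 ]; then   # 16 is this example's threshold, not a Redis rule
        echo "FINDING: 'requirepass' is short (${#pass_val} chars); Redis does not throttle AUTH"
        findings=$((findings + 1))
    fi
    # protected-mode defaults to yes (Redis 3.2+), so only an explicit 'no' is a finding
    if [ "$pm_val" = "no" ]; then
        echo "FINDING: 'protected-mode no' removes the no-password/non-loopback safety net"
        findings=$((findings + 1))
    fi
    return "$findings"
}
# Helper that reports the count on stdout (safe under 'set -e').
count_findings() { n=0; audit_redis_conf "$1" >/dev/null || n=$?; echo "$n"; }

# Constructed sample configs (not real deployments) covering the cases discussed.
tmp=$(mktemp -d)
printf 'port 6379\n# bind 127.0.0.1\nprotected-mode no\n' > "$tmp/default-ish.conf"
printf 'port 6379\nbind 0.0.0.0\nrequirepass hunter2\n' > "$tmp/exposed.conf"
printf 'port 6379\nbind 127.0.0.1 -::1\nprotected-mode yes\nrequirepass %s\n' \
    'replace-with-a-long-random-secret-0123456789' > "$tmp/hardened.conf"
for f in default-ish exposed hardened; do
    echo "== $f.conf: $(count_findings "$tmp/$f.conf") finding(s)"
    audit_redis_conf "$tmp/$f.conf" || true
done
```

The audit only reads the config file; it does not tell you what Redis is actually bound to at runtime, so pair it with a check of the listening sockets on the host.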
The difficult part is that it takes quite a long time to get knowledgeable about server admin, not to mention server security as a whole. It took me years of playing around with my own servers to get halfway adequate at it.
Setting up NodeBB and its dependencies is fairly straightforward now, and it is straightforward to do with helper scripts like apt-get and ufw, though it can always be easier still.
-
A lot of pain could probably be removed by setting up Docker containers in a composition. I'm still working out the details of how Docker even works though, so I'm speaking purely in theoretical terms.
-
Funny, DigitalOcean has a 3-part series (published 2014) to help set up your Ubuntu server, and it includes MOST of the basic security advice given here: disabling root, creating additional users, secure key access, ufw; it covers all that.
Furthermore, they have several Redis and MongoDB setup articles that show one how to secure their setup... So the docs can simply point to those instead of repeating it internally.