Thoughts on securing your NodeBB installation

julian

About two weeks ago, the creator of Redis, antirez, published a blog entry in response to perceived security "faults" in Redis.

From time to time I get security reports about Redis. It’s good to get reports, but it’s odd that what I get is usually about things like Lua sandbox escaping, insecure temporary file creation, and similar issues, in a software which is designed (as we explain in our security page here http://redis.io/topics/security) to be totally insecure if exposed to the outside world.

Click here to see the full blog post

A Former User

Despite using SSH Keys I also recommend to change your SSH Port and to disable direct root login.

xen

How to allow access to redis with two ip?

bind (my ip)
bind 127.0.0.1

But I still can not access from their computer.

This is necessary, because I use Redis Desktop Manager.

julian

@xen The bind directive accepts space-separated values.

I'd recommend using an SSH tunnel to access Redis from your desktop, while maintaining the bind set to 127.0.0.1.

@AOKP Good points. Also keep your server up-to-date

A Former User

This post is deleted!

rbeer

@xen
Binding a port through your ssh connection is actually quite simple.
(The following assumes that you are using the OpenSSH client on GNU/Linux)

tl;dr:
https://youtu.be/vC7Smc67gPg

1. Start the SSH client with ssh user@remotehost.com -L 7000:localhost:6379
   So basically like you would normally do, appending -L ... with the syntax:
   • local_port:interface_on_remote:remote_port (ssh manpage)
2. You should have an interactive session to your remote, prompt and all or whatever your setup resolves into when logging in over SSH. Again, business as usual is expected here.
3. Now comes the good part: Since you tunneled your local port 7000 to the remotes localhost interface on (redis-) port 6379, you can create a new connection in Redis Desktop Manager, ignoring the SSH tab in the "New Connection" dialog and simply connecting to localhost:7000.