lulz! ^_^
Okay, first of all... I didn't start this thread. I was suggesting a
possible solution to accessing CouchDB without having to open the server to
the general public with no password.
For some reason I got a comment that logging in as root was "worse" than
making CouchDB publicly acces
Michael,
You are quite right to call me on my non-contribution to this thread,
I apologise.
I always set AllowRootLogin to false on ssh in the spirit of
defence-in-depth, coupled with the "UsePrivilegeSeparation yes"
setting.
SSH'ing to a non-privileged user account, allowed to sudo with a
pass
Hi Keith and others.
First off, I'd prefer to read discussions on this list based on facts
and not just "wow". You may have a point, but it's not a very nice
welcome to Tim who is writing in with a beginners question (his own
wording - not mine).
Second, I'd like to pick up your comment on r
On Mon, Apr 15, 2013 at 9:18 AM, Robert Newson wrote:
> wow.
>
retweet
>
> On 15 April 2013 15:15, Tim Tisdall wrote:
> > What's wrong with ssh'ing as root?
> >
>
I didn't say they were your servers... Just servers in general. And the
fact that I said one had someone logged in as root kind of implies that you
can log in as root, right? Also, logging in as root is not the same as
having root "available" to everyone.
On Mon, Apr 15, 2013 at 11:07 AM, Keit
"... SSHing as root, which is probably worse than opening CouchDB to the
world with no password."
I don't see how they're equivalent or even similar... hence my question.
And I don't see anything inherently wrong with ssh'ing as root, too. As
far as the external world is concerned, ssh'ing in as
Trick question: none of my servers allow root logins (PermitRootLogin No in
sshd.conf)
If CouchDB is wide open, the worst that can happen is your CouchDB data is
deleted. If root is available, the worst that can happen is a total
destruction of all data on the machine, potential compromise of othe
That's a false equivalence. You should not open couchdb to the world
before you set an administration password in the first place. :)
B.
On 15 April 2013 15:55, Tim Tisdall wrote:
> Still don't see how ssh'ing in as root is anywhere as bad as having your
> CouchDB open to the world with no passw
Still don't see how ssh'ing in as root is anywhere as bad as having your
CouchDB open to the world with no password...
If you had two machines, one with no password and public access to CouchDB
and another one with someone logged in via SSH as root and someone asked
you to delete the DB on one of
wow indeed.
---
Keith Gable
A+, Network+, and Storage+ Certified Professional
Apple Certified Technical Coordinator
Mobile Application Developer / Web Developer
On Mon, Apr 15, 2013 at 9:18 AM, Robert Newson wrote:
> wow.
>
> On 15 April 2013 15:15, Tim Tisdall wrote:
> > What's wrong with ss
http://serverfault.com/questions/57962/whats-wrong-with-always-being-root
---
Keith Gable
A+, Network+, and Storage+ Certified Professional
Apple Certified Technical Coordinator
Mobile Application Developer / Web Developer
On Mon, Apr 15, 2013 at 9:15 AM, Tim Tisdall wrote:
> What's wrong with
On Mon, 15 Apr 2013 14:36:04 +0200, Stefan Reich wrote:
> Hi Robert,
>
> thanks for the answer.
>
> Now it's actually done... I looked up /etc/init.d/firewall and added
> a line there according to other lines that already existed:
>
> iptables -A INPUT -i $device -m state --state NEW -p
wow.
On 15 April 2013 15:15, Tim Tisdall wrote:
> What's wrong with ssh'ing as root?
>
>
> On Mon, Apr 15, 2013 at 10:08 AM, Keith Gable
> wrote:
>
>> But you're SSHing as root, which is probably worse than opening CouchDB to
>> the world with no password.
>>
>> ---
>> Keith Gable
>> A+, Network
What's wrong with ssh'ing as root?
On Mon, Apr 15, 2013 at 10:08 AM, Keith Gable wrote:
> But you're SSHing as root, which is probably worse than opening CouchDB to
> the world with no password.
>
> ---
> Keith Gable
> A+, Network+, and Storage+ Certified Professional
> Apple Certified Technical
ufw and shorewall are great wrappers for iptables that abstract iptables's
terminology into something better.
If you want a GUI to build the firewall config, check out FWBuilder. There
are a few others that exist as well, but I cannot remember what they're
called.
If you're having trouble setting
But you're SSHing as root, which is probably worse than opening CouchDB to
the world with no password.
---
Keith Gable
A+, Network+, and Storage+ Certified Professional
Apple Certified Technical Coordinator
Mobile Application Developer / Web Developer
On Mon, Apr 15, 2013 at 8:45 AM, Tim Tisdall
Instead of opening CouchDB to the world, I simply access it by
port-forwarding through ssh when I connect to the machine. Like this:
ssh -L 5984:127.0.0.1:5984 r...@mymachine.com
Then on my local machine I can simply access http://localhost:5984/_utils/ and
up comes futon. It depends on your us
Stefan, is ufw available to you on your OS? I find that a million times easier
than editing iptables.
On Apr 15, 2013, at 7:36 AM, Stefan Reich
wrote:
> Hi Robert,
>
> thanks for the answer.
>
> Now it's actually done... I looked up /etc/init.d/firewall and added a line
> there according to
Hi Robert,
thanks for the answer.
Now it's actually done... I looked up /etc/init.d/firewall and added a line
there according to other lines that already existed:
iptables -A INPUT -i $device -m state --state NEW -p tcp --dport 5984 -j ACCEPT
This crap (sorry) REALLY should be more intuitiv
Stefan,
CouchDB defaults to binding to 127.0.0.1 only (so that you can set an
admin password).
Do curl -XPUT localhost:5984/_config/httpd/bind_address -d '"0.0.0.0"'
to bind it to all interfaces (but do set an admin user/password
first).
For iptables, remember to add to -v (e.g, iptables -L -n -
Hmm... maybe you guys can help me solve the rest of the problem? (Access to
couchdb from outside)
These are the last iptables rules in chain INPUT:
MY_REJECT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:5984
Is that not what it sho
OK, thanks for all the answers, folks. It was indeed iptables that blocked
the port. This stuff should be designed (much) better in operating systems.
Actually it's a project of mine to make that better (LuaOS and its
follow-ups).
I got iptables to allow access locally now. Weirdly, it still does
See if your local.ini bind_address is set to 0.0.0.0 so that you can access
it locally and remotely.
On Thu, Apr 11, 2013 at 2:54 AM, Stanley Iriele wrote:
> A simple cat of etc/hosts... Should let you know!... And maybe nsswitch
> just to be sure
> On Apr 10, 2013 11:22 AM, "Robert Newson" wro
A simple cat of etc/hosts... Should let you know!... And maybe nsswitch
just to be sure
On Apr 10, 2013 11:22 AM, "Robert Newson" wrote:
> Are you sure localhost == 127.0.0.1 on your machine? debian/ubuntu are
> notorious for changing that convention.
>
> On 10 April 2013 14:20, Stanley Iriele w
Are you sure localhost == 127.0.0.1 on your machine? debian/ubuntu are
notorious for changing that convention.
On 10 April 2013 14:20, Stanley Iriele wrote:
> Why are you telnetting to it?... try curling it and see what it responds with
> On Apr 10, 2013 10:47 AM, "Stefan Reich" <
> stefan.reich.ma
Why are you telnetting to it?... try curling it and see what it responds with
On Apr 10, 2013 10:47 AM, "Stefan Reich" <
stefan.reich.maker.of@googlemail.com> wrote:
> Oops, bad copy&paste - here's the actual process info:
>
> root@pussy-riot-germany:~/luastuff# ps -aef|grep 7651
> couchdb 765
Do you have any firewall (iptables) rules running?
On Wed, Apr 10, 2013 at 1:47 PM, Stefan Reich <
stefan.reich.maker.of@googlemail.com> wrote:
> Oops, bad copy&paste - here's the actual process info:
>
> root@pussy-riot-germany:~/luastuff# ps -aef|grep 7651
> couchdb 7651 7650 0 19:44 p
Oops, bad copy&paste - here's the actual process info:
root@pussy-riot-germany:~/luastuff# ps -aef|grep 7651
couchdb 7651 7650 0 19:44 pts/0 00:00:00
/usr/lib/erlang/erts-5.8/bin/beam.smp -Bd -K true -- -root /usr/lib/erlang
-progname erl -- -home /var/lib/couchdb -- -noshell -noinput -sasl
Hi there!
I'd like to start using CouchDB for my projects.
This is on a Linux host. CouchDB installed from standard Debian package, no
settings altered. But it doesn't start properly:
root@pussy-riot-germany:~/luastuff# uname -a
Linux pussy-riot-germany 2.6.32-042stab068.8 #1 SMP Fri Dec 7 17:06