Re: CouchDB in the cloud - security assessment from dev team?

2017-05-27 Thread Paul Hammant
Jan,

Looking at https://docs.bitnami.com/general/infrastructure/couchdb/ they're
making an admin account by default, which implies that ransomware stuff
won't happen simply because admin-party-mode == true

The documentation recommends the reader should edit local.ini in three
places. One to get it to accept connections from something other than
127.0.0.1, another for changing the admin password, and the last to set up
HTTPS (with certs).

From a DevOps point of view, scripts would be better:
 openCouchUpFrom127001ToAll.sh, chgCouchAdminPassword.sh and the like.

I'll do some more checking.

Regards,

- Paul
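The three local.ini edits above, as an added example that is not from this thread or from Bitnami: an audit of a local.ini for the exposed-without-admins state (CouchDB's "admin party") and a helper that applies all three edits in one step. It assumes CouchDB 2.x section names ([chttpd], [admins], [ssl]) and uses a constructed sample file.

```python
import configparser
import io

# Constructed sample of a local.ini that listens on all interfaces with no
# admin configured (illustrative, not Bitnami's actual file).
WEAK_LOCAL_INI = """\
[chttpd]
bind_address = 0.0.0.0
[admins]
[ssl]
"""

def _parse(text):
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    cp.optionxform = str  # keep admin user names case-sensitive
    cp.read_string(text)
    return cp

def audit_local_ini(text):
    """Return findings for the three settings the docs tell you to edit."""
    cp = _parse(text)
    findings = []
    bind = None
    for section in ("chttpd", "httpd"):  # 2.x serves clients from [chttpd]; 1.x used [httpd]
        if cp.has_option(section, "bind_address"):
            bind = cp.get(section, "bind_address").strip()
    exposed = bind is not None and bind not in ("127.0.0.1", "::1")
    admins = dict(cp.items("admins")) if cp.has_section("admins") else {}
    if not admins:
        findings.append("admin party: no [admins] entry, every client is an admin")
    for user, secret in admins.items():
        if not (secret or "").startswith(("-pbkdf2-", "-hashed-")):
            findings.append(f"admins/{user}: plaintext password, CouchDB hashes it only after a restart")
    if exposed and not admins:
        findings.append(f"bind_address={bind}: admin party reachable from the network")
    ssl_on = cp.has_option("ssl", "enable") and cp.getboolean("ssl", "enable")
    if exposed and not ssl_on:
        findings.append(f"bind_address={bind}: HTTPS not enabled, credentials travel in clear")
    if ssl_on and not (cp.has_option("ssl", "cert_file") and cp.has_option("ssl", "key_file")):
        findings.append("ssl: enable=true but cert_file/key_file missing")
    return findings

def harden_local_ini(text, admin_user, admin_password, cert_file, key_file):
    """Apply the three documented edits at once; returns the new local.ini text."""
    cp = _parse(text)
    for section in ("chttpd", "admins", "ssl"):
        if not cp.has_section(section):
            cp.add_section(section)
    cp.set("chttpd", "bind_address", "0.0.0.0")   # reachable, but only together with the lines below
    cp.set("admins", admin_user, admin_password)  # CouchDB replaces this with a pbkdf2 hash on next start
    cp.set("ssl", "enable", "true")
    cp.set("ssl", "cert_file", cert_file)
    cp.set("ssl", "key_file", key_file)
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()
```

Run the audit before and after a restart: the plaintext-password finding should disappear once CouchDB has rewritten the [admins] value as a hash.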


Re: CouchDB in the cloud - security assessment from dev team?

2017-05-23 Thread Jan Lehnardt
Heya Paul,

all good questions, I think you’d have to ask the Bitnami folks about this 
specifically, or hire someone (*cough*) to make an external assessment.

Best
Jan
--

> On 23. May 2017, at 14:21, Paul Hammant  wrote:
> 
> https://bitnami.com/stack/couchdb
> 
> One click* will get you a couch instance in Google or Amazon's infra. At
> least in Google's case they handle SSL off in the tier above ... but what
> else has been hardened about these ?
> Does anyone know?
> Is there a couch_vulns.sh script one can run against a couch install to
> look for issues?
> 
> Although WannaCry was in the news last week, Couch was too in Jan -
> http://www.pcworld.com/article/3159527/security/attackers-start-wiping-data-from-couchdb-and-hadoop-databases.html
> ,
> https://lists.apache.org/thread.html/5bfd5b30613ac918276bab64a01f00cb451a19624a212b288ffe43b5@%3Cdev.couchdb.apache.org%3E
> and a consequential blog entry from this group that I can't find right now.
> 
> - Paul
> 
> * not really one click, but close.

-- 
Professional Support for Apache CouchDB:
https://neighbourhood.ie/couchdb-support/