I didn't say they were your servers...  Just servers in general.  And the
fact that I said one had someone logged in as root kind of implies that you
can log in as root, right?  Also, logging in as root is not the same as
having root "available" to everyone.


On Mon, Apr 15, 2013 at 11:07 AM, Keith Gable <zi...@ignition-project.com> wrote:

> Trick question: none of my servers allow root logins (PermitRootLogin No in
> sshd.conf)
>
> If CouchDB is wide open, the worst that can happen is your CouchDB data is
> deleted. If root is available, the worst that can happen is a total
> destruction of all data on the machine, potential compromise of other
> servers (because the password or key is known), and a really bad day. If
> you were using key-based authentication, it would be slightly better, but
> why not log in as you@server and use sudo if needed? Certainly you don't
> need root to do SSH tunneling.
>
>
>
> ---
> Keith Gable
> A+, Network+, and Storage+ Certified Professional
> Apple Certified Technical Coordinator
> Mobile Application Developer / Web Developer
>
>
> On Mon, Apr 15, 2013 at 9:55 AM, Tim Tisdall <tisd...@gmail.com> wrote:
>
> > Still don't see how ssh'ing in as root is anywhere as bad as having your
> > CouchDB open to the world with no password...
> >
> > If you had two machines, one with no password and public access to CouchDB
> > and another one with someone logged in via SSH as root and someone asked
> > you to delete the DB on one of those machines, which one would you go
> > after?
> >
> >
> > On Mon, Apr 15, 2013 at 10:23 AM, Keith Gable <zi...@ignition-project.com> wrote:
> >
> > > wow indeed.
> > >
> > > ---
> > > Keith Gable
> > > A+, Network+, and Storage+ Certified Professional
> > > Apple Certified Technical Coordinator
> > > Mobile Application Developer / Web Developer
> > >
> > >
> > > On Mon, Apr 15, 2013 at 9:18 AM, Robert Newson <rnew...@apache.org> wrote:
> > >
> > > > wow.
> > > >
> > > > On 15 April 2013 15:15, Tim Tisdall <tisd...@gmail.com> wrote:
> > > > > What's wrong with ssh'ing as root?
> > > > >
> > > > >
> > > > > On Mon, Apr 15, 2013 at 10:08 AM, Keith Gable <zi...@ignition-project.com> wrote:
> > > > >
> > > > >> But you're SSHing as root, which is probably worse than opening CouchDB
> > > > >> to the world with no password.
> > > > >>
> > > > >> ---
> > > > >> Keith Gable
> > > > >> A+, Network+, and Storage+ Certified Professional
> > > > >> Apple Certified Technical Coordinator
> > > > >> Mobile Application Developer / Web Developer
> > > > >>
> > > > >>
> > > > >> On Mon, Apr 15, 2013 at 8:45 AM, Tim Tisdall <tisd...@gmail.com> wrote:
> > > > >>
> > > > >> > Instead of opening CouchDB to the world, I simply access it by
> > > > >> > port-forwarding through ssh when I connect to the machine.  Like this:
> > > > >> >
> > > > >> > ssh -L 5984:127.0.0.1:5984 r...@mymachine.com
> > > > >> >
> > > > >> > Then on my local machine I can simply access
> > > > >> > http://localhost:5984/_utils/ and up comes futon.  It depends on your
> > > > >> > use-case, but this works well for me.
> > > > >> >
> > > > >> >
> > > > >> >
> > > > >> > On Mon, Apr 15, 2013 at 7:14 AM, Stefan Reich <stefan.reich.maker.of....@googlemail.com> wrote:
> > > > >> >
> > > > >> > > Hmm... maybe you guys can help me solve the rest of the problem?
> > > > >> > > (Access to couchdb from outside)
> > > > >> > >
> > > > >> > > These are the last iptables rules in chain INPUT:
> > > > >> > >
> > > > >> > > MY_REJECT  all  --  anywhere             anywhere
> > > > >> > > ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:5984
> > > > >> > >
> > > > >> > > Is that not what it should be...? Says "anywhere"... everywhere. Heh.
> > > > >> > >
> > > > >> > > Cheers,
> > > > >> > > Stefan
> > > > >> > >
> > > > >> > >
> > > > >> > > On Mon, Apr 15, 2013 at 1:08 PM, Stefan Reich <stefan.reich.maker.of....@googlemail.com> wrote:
> > > > >> > >
> > > > >> > > > OK, thanks for all the answers, folks. It was indeed iptables that
> > > > >> > > > blocked the port. This stuff should be designed (much) better in
> > > > >> > > > operating systems.
> > > > >> > > >
> > > > >> > > > Actually it's a project of mine to make that better (LuaOS and its
> > > > >> > > > follow-ups).
> > > > >> > > >
> > > > >> > > > I got iptables to allow access locally now. Weirdly, it still doesn't
> > > > >> > > > work over the Internet. And no, the server is not behind a
> > > > >> > > > firewall... :)
> > > > >> > > >
> > > > >> > > > Thanks,
> > > > >> > > > Stefan
> > > > >> > > >
> > > > >> > > >
> > > > >> > > > On Thu, Apr 11, 2013 at 3:30 AM, Andrey Kuprianov <andrey.koupria...@gmail.com> wrote:
> > > > >> > > >
> > > > >> > > >> See if your local.ini bind_address is set to 0.0.0.0 so that you can
> > > > >> > > >> access it locally and remotely.
> > > > >> > > >>
> > > > >> > > >>
> > > > >> > > >> On Thu, Apr 11, 2013 at 2:54 AM, Stanley Iriele <siriele...@gmail.com> wrote:
> > > > >> > > >>
> > > > >> > > >> > A simple cat of etc/hosts... Should let you know!... And maybe
> > > > >> > > >> > nsswitch just to be sure.
> > > > >> > > >> > On Apr 10, 2013 11:22 AM, "Robert Newson" <rnew...@apache.org> wrote:
> > > > >> > > >> >
> > > > >> > > >> > > Are you sure localhost == 127.0.0.1 on your machine? debian/ubuntu
> > > > >> > > >> > > are notorious for changing that convention.
> > > > >> > > >> > >
> > > > >> > > >> > > On 10 April 2013 14:20, Stanley Iriele <siriele...@gmail.com> wrote:
> > > > >> > > >> > > > Why are you telneting to it?... Try curling it and see what it
> > > > >> > > >> > > > responds with.
> > > > >> > > >> > > > On Apr 10, 2013 10:47 AM, "Stefan Reich" <stefan.reich.maker.of....@googlemail.com> wrote:
> > > > >> > > >> > > >
> > > > >> > > >> > > >> Oops, bad copy&paste - here's the actual process info:
> > > > >> > > >> > > >>
> > > > >> > > >> > > >> root@pussy-riot-germany:~/luastuff# ps -aef|grep 7651
> > > > >> > > >> > > >> couchdb   7651  7650  0 19:44 pts/0    00:00:00 /usr/lib/erlang/erts-5.8/bin/beam.smp -Bd -K true -- -root /usr/lib/erlang -progname erl -- -home /var/lib/couchdb -- -noshell -noinput -sasl errlog_type error -couch_ini /etc/couchdb/default.ini /etc/couchdb/local.ini /etc/couchdb/default.ini /etc/couchdb/local.ini -s couch -pidfile /var/run/couchdb/couchdb.pid -heart
> > > > >> > > >> > > >> couchdb   7682  7651  0 19:44 ?        00:00:00 heart -pid 7651 -ht 11
> > > > >> > > >> > > >>
> > > > >> > > >> > > >> Cheers,
> > > > >> > > >> > > >> Stefan
> > > > >> > > >> > > >>
> > > > >> > > >> > > >>
> > > > >> > > >> > > >> On Wed, Apr 10, 2013 at 7:46 PM, Stefan Reich <stefan.reich.maker.of....@googlemail.com> wrote:
> > > > >> > > >> > > >>
> > > > >> > > >> > > >> > Hi there!
> > > > >> > > >> > > >> >
> > > > >> > > >> > > >> > I'd like to start using CouchDB for my projects.
> > > > >> > > >> > > >> >
> > > > >> > > >> > > >> > This is on a Linux host. CouchDB installed from
> > > standard
> > > > >> > Debian
> > > > >> > > >> > > package,
> > > > >> > > >> > > >> > no settings altered. But it doesn't start
> properly:
> > > > >> > > >> > > >> >
> > > > >> > > >> > > >> > root@pussy-riot-germany:~/luastuff# uname -a
> > > > >> > > >> > > >> > Linux pussy-riot-germany 2.6.32-042stab068.8 #1
> SMP
> > > Fri
> > > > >> Dec 7
> > > > >> > > >> > 17:06:14
> > > > >> > > >> > > >> MSK
> > > > >> > > >> > > >> > 2012 i686 GNU/Linux
> > > > >> > > >> > > >> > root@pussy-riot-germany:~/luastuff#
> > > /etc/init.d/couchdb
> > > > >> > start
> > > > >> > > >> > > >> > Starting database server: couchdb.
> > > > >> > > >> > > >> > root@pussy-riot-germany:~/luastuff#
> > > /etc/init.d/couchdb
> > > > >> > status
> > > > >> > > >> > > >> > Apache CouchDB is running as process 7651, time to
> > > > relax.
> > > > >> > > >> > > >> > root@pussy-riot-germany:~/luastuff# telnet
> > localhost
> > > > 5984
> > > > >> > > >> > > >> > Trying ::1...
> > > > >> > > >> > > >> > Trying 127.0.0.1...
> > > > >> > > >> > > >> > telnet: Unable to connect to remote host:
> Connection
> > > > >> refused
> > > > >> > > >> > > >> >
> > > > >> > > >> > > >> > Connection refused?
> > > > >> > > >> > > >> >
> > > > >> > > >> > > >> > Here's the process info:
> > > > >> > > >> > > >> >
> > > > >> > > >> > > >> > root@pussy-riot-germany:~/luastuff# uname -a
> > > > >> > > >> > > >> > Linux pussy-riot-germany 2.6.32-042stab068.8 #1
> SMP
> > > Fri
> > > > >> Dec 7
> > > > >> > > >> > 17:06:14
> > > > >> > > >> > > >> MSK
> > > > >> > > >> > > >> > 2012 i686 GNU/Linux
> > > > >> > > >> > > >> > root@pussy-riot-germany:~/luastuff#
> > > /etc/init.d/couchdb
> > > > >> > start
> > > > >> > > >> > > >> > Starting database server: couchdb.
> > > > >> > > >> > > >> > root@pussy-riot-germany:~/luastuff#
> > > /etc/init.d/couchdb
> > > > >> > status
> > > > >> > > >> > > >> > Apache CouchDB is running as process 7651, time to
> > > > relax.
> > > > >> > > >> > > >> > root@pussy-riot-germany:~/luastuff# telnet
> > localhost
> > > > 5984
> > > > >> > > >> > > >> > Trying ::1...
> > > > >> > > >> > > >> > Trying 127.0.0.1...
> > > > >> > > >> > > >> > telnet: Unable to connect to remote host:
> Connection
> > > > >> refused
> > > > >> > > >> > > >> >
> > > > >> > > >> > > >> > Please help, dear experts... :)
> > > > >> > > >> > > >> >
> > > > >> > > >> > > >> > Cheers,
> > > > >> > > >> > > >> > Stefan
> > > > >> > > >> > > >> >
> > > > >> > > >> > > >> >
> > > > >> > > >> > > >>
> > > > >> > > >> > >
> > > > >> > > >> >
> > > > >> > > >>
> > > > >> > > >
> > > > >> > > >
> > > > >> > >
> > > > >> >
> > > > >>
> > > >
> > >
> >
>
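The iptables listing Stefan quoted deeper in the thread explains why port 5984 stayed closed from outside even after he "got iptables to allow access locally": the INPUT chain is evaluated top-down and the first matching rule wins, so an ACCEPT for dport 5984 appended after a catch-all MY_REJECT is never reached. The following Python checker is an added example, not code from the thread or from CouchDB. It parses `iptables -L INPUT`-style output and reports ACCEPT rules shadowed by an earlier terminating catch-all. The listing it runs on is constructed to mirror the two quoted rules (the RELATED,ESTABLISHED and ssh rules are added for realism), and MY_REJECT is assumed to be a user-defined chain that rejects; neither assumption comes from the thread.

```python
"""Find ACCEPT rules in an iptables chain listing that can never match
because an earlier catch-all DROP/REJECT rule terminates evaluation first.

Added example for the mailing-list thread above; not code from the thread
or from the CouchDB project. Input format mirrors `iptables -L INPUT`
(without -v, so no interface columns). The sample listing is constructed;
treating MY_REJECT as a terminating target is an assumption.
"""
import re
from typing import Dict, List, NamedTuple

# Targets that end evaluation of the chain. MY_REJECT is assumed (see above).
TERMINATING = {"DROP", "REJECT", "MY_REJECT"}
# How "match anything" appears in -L output, with and without -n.
ANY_ADDR = {"anywhere", "0.0.0.0/0", "::/0"}


class Rule(NamedTuple):
    index: int      # 1-based position in the chain, as `iptables -L --line-numbers` would show
    target: str
    proto: str
    source: str
    dest: str
    extra: str      # trailing match text, e.g. "tcp dpt:5984"; "" when absent


# Constructed sample in `iptables -L INPUT` layout. The last two rules are
# the ones quoted in the thread; the first two are plausible filler.
SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
MY_REJECT  all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:5984
"""

# target prot opt source destination [extra...]
RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_listing(text: str) -> List[Rule]:
    """Turn `iptables -L <chain>` output into Rule records, skipping headers."""
    rules: List[Rule] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Chain ") or line.startswith("target "):
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"unparsable rule line: {line!r}")
        target, proto, _opt, src, dst, extra = m.groups()
        rules.append(Rule(len(rules) + 1, target, proto, src, dst, extra.strip()))
    return rules


def is_catch_all(rule: Rule) -> bool:
    """True when the rule has no match criteria at all (all protocols, any
    source, any destination, no extra match), so every packet hits it."""
    return (rule.proto == "all" and rule.source in ANY_ADDR
            and rule.dest in ANY_ADDR and rule.extra == "")


def shadowed_accepts(rules: List[Rule]) -> List[Dict[str, object]]:
    """Return every ACCEPT that sits after a terminating catch-all rule.

    Evaluation is first-match, so once a catch-all DROP/REJECT is reached no
    later rule in the chain is ever consulted."""
    findings: List[Dict[str, object]] = []
    blocker = None
    for rule in rules:
        if blocker is None:
            if rule.target in TERMINATING and is_catch_all(rule):
                blocker = rule
            continue
        if rule.target == "ACCEPT":
            findings.append({
                "rule": rule.index,
                "match": rule.extra or "(any)",
                "shadowed_by": blocker.index,
            })
    return findings


if __name__ == "__main__":
    for f in shadowed_accepts(parse_listing(SAMPLE_LISTING)):
        print(f"rule {f['rule']} (ACCEPT {f['match']}) is unreachable: "
              f"rule {f['shadowed_by']} rejects every packet before it")
```

Run against real output with `iptables -L INPUT --line-numbers | python3 check.py` after replacing the sample with `sys.stdin.read()`. The remedy, if the port really should be exposed, is to place the rule before the catch-all (`iptables -I INPUT -p tcp --dport 5984 -j ACCEPT` inserts at the top rather than appending); the safer answer in the thread's own terms is to leave 5984 closed and reach Futon over an SSH tunnel as a non-root user with sudo available.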
