15.12.2017

Petr Bravenec

We have been using CouchDB successfully for many years. A few days ago our monitoring system warned us that CPU usage was over 100%. Someone had installed xmrig, an application for cryptocurrency mining. I acted quickly. I stopped CouchDB, removed the intruder's database, disabled access without encryption, obtained certificates from Let's Encrypt, changed passwords and disabled new user creation.

Precaution

Creating users

If you want CouchDB to be accessible via the Internet, the first thing you should do is create an administrator account and other accounts for access to the databases. By default CouchDB grants administrator access to anyone, but it listens only on 127.0.0.1, so access is possible only from localhost. If you open a server in this state to the whole world (CouchDB calls this state "Admin Party"), anyone can do anything with your database server.

Users, of course, had been created on our server. If you want to operate a server without users, the documentation gives you plenty of warnings:

CouchDB, The Definitive Guide – Security
Apache CouchDB 2.0 Documentation » 1. Introduction » 1.6. Security

Enable SSL access

SSL access has always been enabled on our server and our applications used encrypted access exclusively. Still, I reviewed the SSL setup once more and replaced the self-signed certificates with certificates from Let's Encrypt. I will not describe here how to get certificates from Let's Encrypt. I have certificates available for other services running on the server.

In the file /etc/couchdb/local.ini:

[httpd]
; Server listens on the public IPv6 address (including IPv4)
bind_address = ::

[daemons]
; start HTTPS service
httpsd = {couch_httpd, start_link, [https]}

[ssl]
; path to certificates
cert_file = /home/certificates/.acme.sh/couchdb.hobrasoft.cz/fullchain.cer
key_file  = /home/certificates/.acme.sh/couchdb.hobrasoft.cz/couchdb.hobrasoft.cz.key

Disable access without SSL encryption

This required some googling and experimenting. In the configuration file /etc/couchdb/default.ini you have to disable the unencrypted HTTP service:

[daemons]
; Remove this line or comment it out with the ; character
; httpd={couch_httpd, start_link, []}

[CouchDB-user] Disable default unsecure plain HTTP 5984

Disable new users creation

CouchDB shocked me a little bit: in the default configuration virtually anyone can create a new user and possibly a database. Again, I returned to Google and found a procedure to disable user creation. I was surprised that it could not be done more simply.

In the _users database, in the document _design/_auth, you have to modify the code in the validate_doc_update field. The check of the user is made by the is_server_or_database_admin() function. The original code looks like this:

//[…existing code…]
if (!is_server_or_database_admin(userCtx, secObj)) {
    if (oldDoc) { // validate non-admin updates
//[…existing code…]

You have to add one new line. Then the code looks like this:

//[…existing code…]
if (!is_server_or_database_admin(userCtx, secObj)) {
    throw({forbidden: 'Users can only be created by server db admins in this specific CouchDB installation'});
    if (oldDoc) { // validate non-admin updates
//[…existing code…]

CouchDB: user creation without authentication. standard behavior?
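
What the added line changes in practice, shown as an added example that is neither CouchDB's code nor the author's: a simplified stand-in for the branch above, run against three constructed writes to _users (the helper names, sample users and the second error message are assumptions). It also shows a side effect of the change: because the throw comes before the if (oldDoc) branch, non-admin users can no longer update their own user document, for example to change their password.

```javascript
// Simplified stand-in for the branch of validate_doc_update shown above.
// Assumption: server admins carry the "_admin" role and database admins are
// listed by name in the security object. The real function checks more.
function isServerOrDatabaseAdmin(userCtx, secObj) {
  if (userCtx.roles.indexOf('_admin') !== -1) return true;
  const names = (secObj && secObj.admins && secObj.admins.names) || [];
  return names.indexOf(userCtx.name) !== -1;
}

// Build the validator with or without the added throw.
function makeValidator(patched) {
  return function (newDoc, oldDoc, userCtx, secObj) {
    if (!isServerOrDatabaseAdmin(userCtx, secObj)) {
      if (patched) {
        throw { forbidden: 'Users can only be created by server db admins ' +
                           'in this specific CouchDB installation' };
      }
      // Stand-in for the original non-admin update checks.
      if (oldDoc && userCtx.name !== newDoc.name) {
        throw { forbidden: 'not your own user document (stand-in message)' };
      }
    }
  };
}

// Run one write through a validator; CouchDB rejects the write when it throws.
function attempt(validate, newDoc, oldDoc, userCtx) {
  try {
    validate(newDoc, oldDoc, userCtx, { admins: { names: [], roles: [] } });
    return 'accepted';
  } catch (e) {
    if (e && e.forbidden) return 'forbidden';
    throw e;
  }
}

// Constructed sample users and documents.
const anon = { name: null, roles: [] };
const alice = { name: 'alice', roles: [] };
const admin = { name: 'root', roles: ['_admin'] };
const aliceDoc = { _id: 'org.couchdb.user:alice', name: 'alice', type: 'user', roles: [] };
const newDoc = { _id: 'org.couchdb.user:newuser', name: 'newuser', type: 'user', roles: [] };

function scenarios(patched) {
  const v = makeValidator(patched);
  return { anonymousSignup: attempt(v, newDoc, null, anon),
           adminCreatesUser: attempt(v, newDoc, null, admin),
           userUpdatesOwnDoc: attempt(v, aliceDoc, aliceDoc, alice) };
}
console.log({ original: scenarios(false), patched: scenarios(true) });
```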

Conclusion

The CouchDB database is very easy to set up and use in its default setting, which may conflict with security. Of course, the database can be used safely on the Internet, but it is necessary to set it up properly.
