Thoughts on securing your NodeBB installation

About two weeks ago, the creator of Redis, antirez, published a blog entry in response to perceived security "faults" in Redis.

From time to time I get security reports about Redis. It’s good to get reports, but it’s odd that what I get is usually about things like Lua sandbox escaping, insecure temporary file creation, and similar issues, in a software which is designed (as we explain in our security page here http://redis.io/topics/security) to be totally insecure if exposed to the outside world.

Retrieved from http://antirez.com/news/96 (15 Nov 2015)

His post even goes in-depth and describes (with few modifications) how to utilise Redis as a vector to gain control of a host -- a hacker's dream.

Very soon after this blog post was published, we started receiving reports from owners of self-deployed NodeBB installations that their forums stopped working. Upon further investigation, it turns out Redis itself had been improperly configured for production use, allowing any malicious user to simply log in and erase all of the data stored in Redis.

His response to these compromises was surprising to me, in that it reflected a sentiment of "if you don't take the time to secure redis, it's not my fault".

While I completely understand (but do not agree with) antirez' approach, and having read the standard warning that open-source software (which Redis is) is offered AS IS, I can't help but feel as though even conducting the simplest of steps to offset the most basic of security compromises is better than doing nothing.

That said, here's a rough guide on securing your NodeBB installation. With these policies in place, you greatly decrease your risk of unauthorised access. Proper security policies in conjunction with a good backup strategy is the cornerstone of web hosting!


Use a password on your database

NodeBB is already able to interact with databases secured behind authentication. If you use Redis, require a password before access to data is granted.

In Redis, ensure that requirepass is utilised in your redis.conf.

In MongoDB, utilise user authorisation to prevent any connected client to access your databases.

Only allow access to your database via localhost

Both Redis and MongoDB have a bind_address style key in their respective configuration files. If your database is on the same server as your NodeBB, set it to 127.0.0.1 so that you can only connect to the database from the same server. Otherwise, consider using a private network and bind only to that interface.

Require SSH keys for server access

If you log in to your server with a password, consider securing it further by allowing access only to your ssh key.

Create one by running ssh-keygen -t rsa, and save the public key (found by default in ~/.ssh/id_rsa.pub) into the server's ~/.ssh/authorized_keys file.

Set up a simple firewall

Did you know Ubuntu comes with a simple firewall that you can set up on your own? By default it is off, but you can turn it on quite easily.

$ sudo ufw allow ssh
$ sudo ufw allow www
$ sudo ufw default deny incoming
$ sudo ufw enable

Additional Resources