Security threat to Neo4j


Navrattan Yadav

Dec 12, 2013, 10:10:34 AM
to ne...@googlegroups.com
Some background:

   . We are using the Neo4j 2.0 library and creating the database using Java code. We are not using any REST APIs provided by Neo4j.
   . We are not using any server (Neo4j Community or Enterprise server) to open the database.
   . Server: Amazon with Ubuntu (encryption on for every request and response)

Security issue:

   . Whenever a new relation gets created, a few extra nodes get added to the newly created node, and surprisingly that node is created from a
     Nigerian IP and never has any outgoing relations.
   . Is there any possibility that our Neo4j instance is compromised, as a hacker is able to traverse and run a lot of Cypher commands for
     which we did not expose any query?

Things we did to fix the issue:

1. Started using query parameters.
2. Removed Neo4j Server (only opening the DB using Java).

We still believe we have a security threat, as newly created nodes get associated with random nodes (all from Nigeria).


Thanks for the help in advance.

Nigel Small

Dec 12, 2013, 10:16:03 AM
to Neo4J
Is your database port open to the Internet? Standard practice would be to have an application layer on top of your database which would prevent external access.


--
You received this message because you are subscribed to the Google Groups "Neo4j" group.
To unsubscribe from this group and stop receiving emails from it, send an email to neo4j+un...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

navrattan....@gmail.com

Dec 12, 2013, 10:20:18 AM
to Neo4J
We have ports 7474 and 7473 open.


Wes Freeman

Dec 12, 2013, 10:31:26 AM
to ne...@googlegroups.com
If you have ports 7474 and 7473 open, then you ARE using the server?

Wes

Nigel Small

Dec 12, 2013, 11:09:53 AM
to Neo4J
The default server configuration has a section like this:

# Let the webserver only listen on the specified IP. Default is localhost (only
# accept local connections). Uncomment to allow any connection. Please see the
# security section in the neo4j manual before modifying this.
#org.neo4j.server.webserver.address=0.0.0.0

The default values ensure that only the localhost can connect to the database so that external access cannot occur. Have you amended this to enable 0.0.0.0 or similar?
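The rule Nigel describes (a commented-out line leaves the localhost default in force; an uncommented 0.0.0.0 binds every interface) can be checked mechanically rather than by eye. The following Python is an added example, not code from Neo4j or from anyone in this thread: it reads the text of a neo4j-server.properties file, applies Java properties semantics to find the effective value of org.neo4j.server.webserver.address, and reports whether that address accepts connections from other hosts. The sample configurations below are constructed here; treating an empty value as equivalent to the default is an assumption.

```python
import ipaddress
import re

KEY = "org.neo4j.server.webserver.address"
DEFAULT_ADDRESS = "localhost"   # the default named in the config comment

# One Java .properties line: key, optional '=' or ':' separator, value.
# Lines starting with '#' or '!' are comments and leave the default in force.
_LINE = re.compile(r"^\s*([^=:\s]+)\s*[=:]?\s*(.*?)\s*$")


def effective_webserver_address(properties_text: str) -> str:
    """Return the address the web server would bind to; the last assignment wins."""
    value = DEFAULT_ADDRESS
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = _LINE.match(line)
        if m and m.group(1) == KEY:
            # Assumption: an empty value behaves like an absent key (default).
            value = m.group(2) or DEFAULT_ADDRESS
    return value


def is_externally_reachable(address: str) -> bool:
    """True when the bind address accepts connections from other hosts."""
    if address in ("localhost", "ip6-localhost"):
        return False
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        # Some other hostname resolves to a real interface: treat as exposed.
        return True
    # 0.0.0.0 / :: (unspecified) and any routable address are reachable;
    # only loopback (127.0.0.0/8, ::1) is not.
    return not ip.is_loopback


def audit_config(properties_text: str):
    """Return (effective address, exposed?) for one properties file."""
    address = effective_webserver_address(properties_text)
    return address, is_externally_reachable(address)


# Constructed samples: the shipped default (line commented out) and an
# amended file that opens the web server to every interface.
DEFAULT_CONFIG = """
# Let the webserver only listen on the specified IP. Default is localhost (only
# accept local connections). Uncomment to allow any connection.
#org.neo4j.server.webserver.address=0.0.0.0
org.neo4j.server.webserver.port=7474
"""

OPEN_CONFIG = DEFAULT_CONFIG.replace("#org.neo4j", "org.neo4j")

if __name__ == "__main__":
    for name, text in (("default", DEFAULT_CONFIG), ("amended", OPEN_CONFIG)):
        address, exposed = audit_config(text)
        print(f"{name}: binds {address}; reachable from other hosts: {exposed}")
```

Run it against the real file with `audit_config(open("conf/neo4j-server.properties").read())`; a result of `(..., True)` on a machine whose ports are also open in the firewall is the combination this thread is worried about.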

Lasse Westh-Nielsen

Dec 12, 2013, 11:15:32 AM
to ne...@googlegroups.com

On 12/12/2013, at 16.10, Navrattan Yadav <navrattan....@gmail.com> wrote:

Server: Amazon with Ubuntu (Encryption on for every request and response)

By "encryption" I guess you mean you have HTTPS enabled?

Anyway: if you do not have an AWS security group protecting that server then anyone can access it, HTTPS or not. And you really should not do that.

 - Lasse


Navrattan Yadav

Dec 12, 2013, 1:49:51 PM
to Neo4J
No. We are not using the server.
Thanks and Regards

Navrattan Yadav

Navrattan Yadav

Dec 12, 2013, 1:52:51 PM
to Neo4J
We have the server, and this line is commented:

#org.neo4j.server.webserver.address=0.0.0.0

But our server is not running. We are not using that.

Mark Needham

Dec 12, 2013, 2:21:38 PM
to ne...@googlegroups.com

Could you run these commands and paste the results?

lsof -i :7473
lsof -i :7474

Navrattan Yadav

Dec 12, 2013, 2:29:14 PM
to Neo4J
I ran both commands, but no result:

root@ip-172-31-8-121:/home/ubuntu# lsof -i :7474
root@ip-172-31-8-121:/home/ubuntu# lsof -i :7473
root@ip-172-31-8-121:/home/ubuntu#

Mark Needham

Dec 12, 2013, 2:38:32 PM
to ne...@googlegroups.com

So that means there's nothing running on ports 7374 and 7474, unless you have the server running as root, in which case I don't think those commands would show you anything.

Btw how do you know which IP the nodes are being created from?

Navrattan Yadav

Dec 13, 2013, 4:38:27 AM
to Neo4J
We don't have HTTPS for our REST APIs. We use standard Base encryption for every request and response.



Navrattan Yadav

Dec 13, 2013, 5:12:00 AM
to Neo4J
We don't have HTTPS that directly accesses our REST APIs.

Yes, we have a security group enabled on AWS and a few ports are open, including 7474 and 7473, but after the attack we removed the Enterprise Neo4j server, therefore in theory nothing is running on these ports even though they are open.

According to my minimal knowledge of Neo4j, we feel only the Apache instance is running, and that's the one that's talking to the Neo4j DB.

I am confused about one thing though. Are Neo4j Server and Neo4j Web Admin one and the same thing? We tried using this link but then didn't go further, as we think only the
Apache instance is running. Are we correct?



Michael Hunger

Dec 15, 2013, 5:05:43 PM
to ne...@googlegroups.com
Can you please detail exactly what you're doing with Neo4j, what your architecture looks like, and what ports are open on that machine and why?

And how you figured out the Nigerian IPs.

I think you should terminate that machine (might be infected) and set up a clean instance with only what you need and only ports open to a trusted network.

Michael



Navrattan Yadav

Dec 16, 2013, 12:16:36 PM
to Neo4J
Hi Michael,

Thanks for reverting back. I'm sure with your feedback we would be able to have a secured Neo4j architecture.

We are building a social sharing network based on phonebook, activities and interests, and leveraging the power of Neo4j for building relations.

We are using an AWS EC2 instance, Ubuntu 12.4 (with private key), and have Tomcat, Neo4j Server (Enterprise, in disabled mode), Tomcat, Java, phpadmin and
MySQL. We have an application layer on REST APIs (the only way a user can access the REST API is after doing base-256 of the initial login info) that can be accessed
via web and mobile apps. We do not directly expose any Neo4j database or MySQL database (we are using the jar file from Neo4j).

Open ports are:

20 - 21          0.0.0.0/0
22 (SSH)         0.0.0.0/0
80 (HTTP)        0.0.0.0/0
443 (HTTPS)      0.0.0.0/0
1024 - 1028      0.0.0.0/0
3306 (MYSQL)     0.0.0.0/0
3478 - 3479      0.0.0.0/0
5222             0.0.0.0/0
5229             0.0.0.0/0
5269             0.0.0.0/0
5280             0.0.0.0/0
7070             0.0.0.0/0
7443             0.0.0.0/0
7473             0.0.0.0/0
7474             0.0.0.0/0
7777             0.0.0.0/0
8000             0.0.0.0/0
8079             0.0.0.0/0
8080 (HTTP*)     0.0.0.0/0


We found that one of the nodes always gets added to different nodes. We checked the phone number and then added logs, and can see in the Tomcat logs the IP
address the request is coming from. Not sure if the IP address is spoofed, but this is what we see in the logs. It's the same IP every time.

I am not a server guy, that's why maybe I exposed something by mistake, but can anyone access Neo4j data without the REST APIs or without Neo4j Server?

The surprising thing is, whenever a new node gets created, in the next few seconds a few Nigerian nodes (their IP and phone number are from Nigeria; they are always the same)
show up in the friend list.

We don't have any REST API that can update anyone's relations.


Thanks in advance.

Lasse Westh-Nielsen

Dec 17, 2013, 3:09:21 AM
to Neo4j User
Navrattan,

So your application layer lives in the cloud alongside your Neo4j Server - good. I assume you have application servers and database servers separate?

But make sure your database server is safely tucked away on AWS. There are basically two ways of doing that:

1) VPC: http://aws.amazon.com/vpc/ - I think this is their gold plated solution, when I last looked at this ~2 years ago it was immature but I think this should be your first port of call.
2) Security groups' origin policies: http://aws.amazon.com/ec2/faqs/#How_do_I_prevent_other_people_from_viewing_my_systems - simply have machines in your DB group only accessible from machines in your App group. When I last built such a system it was good enough for a large UK corporate, so ought to be useful to you too?

So basically, on your DB servers only port 7474 ought to be open, and only open _from certain machines_ (and SSH for management of course).

Good luck!


(Neo Technology)<-[:WORK_FOR]-(I)-[:DEVELOP]->(Neo4j)
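The policy Lasse lays out (database ports reachable only from the application tier's group, SSH only from a management range, nothing on the DB host open to 0.0.0.0/0) can be audited against a rule listing like the one Navrattan posted. The following Python is an added example, not code from AWS, Neo Technology, or anyone in this thread: it models each ingress rule as a port range plus a source (a CIDR or a security-group id), flags every rule that breaks the policy, and renders the minimal replacement rules as the equivalent `aws ec2 authorize-security-group-ingress` invocations. The rule list is constructed from the thread's listing; the group ids `sg-app-tier` and `sg-db-tier` and the admin range 203.0.113.0/24 (an RFC 5737 documentation prefix) are placeholders.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class IngressRule:
    from_port: int
    to_port: int
    source: str  # a CIDR such as "0.0.0.0/0", or a security-group id such as "sg-app-tier"

    def covers(self, port: int) -> bool:
        return self.from_port <= port <= self.to_port


# Placeholder identifiers for the two tiers; substitute the real group ids.
APP_TIER_GROUP = "sg-app-tier"
ADMIN_CIDR = "203.0.113.0/24"   # placeholder management range (RFC 5737)

# Ports that must never be reachable from anywhere but the application tier.
DB_PORTS: Dict[int, str] = {7474: "Neo4j HTTP", 7473: "Neo4j HTTPS", 3306: "MySQL"}

# Constructed from the listing posted in the thread (every rule open to the world).
THREAD_RULES = [
    IngressRule(20, 21, "0.0.0.0/0"), IngressRule(22, 22, "0.0.0.0/0"),
    IngressRule(80, 80, "0.0.0.0/0"), IngressRule(443, 443, "0.0.0.0/0"),
    IngressRule(1024, 1028, "0.0.0.0/0"), IngressRule(3306, 3306, "0.0.0.0/0"),
    IngressRule(3478, 3479, "0.0.0.0/0"), IngressRule(5222, 5222, "0.0.0.0/0"),
    IngressRule(5229, 5229, "0.0.0.0/0"), IngressRule(5269, 5269, "0.0.0.0/0"),
    IngressRule(5280, 5280, "0.0.0.0/0"), IngressRule(7070, 7070, "0.0.0.0/0"),
    IngressRule(7443, 7443, "0.0.0.0/0"), IngressRule(7473, 7473, "0.0.0.0/0"),
    IngressRule(7474, 7474, "0.0.0.0/0"), IngressRule(7777, 7777, "0.0.0.0/0"),
    IngressRule(8000, 8000, "0.0.0.0/0"), IngressRule(8079, 8079, "0.0.0.0/0"),
    IngressRule(8080, 8080, "0.0.0.0/0"),
]


def audit_ingress(rules, db_ports=DB_PORTS, app_group=APP_TIER_GROUP,
                  admin_cidr=ADMIN_CIDR) -> List[Tuple[int, str, str]]:
    """Return (port, source, message) for each policy violation: database ports
    only from the app tier, SSH only from the admin range (or the app tier)."""
    findings = []
    for rule in rules:
        for port, name in sorted(db_ports.items()):
            if rule.covers(port) and rule.source != app_group:
                findings.append((port, rule.source,
                                 f"{name} ({port}) reachable from {rule.source}; allow only {app_group}"))
        if rule.covers(22) and rule.source not in (admin_cidr, app_group):
            findings.append((22, rule.source,
                             f"SSH reachable from {rule.source}; allow only {admin_cidr}"))
    return findings


def minimal_db_tier_rules(app_group=APP_TIER_GROUP, admin_cidr=ADMIN_CIDR):
    """The DB-tier rule set described above: Neo4j from the app tier, SSH from admins."""
    return [IngressRule(7474, 7474, app_group), IngressRule(22, 22, admin_cidr)]


def as_aws_cli(rule: IngressRule, group_id: str = "sg-db-tier") -> str:
    """Equivalent AWS CLI call; --source-group for a group id, --cidr otherwise."""
    src_flag = "--source-group" if rule.source.startswith("sg-") else "--cidr"
    ports = (str(rule.from_port) if rule.from_port == rule.to_port
             else f"{rule.from_port}-{rule.to_port}")
    return (f"aws ec2 authorize-security-group-ingress --group-id {group_id} "
            f"--protocol tcp --port {ports} {src_flag} {rule.source}")


if __name__ == "__main__":
    for _, _, message in audit_ingress(THREAD_RULES):
        print("VIOLATION:", message)
    print("Replacement rules for the DB tier:")
    for rule in minimal_db_tier_rules():
        print("  " + as_aws_cli(rule))
```

The audit flags four rules in the posted listing (22, 3306, 7473 and 7474, all from 0.0.0.0/0); the other world-open ports are not covered by the policy here and would need their own justification on a database host.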

Navrattan Yadav

Dec 17, 2013, 10:48:29 AM
to Neo4J
Hi,

Thanks for the reply.

Yes, our application layer is on the cloud. We never expose any database layer directly to any app, but we haven't done any of the points mentioned below.

Once we do these changes we will let everyone know the status. We tried manually cleaning the nodes, but these nodes get created again.

Anything else you think we might have missed for better security?

Lasse Westh-Nielsen

Dec 18, 2013, 2:43:44 AM
to Neo4j User
On Tue, Dec 17, 2013 at 4:48 PM, Navrattan Yadav <navrattan....@gmail.com> wrote:
We never expose any database layer directly to any of app but we haven't done any of the points mentioned below

Navrattan,

If you are running Neo4j Server in AWS with neither a VPC or security groups with origin policies, then your database _could be_ accessible to the world whether you like it or not.

In fact, from your home laptop, if you access the instance's public DNS (the ec2-xxx-xxx-xxx-xxx.compute-1.amazonaws.com form) on port 7474, what do you get?

Navrattan Yadav

Dec 21, 2013, 12:05:37 AM
to Neo4J
Hi,

Thanks for the help.
We are unable to access port 7474 from any public IP, but as you proposed we have changed the access policy.

@Michael: Do you think we exposed something unintentionally on Neo4j?



Antonio VonG

Dec 21, 2013, 8:02:49 AM
to ne...@googlegroups.com
Navrattan,

From what you were saying:

Whenever a new relation gets created, few extra nodes get added to the newly created node and surprising that node is created from
nigerian IP and always dont have any outgoing relations
 
 ...as newly created nodes get associated with random nodes (all from Nigeria).

This could all be happening in your application layer; you should check your code and start writing tests on your local machine.

Regards,
Antonio