If I am to make an online backup using the
neo4j-admin backup tool remotely, as you advise, I have to open a public IP and the backup port on my Neo4J application.
However, I don't see
neo4j-admin asking for any login credentials, basically making it possible for anybody who wants to access the server and back it up.
There is no setting inside the
neo4j.conf that would only accept backup requests from a certain address.
So what does it mean? That when the online backups are done remotely, as you advise, the database may be vulnerable to somebody else just copying all the data?
What do you do to protect it then?
The documentation states that ne04j-admin must be invoked as the neo4j user. That is the user that owns the neo4j executables and the databases. So the security is handled by the OS login and the file permissions should be set to prevent unathorised access to the neo4j directories/files.
Not at all.
Look, when you launch neo4j-backup from a remote server, you simply specify the server your want to back up (IP and backup port) and no login/password credentials.
Every time I tried Neo4J didn't even ask for any login / password and simply started backing up the DB.
I'm using Neo4J Enterprise 3.3.9
@elaine.rosenberg do you have any news on that, or we just consider it as a security flaw?
just to reiterate: when making a remote backup of a Neo4J 3.3.9 DB hosted on AWS Linux EC2 instance via a public IP from another AWS server (also with Neo4J installed) the instance that is getting backed up does not ask for any password and starts to copy the DB. Most of the time it fails because my DB is too big (and I opened another issue about this) but it copies some files and some data, so I consider it as a security flaw. The DB that is being backed up does not ask for any login credentials.
Deemeetree, just to make sure:
To reproduce your setup all I need to do is to install a Neo4J 3.x and let it listen to the public ip address of the server?
Then I will be able to copy the database via neo4j-admin remotely?
I most certainly will give this a try.
Is 3.3.9 the most recent version you tried it with?
Within 3.x the 3.5 branch is the most recent, and of course there is 4.0 and 4.1 too.
Did you try those versions too?
This is not at all the question I'm asking.
I'm trying to tell you that there is a security flaw in your neo4j-admin script in that it connects to a remote server without any credentials.
You are telling me to place the backup files in a secure location — that's a completely different topic 🙂
Yes, this worked both with 3.3.9 and with 3.5.latest when I was trying to backup the DB remotely.
Another question is: how am I supposed to backup the DB if neo4j-admin backup doesn't allow me to send any credentials to connect to a remote DB?
It would be useful to add a possibility to use an SSH key or smth like that to authenticate remotely before backing things up thus avoiding this vulnerability.
Finally I got around it and tested it on one of my development servers in the cloud.
You are right 100% ; by changing the dbms.backup.address in the config to a public ip anyone can grab your data if they know the database name.
Still have to check how 4.x behaves but when you enable this option make sure you have a firewall in place restricting access to the server.
I would recommend against ever using a public IP; instead setup an environment of trusted machines communicating via a private network which you access via a VPN.
Adding an explicit warning in the operational guide is a good idea.
@neo4j_devrel can you relay this suggestion to the right person?