Securing an OrientDB database on your Ubuntu server

OrientDB is an open source data management system which operates in Java. It is also what is known as a multi-model database, meaning that it supports all kinds of models, from graph and document to key/value and object models.

Users opt for this Java application not just because it is easy to use but also because it is highly secure, since connecting to the server instance and connecting to a database both require authentication.

With this in mind, let’s see what steps you should take to properly secure an OrientDB Database on your Ubuntu server.

  • A very important step to take before you start securing the application is making sure the operating system it is running on is also secure. In that sense, you should set up a firewall. Next, you’ll want to restrict access to the OrientDB web server. To do that, you need to find its configuration file.
/opt/orientdb/config/orientdb-server-config.xml
  • Once you’ve located it, open it for editing, like so:
   sudo nano /opt/orientdb/config/orientdb-server-config.xml
  • Navigate to the listeners tag.
. . .
<listeners>
  <listener protocol="binary" socket="default" port-range="2424-2430" ip-address="0.0.0.0"/>
  <listener protocol="http" socket="default" port-range="2480-2490" ip-address="0.0.0.0">
  . . .
</listeners>
. . .

  • Change the ip-address value of both listeners from 0.0.0.0 to 127.0.0.1.
  • Restart the service so that the changes take effect.
  • Next, you’ll need to delete the guest account and modify the permissions in the configuration file you’ve opened before.
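  • A good way to boost the server security is to give access to the config directory only to the OrientDB user. The default permission of that directory is 755. Because the owner needs the execute (search) bit on a directory to open the files inside it, set the mode to 700 rather than 600:
sudo chmod 700 /opt/orientdb/config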
  • From now on, the rest of the security changes will be done via the OrientDB console, so you’ll need to connect to it.
sudo /opt/orientdb/bin/console.sh
  • Each server instance comes with two user accounts: guest and root. It is recommended that you drop the guest user, seeing as it has limited privileges anyway. That can be done like so:
orientdb> drop server user guest
  • Next, you should restrict access to the OrientDB database. To do that, you have to perform three actions: change the password of the admin account, suspend the writer account, and finally, delete the reader account.
  • To make these changes, you’ll need to connect to the database whose accounts you intend to manage. In this example, we’re connected to the GratefulDeadConcerts database, a sample database that ships with every OrientDB installation.
orientdb> connect remote:127.0.0.1/GratefulDeadConcerts admin admin
  • To change the password for the admin user, use the following command:
orientdb {db=GratefulDeadConcerts}> update ouser set password = 'new_account_password' where name = 'admin'
  • To disable the writer user, change its status from ACTIVE to SUSPENDED.
orientdb {db=GratefulDeadConcerts}> update ouser set status= 'SUSPENDED' where name = 'writer'
  • Finally, to delete the reader account from the database entirely, use:
orientdb {db=GratefulDeadConcerts}> drop user reader
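
To confirm that the server-level steps above took effect, the following added example (not part of the original tutorial or of OrientDB) parses the text of orientdb-server-config.xml and reports listeners not bound to loopback, a remaining guest server user, and a config directory mode that is too open or that the owner cannot traverse. The function names, the wrapper elements and the `<users>`/`<user name="...">` layout are assumptions, and the sample XML is constructed.

```python
import ipaddress
import os
import stat
import xml.etree.ElementTree as ET

# Constructed sample: <listeners> follows the tutorial's excerpt; the <users>
# layout and wrapper elements are assumptions about the rest of the file.
SAMPLE_CONFIG = """<orient-server>
  <network><listeners>
    <listener protocol="binary" port-range="2424-2430" ip-address="127.0.0.1"/>
    <listener protocol="http" port-range="2480-2490" ip-address="0.0.0.0"/>
  </listeners></network>
  <users>
    <user name="root" password="placeholder" resources="*"/>
    <user name="guest" password="placeholder" resources="connect"/>
  </users>
</orient-server>"""


def audit_config(xml_text):
    """Return findings for the text of an orientdb-server-config.xml file."""
    findings = []
    root = ET.fromstring(xml_text)
    for listener in root.iter("listener"):
        addr = listener.get("ip-address", "")
        try:
            loopback = ipaddress.ip_address(addr).is_loopback
        except ValueError:
            loopback = False  # missing or unparsable address: report it
        if not loopback:
            findings.append(f"{listener.get('protocol')} listener bound to {addr or 'unset'}")
    if any(u.get("name") == "guest" for u in root.iter("user")):
        findings.append("server user 'guest' is still defined")
    return findings


def audit_dir_mode(path):
    """Return findings for the permission bits of the config directory."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    findings = []
    if mode & 0o077:
        findings.append(f"{path} mode {mode:o} grants access to group or other")
    if not mode & stat.S_IXUSR:
        findings.append(f"{path} mode {mode:o} lacks owner execute; owner cannot open files in it")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

On a real server, pass the contents of /opt/orientdb/config/orientdb-server-config.xml to audit_config and the directory path to audit_dir_mode; an empty list from both means the listener, guest-user and permission steps are in place.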

 

And with this, you’ve completed all the steps of this security tutorial!