In Neo4J 3.x.x (up to the latest 3.5.17) when you are attempting to make a remote DB online backup using
neo4j-admin backup ...
the script connects to a remote database without any security credentials.
Effectively this means that when you have your DB running with the backup port open, anybody could connect to your DB from the outside and copy all your data.
This is not normal and it's a huge security flaw. You should inform your users about this.
You yourselves recommend doing remote backups from a different server so as not to overload the production environment, and yet in the 7 years that this function has been available this security flaw has not been addressed or explicitly mentioned in your docs.
I agree that there should be some kind of authentication, but personally, I don't see that as a dealbreaker. Although, users have to be careful and know what they are doing. I think that remote backups are suggested so that you don't create extra load on the database servers.
You can, for example, have backup machines in the same environment/tenant as the database servers, so you can use the "internal" network. Remote access is blocked from outside of the tenant and you are safe.
If you wish to do remote backups securely, you should configure the backup server and client to use SSL/TLS, as documented here. There is, as yet, no concept of Neo4j user authentication when performing a backup, as backups are not considered to be a per-user process. Instead they are performed by a sysadmin/operator.
I hope that helps?
For what it's worth, I think the docs could be more explicit about this case: perhaps providing a worked example. I'll see if we can improve them.
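To make the SSL/TLS mitigation concrete, the fragments below are an added example (not from the issue thread or from Neo4j's own documentation) of a Neo4j 3.5 neo4j.conf with the weak listener configuration beside a hardened one that requires a client certificate for the backup protocol. The policy name "backup", the bind address and the certificate directory layout are assumptions.

```properties
# --- Weak: backup listener on every interface, no SSL policy ---
# Anyone who can reach TCP 6362 can run neo4j-admin backup against this server.
dbms.backup.enabled=true
dbms.backup.address=0.0.0.0:6362
# (dbms.backup.ssl_policy unset -> plaintext, no peer verification)

# --- Hardened, server side (neo4j.conf on the database host) ---
dbms.backup.enabled=true
# Assumption: 10.0.1.5 is the server's internal/management interface, not a public one.
dbms.backup.address=10.0.1.5:6362
# Bind the backup protocol to a named SSL policy (policy name "backup" is an assumption).
dbms.backup.ssl_policy=backup
dbms.ssl.policy.backup.base_directory=certificates/backup
dbms.ssl.policy.backup.private_key=private.key
dbms.ssl.policy.backup.public_certificate=public.crt
dbms.ssl.policy.backup.trusted_dir=trusted
dbms.ssl.policy.backup.revoked_dir=revoked
# Mutual TLS: the backup client must present a certificate chained to a CA in trusted/.
# This is what stands in for the missing per-user authentication.
dbms.ssl.policy.backup.client_auth=REQUIRE
dbms.ssl.policy.backup.trust_all=false
dbms.ssl.policy.backup.tls_versions=TLSv1.2

# --- Hardened, client side (neo4j.conf read by neo4j-admin backup on the backup host) ---
dbms.backup.ssl_policy=backup
dbms.ssl.policy.backup.base_directory=certificates/backup
# The client's own key/cert, presented to the server because client_auth=REQUIRE.
dbms.ssl.policy.backup.private_key=private.key
dbms.ssl.policy.backup.public_certificate=public.crt
# CA used to verify the server; never trust_all in production.
dbms.ssl.policy.backup.trusted_dir=trusted
dbms.ssl.policy.backup.trust_all=false
```

Mutual TLS does not replace network restriction: the backup port should still be reachable only from the backup host's network, as the earlier comment describes.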
I raised this issue numerous times on Neo4J forums, but nobody cares: https://community.neo4j.com/t/is-there-any-password-protection-for-making-online-backups/20372/6
So I'm just trying to reach the developers here.