Some days ago I made the following search: “databases unprotected”. It is really incredible the number of databases deployed without authentication. Most of them are just test databases published on the internet, but others are exposing sensitive data.
(Image Licensed through Create Commons via David Goehring)
As a Couchbase user, you have to follow some basic best practices to secure your deployment. You have it documented here. Some of them are:
- Never publish your database on the public internet. Sit your database on a secure zone, use a firewall and configure your rules from trusted sites
- Secure administrative access
- Use passwords with your buckets
- Do not deploy sample buckets on your production environment
- Do not deploy default bucket on your production environment
Take a look at the documentation to see the Couchbase Security features in detail.
In this entry I will focus in default bucket.
Default bucket is a database configured the first time you access the administration console. As any other bucket, you can set up parameters like memory, number of replicas and so on. Its main purpose is to provide a running database from the beginning.
This is fine for testing or developing. However, production deployments do not make use of it. In production, you typically define you own bucket with a name related with your use case, like ‘customers’, ‘profiles’, ‘catalog’ and so on.
This is also a good practice from a security point of view: using default database is an invitation to malicious agents to exploit. Never deploy the default bucket in production.
If you are using command line interface (CLI) to setup your cluster, from version 4.1 you can skip default bucket creation.
In the past (before version 4.5), if you use the web interface to configure your cluster, you had to create a default bucket. So there was an additional step to remove the default bucket in production environments.
That was before version 4.5 comes in. Now we can skip default database creation. Just click the “Skip” button in the “CREATE DEFAULT BUCKET” step:
At this point, assuming you also skip sample databases deployment, you will start with a plain Couchbase installation without any bucket. Then you can create your custom buckets for production.
So, remember, do not deploy default bucket in production. Did I tell you?