By OrientDB CEO, Luca Garulli
After ransomware groups recently wiped about 34,000 MongoDB databases and exposed about 35,000 Elasticsearch databases on the Internet, we advise OrientDB users to double-check their OrientDB servers.
OrientDB’s average level of security is much stronger than that of both MongoDB and Elasticsearch. However, nothing can keep you totally safe, especially if you are exposing an OrientDB server directly to the Internet and/or you haven’t changed the default passwords in your database.
1. If you aren’t using the default users (admin, reader and writer), delete them.
2. If you are using them, make sure you have changed the password for all three default users: admin, reader and writer.
3. When you installed OrientDB for the first time, the setup script asked for the root password. Make sure you didn’t set something obvious such as “root”, “orientdb”, “password”, or any other simple or easily guessed password.
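The three checks above, carried out as OrientDB SQL from the console. This is an added example, not code from the original post: it assumes you have already connected to the database (for example with `CONNECT plocal:/path/to/databases/mydb admin <current-admin-password>`) as a user allowed to modify the `OUser` class, and every password value shown is a constructed placeholder to be replaced with a long random secret.

```sql
-- Added example (not from the original post): audit and clean up the default
-- database users from the OrientDB console. Assumes you are already connected
-- as a user with write access to OUser. All password values are placeholders.

-- Step 1/2: list the accounts that exist and the roles they hold. A freshly
-- created database ships with admin, reader and writer, each with a password
-- equal to its user name, which is exactly what automated scanners try first.
SELECT name, status, roles.name AS roles FROM OUser;

-- Step 1: if you do not use the default reader/writer accounts, remove them.
-- Fewer accounts means fewer credentials that can be guessed.
DELETE FROM OUser WHERE name IN ['reader', 'writer'];

-- Step 2: if you do use them, change their passwords instead. OrientDB hashes
-- the value through its OUser hook before storing it, so the plain-text
-- string is never written to the record.
UPDATE OUser SET password = 'CHANGE-ME-reader-<long random string>' WHERE name = 'reader';
UPDATE OUser SET password = 'CHANGE-ME-writer-<long random string>' WHERE name = 'writer';

-- Always change admin; do not delete it, or you lock yourself out.
UPDATE OUser SET password = 'CHANGE-ME-admin-<long random string>' WHERE name = 'admin';

-- Verify: only the accounts you expect remain, and all are ACTIVE. Because the
-- stored value is a hash you cannot read a weak password back; confirm the new
-- credentials by reconnecting with them.
SELECT name, status FROM OUser;
```

Step 3 (the root password) is not stored in `OUser`: root is a server-level user defined in the `<users>` section of `config/orientdb-server-config.xml`, which is where the first-run setup script writes the password you chose, so check and change it there and restart the server.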
1. If you can, don’t expose the OrientDB server directly to the Internet.
2. Remember that starting from v2.2 you can configure a higher number of salt iterations for hashed passwords, which makes brute-forcing a stolen hash slower. Take a look at the following page for more details: https://orientdb.com/docs/
3. If you’re working with very sensitive data, consider using encryption at rest with the AES algorithm. For more details, take a look at the following page: http://orientdb.
4. Don’t use passwords at all. Since v2.2.14, OrientDB Enterprise Edition supports authentication via symmetric keys for the Java client. See https://orientdb.com/docs/2.2/Security-Symmetric-Key-Authentication.html.
For any question, don’t hesitate to ask in the Community Group.
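Points 2 and 3 above (stronger password hashing and encryption at rest), shown as OrientDB console commands. This is an added example, not code from the original post: the setting names `security.userPasswordSaltIterations`, `storage.encryptionMethod` and `storage.encryptionKey` are OrientDB 2.2 global configuration keys, but the `-key=value` option syntax on `CREATE DATABASE` is an assumption to check against the documentation for your version, the paths and the admin password are placeholders, and the key value is a constructed placeholder standing in for a base64-encoded 16-, 24- or 32-byte AES key.

```sql
-- Added example (not from the original post): harden password hashing and
-- enable AES encryption at rest from the OrientDB console. Setting names are
-- OrientDB 2.2 global configuration keys; the "-key=value" CREATE DATABASE
-- option syntax is assumed. Key and password values are placeholders.

-- Point 2: raise the number of iterations used to hash OUser passwords
-- (the default in 2.2 is 65536). More iterations make offline cracking of a
-- leaked OUser record slower, at the cost of a slower login; set it before
-- creating or updating users so their hashes are computed with the new value.
CONFIG SET security.userPasswordSaltIterations 131072

-- Point 3: create a database whose files on disk are AES-encrypted. The key is
-- supplied at creation and at every open and is never stored in the database,
-- so a copied data directory is useless without it.
CREATE DATABASE plocal:/path/to/databases/sensitive admin <admin-password> plocal document -storage.encryptionMethod=aes -storage.encryptionKey=<base64 AES key>

-- When reopening the database later, provide the same key first:
CONFIG SET storage.encryptionKey <base64 AES key>
CONNECT plocal:/path/to/databases/sensitive admin <admin-password>
```

`CONFIG SET` changes the configuration of the process running the console; for a server, set the same keys as JVM properties when starting it (`-Dsecurity.userPasswordSaltIterations=131072`, `-Dstorage.encryptionKey=...`) or in the `<properties>` section of `orientdb-server-config.xml`, and keep the encryption key out of any file that is backed up together with the database.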
Thanks and keep your data safe!
Founder & CEO