Externally available CouchDB security
I have an externally available CouchDB instance that I will be spinning up. Due to my replication requirements, anybody could potentially attempt to authenticate with the machine.
This obviously worries me, so I've been doing some research and I'm not quite finding the answers that I'm looking for. Here are my questions:
1. Is there any way to get an email when an authentication failure occurs? I don't want to be brute forced.
2. If #1 is not possible, is there any way to throttle authentication attempts? Such as 1 authentication attempt per second?
This maybe should be split into multiple questions. Let me know if I should do so. Thanks
I don't know about 2. It may have a delay already.
For 1, you'd have to create a service that does this yourself. If your logging level is set to "info", the couch.log file contains every HTTP connection made to the server. You can filter this for requests with 401. It doesn't seem to say whether the username was an admin username or not though.
This is me trying to log in as an admin with first the wrong password, then the right one:
[Mon, 29 Sep 2014 08:46:51 GMT] [info] [<0.21047.0>] 127.0.0.1 - - POST /_session 401
[Mon, 29 Sep 2014 08:46:51 GMT] [info] [<0.21047.0>] 127.0.0.1 - - GET /_session 200
[Mon, 29 Sep 2014 08:46:56 GMT] [info] [<0.21047.0>] 127.0.0.1 - - POST /_session 200
[Mon, 29 Sep 2014 08:46:56 GMT] [info] [<0.21047.0>] 127.0.0.1 - - GET /_session 200
It wouldn't be hard to make a service that consumes the log, and e-mails you whenever a line ends in 401.
You can access the log through the REST API at /_log. Details are here: HTTP API /_log
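A sketch of the log-consuming service the answer describes, added here as an example and not part of the original answer: it parses lines in the couch.log layout shown above, groups 401 responses per client IP in a sliding window, and builds one alert e-mail per burst instead of one per line. The threshold, window, sample lines and mail addresses are assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from email.message import EmailMessage

# Request-line layout as shown in the answer's couch.log excerpt.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[info\] \[[^\]]+\] "
    r"(?P<ip>\S+) - - [A-Z]+ \S+ (?P<status>\d{3})\s*$")
TS_FORMAT = "%a, %d %b %Y %H:%M:%S GMT"  # assumes an English/C locale

# Constructed sample input (documentation IP range), not real log data.
SAMPLE_LOG = """\
[Mon, 29 Sep 2014 08:46:51 GMT] [info] [<0.21047.0>] 203.0.113.7 - - POST /_session 401
[Mon, 29 Sep 2014 08:46:52 GMT] [info] [<0.21047.0>] 203.0.113.7 - - POST /_session 401
[Mon, 29 Sep 2014 08:46:53 GMT] [info] [<0.21050.0>] 127.0.0.1 - - GET /_session 200
[Mon, 29 Sep 2014 08:46:54 GMT] [info] [<0.21047.0>] 203.0.113.7 - - POST /_session 401
[Mon, 29 Sep 2014 08:50:00 GMT] [info] [<0.21051.0>] 127.0.0.1 - - POST /_session 401
""".splitlines()

def parse_line(line):
    """Return (timestamp, ip, status) for a request line, else None."""
    m = LINE_RE.match(line)
    return (datetime.strptime(m["ts"], TS_FORMAT), m["ip"], int(m["status"])) if m else None

def find_bursts(lines, threshold=3, window=timedelta(seconds=60)):
    """Return [(ip, count, last_ts)] for each run of `threshold` 401s inside `window`."""
    recent, bursts = defaultdict(deque), []
    for ts, ip, status in filter(None, map(parse_line, lines)):
        if status != 401:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            bursts.append((ip, len(q), ts))
            q.clear()               # one alert per burst, not per line
    return bursts

def build_alert(ip, count, ts, sender="couchdb@example.org", rcpt="admin@example.org"):
    """Build the notification; pass it to smtplib.SMTP(...).send_message() to send."""
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, rcpt
    msg["Subject"] = f"CouchDB: {count} failed logins from {ip}"
    msg.set_content(f"{count} requests ending in 401 from {ip}, last at {ts:%Y-%m-%d %H:%M:%S} GMT.")
    return msg
```

Feed `find_bursts` the lines read from couch.log (or fetched from /_log) on a schedule. As the answer notes, the log does not show which username was tried, so the grouping here is by source address only.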