
Secure your MongoDB, Redis, etc - shahinism
https://medium.com/@shahinism/for-gods-sake-secure-your-mongo-redis-etc-4f310cf1bed2#.m01e3zylf
======
cannonpr
Having been the first 'DevOps' guy to hit the ground in a few startups, I have
seen interesting deployment and access strategies to databases. PHP exec("echo
$mysql_query | mysql -uadmin -ppassword"); is probably my favourite. For a lot
of frontend or fullstack teams, the business shouting "get it done" trumps any
damage they might take by a compromise. Also, often they are just not aware of
how insecure the defaults are. I feel like a lot more can be done to provide
secure out-of-the-box stacks for 'full stack' developers.

~~~
technion
I'm staring down the barrel of a startup that "deploys" using an Internet
accessible, passwordless Samba share to drag and drop PHP files from desktops
to production.

Nothing surprises me.

------
lukaslalinsky
Is this the result of the no-ops movement? Did people forget how to deploy
software? I find it hard to believe somebody would run a database on a publicly
accessible IP/port.

~~~
SCHiM
For some reason redis thinks it's a good idea to listen on all interfaces by
DEFAULT, so you can perhaps understand why this happens. But I mean come on,
what year is this? How often do we need to repeat that you need to use SECURE
DEFAULTS!

Short of that I find redis a nice piece of software, I only wish it was
somewhat more sane in its default configuration.

~~~
an_d_rew
In theory I totally agree with the concept of using secure defaults.

In practice, however, I have seen far too many developers spend hour after
hour trying to unwind a byzantine labyrinth of iptables and strange network
configurations, weird firewall rules and corporate policies, never mind
mangled DNS, to think that the correct solution is merely "secure defaults".

At the end of the day, developers get paid to "make it work" and unfortunately
that strongly incentivizes the "open by default" configuration mindset.

~~~
mtgx
Maybe developers should get paid "not to put us in the headlines with 1
billion accounts breached".

~~~
user5994461
Maybe developers should care about not having their companies in the headlines
instead of just pushing things out as quickly as possible.

------
joneholland
Your database should not run on a server that has a public IP. Forget
authentication (it's plaintext on redis), or binding rules, or using an
uncommon port.

It's network isolation or you will be owned.
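Both the point above about redis listening on every interface by default and
the one about databases never sitting on a public IP boil down to the same
check: is a datastore bound to a wildcard address? This is an added example,
not code from any commenter; it parses `ss -ltn`-style output read from stdin,
the sample output is constructed, and the port list assumes stock ports for the
datastores named in the thread.

```shell
#!/bin/sh
# Added example: flag database listeners bound to every interface.
# Input is `ss -ltn` style output on stdin (the sample below is constructed).

# Assumption: stock ports for mongod, redis, elasticsearch, postgres, mysql.
DB_PORTS="27017 6379 9200 5432 3306"

# Print "<host> <port>" for each LISTEN socket whose local address is a
# wildcard (0.0.0.0, *, or [::]) and whose port is a known database port.
# Non-LISTEN lines, including the ss header, are ignored.
exposed_db_listeners() {
    awk -v ports="$DB_PORTS" '
        BEGIN { split(ports, p, " "); for (i in p) db[p[i]] = 1 }
        $1 == "LISTEN" {
            addr = $4                                # Local Address:Port
            n = split(addr, parts, ":")
            port = parts[n]                          # text after the last ":"
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if ((host == "0.0.0.0" || host == "*" || host == "[::]") && (port in db))
                print host, port
        }'
}

# Constructed sample: redis on all IPv4 interfaces, mongod on all IPv6
# interfaces, postgres on loopback only, sshd on a non-database port.
SAMPLE='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       511     0.0.0.0:6379         0.0.0.0:*
LISTEN  0       128     [::]:27017           [::]:*
LISTEN  0       244     127.0.0.1:5432       0.0.0.0:*'

# Number of exposed database listeners in the sample; a deploy pipeline would
# pipe live `ss -ltn` output in instead and fail the build when this is non-zero.
count_exposed() {
    printf '%s\n' "$SAMPLE" | exposed_db_listeners | wc -l | tr -d ' '
}

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE" | exposed_db_listeners
fi
```

On the sample input the function reports the redis and mongod sockets and
leaves the loopback-only postgres alone.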

~~~
15155
Tell this to Heroku, whose Postgres instances are all publicly accessible
(TCP-wise) outside of their network.

~~~
dottedmag
Yes, why not tell this to Heroku?

------
igama
Have a read of the Internet Security Exposure report by @binaryedgeio; there
is a section regarding Data Storage, mentioning Mongo, Redis, ElasticSearch,
and some others. In summary, it found 627.7 TB of data exposed.

[http://blog.binaryedge.io/2016/10/07/internet-security-expos...](http://blog.binaryedge.io/2016/10/07/internet-security-exposure-2016/)

------
agotterer
In this day and age with breaches happening daily and publicly why hasn't
mongo taken security seriously and enabled authentication by default?

~~~
raverbashing
This might be useful: [https://docs.mongodb.com/v3.2/administration/security-checkl...](https://docs.mongodb.com/v3.2/administration/security-checklist/)

(But let's say binding on 0.0.0.0 or not having a firewall in the system are
not only their fault)

In the same way people can trust local addresses in Pgsql

------
diafygi
Is using spiped viable for redis connections? Can all the servers that need to
connect to the redis server all connect via spiped using the same secret key?

------
statictype
What about data in motion?

Is it viable to use an SSH tunnel with each service listening on localhost
alone and using an encrypted tunnel to send data?

~~~
tostaki
No, it's not. It's secure but not reliable: your SSH tunnel will disconnect at
some point. Use a firewall and/or native security.

~~~
statictype
Thanks! I read somewhere that this was a good way to secure redis for
compliance. Good to know it may not always work.

------
nodesocket
The main problem is DigitalOcean does not offer a centralized firewall, so
they assume users will and can set up iptables. If they had a centralized
firewall with a default policy of all inbound traffic blocked, and you then
specifically opened ports on droplets, it would make a huge difference.

~~~
ak2196
Ok. Repeat after me, "I will not use Digital Ocean for production. They are
not a real hosting company."

The why is left as an exercise for the reader.

~~~
user5994461
Use Digital Ocean for simple production use cases. They are a real hosting
company, they are affordable and they are simple to use.

Professional non-trivial usage should be on AWS/Google/Azure/SoftLayer.

~~~
ak2196
Bzzzt! Wrong answer, try again. They are not good for anything remotely
resembling production. Since your production should try and closely resemble
everything else I'd say they are not good for anything at all. The tag line is
"Cloud computing, designed for developers." They should be even more careful
about good practices and sound design keeping in mind the kind of customer
they are trying to get. Over the years they have done anything but that.

~~~
user5994461
They are perfectly fine for anything production resembling a guy that wants to
run 2 servers on the internet.

And they're certainly better than trying to run that on someone's home DSL
connection.

~~~
ak2196
Actually your DSL is probably more secure because it wasn't designed by
complete muppets. Who thought it a good idea to put everyone on a flat Layer 2
network? Remember the time they were handing out block devices without
scrubbing? How is the new Ceph-backed block service? What's the p50 latency?
What about p90?

------
mwpmaybe
stunnel. It's an incredible piece of software.

~~~
JTenerife
Do you have any thoughts / experience compared to spiped or IPsec? The author
of Redis likes spiped:
[https://redis.io/topics/encryption](https://redis.io/topics/encryption)

~~~
mwpmaybe
That's an excellent question. I've only ever used stunnel and I was blown away
by how many different things it can do / ways it can work. It does so much for
such a simple tool. antirez probably likes spiped because it does fewer
things. :)

