

Several thousand MongoDBs without access control on the Internet [pdf] - ifcologne
http://cispa.saarland/wp-content/uploads/2015/02/MongoDB_documentation.pdf

======
patio11
This can also happen with Memcached, Redis, and for that matter SQL databases.
If you find it on your servers, you should be very, very alarmed. (Assume that
any attacker with arbitrary access to any of these owns the box. [+]) One
easy-ish way to make sure you don't inadvertently leave a port open is to use
iptables and deny inbound connections to everything but 22, 80, and 443 by
default.

This is part of the Slicehost VPS setup guide that PickledOnion wrote back in
the day, and it's still one of the first things I do when I get a new box.
(Typically right after locking down SSH with a key requirement.)

Edit to add:

[http://articles.slicehost.com/2008/4/25/ubuntu-hardy-setup-page-1](http://articles.slicehost.com/2008/4/25/ubuntu-hardy-setup-page-1)
[http://articles.slicehost.com/assets/2007/9/4/iptables.txt](http://articles.slicehost.com/assets/2007/9/4/iptables.txt)
<-- make sure you change the port 30000 on the SSH to whatever you use on
your boxes

[+] You might think "Well, that requires the existence of both a vulnerability
in the server and a local privilege escalation exploit", but in practice, you
can assume that the attacker has access to both of these. They also probably
aren't trying to get into _your_ box, specifically -- your box is merely one
of the several thousand Redis instances on the Internet that they're firing
e.g. a specially corrupted Unicode string to get a buffer overrun on, at which
point they will -- in a mostly automated fashion -- run metasploit (or similar
ratware) and turn that into a root shell.

~~~
Kudos
> This can also happen with Memcached, Redis, and for that matter SQL
> databases.

No one else binds to all interfaces by default.

~~~
patio11
Memcached does, for one. This is (sensibly) turned off if you do "apt-get
install memcached" or similar.

~~~
Kudos
Only if you compile memcached from source. They can afford to do this because
distro package maintainers give it sensible defaults on their behalf.

MongoDB fucks this balance up by recommending you use their package
repositories instead of distro maintained packages.

~~~
threeseed
Just to add:

[http://memcached.org/downloads](http://memcached.org/downloads)

[https://www.mongodb.org/downloads](https://www.mongodb.org/downloads)

Are identical in having normal binary downloads as the primary installation
option.

And you seem to be implying that vendor supplied repositories are somehow
unusual. They absolutely aren't.

~~~
Kudos
> Are identical in having normal binary downloads as the primary installation
> option.

I don't believe I said that MongoDB recommended their packages over compiling
from source.

> And you seem to be implying that vendor supplied repositories are somehow
> unusual.

Nope.

------
martinml
Similar, but with memcached (2010):
[http://www.sensepost.com/blog/4873.html](http://www.sensepost.com/blog/4873.html)

------
m8rl
German IT news site heise.de is reporting on it, I guess there'll be an
English translation soon.

[http://www.heise.de/security/meldung/Studenten-entdecken-Tausende-offene-Firmen-Datenbanken-im-Internet-2545183.html](http://www.heise.de/security/meldung/Studenten-entdecken-Tausende-offene-Firmen-Datenbanken-im-Internet-2545183.html)

Original (German language) press release is here: [http://www.uni-saarland.de/nc/en/news/article/nr/12173.html](http://www.uni-saarland.de/nc/en/news/article/nr/12173.html)

~~~
fabian2k
And it's not just small stuff either, 8 million phone numbers and addresses in
one case. That is beyond embarrassing.

~~~
Fiahil
What is even more embarrassing, is the lack of proper acknowledgment from the
French Telecommunication provider (Bouygues Telecom?) regarding the safety of
their customers' data.

------
ryanlol
Someone posted a list to a .onion site indexing these on FD in early 2014.

[http://seclists.org/fulldisclosure/2014/May/43](http://seclists.org/fulldisclosure/2014/May/43)

Edit: Oh, seems like the site is still up at
[http://un1c0rn.net/](http://un1c0rn.net/)

[http://un1c0rn.net/search?q=tags%3Amongo](http://un1c0rn.net/search?q=tags%3Amongo)

------
meghan
We take security seriously at MongoDB. Here is a response on security best
practices from the MongoDB CTO & Co-Founder:

[http://www.mongodb.com/blog/post/mongodb-security-best-practices](http://www.mongodb.com/blog/post/mongodb-security-best-practices)

~~~
nailer
The first point in your article is:

> "The most popular installer for MongoDB (RPM) limits network access to
> localhost by default."

The first download for Linux at
[https://www.mongodb.org/downloads](https://www.mongodb.org/downloads) is:

> [https://fastdl.mongodb.org/linux/mongodb-linux-x86_64-2.6.7.tgz](https://fastdl.mongodb.org/linux/mongodb-linux-x86_64-2.6.7.tgz)

At the bottom of the page there are alternate links to packages. Here is the
description:

> "MongoDB is included in several different package managers. Generally
> speaking, it is easier to simply install the prebuilt binaries from above."

If the properly packaged versions have secure defaults, maybe you should steer
people towards them?

~~~
meghan
Thanks for the suggestion, we will be updating the copy to clarify that the
packages are the preferred installation method.

~~~
nailer
Thanks for listening!

------
bawana
I tried to verify the results but am getting stuck at this:

curl "$SHODANURL" | grep -i 'class="ip"' | cut -d '/' -f 3 | cut -d '"' -f 1 | uniq > db.ip

The author at CISPA (in the linked pdf) states to 'paste the html code',
however using shodan from the command line, one only has access to 6 verbs
that shodan understands. Shodan reveals 34309 mongo databases. I can download
their IPs but that requires 'query credits' using shodan. How does one use
curl here?

------
bkeroack
I'm not surprised. I've never actually gotten replication groups and access
control to work properly with MongoDB. So I gave up and relied on
network/firewall-level security. I guess some people don't even bother with
that.

------
moozeek
# 1st: accept connections from localhost
iptables -A INPUT -p tcp -s 127.0.0.1 --dport 27017 -j ACCEPT
iptables -A INPUT -p tcp -s 127.0.0.1 --dport 28017 -j ACCEPT

# 2nd: drop from all others
iptables -A INPUT -p tcp --dport 27017 -j DROP
iptables -A INPUT -p tcp --dport 28017 -j DROP

~~~
stennie
FYI, the Security section of the MongoDB manual has a checklist
([http://docs.mongodb.org/manual/administration/security-checklist/](http://docs.mongodb.org/manual/administration/security-checklist/))
and example firewall configurations for iptables on Linux and netsh on
Windows: [http://docs.mongodb.org/manual/administration/security-network/](http://docs.mongodb.org/manual/administration/security-network/).

------
neals
How do I know if my access control is just local? I have a few small (pet)
mongoDB projects on Digital Ocean, never spend too much time updating and/or
securing them actually.

~~~
patio11
Assuming you have the mongo client installed on your laptop or similar, use
this in a command shell:

> mongo server.address.or.ip.goes.here

If this connects successfully, that is problematic.
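The same reachability check without the mongo client, as an added example that is my own code, not from the thread or from MongoDB: it sends the legacy wire-protocol OP_QUERY `{isMaster: 1}` to `admin.$cmd` (the handshake the shell performs on connect) and reports whether a mongod answered. Run it from a machine outside your network against your own server address; "unreachable" is the outcome you want to see. Assumes Python 3 only.

```python
# Added example (not from the thread): is my mongod reachable from here?
import socket
import struct

OP_QUERY, OP_REPLY = 2004, 1

def bson_int32_doc(key: str, value: int) -> bytes:
    """Minimal BSON: a document holding a single int32 field."""
    body = b"\x10" + key.encode() + b"\x00" + struct.pack("<i", value)
    return struct.pack("<i", len(body) + 5) + body + b"\x00"

def build_is_master(request_id: int = 1) -> bytes:
    """OP_QUERY {isMaster: 1} against admin.$cmd, numberToReturn = 1."""
    payload = (struct.pack("<i", 0)                 # flags
               + b"admin.$cmd\x00"                  # fullCollectionName
               + struct.pack("<ii", 0, 1)           # numberToSkip, numberToReturn
               + bson_int32_doc("isMaster", 1))
    header = struct.pack("<iiii", 16 + len(payload), request_id, 0, OP_QUERY)
    return header + payload

def parse_reply(data: bytes) -> dict:
    """Header and reply fields of an OP_REPLY; first document kept as raw BSON."""
    length, _req, resp_to, opcode = struct.unpack_from("<iiii", data, 0)
    _flags, _cursor, _start, nreturned = struct.unpack_from("<iqii", data, 16)
    return {"opcode": opcode, "response_to": resp_to, "returned": nreturned,
            "doc": data[36:length] if nreturned else b""}

def probe(host: str, port: int = 27017, timeout: float = 3.0) -> str:
    """'unreachable' is the good answer; any 'reachable' means the port is open."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_is_master())
            data = s.recv(4)
            if len(data) < 4:
                return "reachable: connected, but mongod sent no reply"
            total = struct.unpack("<i", data)[0]
            while len(data) < total:                # OP_REPLY may arrive in pieces
                chunk = s.recv(total - len(data))
                if not chunk:
                    break
                data += chunk
    except OSError as err:                          # refused, timed out, no route, ...
        return f"unreachable ({err})"
    if len(data) < 36:
        return "reachable: port open, truncated reply"
    reply = parse_reply(data)
    if reply["opcode"] == OP_REPLY and b"ismaster" in reply["doc"]:
        return "reachable: mongod answered isMaster over the network (exposed)"
    return "reachable: port open, not a mongod OP_REPLY"
```

Call `probe("your.server.address")` from outside the box; note that isMaster answers even when authorization is enabled, so a "reachable" result means the port is open to the network, which is the finding the thread is about, not that auth is off.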

------
lcfcjs
Very interesting article, thanks for the submission.

------
scrrr
Please spend a little bit more money and hire a professional who knows what he
is doing instead of just following installation tutorials.

~~~
mercurial
You'd think Bouygues Telecom's people would qualify as "professional".

~~~
pyvpx
telecom, in general, isn't filled with the brightest of bulbs. especially in
decision-making places...

------
GFK_of_xmaspast
* MongosDB

------
jorjordandan
they are probably all Meteor tutorials.

~~~
jorjordandan
I meant they are definitely not meteor tutorials.

