Hello MongoDB (Open Remote Access)

    Good day.

    I searched Habr but did not find a post about this problem, although a couple of times it had surfaced in comments from people in the know.

    We have several VPSes on which we use MongoDB; the OS is usually Debian 6 / Ubuntu, and we install almost everything from packages, which is good enough for everyone. The other day, while checking the old servers, I discovered


    For me, of course, it was a shock! An attempt to gain remote access was successful. I went into /etc/mongodb.conf, thinking one of my colleagues might have opened access for himself, but there was not a word about it there. Hoping that the same colleague had simply deleted such an entry, I looked at the config on my local machine (Debian 6) and again found nothing about remote access. I went through all the sites I knew were running MongoDB, and on every one of them I was able to connect.

    I immediately started googling the problem and eventually found net.bindIp on the official site:
    net.bindIp
    Type: string

    Default: All interfaces. Changed in version 2.6.0: The deb and rpm packages include a default configuration file that sets net.bindIp to 127.0.0.1.

    Specifies the IP address that mongos or mongod binds to in order to listen for connections from applications. You may attach mongos or mongod to any interface. When attaching mongos or mongod to a publicly accessible interface, ensure that you have implemented proper authentication and firewall restrictions to protect the integrity of your database.

    To bind to multiple IP addresses, enter a list of comma separated values.

    I went through all the servers and added a line to /etc/mongodb.conf:
    bind_ip = 127.0.0.1
    

    Restarted MongoDB:
    /etc/init.d/mongodb restart
    

    After which remote access was closed. (That line is for the old ini-style mongodb.conf; the YAML configuration format introduced in 2.6 expresses the same setting as net.bindIp. Binding to loopback only limits where the daemon listens; it is not a replacement for authentication and a firewall, which the documentation quoted above asks for as well.)
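    A check worth doing right after the restart, as an added example that is not part of the original post: look at what mongod is actually listening on, since a typo in the config or a second instance can leave the port open. The script below parses `ss -lnt` (or `netstat -lnt`, which puts the local address in the same column) and flags every Mongo listener bound to anything other than loopback, including the IPv6 wildcard. The sample output embedded in it is constructed, not captured from the author's servers, and the port list is an assumption covering the default mongod ports plus the 2.x HTTP status interface.

```python
import subprocess

# Ports worth checking: mongod/mongos default, shard and config-server defaults, and the 2.x HTTP
# status interface (listens on port + 1000 when it is enabled). Assumption: adjust for custom ports.
MONGO_PORTS = {27017, 27018, 27019, 28017}

# Constructed sample of `ss -lnt` output, not captured from the author's servers: sshd on every
# interface, mongod correctly on loopback, and a status page still bound to every interface.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     127.0.0.1:27017      0.0.0.0:*
LISTEN  0       128     *:28017              *:*
LISTEN  0       128     [::]:22              [::]:*
"""

def listener_exposure(table):
    """Parse `ss -lnt` or `netstat -lnt` output (local address is column 4 in both) and classify
    every Mongo listener as 'loopback' or 'EXPOSED'. Returns [(port, address, verdict), ...]."""
    findings = []
    for line in table.splitlines():
        cols = line.split()
        if len(cols) < 4 or ":" not in cols[3]:
            continue
        addr, port = cols[3].rsplit(":", 1)         # rsplit keeps IPv6 forms like [::]:27017 intact
        if not port.isdigit() or int(port) not in MONGO_PORTS:
            continue
        verdict = "loopback" if addr.strip("[]") in ("127.0.0.1", "::1") else "EXPOSED"
        findings.append((int(port), addr, verdict))
    return findings

def exposed_listeners(table):
    """Just the listeners reachable on a non-loopback address; an empty list means the fix took."""
    return [f for f in listener_exposure(table) if f[2] == "EXPOSED"]

if __name__ == "__main__":
    try:                                             # live check; falls back to the sample offline
        table = subprocess.run(["ss", "-lnt"], capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        table = SAMPLE_SS
    for port, addr, verdict in listener_exposure(table):
        print("%-8s %s:%d" % (verdict, addr, port))
```

    Run it on the server after the restart; anything reported as EXPOSED is still reachable from the network, and "*" or "[::]" means every interface, not "nothing".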

    Debriefing

    I decided to work out how this had happened. Naturally, I immediately thought of MySQL, which has remote access closed by default, and it was reasonable for many people, myself included, to assume that MongoDB had not done anything different here. I set up Debian 7.4.0 (the latest stable release at the time) from scratch and installed MongoDB from the distribution package, and this time the config already contained
    bind_ip = 127.0.0.1
    

    From memory, on the old servers MongoDB was installed from the MongoDB repository following the article Install MongoDB on Debian on the official site, because hosters offered VPSes only on Debian 6, which ships a very old version of MongoDB. After installing from their repository, once again I found nothing about remote access in the config. The article itself says nothing about it either, which was very disappointing.

    Neighbor Check

    Without thinking twice, I decided to check the neighbors by IP address and sketched a quick PHP script for it.


    This turned up a fairly long list of open MongoDB instances. Some, of course, had authorization enabled, and some were only used for backups, but they were open to the network all the same.

    Breaking?

    So what can be done with this access? I tested it on my own project, and at the very least:
    • got the list of users together with their e-mail addresses
    • was able to edit articles: change the text, insert images and JS scripts
    • was able to upload files into the database through mongofiles, although I could not figure out how to get them written to disk


    Summary

    Of course, some will say that this is all done for speed, and that a system administrator is supposed to keep an eye on everything himself. But VPSes are very easy to get, there are plenty of articles praising new databases and other software, and many ordinary programmers end up working on a VPS without much administration experience. From the MongoDB developers I would at least expect a commented-out reminder in the config, since they do not want to close remote access by default:
    # bind_ip = 127.0.0.1
    

    Similar articles, but about memcached: "How I found a vulnerability on phpclub.ru" and "1% of all sites on Runet keep their memcached open to the world. Some statistics".
