
Your MongoDB instance may be publicly accessible #208

Open
fshmcallister opened this issue Dec 23, 2019 · 8 comments

Comments

@fshmcallister
Contributor

We detected that a MongoDB instance on {devices} may be accessible remotely. Consider either blocking port 27017 through the WoTT firewall management tool, or reconfiguring MongoDB to only listen on localhost.

Part of #198

@Menmarin
Contributor

Title

Remote access on MongoDB instance detected

TL;DR

We detected that a MongoDB instance on {devices} may be accessible remotely. Consider either blocking port 27017 through the WoTT firewall management tool, or reconfiguring MongoDB to only listen on localhost.

MongoDB is a NoSQL document database that is widely used by companies and individuals. Its popularity and support make it a contender for one of the best options for database needs. Unfortunately, its popularity makes it a target for experienced and mediocre attackers alike.

MongoDB comes with a plethora of features designed to ease the process of setting up and using the platform. With these features comes a risk of exposing your instance to attacks. One such feature is remote access. The vulnerabilities it opens up by leaving it open can be devastating. If an attacker somehow was able to get their hands on login credentials from one of your employees, they could connect to your MongoDB instance through remote access and it wouldn't be flagged, as they logged in with the correct credentials. In addition, traffic over MongoDB connections is not encrypted, therefore opening the avenue for an attacker to be listening/sniffing the data being transmitted from a remote host to the database.

WoTT firewall management tool has a feature that allows you to block the port 27017, which is the port used by MongoDB for remote access. Additionally, you can reconfigure the MongoDB configuration file to only listen on localhost. To do this, navigate to the config file usually found in your etc directory and add the following line:

bind_ip = 127.0.0.1

Please remember to restart your MongoDB instance, as this will not take effect without doing so. For more information on how to securely configure your MongoDB instance, WoTT has a step-by-step guide to aid you.

@vpetersson
Collaborator

vpetersson commented Dec 28, 2019

@Menmarin This has the wrong format. Needs to be tl;dr and a longer FAQ version.

@fshmcallister
Contributor Author

From what I can see, I think the second paragraph onwards is the FAQ, he's just forgotten to add it in.

@fshmcallister
Contributor Author

fshmcallister commented Dec 30, 2019

Suggested changes to FAQ

MongoDB is a NoSQL document database that is widely used by companies and individuals. Its popularity and support make it an ideal database option for developers. Unfortunately, its popularity makes it a target for experienced and amateur attackers alike.

MongoDB contains a plethora of features designed to ease the process of setting up and using its platform. One such feature is remote access, which can potentially expose your system to attack.
Enabling remote access increases the risk of stolen credentials being used to access your MongoDB, as well as leaving you unnecessarily vulnerable to attack by human error, such as unprotected remote login. Additionally, traffic over MongoDB connections is not encrypted by default, therefore opening an avenue for an attacker to be listening/sniffing the data being transmitted from a remote host to the database.

WoTT's firewall management tool has a feature that allows you to block the port 27017, which is the port used by MongoDB for remote access. Additionally, you can reconfigure the MongoDB configuration file to only listen on localhost. To do this, navigate to the config file, usually /etc/mongod.conf, and add the following line:

bind_ip = 127.0.0.1

Please remember to restart your MongoDB instance as this change will not take effect until you do so. For more information on how to securely configure your MongoDB instance, WoTT has a step-by-step guide to aid you.

@vpetersson
Collaborator

traffic over MongoDB connections are not encrypted

by default - https://docs.mongodb.com/manual/tutorial/configure-ssl/

@fshmcallister
Contributor Author

updated

@vpetersson
Collaborator

@fshmcallister This is missing the correct format as @a-martynovich correctly pointed out. Could you do this asap?

@fshmcallister
Contributor Author

fshmcallister commented Jan 31, 2020

TITLE
Remote access on MongoDB detected

TL;DR
We detected that a MongoDB instance may be accessible remotely. This may allow a remote attacker to gain access to your database and leak customer data. According to [Shodan](https://www.shodan.io/), there are over 70,000 publicly exposed MongoDB servers. Don't be one of them. Consider either blocking port 27017 through the WoTT firewall management tool, or reconfiguring MongoDB to only listen on localhost.

FAQ

MongoDB is a widely used NoSQL database. Unfortunately, the default configuration in MongoDB until relatively recently was to bind on all public interfaces (rather than just localhost). Because of this, many MongoDB servers were made publicly accessible. To make matters worse, by default, MongoDB does not require any authentication, meaning that the potential attacker only needed to know the public IP of the server in order to connect and access your customer data.

We recommend that you either reconfigure your MongoDB instance to only listen on localhost (assuming the appserver talking to MongoDB runs on the same server), or create a firewall policy to only allow connections from your appservers to port 27017 on your node. You can do the latter using WoTT's firewall management tool. You can read more about MongoDB's ports [here](https://docs.mongodb.com/manual/reference/default-mongodb-port/).

To reconfigure your MongoDB instance to only listen on localhost, edit the config file (usually `/etc/mongod.conf`) and add/edit the following line:

```
bind_ip = 127.0.0.1
```

Please remember to restart your MongoDB instance as this change will not take effect until you do so. For more information on how to securely configure your MongoDB instance, WoTT has a step-by-step guide to aid you.

Code Snippet

None at this time.
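An added check that is not code from the WoTT project or from this issue: it reads the bind setting from either mongod.conf format (legacy `bind_ip = ...` or YAML `bindIp:` under `net:`) and flags any port 27017 listener on a non-loopback address in `ss -ltn` output, which is what the TL;DR above is warning about. The config snippets and socket listing below are constructed samples, and the localhost-only default assumed for an unset `bindIp` is the MongoDB 3.6+ behaviour.

```python
import ipaddress
import re

MONGO_PORT = 27017  # default mongod port discussed in the issue

def config_bind_addresses(conf_text: str) -> list[str]:
    """Addresses mongod is configured to bind to (legacy ``bind_ip = ...``
    or YAML ``bindIp: ...`` under ``net:``; ``bindIpAll: true`` = all).
    No setting: assume the localhost-only default of MongoDB 3.6+
    (an assumption; releases before 3.6 bound all interfaces)."""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        m = re.match(r"(?:bind_ip|bindIp)\s*[=:]\s*(.+)", line)
        if m:
            return [a.strip() for a in m.group(1).split(",") if a.strip()]
        if re.match(r"bindIpAll\s*:\s*true", line):
            return ["0.0.0.0"]
    return ["127.0.0.1"]

def is_loopback(addr: str) -> bool:
    """True only for addresses proven local: 127/8, ::1 or 'localhost'."""
    if addr == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:  # '*', hostnames, socket paths: not proven local
        return False

def exposed_listeners(ss_output: str, port: int = MONGO_PORT) -> list[str]:
    """Local address:port entries from ``ss -ltn`` output that listen on
    `port` on a non-loopback address (0.0.0.0, *, [::] or a public IP)."""
    exposed = []
    for line in ss_output.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 5:
            continue
        host, _, p = cols[3].rpartition(":")
        if p == str(port) and not is_loopback(host.strip("[]")):
            exposed.append(cols[3])
    return exposed

# Constructed samples: a legacy config binding everywhere, a YAML config
# bound to localhost, and ``ss -ltn`` output with mongod on all interfaces.
LEGACY_CONF = "bind_ip = 0.0.0.0\nport = 27017\n"
YAML_CONF = "net:\n  port: 27017\n  bindIp: 127.0.0.1\n"
SS_OUTPUT = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128          0.0.0.0:27017       0.0.0.0:*
LISTEN 0      128        127.0.0.1:27017       0.0.0.0:*
LISTEN 0      128                *:22                *:*
"""
```

Run `exposed_listeners` over the real `ss -ltn` output on the host; an empty list means mongod is reachable only from localhost, regardless of what the config file says.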
