Got a server exposed to the recent MongoDB ransom scam. https://www.bleepingcomputer.com/news/security/mongodb-databases-held-for-ransom-by-mysterious-attacker/
I closed it down until I fixed this.
What's the easiest way to fix this? Is to add a user?
mongo
use admin
db.createUser( { user: "root", pwd: "password", roles: [ "root" ] } )
Is this enough to avoid getting hacked?
Expanding on #Sammye's comment mongodb has often no password for a database user. This is especially problematic if the database is facing the public internet because, just by trying the right port on the ip adress of your server everyone in the internet could theoretically connect to the database server.
To prevent this it is always a good idea to limit the traffic that can reach your server and its ports by a firewall.
Here is a sample iptables configuration (for ubuntu):
the following commands allow all traffic to localhost and to the ports 22 (ssh), 80 (http) and 443 (https)
# accept local traffic
sudo iptables -A INPUT -i lo -j ACCEPT
# allow established connections
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# allow connections to ports 22, 80, 443
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
these commands block the rest of the traffic:
# drops the rest of the traffic to the server
# sudo iptables -P INPUT DROP
# disables the possibility to route traffic through the server (you may or may not want to use this)
# sudo iptables -P FORWARD DROP
# makes it possible to send data from the server
# sudo iptables -P OUTPUT ACCEPT
Before running any of these iptables commands it is always a good idea to set up a cronjob that resets your iptables configuration every 5 minutes. In that case if something goes wrong (you lock yourself out of the server for example because you forgot to enable port 22 in your firewall) the rules get reset and you can fix the issue.
this is a script from the iptables ubunt wiki to reset the firewall:
https://help.ubuntu.com/community/IptablesHowTo
echo "Stopping firewall and allowing everyone..."
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
when everything is finished and seems to be working do not forget to install the package iptables-persistent (by default the iptables rules only exist until the server is restarted)
sudo apt-get install iptables-persistent
this is by far not a complete guide on how to secure your server with iptables as firewall but I hope that it can get you started.
Now the database is only reachable from the server on not from the public internet anymore. To access your database from the public internet anyways you will have to create a ssh tunnel to your server:
ssh youruser#yourdomain_or_ip_adress -f -N -L 27019:yourdomain_or_ip_adress:27019
-f -N -L 27019 <-- here you define the port that should be used on your machine for the database traffic
yourdomain_or_ip_adress:27019 <-- this is the port that the database runs on on your server
When this is done you should be able to access the database from your server at your local machine at 127.0.0.1:27019.
This is a more general way to secure any application that runs on a server that is exposed to the internet.
There is also an official guide on how to specifically secure mongodb internally you can find it here: https://docs.mongodb.com/manual/administration/security-checklist/
Related
I have access remote postgesql psql -h xxx.xxx.xxx.xxx -p 1486 postgres
It's show this error
psql: could not connect to server: Connection refused
Is the server running on host "xxx.xxx.xxx.xxx" and accepting
TCP/IP connections on port 1486?
postgresql.conf file
listen_addresses = '*'
pg_hba.conf file
host all all 0.0.0.0/0 md5
Also apply open 1486 port
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d X.X.X.X --dport 1486 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s X.X.X.X --sport 1486 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
It's return same error.
It's hard to give a canonical answer but here are a few things to try (some of them may not apply / be possible):
Ping the IP address in question - is the server up at all / reachable? Are there other services on the box that can be reached?
Connect from a local connection on the server itself, assuming you have console or ssh access
If you have local access and network based access doesn't work, is unix-domain socket access allowed and if so, does that work?
Check the port config in postgresql.conf - is it really where you think it is?
Has the config file been edited since the last server restart? The parameters you listed all require server restarts to take effect.
Is it actually using the config file you think it is? Running "SHOW config_file;" as superuser will help if you can make a local connection
What happens is you do telnet 1486? Do you get a network connection or similar error?
Get a pcap and check what's happening at the network level (wireshark or tcpdump will help)
I'm trying to use Rundeck on Ubuntu 14.04.
How do I change the web interface port from 4440 (default) to 80?
The port number seems to be referred to in various config locations (including /etc/rundeck/profile and /etc/rundeck/framework.properties) but changing these had no effect for me and I can't find a specific section in the documentation on changing the web port.
Use a proxy pass with either Apache or Nginx. Its a solution..
You needed to modify these files from 4440 to 80
framework.properties
profile
rundeck-config.properties
But you will get the following java exception when trying to run in 80.
java.net.SocketException: Permission denied
Hence apache or nginx proxy pass is the working solution
Do you can use two rules iptables
iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 4440
iptables -I INPUT -p tcp --dport 4440 -j ACCEPT
I am trying to open up port on my Ubuntu machine to allow me to connect the Mongo using an external program. I ran this which is the command line to open a new port:
sudo iptables -A INPUT -p tcp --dport 27017 -j ACCEPT
but when I ran this to check if the new rule was there...
sudo netstat -ntlp | grep LISTEN
...the new port wasn't in the list - any ideas?
I think the mangodb instance was not started, apart from that ,sudo netstat -ntlp | grep LISTEN gives the list ports that are active are being used now, first start your Mango instance sudo service mongodb start , then run this command sudo netstat -ntlp | grep LISTEN if you find 27017 in the list, then sudo iptables -L chack your iptable rule is added or not. If it is in that list good else, sudo iptables -A INPUT -p tcp --dport 27017 -j ACCEPT
you can get more details on mangodb port and traffic # http://docs.mongodb.org/manual/tutorial/configure-linux-iptables-firewall/
In this case the Mongo config file needed updating to use port 27017. Once I had done this and restarted the service, the new port change was visible on in the list.
This is my iptables script which i run in bash. The saving of the configurations is part of the script.
#!/bin/bash
#
# iptables-konfigurasjon
#
# Set default rule to ACCEPT to avoid being locked out
iptables -P INPUT ACCEPT
# Flush all excisting rules
iptables -F
# New default rules
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# localhost:
iptables -A INPUT -i lo -j ACCEPT
# Not entirely shure what this is about....:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow SSH.
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Allow http traffic for tomcat:
iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
# Save rules:
/sbin/service iptables save
But, after testing it seems that these rules have no effect after all.
Example: If I comment out the line for allowing traffic to my tomcat server, I can still reach my tomcat server from outside.... even after a reboot.
What's wrong with my script?
BTW: I'm using CentOS 6.
after saving the newly added rules to your iptables, you have to restart the service so that changes take effect.
/sbin/service iptables restart
or
/etc/rc.d/init.d/iptables restart
You can add this in the end of script (for the CentOS):
iptables-save > /etc/sysconfig/iptables
service iptables restart
Problem
Why this happens
iptables functionalities are used by some other services like ufw or firewalld (depending on the distro you are using), which are blocking the changes made by iptables cli.
Solution
All you have to do is just remove the package firewall pkg installed on your machine
for ubuntu (debian distros) using the following command to remove the package
sudo apt purge ufw -y
I've got pgAdmin running on my XP machine. There's a Centos machine running a Postgres server on the network. The Postgres server pg_hba.conf file has the following lines
TYPE DATABASE USER CIDR-ADDRESS METHOD
host all all 10.0.0.68/32 trust
local mydb myuser password
local all postgres ident
host mydb myuser 10.0.0.68/32 password
host all postgres 10.0.0.68/32 trust
My postgresql.conf file has the following line:
listen_address = 'localhost, 10.0.20.10'
nmap -sS 10.0.20.10 shows:
PORT STATE SERVICE
5432/tcp open postgresql
I can ssh into a bash shell on the server, but I can't connect with pgAdmin. I get the following:
could not connect to server: No route to host(0x00002751/10065) Is the
server running on host "10.0.20.10" and accepting TCP/IP connections
on port 5432?
I've no idea what the problem is.
#Aidan found the solution himself:
It was a firewall issue.
service iptables stop
enabled the connection. I'll just write a rule to allow the connection.
Suppose server's IP address is 10.0.20.10 then you could just add these iptable rules as #Dark Star1 proposed in comments:
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 10.0.20.10 --dport 5432 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s 10.0.20.10 --sport 5432 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT