I need to configure Robomongo on CentOS, but I get this error:
In the next tab, "Authentication" is not set.
I set this in /etc/mongod.conf:
#net.bindIp: 127.0.0.1
I added this to /etc/sysconfig/iptables:
-A INPUT -p tcp -m multiport --ports 27017 -m comment --comment "100 tcp/27017" -j ACCEPT
But I still get this error. Can anyone help me?
It means that you've skipped the authentication step in the RoboMongo GUI - nothing to do with the mongodb service.
The application is only connecting to the server, and not authenticating against it (since the tab isn't filled). It's not an error per se, just a notice that you're not testing the authentication details.
I have installed a TURN server on my GoDaddy server. To check whether my TURN server is working I used https://webrtc.github.io/samples/src/content/peerconnection/trickle-ice/.
ICE trickle output in Chrome:
[screenshot: Chrome output]
ICE trickle output in Mozilla (version 58.0.2, 64-bit):
[screenshot: Mozilla output]
Issues I am facing:
1. WebRTC works only from Chrome to Chrome (it doesn't work from Mozilla to Mozilla).
2. Mozilla shows "ICE failed add STUN error".
3. Why is the ICE trickle output different for the two browsers?
It seems to me that the TURN server is not working!!
Can anybody help me with these issues? I don't know what I am doing wrong. I don't know whether it's a NAT problem, a GoDaddy server problem, or anything else. Are GoDaddy servers behind NAT?
Configurations I have done:
Firewall changes:
iptables -A INPUT -p tcp --dport 3478 -j ACCEPT
iptables -A INPUT -p udp --dport 3478 -j ACCEPT
iptables -A INPUT -p tcp --dport 5349 -j ACCEPT
iptables -A INPUT -p udp --dport 5349 -j ACCEPT
iptables -A INPUT -p udp --dport 49152:65535 -j ACCEPT
service iptables save
Turnserver configuration:
listening-port=3478
listening-ip=1.2.3.4   (example)
external-ip=1.2.3.4    (same as the listening IP, example)
verbose
fingerprint
realm = mydomain.com
I am running the TURN server with this command:
turnserver -L listening-ip -o -a -f -r mydomain.com
Got a server exposed to the recent MongoDB ransom scam. https://www.bleepingcomputer.com/news/security/mongodb-databases-held-for-ransom-by-mysterious-attacker/
I closed it down until I fixed this.
What's the easiest way to fix this? Is it to add a user?
mongo
use admin
db.createUser( { user: "root", pwd: "password", roles: [ "root" ] } )
Is this enough to avoid getting hacked?
Expanding on @Sammye's comment: MongoDB often has no password for a database user. This is especially problematic if the database is facing the public internet because, just by trying the right port on the IP address of your server, everyone on the internet could theoretically connect to the database server.
To prevent this it is always a good idea to limit the traffic that can reach your server and its ports with a firewall.
Here is a sample iptables configuration (for Ubuntu).
The following commands allow all traffic to localhost and to the ports 22 (ssh), 80 (http) and 443 (https):
# accept local traffic
sudo iptables -A INPUT -i lo -j ACCEPT
# allow established connections
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# allow connections to ports 22, 80, 443
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
these commands block the rest of the traffic:
# drops the rest of the traffic to the server
# sudo iptables -P INPUT DROP
# disables the possibility to route traffic through the server (you may or may not want to use this)
# sudo iptables -P FORWARD DROP
# makes it possible to send data from the server
# sudo iptables -P OUTPUT ACCEPT
Before running any of these iptables commands it is always a good idea to set up a cronjob that resets your iptables configuration every 5 minutes. In that case if something goes wrong (you lock yourself out of the server for example because you forgot to enable port 22 in your firewall) the rules get reset and you can fix the issue.
This is a script from the iptables Ubuntu wiki to reset the firewall:
https://help.ubuntu.com/community/IptablesHowTo
echo "Stopping firewall and allowing everyone..."
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
When everything is finished and seems to be working, do not forget to install the package iptables-persistent (by default the iptables rules only exist until the server is restarted):
sudo apt-get install iptables-persistent
This is by far not a complete guide on how to secure your server with iptables as a firewall, but I hope that it can get you started.
Now the database is only reachable from the server and not from the public internet anymore. To access your database from the public internet anyway, you will have to create an ssh tunnel to your server:
ssh youruser@yourdomain_or_ip_address -f -N -L 27019:yourdomain_or_ip_address:27019
-f -N -L 27019 <-- here you define the port that should be used on your machine for the database traffic
yourdomain_or_ip_address:27019 <-- this is the port that the database runs on on your server
When this is done you should be able to access the database on your server from your local machine at 127.0.0.1:27019.
This is a more general way to secure any application that runs on a server that is exposed to the internet.
There is also an official guide on how to specifically secure mongodb internally you can find it here: https://docs.mongodb.com/manual/administration/security-checklist/
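The same firewall idea, as an added example that is not the answerer's or MongoDB's own code: the rule set below keeps mongod reachable only over loopback (so the mongo shell and the server end of the ssh tunnel still work) and is loaded with a rollback timer, which does the job of the "cron job that resets iptables every 5 minutes" without leaving a recurring reset behind. It assumes root, iptables-save/iptables-restore being installed, and arbitrary values for the backup path, timeout and port.

```shell
#!/bin/sh
# Added example, not code from the answer above. Builds a host firewall that leaves
# mongod reachable only on loopback and applies it with a rollback timer.
# Assumed: run as root, iptables-save/iptables-restore present; BACKUP path,
# ROLLBACK_SECS and MONGO_PORT are arbitrary defaults.

MONGO_PORT="${MONGO_PORT:-27017}"
ROLLBACK_SECS="${ROLLBACK_SECS:-120}"
BACKUP="${BACKUP:-/run/iptables-rollback.v4}"

# Print the rule set in iptables-restore format. Loopback is accepted first so local
# clients and the tunnel endpoint keep working; the INPUT DROP policy means nothing
# from outside reaches the mongod port. OUTPUT stays ACCEPT, so outbound connections
# (package updates, the tunnel itself) need no extra rules.
build_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport ${MONGO_PORT} -j DROP
COMMIT
EOF
}
# The explicit DROP for the mongod port is redundant with the policy, but it gives
# "iptables -L INPUT -v" a counter that shows connection attempts from outside.

# Count ACCEPT rules for a TCP port in a rule set: a quick sanity check before
# loading ("is 27017 really closed?", "is 22 really open?").
accept_rules_for_port() { # $1 = rule set text, $2 = port
  printf '%s\n' "$1" | grep -c -- "--dport $2 .*-j ACCEPT" || true
}

apply_with_rollback() {
  iptables-save > "$BACKUP" || return 1
  # Watchdog: when the timer fires and the backup still exists, nobody confirmed,
  # so the previous rules come back. This is what saves you from a lockout.
  ( sleep "$ROLLBACK_SECS"
    if [ -f "$BACKUP" ]; then iptables-restore < "$BACKUP" && rm -f "$BACKUP"; fi ) &
  build_rules | iptables-restore || return 1
  echo "Rules loaded. Open a NEW ssh session and run '$0 confirm' within ${ROLLBACK_SECS}s."
}

# Confirming only removes the backup, so the watchdog finds nothing to restore.
confirm_rules() { rm -f "$BACKUP"; }

case "${1:-}" in
  show)    build_rules ;;
  apply)   apply_with_rollback ;;
  confirm) confirm_rules ;;
esac
```

Run it as `sh fw.sh show` to review the rules, `sh fw.sh apply` to load them, then `sh fw.sh confirm` from a fresh ssh session; once confirmed, persist them with iptables-persistent (`netfilter-persistent save`). Debian and Ubuntu also ship `iptables-apply`, which does the same confirm-or-revert dance for a rules file. For the tunnel, pointing the remote side at loopback (`ssh -N -L 27019:127.0.0.1:27017 youruser@yourserver`) avoids depending on how the public address routes, and setting `net.bindIp: 127.0.0.1` plus `security.authorization: enabled` in mongod.conf keeps the database closed even if the firewall is ever flushed.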
I'm trying to set up a client machine so that only kinit traffic works. So far, my rules look like
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i eth0 -s 192.168.1.130 -p tcp -m tcp --sport kerberos -j ACCEPT
-A INPUT -i eth0 -s 192.168.1.130 -p udp -m udp --sport kerberos -j ACCEPT
-A OUTPUT -i eth0 -d 192.168.1.130 -p tcp -m tcp --dport kerberos -j ACCEPT
-A OUTPUT -i eth0 -d 192.168.1.130 -p udp -m udp --dport kerberos -j ACCEPT
With this as-is, when I run "kinit remuser", I keep getting the error
kinit: Cannot contact any KDC for realm 'EXAMPLE.COM' while getting initial credentials
If I run
iptables -P INPUT ACCEPT
then "kinit remuser" works as expected. And after that first success, if I run
iptables -P INPUT DROP
it still keeps working.
I've tried using wireshark to see what I'm initially disallowing. It seems arp related, but I can't consistently see that... and I thought iptables wasn't supposed to mess with arp. I'm not seeing anything missing with "arp -n" or "ip -s neigh".
I've got the client and server configured correctly enough to work, but I'm still too new to this stuff to know what other ports I need to allow to get this working. If anyone can give me some tips I'd appreciate it.
UPDATE
Although my adapter claimed to be in promiscuous mode, it wasn't. I ended up running wireshark on the server, and saw no other port numbers needed. To verify that, I updated the rules to include
-A INPUT -s 192.168.1.130 -j ACCEPT
and as the successful kinit wireshark capture suggested, it didn't help. It's only when I open up all INPUTs that it works.
Thanks.
Hector
Kerberos is generally UDP by default. I'm not that familiar with iptables, but while the port number on the server is defined, the port number on the client is entirely random. So any IP-based filter has to allow incoming UDP packets with arbitrary client port numbers.
Similarly on the outgoing side, you need to be able to send packets with arbitrary udp ports on the client side. For kinit you only need the kerberos port, but changing passwords, etc, you will also need the kadmin ports.
Having said all that, and making my best guess at what the iptables rules mean, I think that's what you've implemented. However, you also need access to DNS SRV records or a working krb5.conf.
http://wiki.unixh4cks.com/index.php/Using_DNS_SRV_records_to_find_Kerberos_realm_servers
It may be that kinit starts working when you allow incoming DNS record lookups. This would also explain why it continues to work after the first connection, as it is likely that the DNS record is cached on the system. Is the server listed in your krb5.conf in your /etc/hosts file? If not, that would explain the behaviour.
Thinking about this a bit more, what exactly do you expect to do with this ticket after you get it? The whole point of kerberos is to implement security on an open network by securing the endpoints, not by implementing firewalls.
I got it. And perhaps this only applies to me or anyone else using a HW VPN. An ICMP type 3 packet needed to be received from the gateway for the krb5 transaction to continue. My co-workers who are testing something similar on a work network aren't seeing this issue, so we'll need to figure out what's special in my case and whether it applies to other things.
The hardest part of all this was finding a wired adapter that truly supports promiscuous mode.
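An added example, not from anyone in this thread: a small lint over a client-side iptables-save rule set that checks for the pieces this discussion turned up beyond port 88 itself (a reply path for the KDC's answers to the client's random source port, DNS egress for SRV lookups, and inbound ICMP errors such as the type 3 the questioner needed), followed by a stateful client rule set that passes the same checks. The sample input is the questioner's rules as posted; the KDC address is the one from the question and the resolver address is an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread. lint_kerberos_client_rules() checks an
# iptables-save style rule set for what a kinit needs besides port 88;
# build_client_rules() prints a stateful rule set that passes the same checks.
# Assumed: KDC 192.168.1.130 (from the question); the resolver address is made up.

KDC="${KDC:-192.168.1.130}"
DNS="${DNS:-192.168.1.1}"   # assumption: the client's resolver

# Constructed sample input: the questioner's rules as posted.
SAMPLE_RULES='
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i eth0 -s 192.168.1.130 -p tcp -m tcp --sport kerberos -j ACCEPT
-A INPUT -i eth0 -s 192.168.1.130 -p udp -m udp --sport kerberos -j ACCEPT
-A OUTPUT -i eth0 -d 192.168.1.130 -p tcp -m tcp --dport kerberos -j ACCEPT
-A OUTPUT -i eth0 -d 192.168.1.130 -p udp -m udp --dport kerberos -j ACCEPT
'

has_rule() { # $1 = rule set text, $2 = extended regex
  printf '%s\n' "$1" | grep -qE -- "$2"
}

# Prints one FAIL/WARN line per finding and a closing "findings: N" line.
lint_kerberos_client_rules() {
  rules=$1; n=0
  # -i (in-interface) only makes sense for arriving packets; iptables refuses it in
  # OUTPUT, so iptables-restore rejects the whole file and nothing gets loaded.
  if has_rule "$rules" '^-A OUTPUT .*-i '; then
    echo "FAIL: -i is not valid in the OUTPUT chain, use -o (iptables-restore rejects the file)"; n=$((n+1))
  fi
  # The KDC answers to whatever source port the client picked, so replies must be
  # admitted either statefully or by matching the KDC's source port 88.
  if ! has_rule "$rules" '^-A INPUT .*(--ctstate [A-Z,]*ESTABLISHED|--state [A-Z,]*ESTABLISHED|--sport (kerberos|88))'; then
    echo "FAIL: no reply path for KDC answers to the client's random source port"; n=$((n+1))
  fi
  # The questioner found kinit stalled until an ICMP type 3 from the gateway got in.
  if ! has_rule "$rules" '^-A INPUT .*-p icmp'; then
    echo "WARN: inbound ICMP is dropped; unreachable messages (type 3) never reach the client"; n=$((n+1))
  fi
  # Without DNS egress, KDC discovery via SRV records (dns_lookup_kdc) cannot work;
  # a cached answer is also why things keep working after the first success.
  if ! has_rule "$rules" '^-A OUTPUT .*--dport (domain|53)( |$)'; then
    echo "WARN: no DNS egress; SRV-record lookup of the KDC is impossible"; n=$((n+1))
  fi
  echo "findings: $n"
}

# Stateful version: only the client's own outbound flows to the KDC and resolver are
# opened, and conntrack admits their replies. ICMP errors about tracked flows already
# count as RELATED; the explicit icmp line just makes them visible in the counters.
build_client_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A OUTPUT -o eth0 -d ${KDC} -p udp --dport 88 -j ACCEPT
-A OUTPUT -o eth0 -d ${KDC} -p tcp --dport 88 -j ACCEPT
-A OUTPUT -o eth0 -d ${DNS} -p udp --dport 53 -j ACCEPT
-A OUTPUT -o eth0 -d ${DNS} -p tcp --dport 53 -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

case "${1:-}" in
  lint) lint_kerberos_client_rules "$(cat)" ;;   # e.g.: iptables-save | sh krb-fw.sh lint
  show) build_client_rules ;;
esac
```

Against the posted rules the lint reports the `-i` in OUTPUT as a hard failure and the missing ICMP and DNS rules as warnings; the generated rule set reports nothing. If the realm is found through krb5.conf rather than DNS, the resolver lines can be dropped, and for kpasswd or kadmin traffic the same pattern extends to ports 464 and 749.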
I installed MongoDB following the official tutorial http://www.mongodb.org/display/DOCS/Building+for+Linux
The daemon starts up, and `netstat -na | grep 27017` shows:
tcp 0 0 0.0.0.0:27017 0.0.0.0:* LISTEN
unix 2 [ACC] STREAM LISTENING 100949 /tmp/mongodb-27017.sock
I added these iptables rules:
-A INPUT -p tcp -m tcp --dport 27017 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 28017 -j ACCEPT
When I load it in the browser, the web management interface on 28017 works fine.
If I add a remote connection on MongoHQ, I can use the database.
On the other hand, if I run the client locally, an error is raised:
Error: could not connect to server 127.0.0.1 shell/mongo.js:79 except: connect failed
The same if I try to use the database in an existing project: it can't connect to it.
I'm going around in circles and don't understand; thank you in advance for your help.
Solution if you have this problem :
iptables -t filter -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
iptables -t filter -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
And it's ok ^^
Does the firewall need to be explicitly opened on port 27017 to allow outbound TCP connections?
iptables -A OUTPUT -p tcp --dport 27017 -j ACCEPT
I have hosted an application on a machine running Red Hat Enterprise Linux 5. I started JBoss AS using the command
./run.sh -b 0.0.0.0
and
./run.sh -Djboss.bind.address=<<server_address>>
and
./run.sh --host=<<ipaddress>>
but using any of these commands I cannot access the application remotely. Using the above commands I cannot even access the application on the host machine itself, using localhost as well as the IP address. I am not able to figure out the problem here. I can ping the Linux machine from the other Windows machines.
First, check that iptables rules are not blocking it.
Also, are you running as an unprivileged user? If so, you will not have permission to bind to a port number less than 1024.
Try telnetting to the port from the server itself to check that the service is responding, e.g.
telnet localhost 8080
presuming that you are running on 8080 in the example above.
you can drop your iptables temporarily for testing if it is safe to do so by:
/etc/init.d/iptables stop
and restart them when you've finished with
/etc/init.d/iptables start
you can make a permanent change to your iptables config by adding the following line to /etc/sysconfig/iptables
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
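The two causes behind "works locally but not remotely" in this answer are a service bound to loopback only and a firewall that drops the port, and the order matters: a bind problem is invisible to telnet-from-localhost and no iptables rule fixes it. The added example below (not the answerer's code) separates the two by reading `ss -ltn` output and an iptables-save dump. Both inputs are constructed samples; port 8080 and the RH-Firewall-1-INPUT chain are the ones assumed in the answer.

```shell
#!/bin/sh
# Added example, not code from the answer above. Tells "bound to loopback only"
# apart from "firewall drops it". Inputs: the output of `ss -ltn` (netstat -ltn has
# the same column layout) and an iptables-save dump. The samples are constructed.

# Constructed sample: JBoss on loopback only, sshd on all v4 addresses, mongod on all v6/v4.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:8080      0.0.0.0:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    [::]:27017          [::]:*'

# Constructed sample: the RHEL 5 default chain with only ssh opened.
SAMPLE_RULES='-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited'

# Collapse the listeners on a port to one verdict: all | loopback | <address> | none.
# "all" wins over a specific address, which wins over loopback.
bind_scope() { # $1 = ss output, $2 = port
  printf '%s\n' "$1" | awk -v p="$2" '
    $1 == "LISTEN" {
      n = split($4, a, ":"); port = a[n]
      if (port != p) next
      addr = substr($4, 1, length($4) - length(port) - 1)
      if (addr == "0.0.0.0" || addr == "[::]" || addr == "*") scope = "all"
      else if (addr == "127.0.0.1" || addr == "[::1]") { if (scope == "") scope = "loopback" }
      else if (scope != "all") scope = addr
    }
    END { print (scope == "" ? "none" : scope) }'
}

# Does an input chain accept TCP connections to the port?
firewall_accepts() { # $1 = iptables-save text, $2 = port
  printf '%s\n' "$1" | grep -qE -- "^-A [A-Za-z0-9_-]*INPUT.* --dport $2 .*-j ACCEPT"
}

# One-line diagnosis, checked in the order a remote connection would fail.
diagnose() { # $1 = ss output, $2 = iptables-save text, $3 = port
  scope=$(bind_scope "$1" "$3")
  case "$scope" in
    none)     echo "nothing listens on $3: the service is not up (check its log)" ;;
    loopback) echo "port $3 is bound to loopback only: unreachable remotely whatever the firewall says (bind to 0.0.0.0 or the host address)" ;;
    *) if firewall_accepts "$2" "$3"; then
         echo "port $3 listens on $scope and the firewall accepts it: look beyond this host"
       else
         echo "port $3 listens on $scope but no INPUT rule accepts it: add a --dport $3 ACCEPT rule"
       fi ;;
  esac
}

# Live use on the host itself: diagnose "$(ss -ltn)" "$(iptables-save)" 8080
```

With the samples, port 8080 is diagnosed as loopback-only (the JBoss `-b 0.0.0.0` case), port 22 as open on all addresses and accepted, and port 27017 as listening everywhere but blocked by the firewall. Binding to 0.0.0.0 only when the port actually has to be reachable from outside keeps the earlier MongoDB threads' problem from reappearing.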