I am trying to open up port on my Ubuntu machine to allow me to connect the Mongo using an external program. I ran this which is the command line to open a new port:
sudo iptables -A INPUT -p tcp --dport 27017 -j ACCEPT
but when I ran this to check if the new rule was there...
sudo netstat -ntlp | grep LISTEN
...the new port wasn't in the list - any ideas?
I think the mangodb instance was not started, apart from that ,sudo netstat -ntlp | grep LISTEN gives the list ports that are active are being used now, first start your Mango instance sudo service mongodb start , then run this command sudo netstat -ntlp | grep LISTEN if you find 27017 in the list, then sudo iptables -L chack your iptable rule is added or not. If it is in that list good else, sudo iptables -A INPUT -p tcp --dport 27017 -j ACCEPT
you can get more details on mangodb port and traffic # http://docs.mongodb.org/manual/tutorial/configure-linux-iptables-firewall/
In this case the Mongo config file needed updating to use port 27017. Once I had done this and restarted the service, the new port change was visible on in the list.
Related
Got a server exposed to the recent MongoDB ransom scam. https://www.bleepingcomputer.com/news/security/mongodb-databases-held-for-ransom-by-mysterious-attacker/
I closed it down until I fixed this.
What's the easiest way to fix this? Is to add a user?
mongo
use admin
db.createUser( { user: "root", pwd: "password", roles: [ "root" ] } )
Is this enough to avoid getting hacked?
Expanding on #Sammye's comment mongodb has often no password for a database user. This is especially problematic if the database is facing the public internet because, just by trying the right port on the ip adress of your server everyone in the internet could theoretically connect to the database server.
To prevent this it is always a good idea to limit the traffic that can reach your server and its ports by a firewall.
Here is a sample iptables configuration (for ubuntu):
the following commands allow all traffic to localhost and to the ports 22 (ssh), 80 (http) and 443 (https)
# accept local traffic
sudo iptables -A INPUT -i lo -j ACCEPT
# allow established connections
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# allow connections to ports 22, 80, 443
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
these commands block the rest of the traffic:
# drops the rest of the traffic to the server
# sudo iptables -P INPUT DROP
# disables the possibility to route traffic through the server (you may or may not want to use this)
# sudo iptables -P FORWARD DROP
# makes it possible to send data from the server
# sudo iptables -P OUTPUT ACCEPT
Before running any of these iptables commands it is always a good idea to set up a cronjob that resets your iptables configuration every 5 minutes. In that case if something goes wrong (you lock yourself out of the server for example because you forgot to enable port 22 in your firewall) the rules get reset and you can fix the issue.
this is a script from the iptables ubunt wiki to reset the firewall:
https://help.ubuntu.com/community/IptablesHowTo
echo "Stopping firewall and allowing everyone..."
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
when everything is finished and seems to be working do not forget to install the package iptables-persistent (by default the iptables rules only exist until the server is restarted)
sudo apt-get install iptables-persistent
this is by far not a complete guide on how to secure your server with iptables as firewall but I hope that it can get you started.
Now the database is only reachable from the server on not from the public internet anymore. To access your database from the public internet anyways you will have to create a ssh tunnel to your server:
ssh youruser#yourdomain_or_ip_adress -f -N -L 27019:yourdomain_or_ip_adress:27019
-f -N -L 27019 <-- here you define the port that should be used on your machine for the database traffic
yourdomain_or_ip_adress:27019 <-- this is the port that the database runs on on your server
When this is done you should be able to access the database from your server at your local machine at 127.0.0.1:27019.
This is a more general way to secure any application that runs on a server that is exposed to the internet.
There is also an official guide on how to specifically secure mongodb internally you can find it here: https://docs.mongodb.com/manual/administration/security-checklist/
This is my iptables script which i run in bash. The saving of the configurations is part of the script.
#!/bin/bash
#
# iptables-konfigurasjon
#
# Set default rule to ACCEPT to avoid being locked out
iptables -P INPUT ACCEPT
# Flush all excisting rules
iptables -F
# New default rules
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# localhost:
iptables -A INPUT -i lo -j ACCEPT
# Not entirely shure what this is about....:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow SSH.
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Allow http traffic for tomcat:
iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
# Save rules:
/sbin/service iptables save
But, after testing it seems that these rules have no effect after all.
Example: If I comment out the line for allowing traffic to my tomcat server, I can still reach my tomcat server from outside.... even after a reboot.
What's wrong with my script?
BTW: I'm using CentOS 6.
after saving the newly added rules to your iptables, you have to restart the service so that changes take effect.
/sbin/service iptables restart
or
/etc/rc.d/init.d/iptables restart
You can add this in the end of script (for the CentOS):
iptables-save > /etc/sysconfig/iptables
service iptables restart
Problem
Why this happens
iptables functionalities are used by some other services like ufw or firewalld (depending on the distro you are using), which are blocking the changes made by iptables cli.
Solution
All you have to do is just remove the package firewall pkg installed on your machine
for ubuntu (debian distros) using the following command to remove the package
sudo apt purge ufw -y
I've got pgAdmin running on my XP machine. There's a Centos machine running a Postgres server on the network. The Postgres server pg_hba.conf file has the following lines
TYPE DATABASE USER CIDR-ADDRESS METHOD
host all all 10.0.0.68/32 trust
local mydb myuser password
local all postgres ident
host mydb myuser 10.0.0.68/32 password
host all postgres 10.0.0.68/32 trust
My postgresql.conf file has the following line:
listen_address = 'localhost, 10.0.20.10'
nmap -sS 10.0.20.10 shows:
PORT STATE SERVICE
5432/tcp open postgresql
I can ssh into a bash shell on the server, but I can't connect with pgAdmin. I get the following:
could not connect to server: No route to host(0x00002751/10065) Is the
server running on host "10.0.20.10" and accepting TCP/IP connections
on port 5432?
I've no idea what the problem is.
#Aidan found the solution himself:
It was a firewall issue.
service iptables stop
enabled the connection. I'll just write a rule to allow the connection.
Suppose server's IP address is 10.0.20.10 then you could just add these iptable rules as #Dark Star1 proposed in comments:
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 10.0.20.10 --dport 5432 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s 10.0.20.10 --sport 5432 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
I installed mongoDB through the official tutorial http://www.mongodb.org/display/DOCS/Building+for+Linux
The daemon starts up, a netstat-na | grep 27017 shows:
tcp 0 0 0.0.0.0:27017 0.0.0.0: * LISTEN
unix 2 [ACC] STREAM LISTENING 100949 / tmp/mongodb-27017.sock
I added these iptables rules:
-A INPUT-p tcp-m tcp - dport 27017-j ACCEPT
-A INPUT-p tcp-m tcp - dport 28017-j ACCEPT
When loading through the browser, I get well on the web management interface in 28017
If I add a remote connection on mongoHQ, I get to use the database
By cons, if I run the client locally, an error is raised:
Error: could not connect to server 127.0.0.1 shell / mongo.js: 79 except: connect failed
Same if I try to use the database on an existing project, can't connect to it.
I turn around, I do not understand, thank you in advance for your help.
Solution if you have this problem :
iptables -t filter -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
iptables -t filter -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
And it's ok ^^
Does the firewall need to be explicitly opened on port 27017 to allow outbound TCP connections?
iptables -A OUTPUT -p tcp --dport 27017 -j ACCEPT
I am having some problems with memcached and one idea I am having is that perhaps it is already running on the port I am trying to run it on, started by some other user on our network. Is there a way to tell what memcached ports are currently in use?
To see if it is running you could also try telnetting into the port:
telnet localhost 11211
If this works you will see the following (telling you that the given port is open):
Connected to localhost.
Escape character is '^]'.
Now if memcached IS running you can see some basic stats by issuing the given command:
stats
If this fails you will know that memcached is not running.
Try
netstat -ap | grep TheChosenPort#
and see if anything is listening on those TCP or UDP ports.
netstat
In Linux, check via netstat, e.g.
$ sudo netstat -nap | grep memcached
tcp 0 0 127.0.0.1:11211 0.0.0.0:* LISTEN 5067/memcached
ps
Use ps to filter the processes:
$ ps wuax | grep memcache
497 5067 0.0 1.3 384824 53928 ? Ssl Apr11 1:28 memcached -d -p 11211 -u memcached -m 64 -c 1024 -P /var/run/memcached/memcached.pid -l 127.0.0.1
The port can be found next to -p, e.g. -p 11211. If port hasn't been specified, default is 11211.
Bash
You can send stats command to the given port and see if the memcached responds, e.g.
exec 3<>/dev/tcp/localhost/11211; printf "stats\nquit\n" >&3; cat <&3
Telnet
Use telnet to connect to the host and run stats (as above), e.g.
$ telnet localhost 11211
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
stats
STAT pid 23669
STAT uptime 433859
Then hit Ctrl-] and Ctrl-D to finish.
Use the following command
ps -U user | grep -v grep | grep memcached
You can check memcached status
service memcached status
You will see a line like this at the bottom:
└─1560 /usr/bin/memcached -vv -m 64 -p 11211 -u memcache -l 127.0.0.1 -P /var/run/memcached/memcached.pid
The -p 11211 is what port it's running on.
If you're asking this question, it sounds like you're running a really old version. If you did this on a recent version, you'd see this:
% ./memcached
failed to listen on TCP port 11211: Address already in use