Adequate security, got hit on DEV box with ransom

In a DEV environment I have a replica set with 3 nodes, 2 are residing at the same external IP, 1 is physically separate (and on another IP).

My docker-compose file for all three (with minor, unrelated variations):

version: '3.1'

services:

  mongo:
    image: mongo
    restart: always
    entrypoint: [ "/usr/bin/mongod", "--bind_ip_all", "--replSet", "rs0" ]
    ports:
    - 27017:27017
    environment:
      MONGO_INITDB_ROOT_USERNAME: admin
      MONGO_INITDB_ROOT_PASSWORD: ridiculouslydifficulypassword
    volumes:
      - type: bind
        source: ./data
        target: /data/db

All 3 instances share this INITDB_ROOT USERNAME/PASSWORD.

Connection string to PRIMARY:
mongodb://admin:ridiculouslydifficulypassword@PRIMARY_IP:27027/?authMechanism=DEFAULT

Now, I got the “READ_ME” blablablabla db + document stating my data was captured, however it wasn’t deleted?

My questions:

  1. I get that --bind_ip_all is bad, although I still don’t understand what bind means? If I want to restrict access to Mongo by limiting the IP address that can connect, is this what bind is for?
  2. AFAIK I have a user account with long enough password to not be cracked. How come an attacker is still able to create a db in my instance?
  3. I have Tailscale setup, but have not applied this to the Replica Set yet. How would I be able to have the instances only connect through the Tailscale VPN?

In general you have misused the container image.

Fatally you have overridden the entrypoint and have not specified --auth. The entrypoint is where the environment variables are used to set the ROOT username and password and more importantly, detect they are configured and enable authentication.

So essentially the mongo container is running without authentication.

https://hub.docker.com/_/mongo has fairly good instructions on how to use the container image correctly. Most additional options should be passed as values to the command: key in the compose-file.

This is actually the default for the container image.

Restricting access by IP address should be done via your firewall/security groups.

Addressed above, you’re running without authorization enabled because the entrypoint was overridden and --auth was not specified in the replacement.

Thank you for this response. My takeaway from your message and reading the information on the docker page, is that I should (at least) change the entry point line to:

entrypoint: [ "/usr/bin/mongod", "--bind_ip_all", "--auth", "--replSet", "rs0" ]

And this would enable authentication (hopefully with the given root username/password combo?

No. That is the wrong takeaway.

I’d still put the options on the command section. The container entrypoint is very good and it is how the container is designed to be used.

However you will still be missing a couple of things that should be on any installation. Cluster auth (keyfile or x509) will be needed for replica set members to connect to each other when auth is enabled. And TLS should be enabled.

There are additional steps to take to have a correctly configured MongoDB:
Production Notes
Operations Checklist

You can also upskill at MongoDB University

Much of this can be avoided by using MongoDB Atlas.
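The compose file that the two replies above point towards, written out as an added example (this is not from the thread and not the mongo image's own documentation): the entrypoint is left alone so docker-entrypoint.sh can create the root user and enable --auth, the extra mongod options go under command:, a shared keyfile handles member-to-member authentication, and TLS is required. The host paths, the secret file, the TLS file names and the Tailscale address 100.64.0.10 are assumptions.

```yaml
# Added example, not from the thread: one replica-set member run the way the
# official mongo image expects. Host paths, the secret file, the TLS file
# names and the Tailscale address are assumptions; adjust them per host.
version: '3.1'

services:
  mongo:
    image: mongo
    restart: always
    # No "entrypoint:" override. docker-entrypoint.sh stays in charge: on the
    # first start with an EMPTY /data/db it reads MONGO_INITDB_ROOT_*, creates
    # the root user and adds --auth itself. Extra mongod options go in command:.
    command:
      - "--replSet"
      - "rs0"
      # "bind" selects the interfaces mongod listens on inside the container's
      # own network namespace, so --bind_ip_all is correct here; who can reach
      # the port is decided by the host-side publish line below and the firewall.
      - "--bind_ip_all"
      # Shared keyfile for member-to-member authentication. --keyFile also
      # implies --auth for client connections.
      - "--keyFile"
      - "/etc/mongo/keyfile"
      # TLS on every connection, clients and cluster traffic alike.
      - "--tlsMode"
      - "requireTLS"
      - "--tlsCertificateKeyFile"
      - "/etc/mongo/tls/server.pem"
      - "--tlsCAFile"
      - "/etc/mongo/tls/ca.pem"
    ports:
      # Publish on the host's Tailscale address only (100.64.0.10 is a
      # placeholder), never on 0.0.0.0. Docker inserts its own iptables rules
      # for published ports, which ufw-style host rules do not cover, so the
      # host address in this line is what actually limits exposure.
      - "100.64.0.10:27017:27017"
    environment:
      MONGO_INITDB_ROOT_USERNAME: admin
      # _FILE variant: the password comes from a mounted secret instead of
      # sitting in the compose file and in `docker inspect` output.
      MONGO_INITDB_ROOT_PASSWORD_FILE: /run/secrets/mongo_root_password
    secrets:
      - mongo_root_password
    volumes:
      - type: bind
        source: ./data
        target: /data/db
      # The same keyfile on all three members; it must be readable only by its
      # owner and owned by the uid mongod runs as in the image (999, user
      # mongodb), otherwise mongod refuses to start.
      - type: bind
        source: ./keyfile
        target: /etc/mongo/keyfile
        read_only: true
      - type: bind
        source: ./tls
        target: /etc/mongo/tls
        read_only: true

secrets:
  mongo_root_password:
    file: ./mongo_root_password.txt
```

Two caveats a practitioner should keep in mind with this file. First, the MONGO_INITDB_ROOT_* variables only seed a root user when /data/db is empty on first start; an existing ./data directory, like the one in the thread, will not get a root user from them. Second, the keyfile has to be created once (for example with `openssl rand -base64 756 > keyfile`, then `chmod 400 keyfile` and `chown 999:999 keyfile`) and copied to every member, and each member's server.pem must carry the hostname that `rs.initiate` will use for it. A quick check that authorization is really enforced afterwards: connecting with `mongosh --tls --tlsCAFile ca.pem` without credentials and running `db.adminCommand({ listDatabases: 1 })` should fail with an Unauthorized error ("requires authentication") rather than listing databases.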


Ok, thank you. I’ll be reading up on MongoDB University. On Atlas, I get that, but pricing just isn’t there for the project I’m working on, with at least 50-75Gb of data, so I’m stuck using a local version.