Is remote access without SSL/TLS safe?

I’m very new to Mongo. I’ve developed a project running on a DigitalOcean instance; I’ve enabled remote connections and bound it to 0.0.0.0, so enabling remote connections from the app IPs. I don’t have SSL/TLS installed. I want to know: is it safe to access Mongo remotely without TLS? Is it safe from man-in-the-middle attacks and sniffing?

I also received the following email from DigitalOcean:
"We’ve received a notification from 3rd party security researchers, the Shadowserver Foundation, that your Droplet at <ip_addr> is running a MongoDB instance configured in a way that may be insecure.

This configuration may allow attackers to potentially access your MongoDB instance and remove or modify data hosted within it. This note is not to inform you that there has been a data compromise, but rather that your data might be at risk."

Hi,

The wording of the email seems to indicate that you’re running the MongoDB server without auth turned on (e.g. mongod was not supplied a --auth parameter or the equivalent in the config file). If this is accurate, coupled with binding to 0.0.0.0, it means that anyone on the internet can go into the server and modify anything in it.

If you don’t use auth, you should see something like this in the mongod log:

2020-02-18T13:53:26.421+1100 I  CONTROL  [initandlisten] ** WARNING: Access control is not enabled for the database.
2020-02-18T13:53:26.422+1100 I  CONTROL  [initandlisten] **          Read and write access to data and configuration is unrestricted.

With regard to your specific question:

"I want to know is it safe to access mongo remotely without TLS, is it safe from Man in middle attacks and sniffing?"

Auth and TLS are two different things. Without TLS, communication between the client and the server can be “sniffed” (i.e. it travels “in the clear”). Without auth, anyone that can access the server can connect to your server and change things like an admin. Without auth and with binding to 0.0.0.0, anyone on the internet can connect to your server and change things like an admin.

Generally there are a couple of ways to provide security for the database:

  1. Restrict access to the server, so that only certain known IPs can connect to it (e.g. the app server, or a REST API frontend).
  2. Use MongoDB Atlas which is secure by default.

For the first option, please see the following for more details:

Best regards,
Kevin

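As an added illustration of the two separate concerns in the answer (auth versus TLS, plus the bind address), the following Python script is not from the thread or from MongoDB itself. It audits a mongod.conf for the three settings discussed: net.bindIp / net.bindIpAll, security.authorization and net.tls.mode (these are real mongod configuration keys), and it also detects the "Access control is not enabled" log warning quoted above. The two config files and the log lines are constructed samples; the YAML subset parser only handles the nested key: value layout that mongod.conf uses, which is all this check needs.

```python
"""Audit a mongod.conf for open bind address, missing auth and missing TLS.

Added example; not code from the forum thread or from MongoDB. The YAML
parser below covers only the indented `section:` / `key: value` subset
used by mongod.conf (no lists, anchors or multi-line scalars).
"""
import re

# Constructed sample: roughly what the question describes (bound to every
# interface, no security section, no TLS section).
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed hardened variant: bound to localhost plus one known app server
# (hypothetical address 10.0.0.5), auth enabled, TLS required. The
# certificate path is a placeholder.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem
security:
  authorization: enabled
"""

# The warning lines are the ones quoted in the answer; the first line is a
# constructed, unrelated log entry so the scan has something to skip.
SAMPLE_LOG = [
    "2020-02-18T13:53:26.400+1100 I  CONTROL  [initandlisten] MongoDB starting",
    "2020-02-18T13:53:26.421+1100 I  CONTROL  [initandlisten] ** WARNING: Access control is not enabled for the database.",
    "2020-02-18T13:53:26.422+1100 I  CONTROL  [initandlisten] **          Read and write access to data and configuration is unrestricted.",
]

NO_AUTH_WARNING = re.compile(r"Access control is not enabled for the database")


def parse_yaml_subset(text):
    """Parse indented `key:` sections and `key: value` scalars into nested dicts."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping) for each open section
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and trailing space
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        value = value.strip()
        while indent <= stack[-1][0]:  # close sections at the same or deeper indent
            stack.pop()
        parent = stack[-1][1]
        if value == "":
            node = {}
            parent[key] = node
            stack.append((indent, node))
        else:
            parent[key] = value
    return root


def audit_mongod_conf(conf):
    """Return a list of findings; an empty list means all three checks passed."""
    findings = []
    net = conf.get("net", {})
    addresses = net.get("bindIp", "127.0.0.1").split(",")  # mongod defaults to localhost
    if net.get("bindIpAll") == "true" or "0.0.0.0" in addresses or "::" in addresses:
        findings.append("net.bindIp accepts connections from any address")
    if conf.get("security", {}).get("authorization", "disabled") != "enabled":
        findings.append("security.authorization is not enabled")
    tls_mode = net.get("tls", {}).get("mode", "disabled")
    if tls_mode != "requireTLS":
        findings.append(f"net.tls.mode is {tls_mode}; traffic can be sniffed")
    return findings


def log_shows_no_auth(log_lines):
    """True if the mongod log contains the 'access control not enabled' warning."""
    return any(NO_AUTH_WARNING.search(line) for line in log_lines)


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(parse_yaml_subset(text)) or ["ok"])
    print("log warns about missing auth:", log_shows_no_auth(SAMPLE_LOG))
```

The weak config produces all three findings and the hardened one produces none, which mirrors the answer's point that restricting the bind address, enabling auth and requiring TLS address three different risks. Note that a restricted bindIp only limits which interfaces mongod listens on; it is not a substitute for a firewall rule on the droplet.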