MongoDB being accessed by unauthorized IP

Published 2019-03-04 05:42

Question:

I've just been recently playing with MongoDB on one of my Dev servers not doing anything too serious and despite knowing better I allowed remote connections from any IP. Within a few days the database was 'hacked' with a ransom attempt. I shrugged it off and decided to go ahead and bind the IP to my personal public IP and the local server thinking it would shut down the breach.

Nope. The database has once again been compromised, so I decided to take a look at the log, and it shows, clear as day, that a connection was completed from an IP that was not included in my config. How could this still be happening?

Additionally, I did execute service mongodb restart after making the bindIp changes.

Here is the network interface section of my config:

# network interfaces
net:
  port: 27017
  bindIp: [127.0.0.1,90.207.xxx.xxx,76.94.xxx.xxx,23.23.xxx.xxx]

Answer 1:

The bindIp setting is a list of the IP addresses your MongoDB server listens to, not a firewall to limit remote access. If your server has a private and a public IP, the bindIp list should be at most three entries: 127.0.0.1 (localhost), the private IP, and the public IP.

Ideally you should limit your MongoDB deployment to only listen to localhost or a private IP, and connect remotely via SSH or VPN.

Security in depth requires multiple measures as outlined in the MongoDB security checklist.

For example, in addition to correcting your bindIp setting you should:

  • Enable access control & enforce authentication.
  • Configure your mongod and mongos servers to require SSL for all network communication.
  • Configure a firewall for your deployment.
  • Make sure you are running a supported release of MongoDB (e.g. MongoDB 3.0 or newer as of January 2017).
  • Make sure you have updated to the latest minor release for your MongoDB production series (i.e. latest 3.2.x if you are using MongoDB 3.2).
  • Make sure you've applied the latest O/S security updates.


Answer 2:

Try

netstat -tulpn | grep mongod

then you will see which IPs the mongod service is bound to...



Answer 3:

I found the problem. [xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx] must not be the correct syntax for IP binding. For testing I changed the IP bind back to

# network interfaces
net:
  port: 27017
  bindIp: 127.0.0.1

which did in fact block my connection attempts, so I then tried

# network interfaces
net:
  port: 27017
  bindIp: [127.0.0.1,1.1.1.1]

which is a blatantly wrong IP, and it let me connect, no questions asked. I had copied this syntax off a previous Stack Overflow question. Now I just need to find the appropriate way to do this.
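As an added example (not from the question or any of the answers), here is the question's net section rewritten in the comma-separated string form that mongod reads for bindIp, together with the access control setting from answer 1's checklist; the private address 10.0.0.5 is an assumed placeholder for your own interface.

```yaml
# WEAK (as posted in the question): a YAML flow sequence. mongod does not
# read bindIp as a list, so, as answer 3 found, the setting was not applied
# and connections from addresses outside the list still got through.
# net:
#   port: 27017
#   bindIp: [127.0.0.1,90.207.xxx.xxx]

# CORRECTED: bindIp is a single comma-separated string (no spaces). Bind only
# to localhost and a private interface and reach the server over SSH or VPN
# rather than exposing a public address.
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # 10.0.0.5 = assumed private interface address

# Access control: without this, anyone who can reach the port can read or
# drop every database, which is exactly the ransom scenario in the question.
security:
  authorization: enabled
```

After restarting, confirm with the netstat command from answer 2 that mongod is listening only on the addresses you intended.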