I moved the infrastructure of cronasaservice.com to a new hosting provider recently. A few days after the move I received a strange email (thank you German security services).
Dear Sir or Madam,
MongoDB is a popular NoSQL database system commonly used as a backend
for web applications. Access to a MongoDB server should be restricted
to trusted systems (for example, the related web application server).
If a MongoDB server is openly accessible from the Internet, an attacker
can take advantage of this to access the server and modify or delete
data, or even obtain sensitive information like customer data from
an online shop.
Affected systems on your network:
Format: ASN | IP | Timestamp (UTC) | Mongodb version
xxx | xxxx | xxx | x.x.x
We would like to ask you to check this issue and take appropriate
steps to secure the MongoDB servers on the affected systems or notify
your customers accordingly.
I found this strange as had (configured UFW)[https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-14-04] to block everything except port 80. I ran a few port scanners and sure enough the mongodb port 27017 was open.
After some googling, it seemed a few people were having the same issue. It turns out Docker was the culprit here. It was overriding the UFW rules to set it’s own iptables rules. Luckily the fix is pretty simple.
To stop Docker overwriting the iptables, simply edit
Uncomment the following line:
The result should be:
DOCKER_OPTS="--dns 18.104.22.168 --dns 22.214.171.124 --iptables=false"
Next, restart docker using
service docker restart.
You might need to restart some docker containers at this point (I did as I was using Docker Compose).
This isn’t quite the end of the story for Ubuntu users. The docker service on Ubuntu doesn’t use the
etc/default/docker file by default. In order to change this you need to update the service.
And under the [Service] section, add the following:
In the following line starting
ExecStart= you need to add
$DOCKER_OPTS at the end. It should look something like this:
ExecStart=/usr/bin/dockerd -H fd:// $DOCKER_OPTS