Eve: Building RESTful APIs with MongoDB and Flask Transcripts
Chapter: Appendix: Deploying MongoDB
Lecture: Concept: Limit network exposure
0:01
Limiting network exposure in concepts, so what do we do?
0:04
First of all, I said listening on the default port is just crazy
0:07
because people are going to be scanning that like nobody's business,
0:10
they may scan every port on your machine, connect to it,
0:13
somehow distinguish it's a MongoDB port,
0:15
but chances are that's not going to happen,
0:18
chances are people are just going to check the few ports
0:21
and just move on to scanning millions or billions of other IP addresses,
0:24
even if they do connect, we're going to have
0:27
some additional layers of security there,
0:29
hopefully the firewall makes all of this redundant.
0:32
But still, it's a good idea to just have layers of security
0:35
so here we have a port that is non-default, 10001.
0:39
Now, we're also going to turn on our firewall
0:43
so in fact it's very unlikely anyone can get to that from outside of our data center
0:48
other than the apps or the servers that we explicitly said can get to it.
0:53
So by default, deny all incoming connections, allow all outgoing connections
0:57
allow SSH so that we can get back in
1:00
or this is going to be the last time we ever see this server,
1:03
so we're going to allow SSH and then we're going to enable it,
1:06
that's the moment of truth, it says "are you sure?"
1:08
I suggest doing this right away before you have lots of important data on the server.
1:12
And then we're also going to allow from the IP address
1:15
that is the application that's based upon MongoDB,
1:19
and then to any port this one here.
1:23
We've got our firewall set up, we've got MongoDB set up
1:26
to be non-default, and the firewall rules reflect that non-default port.
1:30
So this is the web app address, this is the configured MongoDB port
1:36
this, we're not ready for listening on the internet yet.
1:40
Two more things, encryption of the connection,
1:43
which within the same data center maybe it doesn't matter
1:45
but we're going to add it anyway and authentication.