MongoDB for Developers with Python Transcripts
Chapter: Deploying MongoDB in production (and playing it safe)
Lecture: Limit your network exposure in action
0:01
Alright, so on the left here we're logged into our MongoDB server
0:03
and let's go to the web server, we're logged in here,
0:12
now on the web server, just for now, I'm going to set up the Mongo shell
0:16
so that we can sort of simulate talking to this
0:20
from the web application, our little fake web application in Python
0:24
which we haven't gotten to yet, but we'll do that later in this chapter.
0:26
And we already added the list here, so we're going to install, apt install this,
0:38
ok so let's go Mongo, you're going to run something great, not the right one,
0:42
okay, so before we do anything let's see if we can get to our Mongo server,
0:48
and the answer will be no,
0:52
so here this is the host name of the Mongo server,
0:57
right now if I try to connect to it, it's going to say no,
1:00
if I come over here and I type mongo it connects, what is going on?
1:05
Remember this, remember it's listening only on local host.
1:14
So we're going to want to change this, but not before we make it safe,
1:17
so we don't want to just tell it to listen on the open internet right away
1:22
so let's first block access to all of these ports
1:27
and everything basically except for initially ssh,
1:31
so what we're going to use is we are going to use something built into Ubuntu
1:36
called uncomplicated firewall.
1:40
The first thing that we're going to do is say ufw default deny incoming.
1:45
By default we're blocking all of the ports.
1:51
Now, we're going to say allow outgoing,
1:55
so by default allow our server to get back out, that's cool.
1:58
The other thing that we want to allow, unless this is going to be
2:02
the very last time we see the server,
2:04
we're going to need to allow ssh back to this server.
2:07
Not default, just allow ssh.
2:14
Okay, great, it updated for ipv4 and ipv6, that's pretty sweet.
2:19
Now the last thing is a moment of truth, we're going to enable it,
2:23
we could ask the status, it's not enabled,
2:28
it says you know, if you are blocking ssh, you're going to be done for; we're not.
2:34
And let's just verify, just connect, reconnect, okay, we're good.
2:40
So at least now nothing can talk to any port except for 22 ssh, at all on this server.
2:47
The one final thing to do, let's go over here and say ping the web server,
2:58
so this, that's the ip address of the web server,
3:04
what I want is to allow the web server to get to the Mongo server,
3:09
so one more thing I'll say ufw allow from here,
3:14
so uncomplicated firewall allow from this to any port
3:18
and we're going to give it a port here and normally you would type this,
3:23
27017, that's the default port,
3:29
but the very next thing we are going to do is say
3:32
running MongoDB on the default port probably is a stupid idea,
3:35
everyone is scanning the wide open internet for 27017
3:38
and then seeing what kind of havoc they can wreak upon that.
3:41
So even though we think our firewalls are blocking the wide open internet
3:45
for everything except for ssh— let's go ahead and change the port,
3:51
so we're going to say 10001 is the port we're going to run Mongo on,
3:55
so we're going to allow that thing to come back to 10001,
3:57
where MongoDB is going to be listening.
4:01
Okay, rule added. So it is running, it's listening on just that port.
4:07
Next thing to do is we're going to want to go and change the port here,
4:15
like this, and change this port, 10001.
4:23
Excellent, okay, so MongoDB, we're going to have to go do a service restart,
4:30
now if I type mongo, it fails, but if I say --port, like that, we're good.
4:36
So it looks like everything is working over here.
4:39
It's still not going to listen to us,
4:45
because we're still not listening on the public internet,
4:49
we're just listening on local host.
4:52
Okay, but this is one step in the right path,
4:55
we've got basically the firewall here restricting access to everything,
5:00
except for wide open ssh and MongoDB
5:05
on a default port only from the web server.
5:08
Let's, while we're over here, go ahead and do this as well.
5:11
Just assuming that you're treating this as your web server,
5:14
let's go ahead and do the same thing.
5:18
So by default we're going to do deny incoming allow outgoing,
5:28
allow ssh, and let's say allow 80 and 443 to simulate this being the web server,
5:37
we're not actually going to run a website, like I said,
5:40
but that is what I would do, and then we would do an enable.
5:44
It says are you sure you want to do this, we'll exit one more time,
5:46
make sure we can get back, and we can, fabulous.
5:49
So now, we've got that server sort of faux locked down just to play along,
5:54
this one is like actually locked down and this thing can talk to it,
5:57
but this one is not listening.
5:59
I don't want to make that one listen, until we go through a few other steps,
6:01
so you are going to have to hold off on having this whole connection thing working.