MongoDB for Developers with Python Transcripts
Chapter: Deploying MongoDB in production (and playing it safe)
Lecture: Limit you network exposure in action
0:01 Alright, so on the left here we're logged into our MongoDB server
0:03 and let's go to the web server, we're logged in here,
0:12 now on the web server, just for now, I'm going to set up the Mongo shell
0:16 so that we can sort of simulate talking to this
0:20 from the web application, our little fake web application in Python
0:24 which we haven't gotten to yet, but we'll do that later in this chapter.
0:26 And we already added the list here, so we're going to install, apt install this,
0:38 ok so let's go Mongo, you're going to run something great, not the right one,
0:42 okay, so before we do anything let's see if we can get to our Mongo server,
0:48 and the answer will be no,
0:52 so here this is the host name of the Mongo server,
0:57 right now if I try to connect to it, it's going to say no,
1:00 if I come over here and I type mongo it connects, what is going on?
1:05 Remember this, remember it's listening only on local host. 01:14 So we're going to want to change this, but not before we make it safe,
1:17 so we don't want to just tell it to listen on the open internet right away
1:22 so let's first block access to all of these ports
1:27 and everything basically except for initially ssh,
1:31 so what we're going to use is we are going to use something built into Ubuntu
1:36 called uncomplicated firewall.
1:40 The first thing that we're going to do is say ufw default deny incoming.
1:45 By default we're blocking all of the ports.
1:51 Now, we're going to say allow outgoing,
1:55 so by default allow our server to get back out, that's cool.
1:58 The other thing that we want to allow, unless this is going to be
2:02 the very last time we see the server,
2:04 we're going to need to allow ssh back to this server.
2:07 Not default, just allow ssh.
2:14 Okay, great, it updated for ipv4 and ipv6, that's pretty sweet.
2:19 Now the last thing is a moment of truth, we're going to enable it,
2:23 we could ask the status, it's not enabled,
2:28 it says you know, if you are blocking ssh, you're going to be done for; we're not.
2:34 And let's just verify, just connect, reconnect, okay, we're good.
2:40 So at least now nothing can talk to any port except for 22 ssh, at all on this server.
2:47 The one final thing to do, let's go over here and say ping the web server,
2:58 so this, that's the ip address of the web server,
3:04 what I want is to allow the web server to get to the Mongo server,
3:09 so one more thing I'll say ufw allow from here,
3:14 so uncomplicated firewall allow from this to any port
3:18 and we're going to give it a port here and normally you would type this,
3:23 27017, that's the default port,
3:29 but the very next thing we are going to do is say
3:32 running MongoDB on the default port probably is a stupid idea,
3:35 everyone is scanning the wide open internet for 27017
3:38 and then seeing what kind of havoc they can wreak upon that.
3:41 So even though we think our firewalls are blocking the wide open internet
3:45 for everything except for ssh— let's go ahead and change the port,
3:51 so we're going to say 100001 is the port we're going to run Mongo,
3:55 so we're going to allow that thing to come back to 10001,
3:57 where MongoDB is going to be listening.
4:01 Okay, rule added. So it is running, it's listening on just that port.
4:07 Next thing to do is we're going to want to go and change the port here,
4:15 like this, and change this port, 10001.
4:23 Excellent, okay, so MongoDB, we're going to have to go do a service restart,
4:30 now if I type Mongo fail, but if I say --port, like that, we're good.
4:36 So it looks like everything is working over here.
4:39 It's still not going to listen to us,
4:45 because we're still not listening on the public internet,
4:49 we're just listening on local host.
4:52 Okay, but this is one step in the right path,
4:55 we've got basically the firewall here restricting access to everything,
5:00 except for wide open ssh and MongoDB
5:05 on a default port only from the web server.
5:08 Let's while we're over here go ahead and do this as well.
5:11 Just assuming that you're treating this as your web server,
5:14 let's go ahead do the same thing.
5:18 So by default we're going to do deny incoming allow outgoing,
5:28 allow ssh, and let's say allow 80 and 443 to simulate this being the web server,
5:37 we're not actually going to run a website, like I said,
5:40 but that is what I would do, and then we would do an enable.
5:44 It says are you sure you want to do this, we'll exit one more time,
5:46 make sure we can get back, and we can, fabulous.
5:49 So now, we've got that server sort of foul lock down just to play along,
5:54 this one is like actually lock down and this thing can talk to it,
5:57 but this one is not listening.
5:59 I don't want to make that one listen, until we go through a few other steps,
6:01 so you are going to have to hold off on having this whole connection thing working.