MongoDB for Developers with Python Transcripts
Chapter: Deploying MongoDB in production (and playing it safe)
Lecture: Limit you network exposure in action
0:01 Alright, so on the left here we're logged into our MongoDB server and let's go to the web server, we're logged in here,
0:13 now on the web server, just for now, I'm going to set up the Mongo shell so that we can sort of simulate talking to this
0:21 from the web application, our little fake web application in Python which we haven't gotten to yet, but we'll do that later in this chapter.
0:27 And we already added the list here, so we're going to install, apt install this,
0:39 ok so let's go Mongo, you're going to run something great, not the right one,
0:43 okay, so before we do anything let's see if we can get to our Mongo server, and the answer will be no,
0:53 so here this is the host name of the Mongo server, right now if I try to connect to it, it's going to say no,
1:01 if I come over here and I type mongo it connects, what is going on?
1:06 Remember this, remember it's listening only on local host. 01:14 So we're going to want to change this, but not before we make it safe,
1:18 so we don't want to just tell it to listen on the open internet right away so let's first block access to all of these ports
1:28 and everything basically except for initially ssh, so what we're going to use is we are going to use something built into Ubuntu
1:37 called uncomplicated firewall. The first thing that we're going to do is say ufw default deny incoming. By default we're blocking all of the ports.
1:52 Now, we're going to say allow outgoing, so by default allow our server to get back out, that's cool.
1:59 The other thing that we want to allow, unless this is going to be the very last time we see the server,
2:05 we're going to need to allow ssh back to this server. Not default, just allow ssh. Okay, great, it updated for ipv4 and ipv6, that's pretty sweet.
2:20 Now the last thing is a moment of truth, we're going to enable it, we could ask the status, it's not enabled,
2:29 it says you know, if you are blocking ssh, you're going to be done for; we're not. And let's just verify, just connect, reconnect, okay, we're good.
2:41 So at least now nothing can talk to any port except for 22 ssh, at all on this server.
2:48 The one final thing to do, let's go over here and say ping the web server, so this, that's the ip address of the web server,
3:05 what I want is to allow the web server to get to the Mongo server, so one more thing I'll say ufw allow from here,
3:15 so uncomplicated firewall allow from this to any port and we're going to give it a port here and normally you would type this,
3:24 27017, that's the default port, but the very next thing we are going to do is say running MongoDB on the default port probably is a stupid idea,
3:36 everyone is scanning the wide open internet for 27017 and then seeing what kind of havoc they can wreak upon that.
3:42 So even though we think our firewalls are blocking the wide open internet for everything except for ssh— let's go ahead and change the port,
3:52 so we're going to say 100001 is the port we're going to run Mongo, so we're going to allow that thing to come back to 10001,
3:58 where MongoDB is going to be listening. Okay, rule added. So it is running, it's listening on just that port.
4:08 Next thing to do is we're going to want to go and change the port here, like this, and change this port, 10001.
4:24 Excellent, okay, so MongoDB, we're going to have to go do a service restart, now if I type Mongo fail, but if I say --port, like that, we're good.
4:37 So it looks like everything is working over here. It's still not going to listen to us, because we're still not listening on the public internet,
4:50 we're just listening on local host. Okay, but this is one step in the right path,
4:56 we've got basically the firewall here restricting access to everything, except for wide open ssh and MongoDB
5:06 on a default port only from the web server. Let's while we're over here go ahead and do this as well.
5:12 Just assuming that you're treating this as your web server, let's go ahead do the same thing.
5:19 So by default we're going to do deny incoming allow outgoing, allow ssh, and let's say allow 80 and 443 to simulate this being the web server,
5:38 we're not actually going to run a website, like I said, but that is what I would do, and then we would do an enable.
5:45 It says are you sure you want to do this, we'll exit one more time, make sure we can get back, and we can, fabulous.
5:50 So now, we've got that server sort of foul lock down just to play along, this one is like actually lock down and this thing can talk to it,
5:58 but this one is not listening. I don't want to make that one listen, until we go through a few other steps,
6:02 so you are going to have to hold off on having this whole connection thing working.