MongoDB for Developers with Python Transcripts
Chapter: Deploying MongoDB in production (and playing it safe)
Lecture: Concept: Limit network exposure
0:01 Limiting network exposure, in concepts. So what do we do? First of all, I said listening on the default port is just crazy
0:08 because people are going to be scanning that like nobody's business. They may scan every port on your machine, connect to it,
0:14 somehow distinguish that it's a MongoDB port, but chances are that's not going to happen; chances are people are just going to check the few ports
0:22 and just move on to scanning millions or billions of other IP addresses. Even if they do connect, we're going to have
0:28 some additional layers of security there; hopefully the firewall makes all of this redundant.
0:33 But still, it's a good idea to just have layers of security, so here we have a port that is non-default, 10001.
0:40 Now, we're also going to turn on our firewall, so in fact it's very unlikely anyone can get to that from outside of our data center
0:49 other than the apps or the servers that we said explicitly can get to it.
0:54 So by default, deny all incoming connections, allow all outgoing connections, allow SSH so that we can get back in,
1:01 or this is going to be the last time we ever see this server. So we're going to allow SSH and then we're going to enable it;
1:07 that's the moment of truth. It says "are you sure?" I suggest doing this right away, before you have lots of important data on the server.
1:13 And then we're also going to allow from the IP address that is the application that's based upon MongoDB, and then to any port: this one here.
1:24 We've got our firewall set up, we've got MongoDB set up to be non-default, and the firewall rules reflect that non-default port.
1:31 So this is the web app address, this is the configured MongoDB port; this one, we're not ready for listening on the internet yet.
1:41 Two more things: encryption of the connection, which within the same data center maybe doesn't matter,
1:46 but we're going to add it anyway, and authentication.