MongoDB for Developers with Python Transcripts
Chapter: Deploying MongoDB in production (and playing it safe)
Lecture: Concept: Limit network exposure
0:01 Limiting network exposure in concepts, so what do we do?
0:04 First of all, I said listening on the default port is just crazy
0:07 because people are going to be scanning that like nobody's business,
0:10 they may scan every port on your machine, connect to it,
0:13 somehow distinguish it's a MongoDB port,
0:15 but chances are that's not going to happen,
0:18 chances are people are just going to check the few ports
0:21 and just move on to scanning millions or billions of other ip addresses,
0:24 even if they do connect, we're going to have
0:27 some additional layers of security there,
0:29 hopefully the firewall makes all of this redundant.
0:32 But still, it's a good idea to just have layers of security
0:35 so here we have a port that is non default, 10001.
0:39 Now, we're also going to turn on our firewall
0:43 so in fact it's very unlikely anyone can get to that from outside of our data center
0:48 other than the apps or the servers that we said explicitly they can get to it.
0:53 So by default, deny all incoming connections, allow all outgoing connections
0:57 allow ssh so that we can get back in
1:00 or this is going to be the last time we ever see this server,
1:03 so we're going to allow ssh and then we're going to enable it,
1:06 that's the moment of truth, it says are you sure
1:08 I suggest doing this right away before you have lots of important data on the server.
1:12 And then we're also going to allow from the ip address
1:15 that is the application that's based upon MongoDB,
1:19 and then to any port this one here.
1:23 We've got our farewell set up, we've got MongoDB set up
1:26 to be non default of firewall rules, reflect that non default port.
1:30 So this is the web app address, this is the configured MongoDB port
1:36 this, we're not ready for listening on the internet yet.
1:40 Two more things, encryption of the connection,
1:43 which within the same data center may be it doesn't matter
1:45 but we're going to add it anyway and authentication.