MongoDB with Async Python Transcripts
Chapter: Deployment
Lecture: Limit Network Access with VPCs and Firewall
Login or
purchase this course
to watch this video and the rest of the course contents.
0:00
In order to get MongoDB set up, we're going to need to run a bunch of commands. So I'm going to put those into a certain part of our project here.
0:10
We'll also need a couple of configuration files. So while there won't really be much code here, we're going to go ahead and make another chapter.
0:20
Chapter 11 deployment, let's say. I'll go ahead and mark that as a source as root, unmark that as a source as root,
0:29
and I'm going to paste a couple files. We have our MongoDB config, which we'll talk about in a minute,
0:38
and those steps that I told you, this is the first step for the server, this we don't really need. We're going to have those steps, that's installing,
0:50
optionally installing ZSH and OMIZshell, And then we're going to start working on protecting the server.
0:59
So the next thing that we want to do is we want to make sure that there's no way to talk to the server at all.
1:06
We're going to use something called the uncomplicated firewall because it's uncomplicated.
1:15
So let's go back to our server and we're going to run uncomplicated firewall, deny any connections.
1:23
You got to be really careful here. We do want this thing to be able to talk outbound. So we're going
1:32
to allow going and the most important, not the most, one of the very most important things is
1:39
if we're going to block all incoming connections, we still need to be able to
1:43
admin the server over SSH. So we're going to say allow SSH. Okay, so we can, we should still be
1:51
able to access it. Now, none of this is actually yet applied, because we have not enabled it.
1:57
So we have w enable, it says you may be breaking the system, especially if you did not have this,
2:05
you may never ever come back, we'll be fine. And let's just double check by disconnecting. Reconnecting. Alright, everything is good.
2:17
We can get into here, but only from SSH, nothing else. Now, the final thing we need to configure in our uncomplicated firewall
2:28
is what inbound requests we're going to allow into the server. We have two options. We could whitelist the allowed incoming connections
2:41
and say we're only going to let connections come to. You can see down here I have these two servers. This is me just testing before,
2:48
but these are the ones we're going to be working with. We have this web app, which is that IP address,
2:53
and we have our MongoDB server, which is this one. So one option is to say we only allow connections from this IP address.
3:03
It could be the public one or ideally, whenever we create a set of resources or servers over on DigitalOcean we have a virtual private network, a VPC.
3:15
So those are already protected IP addresses, right? They only make sense to things within that network.
3:22
So we could work with a public IP address, but ideally let's just work with our virtual private network here, in which case this would be the one.
3:31
We technically, if we had a more complicated setup, we could say allow anything to connect
3:36
to the server, but only allow the server to exist publicly on the virtual network. So there's some options here that we could choose.
3:47
Going back here, that's what this thing says. Only use from any to any port here if MongoDB is only listening on a virtual IP address.
4:01
Alternatively, we could put this here like this for this specific example. And let's say, what port do we want to listen on?
4:08
That's probably a decent port. So we also want to listen on not the default port. The default is 27017.
4:22
One of the things people do when they're scanning for vulnerable MongoDB servers is go to every
4:27
IP address they can find or guess and try to connect to that, you know, that IP address, that port.
4:34
So by using a different port, it's not like a super secure type of thing, but it just
4:38
is one more step that doesn't advertise and scream to the world, ""Here's my MongoDB server, come try to talk to it.
4:45
So we're going to use that here, in which case that's the MongoDB server port there.
4:52
I'm going to put any, but I want to triply underline this only works, this is only good
4:57
enough if this is going to be inside the virtual network. If MongoDB is only available in the
5:03
virtual network. I'll show you how to do that in a little bit. So last thing to do, we want
5:07
to run this. So far we don't have MongoDB installed yet and we haven't told it where
5:12
it is publicly available or open on the network. So no big deal, there's no rush to do anything
5:18
about that. But this is the final step for configuring that firewall. Alright, so everything
5:26
looks set here, we have a limit network access. That's a really important thing. It's one
5:32
of the very, very first thing that MongoDB suggests. So we're good to go.