Allow MongoDB remote access for specific IP - linux

I have an application server with some PHP code on it which needs to access a distant MongoDB server.
In order to do this I want to allow remote access on my MongoDB server, but only for the application server IP.
I understand that I need to change the bind_ip value located in /etc/mongodb.conf in order to do this.
I changed it from bind_ip=127.0.0.1 to bind_ip=111.222.33.44 (where 111.222.33.44 is my application server IP), but it doesn't work (my PHP code says "Connection refused"). However, if I set the value to bind_ip=0.0.0.0, it works. Why? I don't want to let anyone try to connect on my MongoDB server.

The bind_ip tells the mongod on which IP address to listen on for incoming connections. So if you set it to 127.0.0.1, the mongod would only listen on localhost, and – vice versa – you could only connect when on the same machine.
When setting it to a different IP address, each host able to communicate with said IP can connect to MongoDB.
In order to make sure only your application server can talk to your MongoDB instance, you need to configure a firewall either on the server running MongoDB or somewhere in front of it.

As far as I see mongodb only allow you to set a single IP for connection (or 0.0.0.0 for any IP)
What you can do to secure your mongo instance is to use firewall like iptables to only allow specific IP's.
Run the following commands for every IP you want to allow:
iptables -A INPUT -s 111.222.33.44 -p tcp --destination-port 27017 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -d 111.222.33.44 -p tcp --source-port 27017 -m state --state ESTABLISHED -j ACCEPT
and than to block all else (blocked some other ports used by mongodb)
iptables -A INPUT -p tcp --dport 27017 -j DROP
iptables -A INPUT -p tcp --dport 27018 -j DROP
iptables -A INPUT -p tcp --dport 27019 -j DROP
have a look at the Make iptables Rules Persistent section of the mongo guide on how to make those rules survive reboot.

Related

How to restrict access to my subversion server (i.e. svnserve) by IP address, so only my IP can checkout, commit, etc.?

I'm using Ubuntu and I have my subversion server running as you can see below:
root 31422 1 0 06:45 ? 00:00:00 /usr/bin/svnserve -d -r /var/svn/repos --log-file=/var/log/svnserve.log
I want to whitelist my subversion server, in other words, I want to allow only my IP address to checkout, commit, log, etc. Does svnserve support that?
NOTE: I'm not using Apache to access my subversion.
svnserve listens on TCP port 3690 by default, so you can use any firewalling solution the restrict access to this port. For example with iptables:
# Let the internal network access it
iptables -A INPUT -s 192.168.0.0/8 -p tcp --dport 3690 -j ACCEPT
# Let a specific external IP access it
iptables -A INPUT -s 1.1.1.1 -p tcp --dport 3690 -j ACCEPT
# Drop all the rest
iptables -A INPUT -p tcp --dport 3690 -j DROP
It would however be better security-wise if you would switch to apache + dav_svn as you get SSL encryption and user authentication and it's not too complicated to setup: http://svnbook.red-bean.com/en/1.7/svn.serverconfig.httpd.html

In-kernel packet forwarding from one port to multiple ports

On a Linux-based system I need data incoming on a TCP port to be automatically redirected to other 50 local ports without going through user-space's send/recv. Each port needs to receive a copy of all incoming traffic. All ports are local to the same machine.
I've discarded the splice syscall due to the limit of one endpoint being a file. I guess that iptables is the right tool for this purpose, but I can't figure out the right syntax for this purpose. It should be something similar to:
iptables -t nat -A PREROUTING -p tcp --dport <in_port> -j REDIRECT --to-ports <out_port1>-<out_port50>
I wonder e.g. if the option -m multiport is needed.

How to restrict direct access to a node.js server

I have an apache web server where most of my content is hosted, and then I have a node.js server I'm using for various tasks as well. I want users to be able to get information from my node.js server only through reverse proxy from my apache server. I understand how to set up a reverse proxy using mod_proxy on the apache side, but how can I restrict access to the node server except through an apache virtual host? One option I'm sure would work is to host my node server on a separate box and block any ip address except the apache server. Is there a way though that I could have them both running on the same machine and configure node to reject requests except from the apache server?
You could have the running on the same box. In the Node server have something like the following:
if(req.socket.remoteAddress !== '127.0.0.1'){
res.writeHead(403, {"Content-Type": "text/plain"});
res.write('403 Access Denied');
res.end();
} else {
// allow access
doSomething();
}
Of course, that allows other processes on the same box to connect to the Node server.
I've done this using iptables, allowing incoming connections to port 80 for the webserver. Access to port 3000 from the webserver is allowed because it's coming from the same host.
Here's an example rule file:
*filter
# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allows all outbound traffic
# You could modify this to only allow certain traffic
-A OUTPUT -j ACCEPT
# Allows connections for HTTP
-A INPUT -p tcp --dport 80 -j ACCEPT
# Allows SSH connections
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
# Now you should read up on iptables rules and consider whether ssh access
# for everyone is really desired. Most likely you will only allow access from certain IPs.
# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# log iptables denied calls (access via 'dmesg' command)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Reject all other inbound - default deny unless explicitly allowed policy:
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
Put this file on your server (e.g. /etc/iptables.up.rules), and run the iptables command to update your iptables rules.
iptables-restore < /etc/iptables.up.rules

Confluence is very slow behind firewall

I've installed Confluence on Debian Linux 7.0. It runs on 8081 port (for connector, 8091 is used as TomCat server port). I've configured Apache to act as reverse proxy and serve on https://confluence.<mydomain>.com (SSL is configured on Apache side).
The configuration worked perfect unless I set up firewall rules. It still works as expected but became extremely slow (memory and CPU utilisations are low). Switching firewall off brings the performance back to normal. The set of firewall rules for IPv4 is:
*filter
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
# Allow all loopback (lo0) traffic
-A INPUT -i lo -j ACCEPT
# Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# Allows SSH connections
-A INPUT -p tcp --dport 22 -j ACCEPT
# Allow all HTTP and HTTPS connections
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
COMMIT
IPv6 traffic is completely disabled:
*filter
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
COMMIT
I'm using Oracle JVM (1.7), startup options are configured in the following way:
JAVA_OPTS="-Xms512m -Xmx2048m -XX:MaxPermSize=1024m $JAVA_OPTS -Djava.awt.headless=true"
Confluence version is "Confluence 5.4.2 - Standalone (TAR.GZ Archive)", license is Starter (10 users). Database is locally installed PostreSQL.
Anyone has an idea on what I'm doing wrong?

Meteor on Multihomed Server?

Does anybody have any experience running Meteor on multihomed servers? We're bring an app into production, and have some servers that have two network cards each. The one interface on eth0 connects to our internal network with our Mongo cluster, and the other interface eth1 connects to our DMZ. We're well past development, and are in post-bundle workflow. So, it's a question of running the following command only on eth1:
MONGO_URL='mongodb://mongodb:27017/?replicaSet=meteor' PORT='80' ROOT_URL='http://app.domain.org' node main.js
I don't know enough about node to know exactly how to specify a single interface. Is this specified with an environment variable? In our /etc/network/interfaces file? iptables? Something else?
I'm finding resources like the following on the web, but I'm not sure if I'm on the right track with them. Does getting a node.js server running on a specific interface require this kind of fussing? Is there something easier?
https://gist.github.com/logicalparadox/2142595
how to set node.js as a service on a private server?[can't access the node application]
Any help would be much appreciated! Thanks!
Abigail
Meteor will listen on 0.0.0.0 (all interfaces) unless your specify the environment variable BIND_IP.
Explicitly- the value of BIND_IP is passed as the hostname parameter to http://nodejs.org/api/http.html#http_server_listen_port_hostname_backlog_callback
Source: https://github.com/meteor/meteor/blob/master/packages/webapp/webapp_server.js#L541
Okay, so got things working. Second ethernet card wasn't configured.
sudo nano /etc/network/interfaces
auto eth0
iface eth0 inet static
address aaa.bbb.ccc.ddd
gateway aaa.bbb.ccc.eee
auto eth1
iface eth1 inet static
address aaa.bbb.ccc.fff
gateway aaa.bbb.ccc.ggg
sudo ifconfig eth1 up
sudo /etc/init.d/networking restart
Then had to make sure firewalls were working...
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A INPUT -p tcp --dport ssh -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
sudo iptables -L -n -v
Then confirmed the site was running on the correct IP address with a big of curl...
curl -XGET http://aaa.bbb.ccc.fff/main.js

Resources