Default MongoDB connection safety - node.js

I am wondering if the vanilla installation of MongoDB on Ubuntu can be accessed by the outside world? I have sensitive information thats being written to the database via Node.js (all running on the same box) and want to make sure it is safe.

I would recommend using UFW - Uncomplicated Firewall
Install UFW and enable, enter:
sudo apt-get install ufw
Check the status:
sudo ufw status verbose
Allow MongoDB and HTTP services (assuming default Mongo port):
sudo ufw allow 27017
sudo ufw allow 80
Enable the firewall:
sudo ufw enable

If you do not need connections from another instance, set the following in the configuration (which is probably the default anyway):
bind_ip = 127.0.0.1
If you need access (for example to connect to the database from your own machine for debugging,...) you can either use an SSH tunnel or set up a firewall rule (if you have a static IP; you'll obviously need to disable bind_ip).
Firewalling is a good idea in general, but if your service does not need remote connections, simply disable them. And probably use a firewall with default deny.

Related

Updating the `/etc.ufw/before.rules` file to allow `ufw` firewall redirection

I need to Configure My Server so that the ufw firewall running on it can redirect port 8080/TCP to port 80/TCP. From quick research, I know I can do it in Two ways; one is to run a command similar to;
sudo ufw allow 8080/tcp to port 80/tcp
On my Terminal. The other is to modify the /etc/ufw/before.rules file which is a file containing the iptables rules - underlying rules that ufw firewall is built on.
I am curious to know how to reconfigure the /etc/ufw/before.rules to achieve the same result.

I have a issue with Ubuntu firewall

On Ubuntu if I use the command: sudo disable ufw then it can access my server on any port.
Once I enable firewall again then I run command: sudo ufw allow 9090/tcp then I start my spring boot website on port 9090. Now I use the command: curl http://server_id:9090 => It still block me. If I disable firewall then It can run
Who know root cause? How can I enable firewall and allow on a particular port.
Thanks

Ubuntu EC2 port opening issues

I have an ubuntu server running on a EC2 AWS server. I am testing a hello world Nodejs app that I set to listen on port 9000. If I use the GUI in the AWS console to open incoming 9000 TCP port the app runs fine. But if I try and use the command line sequence shown below it wont allow connections.
sudo su
ufw allow 9000/tcp
ufw allow 22/tcp
ufw allow 80/tcp
ufw allow 8080/tcp
ufw allow 443/tcp
ufw enable
ufw status
I ran these before doing any security group things inside my AWS EC2 instance and no luck. I am doing a school project that we only have CLI access to an EC2 thru SSH so I wanted to try and open ports through the CLI if possible. Thanks in advance for any help
If by the GUI in the AWS console you mean security groups then you should know that it does not configure ufw. Instead security groups modify firewall rules in AWS networking equipment (either the router or switch or firewall appliance assigned to your network). In some cases you will need to configure both ufw and AWS security groups to allow access especially when you use distros with a restrictive default firewall (Debian and by extension Ubuntu does not enable the firewall by default).
If you want to configure security groups from the command line or in a script you will need to use aws cli. With the aws cli installed you can do:
aws ec2 authorize-security-group-ingress --group-id $group_id --protocol tcp --port 9000 --cidr 0.0.0.0/0
Note that the aws cli does the same thing as going to your browser and configure the security group in the console but via an API. As such it does not matter where you install the aws cli. You don't need to install it on the EC2 instance. You can install it on your personal Windows or Linux or Mac machine.
There is even an app that you can install on Android and iOS to configure the security group if you are interested.

Node.js is not accessible from external IPs on Ubuntu

I try to access my node.js server running on Ubuntu. My PC is connected with TP-link router. Now, I want to access node services from other IP(not from my local host or local IPs). What can I do? I used following code.
Note: This server works fine and accessible from local IP but can't access from my public IP
http.listen(6000,"0.0.0.0",function(){
log.info("server started");
})
You have to use :-
iptables -A OUTPUT -p tcp --sport 8080 -j ACCEPT
for the outgoing rule (not dport). Apart from that, maybe there's an earlier rule that blocks the traffic? Try iptables -L.
Ubuntu have very good firewall and default system is not allow to external IP to response
In express and node js or any server like that
http.listen(6000,"0.0.0.0",function(){
log.info("server started");
})
It will work on your IP, localhost and public IP
but on external IP can't access it
first of all replace
localhost -> 0.0.0.0
when you want to run frontend and backend simultaneously
then it is better to use public IP directly instead of 0.0.0.0
If you are using ubuntu then we need to change in firewall settings using ufw
UFW is installed by default on Ubuntu. If it has been uninstalled for some reason, you can install it with apt-get:
sudo apt-get install ufw
then
sudo nano /etc/default/ufw
check this line and make it yes
IPV6=yes
save file using Ctrl-X to exit the file, then shift + y to save the changes that you made, then ENTER
At any time, you can check the status of UFW with this command:
sudo ufw status verbose
By default, UFW is disabled so you should see something like this:
Output:
Status: inactive
Not most important point
sudo ufw allow portNumber // here portNumber is port-number in integer
in your case
sudo ufw allow 6000
and allow
sudo ufw allow http
for more rules and firewall on ubuntu click here

Cannot access to CentOS from MS Windows via http

I have got installed CentOS 7 under virtual envirment.
It has proper hostname so I can ping it and it has acccess to internet inside of it and I can ping by IP and host name outside of it. Also It has working Apache and its test page is fine that has been checked locally.
Now I would like to get access to this test page from the MS Windows but I cannot. (I can ping CentOS by IP and hostname.)
Has it something to do with Iptables or firewall?
And this link doesnt help as well https://serverfault.com/questions/459267/enabling-http-access-on-port-80-for-centos-6-3-from-console
I assume some settings should be changed under CentOS but I am not sure which of them.
My question is which steps I have to execute to allow all those things?
Either disable firewalld.service
systemctl disable firewalld.service
systemctl stop firewalld.service
Or allow access to port 80
firewall-cmd --zone=public --add-port=80/tcp --permanent
firewall-cmd --reload
Also disable SELINUX:
setenforce 0
sed -i 's/^SELINUX=enforcing/SELINUX=disabled/' /etc/sysconfig/selinux
So the answer is a simple one.
I just used Firewall settings to allow http and httpd.

Resources