#firewal

As I’m sure many of you know, there has been a massive amount of open MongoDB servers on the internet that have been discovered, and “hackers” have been taking advantage of this. Part of what makes these attacks so easy for “hackers” is that the tools are already there, just google “mongodb-tools” and you’ll see tools like mongodump, mongoexport, mongorestore, etc, as well as of course just the mongo shell. By leveraging these tools it’s incredibly easy for “hackers” to make extremely simple scripts to automate the process of dumping, dropping, and inserting a ransom note or in some cases, just dropping and inserting a ransom note.

Let’s get into how to protect against these kind of “attacks”. Now first of all, if you are running the MongoDB instance on the same server that your code that needs to access the MongoDB is running on, this is super easy. Just get a firewall (however you should still enable authentication, read further)! You should have one regardless. I recommend firewalld, as it’s super easy to use, works great, and is in basically every single distributions repositories. For CentOS 7/RHEL you can do:

sudo yum install firewalld # installs firewalld sudo systemctl enable firewalld # enables firewalld to run on boot sudo systemctl start firewalld # starts firewalld

There you go! Now if you need to run your MongoDB server on a server different than the one that is running your app itself, it’s slightly trickier, but still ridiculously easy, we just need to add authentication and a rule on who can access port 27017 on our MongoDB server. First, do the following in the mongo shell:

use admin db.createUser({  user: "<username>",  pwd: "<password>",  roles: [ "root" ] });

Now like with Regex, it’s best to be as specific as possible, so for example, if your application only needs access to the “production_memes” database, then just create a user that has the role: { role: “readWrite”, db: “production_memes” }, of course, you still should create a root user for yourself, just don’t use it in the application.

Then we make sure MongoDB is always started with authentication. Find your MongoDB configuration (for me it’s /etc/mongodb.conf) file and add the following line:

auth = true

Now since you can also start mongodb via the “mongod” command, we should add the following in our .bashrc in case we accidentally start mongod from bash instead of systemctl start mongodb:

alias mongod='mongod --auth'

Now to use the mongo shell as root and “login” we just do:

use admin db.auth("<username>", "<password>");

There we go! If you need to connect from mongoose for example, we would do:

mongodb://<username>:<password>@localhost:27017/<dbName>?authSource=admin

Remember to read the username and password from a file in another directory so that your application won’t accidentally expose it’s credentials if the source were to get leaked somehow.

Now let’s add the rule to our firewalld configuration to only accept traffic from the app’s main server:

firewall-cmd --permanent --zone=public --add-rich-rule='  rule family="ipv4"  source address="<your app server IP address>"  port protocol="tcp" port="27017" accept'

firewall-cmd --reload

Como Bloquear con Iptables

¿Cómo bloquear direcciones IP particulares o un host con el comando iptables de Linux? Para ello es necesario utilizar las siguientes sintaxis para colocar una dirección IP o host, que se desea bloquear, con el comando iptables. Ejemplo: Bloquear las solicitudes entrantes desde la IP 1.2.3.4 El siguiente comando sirve para ignorar cualquier paquete que viene de la dirección IP 1.2.3.4:…

FIREPLACE ROUTE X GRAF

We were asked to write one of the routes for the platform Graf. The September’s route. We thought that weather will be still nice by this time of the year so we decided to prepare something for the outdoor.

First step was to ask Zioxla for a list of 5 plants that she would think worth to visit in Barcelona. Then, the American editor gave us a list of 4 places related to flowers and plants. Then, we decided to aske artist Ryan Rivadeneyra to make a route through the selected places, focusing in certain elements he would pick up from each location.

That’s the final text and photos he made for the route: http://www.graf.cat/en/ruta/agost-2015-per-quim-packard-i-angela-palacios-fireplace/

Thanks Zioxla and Ryan for the collaboration. And thanks to Graf for the invitation!

Will my firewall stop an attack ? #hacked #breach #cybercrime #security #firewall #networking

I’ve been asked this question several times since cyber security came into the spotlight. The answer is neither a firm yes or no. A firewall is designed to secure access to network segments on the inside, and objects / entities on the outside. For many years, a firewall has formed the foundation of network security, but in today’s world of Advanced Persistent Threats, is this enough ? What is a…

MikroTik RouterOS Free Download

MikroTik RouterOS Free Download

MikroTik RouterOS Free Download Latest Version ISO Image. It is full offline installer standalone setup of MikroTik RouterOS for Routers and Intel PC X86.

MikroTik RouterOS Overview

MikroTik RouterOS is an operating system based on the Linux Kernel. This OS can be…