Add security warning about open MongoDB instances #24

Open
JonnyBurger opened this issue Dec 21, 2015 · 1 comment

Comments

@JonnyBurger

Hey everyone,

I would like to propose that we do something against the rising amount of open, insecure MongoDB instances exposed to the public.

By default, mongoctl sets up a Mongo server with no auth parameter in the config, meaning that if you use mongoctl on a server, everybody can connect to it if they know the IP or domain. This problem is so widespread that over 35,000 MongoDB instances are public, and hackers actively exploit this.

This is not a bug in mongoctl, and these things happen because developers don't inform themselves enough, but nonetheless I think we should put a big, fat warning up on this repo, because a lot of users are falling into this trap. And that's because we easily let them:

  • Users intuitively create a user and password after installing MongoDB, but do not realize that the database is still accessible using no credentials
  • No mention of the auth parameter in the mongoctl documentation and hidden deep in the MongoDB documentation.
  • mongoctl hides the configuration under the surface and comes "packaged with out-of-the-box configurations"
  • Because of the easy setup, mongoctl is most often used by beginners, and because of its cluster ability, it is most often used in production.

I confess that I also did not read the docs in detail and had a database out in the wild – fortunately I was able to fix it before something bad happened because DigitalOcean sent me this email:

[Screenshot: the DigitalOcean email, 2015-12-21]

With ~6000 installs per year, mongoctl has some significance when it comes to the number of open Mongo databases out there. While mongoctl is not guilty for this, it should be a lot easier for developers to figure out how to set up a secure MongoDB.

That's why I propose that the GitHub repo and the mongoctl website get a prominent warning "Make sure to use {auth: true} in production!", because really, that is the essential information which more people need to know.

Best,
Jonny
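The trap Jonny describes, the out-of-the-box server config with no auth key beside a hardened one, as an added audit example that is not part of this issue or of mongoctl itself. The config shape (a server entry with a "cmdOptions" dict mirroring mongod options) and the sample values are assumptions made for the example; mongoctl's real config layout may differ.

```python
import json

# Constructed sample of the out-of-the-box shape: no "auth" key at all.
WEAK_CONFIG = json.loads("""
{"_id": "myserver",
 "cmdOptions": {"port": 27017, "dbpath": "/data/myserver"}}
""")

# Constructed sample with access control on and bound to loopback only.
HARDENED_CONFIG = json.loads("""
{"_id": "myserver",
 "cmdOptions": {"port": 27017, "dbpath": "/data/myserver",
                "auth": true, "bind_ip": "127.0.0.1"}}
""")

# bind_ip values that expose the port on every interface. Before MongoDB 3.6
# an unset bind_ip also meant "all interfaces", the case this issue is about.
PUBLIC_BINDS = {None, "", "0.0.0.0", "::", "*"}


def audit_server(config):
    """Return a list of findings for one server entry; [] means nothing found."""
    opts = config.get("cmdOptions", {})
    findings = []
    # mongod runs without access control unless auth is explicitly on, so a
    # missing key is exactly as bad as "auth": false.
    if not opts.get("auth", False):
        findings.append("auth not enabled: any client reaching the port has full access")
    bind = opts.get("bind_ip")
    binds = {b.strip() for b in str(bind).split(",")} if bind else {None}
    if binds & PUBLIC_BINDS:
        findings.append("bind_ip not restricted: port reachable from every interface")
    if len(findings) == 2:
        findings.append("CRITICAL: unauthenticated database exposed to the network")
    return findings


def fixed_options(opts):
    """Copy of cmdOptions with auth on; an unset bind_ip is pinned to loopback."""
    return {**opts, "auth": True, "bind_ip": opts.get("bind_ip") or "127.0.0.1"}


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_server(cfg) or ["ok"])
    print(json.dumps(fixed_options(WEAK_CONFIG["cmdOptions"]), indent=1))
```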

@abdulito
Contributor

Hi Jonny,

Thanks for pointing this out. We will update mongoctl's documentation and keep you posted.

Thanks!
