If you use EC2, you can allow specific ports and IP addresses for incoming requests by changing the inbound settings in your security group.
On Saturday, January 7, 2017 at 4:30:31 AM UTC+7, George Song wrote:
>
> Hi everyone,
>
> We recently discovered a security vulnerability using Open edX Full Stack or native installation methods. The vulnerability is due to the fact that MongoDB will accept connections from outside the server, with the default admin user and password.
>
> Am I Vulnerable?
>
> There are two things to check; both require you to log in to the server where your MongoDB is installed.
>
> 1. Is my port open to the world?
>
>        $ netstat -plunt | grep 27017
>        tcp 0 0 0.0.0.0:27017 0.0.0.0:* LISTEN
>
>    If you see 0.0.0.0:27017, then your MongoDB is accepting connections from anyone who can reach this machine, unless you’ve activated a firewall on the machine or upstream in your network.
>
> 2. Am I using the default admin account and password?
>
>        $ mongo admin -u admin -p password --eval "db.getMongo().getDBNames()"
>        MongoDB shell version: 2.6.12
>        connecting to: admin
>        admin,edxapp,local,cs_comments_service_development
>
>    If this command runs successfully, then you are using the default admin account and password.
>
> If you’re able to complete both steps, then *your MongoDB is vulnerable*.
>
> What Should I Do?
>
> The quickest way to address this vulnerability is to configure your MongoDB to only accept requests from within the same server.
>
> 1. Edit /etc/mongod.conf and add the following line to the end of the file:
>
>        bind_ip = 127.0.0.1
>
> 2. Restart the mongod service.
>
>    - If you’re on Ubuntu 12.04:
>
>          sudo service mongod restart
>
>    - If you’re on Ubuntu 16.04:
>
>          sudo systemctl restart mongod
>
> 3. Verify that MongoDB is now only listening on 127.0.0.1:
>
>        $ netstat -plunt | grep 27017
>        tcp 0 127.0.0.1:27017 0.0.0.0:* LISTEN
>
> Another additional step you can take is to install UFW <https://help.ubuntu.com/community/UFW> and only allow specific ports for incoming requests (for example, http:80, https:443, ssh:22).
>
> For future installations, please refer to https://openedx.atlassian.net/wiki/display/OpenOPS/How+to+Override+Default+Configuration+Passwords+and+Verify+Exposed+Services for more comprehensive security information.
>
> --
> George

--
You received this message because you are subscribed to the Google Groups "General Open edX discussion" group. To view this discussion on the web visit https://groups.google.com/d/msgid/edx-code/508beda7-0e42-4593-a4ab-6a31cdfdbe7e%40googlegroups.com.
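The checks and the fix verification in the quoted advisory can be scripted so that the same audit runs consistently across many Open edX hosts. The script below is an added example and is not code from the original thread or from the Open edX project. It reads the same `netstat -plunt` columns and the same legacy `bind_ip =` line the advisory uses, but replaces live output with constructed sample text (labelled as such) so it runs offline; on a real host substitute `"$(netstat -plunt)"` and `"$(cat /etc/mongod.conf)"`. It also treats a dual-stack wildcard bind (`:::27017` under `tcp6`), which the advisory does not mention, as exposed. The `default_admin_login_works` function wraps the advisory's own credential command and is only useful against a live mongod; the function names and sample values are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original thread: an offline audit that applies
# the advisory's two checks plus its fix verification to constructed sample data.

# --- constructed samples (not captured from a real server) ------------------
# Vulnerable state: mongod bound to every interface.
SAMPLE_NETSTAT_EXPOSED='tcp        0      0 0.0.0.0:27017           0.0.0.0:*               LISTEN      1234/mongod
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      2345/mysqld'
# Fixed state: after bind_ip = 127.0.0.1 and a restart.
SAMPLE_NETSTAT_LOCAL='tcp        0      0 127.0.0.1:27017         0.0.0.0:*               LISTEN      1234/mongod'
# Dual-stack wildcard bind: still reachable from outside, shown as :::27017 under tcp6.
SAMPLE_NETSTAT_V6='tcp6       0      0 :::27017                :::*                    LISTEN      1234/mongod'

SAMPLE_CONF_DEFAULT='logpath=/var/log/mongodb/mongod.log
dbpath=/var/lib/mongodb'
SAMPLE_CONF_FIXED="$SAMPLE_CONF_DEFAULT
bind_ip = 127.0.0.1"

# mongo_listen_scope <netstat -plunt output>
# Prints: exposed (27017 bound to 0.0.0.0, :: or *), local (loopback only), absent.
mongo_listen_scope() {
    # Column 4 of netstat is the local address; keep only the mongod port.
    addrs=$(printf '%s\n' "$1" | awk '$1 ~ /^(tcp|tcp6)$/ && $4 ~ /:27017$/ { print $4 }')
    [ -n "$addrs" ] || { echo absent; return 0; }
    for a in $addrs; do
        case "$a" in
            0.0.0.0:27017|:::27017|\*:27017) echo exposed; return 0 ;;
        esac
    done
    echo local
}

# mongod_conf_bound_local <mongod.conf contents>
# Prints yes when the last bind_ip line is exactly 127.0.0.1 (the advisory's fix),
# no otherwise. The advisory appends the line to the end of the file, so the last
# occurrence is the one checked; an earlier conflicting line deserves a manual look.
mongod_conf_bound_local() {
    last=$(printf '%s\n' "$1" \
        | grep -E '^[[:space:]]*bind_ip[[:space:]]*=' \
        | tail -n 1 \
        | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//')
    if [ "$last" = "127.0.0.1" ]; then echo yes; else echo no; fi
}

# default_admin_login_works
# Runs the advisory's credential check against a live mongod: returns 0 if the
# default admin/password pair still logs in, 1 if rejected, 2 if no mongo shell.
# Not exercised by the samples above.
default_admin_login_works() {
    command -v mongo >/dev/null 2>&1 || return 2
    mongo admin -u admin -p password --quiet --eval 'db.getMongo().getDBNames()' \
        >/dev/null 2>&1
}

# mongo_exposure_verdict <netstat output> <mongod.conf contents>
# Combines the two offline checks. A host that happens to look fine in netstat
# but has no bind_ip pinned in mongod.conf is flagged separately, since the
# next restart or upgrade could reopen it.
mongo_exposure_verdict() {
    scope=$(mongo_listen_scope "$1")
    conf=$(mongod_conf_bound_local "$2")
    case "$scope" in
        exposed) echo "VULNERABLE: mongod accepts connections from any interface" ;;
        local|absent)
            if [ "$conf" = yes ]; then
                echo "OK: 27017 not reachable from outside the host and bind_ip pinned in mongod.conf"
            else
                echo "OK-FOR-NOW: 27017 not reachable from outside the host, but bind_ip is not set in mongod.conf"
            fi ;;
    esac
}

mongo_exposure_verdict "$SAMPLE_NETSTAT_EXPOSED" "$SAMPLE_CONF_DEFAULT"
mongo_exposure_verdict "$SAMPLE_NETSTAT_LOCAL"   "$SAMPLE_CONF_FIXED"
mongo_exposure_verdict "$SAMPLE_NETSTAT_V6"      "$SAMPLE_CONF_FIXED"
```

Running it prints one verdict per sample: VULNERABLE for the wildcard and IPv6 binds, OK for the loopback bind with the pinned config. The UFW or EC2 security-group step from the thread still matters even when the verdict is OK, because `bind_ip` only controls what mongod itself listens on, not what other services on the host expose.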
