Re: MongoDB Security Defaults
On 02/16/2015 06:56 AM, Marek Skalický wrote:
> Hello,
> this change was in version 2.6.6-4. I was cleaning config files, adding new options,... I didn't want to change any default configuration.

Ah, makes sense. That mongod documentation is ripe for misinterpretation.

> So bind_ip change isn't intended. I wrongly understood this mongod comment:
> --bind_ip arg comma separated list of ip addresses to listen on - all local ips by default
>
> Thanks for reporting. I've fixed it and there should be upgrade to version 2.6.7-4 ASAP
> https://koji.fedoraproject.org/koji/taskinfo?taskID=8949655
> https://koji.fedoraproject.org/koji/taskinfo?taskID=8949651

Thanks for fixing this so quickly, much appreciated.

> Marek
>
> Ryan S. Brown wrote on Fri, 13 Feb 2015 at 08:26 -0500:
>> Hello,
>>
>> After reading this article[1] on how many totally unsecured mongodb installations there are on the internet, I noticed a recent (and worrying) change in the defaults on Fedora's mongodb package.
>>
>> In January, the Fedora rawhide package for mongo[2] was changed to listen on all interfaces by default, but I haven't been able to find any information about why it was changed.
>>
>> To help protect users, I think the default should be changed back to localhost only. Operators can change this setting post-install if needed, hopefully after assessing how risky it is to have an open-world database. This change could probably be reverted safely as-is, since (I hope) nobody is running production mongo clusters on rawhide.
>>
>> Debian and Ubuntu have mongodb set to (by default) only listen on localhost[3], which is sane and normal for a database that does *no authentication of any kind* by default. The same has been true of MongoDB Inc.'s[4] example config since approximately 2013[5].
>>
>> [1]: http://thehackernews.com/2015/02/mongodb-database-hacking.html
>> [2]: http://pkgs.fedoraproject.org/cgit/mongodb.git/tree/mongodb.conf?id=be37804b64d9a9b8e8f305d5a89a9c477deac619
>> [3]: http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/utopic/mongodb/utopic/view/head:/debian/mongodb.conf
>> [4]: https://github.com/mongodb/mongo/blob/master/rpm/mongod.conf
>> [5]: https://github.com/mongodb/mongo/commit/f8699f77f90ff9b24d23729644ee7cd7ed0e9600
>>
>> --
>> Ryan Brown / Software Engineer, Openstack / Red Hat, Inc.

--
Ryan Brown / Software Engineer, Openstack / Red Hat, Inc.

--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
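The default discussed in the message above, as an added example (not code from the Fedora package or from MongoDB): a small audit of a legacy `key = value` mongod config that treats a missing or commented-out `bind_ip` as listening on all interfaces, as the quoted help text says. The sample configs and all function names are constructed for illustration.

```python
import ipaddress

# Constructed samples in the legacy "key = value" mongod config format.
BIND_COMMENTED_OUT = """\
# bind_ip = 127.0.0.1
port = 27017
"""
LOCALHOST_ONLY = """\
bind_ip = 127.0.0.1
port = 27017
"""

def parse_legacy_conf(text):
    """Return the active (uncommented) options of a key = value config."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip()
    return opts

def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return addr == "localhost"  # any other name is treated as exposed

def audit(text):
    """Report non-loopback listen addresses and whether auth is enabled."""
    opts = parse_legacy_conf(text)
    auth = opts.get("auth", "false").lower() == "true"
    addrs = [a.strip() for a in opts.get("bind_ip", "").split(",") if a.strip()]
    if not addrs:
        # Per the help text quoted in the thread: all local ips by default.
        exposed = ["*"]
    else:
        exposed = [a for a in addrs if not is_loopback(a)]
    return {"exposed": exposed, "auth": auth,
            "open_without_auth": bool(exposed) and not auth}

if __name__ == "__main__":
    for name, conf in [("commented out", BIND_COMMENTED_OUT),
                       ("localhost only", LOCALHOST_ONLY)]:
        print(name, audit(conf))
```

Commenting out `bind_ip` is reported the same way as binding to every interface, which is the case a packaging review needs to catch.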
MongoDB Security Defaults
Hello,

After reading this article[1] on how many totally unsecured mongodb installations there are on the internet, I noticed a recent (and worrying) change in the defaults on Fedora's mongodb package.

In January, the Fedora rawhide package for mongo[2] was changed to listen on all interfaces by default, but I haven't been able to find any information about why it was changed.

To help protect users, I think the default should be changed back to localhost only. Operators can change this setting post-install if needed, hopefully after assessing how risky it is to have an open-world database. This change could probably be reverted safely as-is, since (I hope) nobody is running production mongo clusters on rawhide.

Debian and Ubuntu have mongodb set to (by default) only listen on localhost[3], which is sane and normal for a database that does *no authentication of any kind* by default. The same has been true of MongoDB Inc.'s[4] example config since approximately 2013[5].

[1]: http://thehackernews.com/2015/02/mongodb-database-hacking.html
[2]: http://pkgs.fedoraproject.org/cgit/mongodb.git/tree/mongodb.conf?id=be37804b64d9a9b8e8f305d5a89a9c477deac619
[3]: http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/utopic/mongodb/utopic/view/head:/debian/mongodb.conf
[4]: https://github.com/mongodb/mongo/blob/master/rpm/mongod.conf
[5]: https://github.com/mongodb/mongo/commit/f8699f77f90ff9b24d23729644ee7cd7ed0e9600

--
Ryan Brown / Software Engineer, Openstack / Red Hat, Inc.
Re: MongoDB Security Defaults
On 02/13/2015 11:25 AM, Frank Ch. Eigler wrote:
> Ryan S. Brown rya...@redhat.com writes:
>
>> [...] In January, the Fedora rawhide package for mongo[2] was changed to listen on all interfaces by default [...] To help protect users, I think the default should be changed back to localhost only. [...]
>
> We have a slew of network-servers in the fedora distribution. Apprx. none of them are supposed to be turned on just by virtue of rpm installation (so, require an explicit systemctl enable), and apprx. none of them get through the system-default firewalld setup. The out-of-the-box risk is therefore nil.

As far as the firewall setup: if they wouldn't get through the firewall, then there's already extra configuration for operators that want to make it available to everyone. Why not also have it listen by default on localhost as an additional safety measure. Especially since *that's how it is in all current releases*. There's no benefit to moving away from the (sane) default of localhost-only.

> If you'd like to pursue a distro-wide change for this interface-binding level of security, please consider pursuing it via a Fedora Change type process rather than piecemeal package-by-package.

I didn't consider this as a distro-wide change, I'll look at the existing policies and see if there are any that cover this.

--
Ryan Brown / Software Engineer, Openstack / Red Hat, Inc.
Re: MongoDB Security Defaults
On Fri, Feb 13, 2015 at 11:37 PM, Ryan S. Brown rya...@redhat.com wrote:
> On 02/13/2015 11:25 AM, Frank Ch. Eigler wrote:
>> Ryan S. Brown rya...@redhat.com writes:
>>
>>> [...] In January, the Fedora rawhide package for mongo[2] was changed to listen on all interfaces by default [...] To help protect users, I think the default should be changed back to localhost only. [...]
>>
>> We have a slew of network-servers in the fedora distribution. Apprx. none of them are supposed to be turned on just by virtue of rpm installation (so, require an explicit systemctl enable), and apprx. none of them get through the system-default firewalld setup. The out-of-the-box risk is therefore nil.
>
> As far as the firewall setup: if they wouldn't get through the firewall, then there's already extra configuration for operators that want to make it available to everyone. Why not also have it listen by default on localhost as an additional safety measure. Especially since *that's how it is in all current releases*. There's no benefit to moving away from the (sane) default of localhost-only.

Indeed. If you want to use the service over the network you'd have to configure it anyways (and set passwords, keys etc.) so asking the admin to additionally enable listen on interface X is not unreasonable.