I received an email from the German Federal Office for Information Security (BSI) saying that I had a MongoDB instance exposed on one of my servers.
I had installed MongoDB using Docker as part of a demo for a friend and forgot to stop the container. There was no important information in the database, but it was exposed.
My firewall configuration said that port 27017 was filtered!
Checking the result of UFW:
So how is it possible to access it from outside if UFW said that it is filtered?
Now checking iptables directly:
Oh no!!!!! MongoDB is exposed. UFW is a liar!!! I love you. Why are you doing this to me?
- UFW shows its own configuration, not the real state of iptables.
- Docker modifies the network and iptables configuration directly.
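The mismatch described in these two points can be checked mechanically. The following is an added example, not part of the original post or of Docker or UFW: it compares the ports that `ufw status` lists as allowed with the DNAT rules Docker writes into the `DOCKER` chain of the nat table. The sample outputs are constructed, the function names are hypothetical, and the rule layout assumes Docker's default iptables handling.

```python
import re
# Constructed samples (not the author's real output): `ufw status` and the nat
# table from `iptables-save` on a host running a container with -p 27017:27017.
UFW_STATUS = """\
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
"""
IPTABLES_SAVE = """\
*nat
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 27017 -j DNAT --to-destination 172.17.0.2:27017
-A DOCKER -d 127.0.0.1/32 ! -i docker0 -p tcp -m tcp --dport 6379 -j DNAT --to-destination 172.17.0.3:6379
COMMIT
"""

def ufw_allowed(status_text):
    """Return {(port, proto)} that `ufw status` lists as ALLOW (port/proto rules only)."""
    found = re.findall(r"^(\d+)/(tcp|udp)\s+ALLOW", status_text, re.M)
    return {(int(port), proto) for port, proto in found}

def docker_published(save_text):
    """Return [(port, proto, target)] for DOCKER-chain DNAT rules not bound to loopback."""
    out = []
    for line in save_text.splitlines():
        if not line.startswith("-A DOCKER ") or "-j DNAT" not in line:
            continue
        dst = re.search(r"\s-d (\S+)", line)
        if dst and dst.group(1).startswith("127."):
            continue  # published on 127.0.0.1 only, not reachable from outside
        m = re.search(r"-p (\w+) .*--dport (\d+) .*--to-destination (\S+)", line)
        if m:
            out.append((int(m.group(2)), m.group(1), m.group(3)))
    return out

def hidden_from_ufw(status_text, save_text):
    """Ports Docker forwards from outside that UFW's rule list never mentions."""
    allowed = ufw_allowed(status_text)
    return [r for r in docker_published(save_text) if (r[0], r[1]) not in allowed]

if __name__ == "__main__":
    for port, proto, target in hidden_from_ufw(UFW_STATUS, IPTABLES_SAVE):
        print(f"{port}/{proto} -> {target}: forwarded by Docker, absent from ufw status")
```

On a real host, feed the functions the output of `ufw status` and `iptables-save` instead of the constructed samples.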
There is a bug open since 18 Mar 2014 (two years ago). The Docker guys don't seem to care about this problem, or maybe it is not a bug, but I think that it is a big security issue that should be highlighted in the documentation. There is no official response in the thread.
This is a copy & paste from the bug thread that is working for me:
Reference from the BSI:
- SecurityWeek: Thousands of MongoDB Databases Found Exposed on the Internet
- Shadowserver: Accessible/Open MongoDB NoSQL Server Scanning Project