Thanks to the BSI. Good Job!!
I received an emails from the German Federal Office for Information Security (BSI) that said that I have a MongoDB instance exposed in one of my servers. I installed MongoDB using Docker as part of a demo to a friend and I forgot to stop the container. No important information in the database, but was exposed.
But how is possible?
My firewall configuration said that the port 27017 is filtered!
Checking the result of UFW:
1 | |
Then? How is possible to access from outside if UFW said that it is filtered?
Checking now Iptables directly:
1 | |
Oh no !!! MongoDB is exposed. UFW is a liar!!! I love you. Why are you doing this to me?
Why
- UFW is showing its configuration and not in base of the real state of the Iptables.
- Docker modifies directly the network and Iptables configuration.
The solution
There is a bug open since 18 Mar 2014 (Two years ago). Docker guys looks like don't take care about this problem or maybe is not a bug, but I think that it is a big security issue that should be highlighted in the documentation. There is not an official response in the thread.
This is a copy & paste from the bug thread that is working for me:
- Set
DEFAULT_FORWARD_POLICY="ACCEPT"in/etc/default/ufw - Set
DOCKER_OPTS="–iptables=false"in/etc/default/docker
Links:
https://github.com/docker/docker/issues/4737
Solution from https://github.com/docker/docker/issues/4737#issuecomment-191653053
Reference from the BSI:
- SecurityWeek: Thousands of MongoDB Databases Found Exposed on the Internet
- Shadowserver: Accessible/Open MongoDB NoSQL Server Scanning Project
Versions:
1 | |