dokku-mongodb-plugin
Security issues
Just two suggestions to improve security:
- Currently, the password files on the host system (in /home/dokku/.mongodb/) are world-readable!

  -rw-r--r-- 1 dokku dokku 61 Mar 9 07:34 admin_pw

- The mongodb port is exposed to all interfaces on the host system (that is, also the public interface!):

  $ docker ps
  ...
  a1204aa57208 jeffutter/mongodb:latest "/usr/bin/mongod --d 14 hours ago Up 14 hours 0.0.0.0:49154->27017/tcp dokku-mongodb

  This is most certainly not what you want to do. Why do you need to bind it to the host system at all? For mongodb:console? Anyways, even if you need to do this, you should probably bind it explicitly only to localhost (you can do that with -p: -p 127.0.0.1:27017:27017, but not with -P AFAIK).
@danielr Yeah, I agree with you on point 1. I'll see if I can take care of that in the next day or two.
Point two: I guess my original intention was for using console as well as dumping/restoring databases. And that anyone concerned with having the port open would use a firewall. I think a better solution is to expose no points and handle everything with linking, including doing console and dumps over a link. This is probably the cleanest and most secure solution - I just need to implement it.
Any update here? I am wrapping my head around how to enable secure connections from clients and hosts as well.
The quick solution to the mongodb port exposure is to use iptables to block inbound traffic. I used this method, it seems to work as expected.
# Assuming eth0 is the external interface
# Block incoming traffic on eth0 to internal mongodb docker port
iptables -I DOCKER -i eth0 -p tcp --dport 27017 -j DROP
Don't forget to make these changes persist after reboots using iptables-persistent or some other technique.
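
An added example, not part of the original thread or the plugin's code: a small shell audit for the two issues raised above, namely password files readable by other users and container ports published on all interfaces. The function names and the sample `docker ps` lines are constructed for illustration; the directory to check is the /home/dokku/.mongodb/ path quoted in the first post.

```shell
#!/bin/sh
# Added example: audit helpers for the two findings in this thread.
# Function names are hypothetical; sample data below is constructed.

# Print files under directory $1 whose mode grants read access to "other".
world_readable_files() {
    find "$1" -type f -perm -004 2>/dev/null
}

# Restrict every file under directory $1 to owner read/write only.
lock_down_files() {
    find "$1" -type f -exec chmod 600 {} +
}

# Read "NAME PORTS..." lines on stdin, as produced by
#   docker ps --format '{{.Names}} {{.Ports}}'
# and print each container/port pair published on all interfaces
# (0.0.0.0 for IPv4, :: or [::] for IPv6). Loopback bindings are ignored.
public_bindings() {
    awk '{
        name = $1
        for (i = 2; i <= NF; i++) {
            p = $i
            sub(/,$/, "", p)    # docker separates multiple ports with ", "
            if (p ~ /^(0\.0\.0\.0|::|\[::\]):[0-9-]+->/) print name, p
        }
    }'
}

# Constructed sample input: one public binding, one loopback-only, one unpublished.
SAMPLE_PS='dokku-mongodb 0.0.0.0:49154->27017/tcp
local-only 127.0.0.1:27017->27017/tcp
no-ports'

# Demo on the constructed sample; flags only the dokku-mongodb line.
printf '%s\n' "$SAMPLE_PS" | public_bindings
```

On a live host, run `world_readable_files /home/dokku/.mongodb` and pipe `docker ps --format '{{.Names}} {{.Ports}}'` into `public_bindings`; any output from either is a finding.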