back to article Dumb MongoDB admins spew 600 TERABYTES of unauthenticated data

Shodan hacker John Matherly says system administrators have exposed some 595.2 terabytes of data by using poorly-configured or un-patched versions of the popular MongoDB database. eBay, Foursquare, and The New York Times are some of the prominent users of the open source MongoDB which is the most popular NoSQL database. …

  1. foxyshadis

    Users using old versions of software are vulnerable to old bugs

    News at 11.

  2. Destroy All Monsters Silver badge
    Paris Hilton

    нет!

    Most exposed instances run on cloud servers including Digital Ocean, Amazon, Linode, and OVH and do so without authorisation enabled, in what Matherly says is a trend in which cloud instances are more vulnerable than datacenter hosting.

    I don't know about the others but at Amazon you have to explicitly punch holes into the Internet-facing packetfilter (which is separate from any packetfilter that may be active on the VM) to let through traffic, and why would anyone do that?

    1. Anonymous Coward
      Anonymous Coward

      Re: нет!

      At most VPS hosts you're on your own, but it's pretty easy to block everything but web and SSH traffic. Look up IPtables and Fail2ban...

      As for databases, may I suggest... Postgres? Best of both worlds these days.

      1. Destroy All Monsters Silver badge

        Re: нет!

        Dude, I don't think people who want to run MongoDB would consider PostgreSQL a solution.

        > both worlds

        What two worlds are those?

        1. amanfromarse

          Re: нет!

          Relational and native JSON types.

    2. Nelbert Noggins

      Re: нет!

      It's all too common unfortunately with cloud systems. A scary amount of Cloud servers have any port used by a service open to the entire internet, assuming someone has even bothered to put specific ports and not just all ports.

      Too much Kool-Aid and people without any background in Ops/Architect/Security believe they can do devops without an ops person because it's just a few clicks in a browser or a cli command to get a server running.

      It's only going to get worse as the number of people with a cloud ops/architect/security experience decrease. Especially amongst dev driven teams and startups who believe ops/architects/security is a roadblock and they can do it themselves because they are 'devops' experts. Until they are shown all the issues and then suddenly it's the companies fault for not hiring an ops person for their 'devops' world.

  3. Tim99 Silver badge
    Coat

    But

    Mongo DB is Web Scale - YouTube Link (NSFW).

    1. Uberseehandel

      Re: But

      I laughed out loud at that. Sadly, its all too true.

      Every web designer I come across seems particularly clueless when it comes to databases, as do their bosses. Almost all the time NoSQL = No data architecture (or consistency). = another generation hairless statisticians. (Note to web designers - the ORM does nor obviate the need for Data analysis and design - if you don't understand that, read Joe Celko)

      Even today's CIO types rarely understand the need for proper Data Analysis and Design.

      I can see real world use cases for MongoDB type architectures, but if it matters, it calls for one of the RDBMS heavyweights.

      In passing, I'll add that CIOs would make life easier if they didn't hire Oracle DBAs to run non Oracle DBMS, that only ever ends in tears.

  4. yo_G

    seriously, can I short mongo?

    How can I bet against overhyped, under-delivering startups like this?

    I suppose I could go long Oracle, I guess, but that seems like a lot of exposure against random ERP businesses that I know nothing about.

  5. yossarianuk

    Firewall ?

    Wouldn't the most simple of iptables rules prevent the issue also?

    No authentication though - surely there is no excuse ?

    1. Anonymous Coward
      Anonymous Coward

      Re: Firewall ?

      I thought the same, the default firewall rules would have prevented this. iptables defaults to allow localhost/loopback traffic and just because it's bound to all interfaces, someone must still have opened the port(s) on the firewall for it to be Internet accessible.

      "Matherly says the near 30,000 databases are exposed through the use of older versions of the platform that fail to bind to localhost."

      Personally I'm of the view that unless customers need to directly connect to a service, it should be behind a VPN (i.e. if they had it open to the 'net to integrate with another system, those two systems should be VPN'd if they can't be physically located together).

    2. Uberseehandel

      Re: Firewall ?

      if you configure MongoDB, properly, as set out in the documentation for the configuration file (parameters), it is possible to explicitly control access to the database, without difficulty.

      However, DB access is almost always better controlled (when operating at scale), by using an intermediate tier that the front end connects to, and the intermediate connects to the DB using persistent connections and, in Relational-speak, stored procedures. This type of architecture allows for all sorts of arcane security, authorisation and audit features, transparent non-stop operations and huge per second transaction rates

  6. Henry Wertz 1 Gold badge

    Check your access!

    I don't care if you're using MongoDB, MySQL, PostgreSQL, or SQL Server (Well, don't actually use this please)... check your access! Can you connect to it from the outside? Then you have a problem!

    1. Anonymous Coward
      Trollface

      Re: Check your access!

      Oooooooooh, looky here! It's Mr Let's-Stop-Innovating-At-The-Speed-Of-Thought come to lecture us on his grandpaw's best practices and testing and documentation and probably on wearing braces with his seersucker pants. Dontcha know that all the cool kids now break-before-make? Dare to fail, not fail to dare!

      As Oskar WildeXploit wisely put it: the only thing worse than having your users' data scarfed via a trivially detectable cockup is not having a high enough user growth accelerator to get bought out by Googbook.

      [dropping my snark for a moment ... in the evergreen "Up the Organization" Robert Townsend recommended that senior bods should try phoning themselves to learn just how their fiefdom appears to the outside world]

  7. Anonymous Coward
    Anonymous Coward

    host based firewalls?

    so these admins don't keep the default local firewall on their boxes? if they did, the daemon wouldn't be available to the outside world even if it bound to all addresses. this is basic system admin stuff. :/

    (obviously with REQUIRED holes punched through) - reminds me of admins that just turn off SELinux etc :(

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019