Today, i was testing my current project, and realized that there was a problem with my database. After reviewing it, i found a message asking me to send some bitcoins !!!
Your Database is downloaded and backed up on our secured servers. To recover your lost data: Send 0.6 BTC to our BitCoin Address and Contact us by eMail with your server IP Address and a Proof of Payment. Any eMail without your server IP Address and a Proof of Payment together will be ignored. We will drop the backup after 24 hours. You are welcome!
Hahaha, that was found in my database, but it is funny, because:
- I knew that my database was opened to everybody. I had a manual solution, but i was looking for an automated one.
- I had no sensitive data inside the database, only “test data” (i can restore the main db structure with a json file, and also i can send more data to the Db with some arduinos connected to the ethernet)
- I knew that this will happen. But, i was especting this happens within a few months, not weeks !
- Since my database is served by a Docker Container, i can restart it and create a new database with “test” data using a json file (within seconds).
I had found several web pages explaining how to achieve this SECURE MongoDb, but they explain how to do it manually after creating the database.
Don’t think i don’t look for secure systems, don’t misunderstand me, this was more about having fast achievements and lefting known issues for later. Now, i needed to stop the development and improve this security issue.
Also, Digital Ocean sent me a Warning a couple of weeks ago, when the Container was started.
I have a docker container, so i wanted the secure authentication be ready and configured after creating the container (That was the main reason why i was delaying the authentication improvement)
After a couple of hours i found the automated solution that i needed:
So, my docker-compose.yml file has the following code …
mongodb: image: mongo:4.1.1-xenial restart: always env_file: - .env # Ports for mongdb must not be exposed in Production (only for testing purposes) ports: - "27017:27017" volumes: - "./data/mongodb:/data/db" - "./fixtures/mongodb:/docker-entrypoint-initdb.d"
And my .env file looks like:
# MongoDB part MONGO_INITDB_ROOT_USERNAME=username MONGO_INITDB_ROOT_PASSWORD=XxxxxxxxX
Since my database was empty, only with the message asking for bitcoins, i destroyed the container and created a new one with a new database.
Also, i needed to update the Class used to connect to the database (adding new auth credentials)
by: Juan Pablo Donayre