Finding MongoDB instances without any authentication (opens in new tab)

I've tried to reach out for a few years now and spoke about it at every opportunity but for some reason people just aren't interested in looking at databases. Most of these MongoDB instances are running old versions and given the popularity of the project I suspect that this is a tiny fraction of deployments. Btw I'm still trying to find contacts at some organizations that are affected, but it's actually surprisingly difficult to reach somebody that is in charge of security :-/ Especially with servers hosted in the cloud doing attribution is difficult!

Edit: Btw I've also tried repeatedly to get some press coverage of this issue with reporters, but nobody was interested in covering this problem.

They're entirely responsible for the damage that was inflicted. Attempting to shift the blame to you is childish at best.

I remember (maybe it was the same service shodan) a year ago, looking at its scanning interface and seeing my instance of my toy database listed as open. I didn't think anything of it, and was too lazy to do anything about, but I've been aware for quite some time now that people will do ip scans against common ports.

This later came back to bite me in the ass when I started messing around with elasticsearch. Elasticsearch had a pretty nasty default that let you run arbitrary code from its query api and within hours my box was compromised.

That's exactly the reason why I'm not reporting anything anymore. The legal aspect is just really badly designed for this kind of situation. If I find something opened or unsecured by mistake, I just go somewhere else and don't report anything so this way I don't risk anything. That's sad because it's not helping anyone but I just don't want to handle any legal stuff.

I did the same thing, spidering for open rsync shares:

http://blog.steve.org.uk/secure_your_rsync_shares__please_.h...

Some scary stuff out there, freely available with minimal effort. Of course with rsync things were generally read-only, but even so lots of family financial-data, and pictures.

blekko's search engine received a lot of automated queries looking for that kind of info -- that and SEO ranking research were our top 2 types of automated search.

>always take the necessary steps to ensure that no one is harmed.

That is always publish anonymously.

This is known for many years so author is not the first to acknowledge that problem (just do an online search). This is a known operational problem / must-avoid / best practice for Mongo deployment.

memcached has the same default to this day - listen on all interfaces, no auth.

These things are designed for use by people running them on servers that are not directly exposed to the internet. If you're running it in a dev VM with no public address, it's fine. If you're running it on a database-optimized server in your datacenter/cloud which has a firewall only allowing connections from your web-application servers to particular ports, it's fine.

In fact I wouldn't trust mongodb auth anyway, that's not it's focus, much less its strength. Leave the auth to other mechanisms designed for it.

I try not to worry about the infinite multitude of idiots who can follow some bad advice and get some software running. No matter what you do to make things foolproof, human ingenuity comes up with better fools, and in the process you make things more complicated for people who know what they're doing.

"completely unacceptable"? no, reasonable.

Regardless of my thoughts on MongoDB in particular, if you are relying upon authentication mechanisms built into infrastructure software so that you can put, say, MongoDB on a public IP address and communicate in the open, you are operating your infrastructure completely unacceptably. There is absolutely zero excuse for not doing this right, and if MongoDB's default fucked you here, you're not doing it right in the first place. You wouldn't put your Nest thermostat on the Internet, so why is your primary data store? And, even worse, if you've "done it right" and thrown HTTP basic authentication in front of it, you get to put your hands on your hips and say "ha! we're secure!" but you're one bypass or weak password away from losing your entire database.

I agree with you on reconsidering MongoDB in production, but administrators failing to secure their systems is not why. Authenticating to a database is an antipattern. Stop making database vendors add this shit: HTTP basic authentication against your NoSQL hotness in prod, on a public IP, is a complete waste of time. Put it in RFC 1918 space or lock down security groups like everybody else and stop losing databases like this. That's what's unacceptable.

Seriously, this stuff is bananas. Now you have to ship passwords around in your automation because you can't be bothered to deploy a real DMZ and private network. Then you have to use Ansible Vault or whatever, and the complexity just rapidly multiplies.

You're talking nonsense.

Most enterprise systems e.g. Hadoop listen on all interfaces as well as we are routing traffic over multiple cards e.g. Infiniband. Does that mean we should be reconsidering those choices as well ?

And it's not a gaping security hole. It's a poorly chosen default. And most normal people read and understand the configuration files before they deploy anything into production.

Yes, but then you build your own layer of auth on top of it. Signed messages should work fine, though. Its an interesting idea, for sure.

Hehe, for that matter it'd make a hell of a means of distribution for illicit materials (pirate software/movies)...

Think db nodes to find/query for torrents...

Yes, it could be that there was somebody before me that already noticed this issue and decided to exploit it :-/ I saw on Twitter that there actually was a talk in 2013 at DEFCON about these sorts of problems in NoSQL, so in certain circles it's been known for a while just not acted upon.

If somebody wants to give obblekk's suggestion a try, you can use my docker masscan container right away [0]

[0] https://registry.hub.docker.com/u/dordoka/masscan/