MongoDB hacked after a few hours of being accessible
I set up Dokploy on a fresh server and configured my application: Next.js with MongoDB and replica sets enabled.
While trying to figure out ufw settings to block access from outside, but allow Docker, I noticed in the MongoDB log that all the tables were dropped and a new index created.
The index had a message saying that my data is backed up and I should pay x amount of bitcoin.
The collections were empty and nothing important is lost, but I wonder how someone could get in so fast.
As far as I understand the db is protected with a user and password on creation. My password was randomly generated, 15 chars of letters and numbers.
Any ideas?
Are the docker images stored somewhere public?
Maybe problem with vps security itself?
I mean, I started a new server today and installed Dokploy on it, and my MongoDB has been fine for like 10 hours
Same thing for me, installed Mongo like 2 days ago with no issues
I don't think it's the VPS security. There is nothing installed. I use public key authentication. In the SSH logs only my IP and Docker (Dokploy) have logged in. Firewall is running and only 80, 443, 22 and 27017 were open.
I think it has to do with replica sets. There is also no authentication in the Mongo logs besides my IP. So the attacker got in without login.
Maybe they joined the replicaset?
What firewall do you have?
@๐ ๐ฟ๐ญ๐๐น๐ฎ๐๐ฒ ufw
Can I see your settings ?
@๐ ๐ฟ๐ญ๐๐น๐ฎ๐๐ฒ which ones?
To Action From
-- ------ ----
22/tcp ALLOW Anywhere
80/tcp ALLOW Anywhere
443 ALLOW Anywhere
22/tcp (v6) ALLOW Anywhere (v6)
80/tcp (v6) ALLOW Anywhere (v6)
443 (v6) ALLOW Anywhere (v6)
there was also 27017 in the same way, which I removed after the breach
Port 22 needs to be opened only with a whitelisted IP
Not anywhere
If it is anywhere, it can be hacked
I don't have a static IP
do you have public key auth only or also password auth?
public key
You sure the connection details couldn't have been compromised, rather than the VPS itself?
@hyteq Do you mean Mongo connection details?
In the logs there was no authentication entry other than from my IP
Did you set any password for Mongo? I usually create the Mongo instance with a password and I do not expose it to the host when I use Docker Compose, and I have a backend app exposed to the host
When I create a db via dokploy, I have to set a password, so yes
I believe it was the combination of the public port and the replica set. How the replica set is configured by default in Dokploy is not secure. It binds to all IPs, although it should only bind to the host IP. There are warnings everywhere in the Mongo docs to secure everything before putting it public. I was expecting Dokploy to handle this for me.
That's right. In my case, I handle my db instances and replicas by myself. So, let me check if I can help you create a db using the Dokploy UI
@Andres Ruiz I'm fine now. I was doing differently from how I usually do, since it was convenient. I managed now with keeping it private
It was an accumulation of doing things differently and it exploded in the end
I'm glad you solved it. It's normal, but when you get into the rhythm everything flows better
Thank you everyone for sharing your ideas
It's strange, honestly. I don't know if it's due to some missing configuration in the replica sets; I'm not a Mongo expert. This is the PR:
https://github.com/Dokploy/dokploy/pull/926
feat: mongo replica sets by thewilloftheshadow · Pull Request #926 ...
This PR makes the default mongo database be initialized as a single node replica set.
Having a replica set is required for both Prisma to use MongoDB as well as using the MongoDB change streams fea...
@Siumauricio I never used replica sets before, but that setting to enable them makes it just too easy. It looks like replica sets are by default unprotected, and if you make the mistake of opening the container to the internet, then you are in big trouble. Probably it should at least ask for another set of credentials to be configured to protect the replica set. I would also suggest configuring a certificate when the database is opened to the internet.
I wonder if many users use the database integration, since it lacks some options that a plain docker container has.
Maybe special features are not even necessary for the predefined database integrations.
I would like to ask, after opening the replica set, how do you connect?
@rainTrip I used MongoDB Compass with the credentials I provided when creating that database. I had to enable "Direct Connection" under "Advanced Connection Options" otherwise it wouldn't connect.
I found that I do need to enable direct connection. Does this operation cause any risks?
I seem to have been invaded by a script virus. How did you solve it?
@rainTrip I disabled replica sets
You encountered the same issue that happened to me. Replica sets have to be configured and made secure by yourself. The slider that enables replica sets only enables replica sets, but leaves everything unconfigured in terms of security. So I suspect the set is open for anyone to join and mess with your data
I didn't spend time learning how to configure replica sets. So I'm just not using them
OK, I understand. But my program needs to use the transaction function, so I need to use a replica set.
@rainTrip It may work if you don't expose the ports publicly.
otherwise you have to learn how to secure a replica set