DEV Community

Graham Cox

MongoDB ransoms in 2017

You've almost certainly heard the news of the MongoDB ransoms that are going on: tens of thousands of internet-facing MongoDB instances have had their data dumped or wiped and replaced with a ransom note. It's been a long time coming, and there's no excuse for it at all.

We learnt a long time ago that it's completely unsafe to have workstations on the internet without some form of protection. Essentially, you need a firewall to keep your desktop or laptop safe.

It's also old knowledge that you should separate your front-end and back-end systems: the database belongs on a private network segment that only the application tier can reach, never on the public-facing network alongside the web servers.

Finally, it's common sense that your data is the single most important asset your company has.

Given all that, I find it ludicrous that these databases were a) not backed up and b) not secured.

Backups are essential. If the data isn't backed up it might as well not exist. What's more, backups are only as good as the last time they were successfully restored, so if you don't make backups and test restoring them, you might as well not have the data in the first place. And a backup that sits on the same host, or is reachable with the same credentials as the database, goes away with the database: keep copies somewhere the database server cannot overwrite or delete them.

This gets you to being able to get your data back, but it doesn't stop the bad guys getting their hands on it too. For that, you need to stop them getting into the database in the first place. This means a firewall and decent authentication. The instances hit in this wave were reachable from the internet on the default port with no authentication enabled, so the attackers simply connected, took or dropped the data, and left a note. Bind mongod to the loopback and private interfaces only, firewall port 27017 so that only the application hosts can reach it, and turn authorization on. The database server should never be externally accessible - ever. If you need admin access, use a VPN. Simple as that.
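As an added example (not code from the original post), here is a small audit script for the two settings just described: whether mongod listens on every interface, and whether authorization is enabled. The two sample mongod.conf files it writes are constructed for the demonstration; the option names (net.bindIp, net.bindIpAll, security.authorization, and the legacy bind_ip / auth keys) are MongoDB's own.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: audit a mongod.conf for the two
# settings behind the 2017 ransom wave, a listener on every interface and no
# authorization. The sample configs written by make_sample_configs are
# constructed for this demonstration; the option names are MongoDB's own.
set -eu

# Print the effective value of a config key, comments stripped and quotes/spaces removed.
# Handles the YAML form (key: value) and the legacy ini form (key = value).
conf_value() { # $1 = config file, $2 = key regex (ERE alternation allowed)
  sed 's/#.*$//' "$1" \
    | sed -nE "s/^[[:space:]]*($2)[[:space:]]*[:=][[:space:]]*//p" \
    | head -n 1 | tr -d "\"'[:space:]"
}

# Print one EXPOSED line per finding; return 1 if anything is exposed, 0 if clean.
audit_mongod_conf() { # $1 = config file
  local conf="$1" findings=0 bind bind_all authz addr exposed_listener=0

  bind=$(conf_value "$conf" 'bindIp|bind_ip')
  bind_all=$(conf_value "$conf" 'bindIpAll')
  [ "$bind_all" = "true" ] && exposed_listener=1
  # bindIp may be a comma-separated list; the wildcard addresses are what matter.
  for addr in $(printf '%s' "$bind" | tr ',' ' '); do
    case "$addr" in 0.0.0.0|::) exposed_listener=1 ;; esac
  done
  if [ "$exposed_listener" -eq 1 ]; then
    echo "EXPOSED: mongod listens on all interfaces (bindIp=${bind:-unset}, bindIpAll=${bind_all:-false})"
    findings=$((findings + 1))
  elif [ -z "$bind" ]; then
    # Before MongoDB 3.6 an unset bindIp meant all interfaces.
    echo "EXPOSED: bindIp not set; mongod before 3.6 then listened on all interfaces"
    findings=$((findings + 1))
  fi

  # security.authorization (YAML) or auth = true (legacy). Default is off.
  authz=$(conf_value "$conf" 'authorization|auth')
  case "$authz" in
    enabled|true) ;;
    *) echo "EXPOSED: authorization not enabled (value: '${authz:-unset}'); anyone who can connect has full access"
       findings=$((findings + 1)) ;;
  esac

  if [ "$findings" -gt 0 ]; then return 1; fi
  return 0
}

# Write an exposed and a hardened config into a scratch directory; print the directory.
make_sample_configs() {
  local dir
  dir=$(mktemp -d)
  # Constructed: the shape of an internet-exposed install (no security section at all).
  cat > "$dir/exposed.conf" <<'EOF'
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
EOF
  # Constructed: loopback plus the private app-network address, authorization on.
  cat > "$dir/hardened.conf" <<'EOF'
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # private interface only; firewall 27017 on top
security:
  authorization: enabled
EOF
  printf '%s\n' "$dir"
}

if [ "${1:-}" = "demo" ]; then
  d=$(make_sample_configs)
  for f in "$d"/exposed.conf "$d"/hardened.conf; do
    echo "== $f"
    if audit_mongod_conf "$f"; then echo "OK: nothing exposed"; fi
  done
fi
```

Run it with `bash audit.sh demo` to see both verdicts. The config check is only half the story: pair the hardened bindIp with a host firewall rule that accepts TCP 27017 from the application subnet only and drops everything else, and treat the same check as something to run against every host, not just the one you remembered.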

The really ludicrous part of this is that MongoDB supports authentication with x.509 client certificates (the MONGODB-X509 mechanism). With that enabled, an attacker doesn't need a username and password, which can be guessed or brute forced, but a client certificate signed by the CA the server trusts; the username is simply the certificate's subject DN, and the connection has to be over TLS. Forging such a certificate is significantly harder than guessing a password - to the point that if someone can reliably do so, MongoDB is the least of our worries. The caveat is that none of this helps unless authorization is actually switched on: the ransomed instances didn't have weak authentication, they had none.
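As an added example (not code from the original post), the following script walks through the x.509 setup with openssl: a private CA, one client certificate per MongoDB user, the subject DN that becomes the username, the createUser call in the $external database, and the matching mongod.conf and mongo shell options. The CA name, the subject names, the host db.internal and the database inventory are constructed for the demonstration; the MongoDB option names and shell flags are the real ones (the 3.x spelling net.ssl / --ssl; 4.2 and later spell them net.tls / --tls).

```shell
#!/usr/bin/env bash
# Added example, not from the original post: the x.509 client-certificate setup
# MongoDB's MONGODB-X509 mechanism expects, built with openssl. The CA, the
# subject names, the host db.internal and the database name are all constructed
# for this demonstration.
set -eu

# Create a private CA. Anything mongod trusts must chain to ca.crt.
make_ca() { # $1 = work dir
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj '/O=Example/OU=infra/CN=Example Internal CA' \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Issue one client certificate per MongoDB user; its subject DN is the username.
# Writes $dir/$cn.pem holding key and certificate, the layout the mongo shell expects.
issue_client_cert() { # $1 = work dir, $2 = common name
  local dir="$1" cn="$2"
  openssl req -newkey rsa:2048 -nodes -subj "/O=Example/OU=apps/CN=$cn" \
    -keyout "$dir/$cn.key" -out "$dir/$cn.csr" 2>/dev/null
  # If a client cert carries extendedKeyUsage at all, mongod requires clientAuth in it.
  printf 'keyUsage = digitalSignature\nextendedKeyUsage = clientAuth\n' > "$dir/$cn.ext"
  openssl x509 -req -in "$dir/$cn.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 365 -extfile "$dir/$cn.ext" -out "$dir/$cn.crt" 2>/dev/null
  cat "$dir/$cn.key" "$dir/$cn.crt" > "$dir/$cn.pem"
}

# MongoDB identifies an x.509 user by the certificate subject in RFC 2253 form.
cert_subject_dn() { # $1 = PEM file
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# mongo shell statement registering that DN in $external with the least role the app needs.
create_user_command() { # $1 = subject DN, $2 = database the app uses
  printf 'db.getSiblingDB("$external").createUser({ user: "%s", roles: [ { role: "readWrite", db: "%s" } ] })\n' "$1" "$2"
}

# mongod.conf fragment: TLS required, client certs checked against our CA, authorization on.
# (3.x spelling shown; MongoDB 4.2+ uses net.tls.mode requireTLS and certificateKeyFile.)
print_mongod_conf() {
  cat <<'EOF'
net:
  bindIp: 127.0.0.1,10.0.0.5
  ssl:
    mode: requireSSL
    PEMKeyFile: /etc/mongodb/mongod.pem
    CAFile: /etc/mongodb/ca.crt
security:
  authorization: enabled
EOF
}

# Client connection: the certificate is the credential; no password is sent.
print_connect_command() { # $1 = client PEM, $2 = CA cert
  printf "mongo --host db.internal --ssl --sslPEMKeyFile %s --sslCAFile %s --authenticationDatabase '\$external' --authenticationMechanism MONGODB-X509\n" "$1" "$2"
}

if [ "${1:-}" = "demo" ]; then
  work=$(mktemp -d)
  make_ca "$work"
  issue_client_cert "$work" app-client
  dn=$(cert_subject_dn "$work/app-client.pem")
  echo "subject DN (the MongoDB username): $dn"
  create_user_command "$dn" inventory
  print_mongod_conf
  print_connect_command "$work/app-client.pem" "$work/ca.crt"
fi
```

Run with `bash x509.sh demo`. The server certificate mongod itself presents (PEMKeyFile) must be issued by the same CA, and each user needs a certificate with a distinct subject, since the DN is the identity. Note that the roles granted at createUser time are what limit the damage from a stolen client certificate; the certificate only proves who is connecting.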
