MongoDB Instance Access

closed

#1

We had the firewall on our cryoSPARC master server set up to allow all connections on ports 39000-39010:

# These ports are used by cryoSPARC
iptables -A leave_open -p tcp --match multiport --dports 39000:39010 -j ACCEPT

The machine subsequently got flagged by information security services for having an open MongoDB port.

Much to my surprise, it turns out the MongoDB instance used by cryoSPARC allows anyone from anywhere to write to it without authentication? Is this a misconfiguration on my part? Here is my test, with some Mongo messages removed:

[cnsit@lizard ~]$ mongo --host kraken.biosci.utexas.edu:39001
MongoDB shell version v4.2.0
connecting to: mongodb://kraken.biosci.utexas.edu:39001/?compressors=disabled&gssapiServiceName=mongodb

<snip a bunch of irrelevant messages>

meteor:PRIMARY> use security_test
switched to db security_test

meteor:PRIMARY> db.users.find()
{ "_id" : ObjectId("5daa0b7f367d5157103ff967"), "hackername" : "pgoetz" }

meteor:PRIMARY> db.users.insert({hackername: "jmclellan"})
WriteResult({ "nInserted" : 1 })

meteor:PRIMARY> db.users.find()
{ "_id" : ObjectId("5daa0b7f367d5157103ff967"), "hackername" : "pgoetz" }
{ "_id" : ObjectId("5daa0dfa04d2ae2aa7031e53"), "hackername" : "jmclellan" }

I created the security_test database previously and added {"hackername" : "pgoetz"} so the second connection demonstrates that the data is persistent. All the cryoSPARC stuff is in a database called meteor:

meteor:PRIMARY> show databases
admin           0.000GB
local           0.089GB
meteor         51.660GB
security_test   0.000GB

#2

Hi @pgoetz,

Sorry for the delay.

A cryoSPARC master instance needs to be set up in a way such that ports 39000, 39001 and 39002 are available to the worker nodes, and port 39000, the web application, is the only port that a user needs to access cryoSPARC. This connection to the web application over 39000 is typically done through SSH port forwarding into the internal network.

At the moment, it is assumed that anyone with access to the database port is a trusted user and that the database port is not open to all. We are working on a solution to support use cases such as user isolation and data security.

Let us know if you have any suggestions!

- Suhail
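The firewall rule in the first post accepts 39000-39010 from any source, which is how the unauthenticated MongoDB port (39001) ended up reachable. The following is an added audit script, not code from the thread or from the cryoSPARC project: it parses `iptables -S` style ACCEPT rules and reports which database ports are accepted from outside the worker network. The worker subnet 10.20.0.0/24 and the tightened rule set are constructed assumptions for the example.

```python
import ipaddress
import shlex

# Ports from the thread: 39000 is the cryoSPARC web app, 39001 is the MongoDB
# port found writable without authentication, 39002 a further master-side port.
# The worker network is a constructed assumption, not a value from the thread.
DATABASE_PORTS = {39001, 39002}
WORKER_NET = ipaddress.ip_network("10.20.0.0/24")


def parse_rule(line):
    """Parse one `iptables -S` style rule into (source network, set of ports).
    Returns None unless the rule is an ACCEPT rule with destination ports."""
    argv = shlex.split(line)
    src, ports, target = None, set(), None
    i = 0
    while i < len(argv):
        tok = argv[i]
        if tok in ("-s", "--source"):
            src = ipaddress.ip_network(argv[i + 1], strict=False)
            i += 1
        elif tok in ("--dports", "--dport"):
            for part in argv[i + 1].split(","):   # e.g. "39000:39010" or "22"
                lo, _, hi = part.partition(":")
                ports.update(range(int(lo), int(hi or lo) + 1))
            i += 1
        elif tok == "-j":
            target = argv[i + 1]
            i += 1
        i += 1
    if target != "ACCEPT" or not ports:
        return None
    return src or ipaddress.ip_network("0.0.0.0/0"), ports   # no -s means any source


def exposed_db_ports(rules, trusted=WORKER_NET):
    """Return {port: [source, ...]} for database ports accepted from outside `trusted`."""
    findings = {}
    for line in rules:
        parsed = parse_rule(line)
        if parsed is None:
            continue
        src, ports = parsed
        if src.version == trusted.version and src.subnet_of(trusted):
            continue                                   # worker-only rule, fine
        for port in sorted(ports & DATABASE_PORTS):
            findings.setdefault(port, []).append(str(src))
    return findings


# Constructed rule sets: the thread's original rule, and a tightened replacement
# that leaves only the web port open generally and limits 39001-39002 to workers.
ORIGINAL_RULES = ["-A leave_open -p tcp --match multiport --dports 39000:39010 -j ACCEPT"]
TIGHTENED_RULES = [
    "-A leave_open -p tcp --match multiport --dports 39000 -j ACCEPT",
    "-A leave_open -s 10.20.0.0/24 -p tcp --match multiport --dports 39001:39002 -j ACCEPT",
]
```

Running `exposed_db_ports(ORIGINAL_RULES)` flags 39001 and 39002 as accepted from 0.0.0.0/0, while the tightened set produces no findings.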