MongoDB bind ip and ports

I need some clarity on how the bindIp in /etc/mongod.conf works. I started a new VM instance in Azure. I opened the port 27017 (it is open to public). I started a new MongoDB instance (version is 4.4). In /etc/mongod.conf, I added the private IP of the VM instance. So it has 127.0.0.1 and the private IP, like this: 10.0.x.x,127.0.0.1. I restarted the server. I did not enable authentication - I thought I would do all that after the application is set up.

The next day, I see a lot of entries in the log like this:

{"t":{"$date":"2020-09-22T18:46:03.897+00:00"},"s":"I",  "c":"NETWORK",  "id":22943,   "ctx":"listener","msg":"Connection accepted","attr":{"remote":"209.17.96.210:53448","connectionId":11,"connectionCount":1}}
{"t":{"$date":"2020-09-22T19:55:23.236+00:00"},"s":"I",  "c":"NETWORK",  "id":22943,   "ctx":"listener","msg":"Connection accepted","attr":{"remote":"45.227.255.224:61000","connectionId":12,"connectionCount":1}}
{"t":{"$date":"2020-09-22T20:03:18.361+00:00"},"s":"I",  "c":"NETWORK",  "id":22943,   "ctx":"listener","msg":"Connection accepted","attr":{"remote":"38.88.252.187:44861","connectionId":13,"connectionCount":1}}
{"t":{"$date":"2020-09-22T21:04:01.448+00:00"},"s":"I",  "c":"NETWORK",  "id":22943,   "ctx":"listener","msg":"Connection accepted","attr":{"remote":"162.142.125.35:43268","connectionId":14,"connectionCount":1}}
{"t":{"$date":"2020-09-23T03:04:55.582+00:00"},"s":"I",  "c":"NETWORK",  "id":22943,   "ctx":"listener","msg":"Connection accepted","attr":{"remote":"192.241.232.202:34776","connectionId":15,"connectionCount":1}}
{"t":{"$date":"2020-09-23T04:31:06.036+00:00"},"s":"I",  "c":"NETWORK",  "id":22943,   "ctx":"listener","msg":"Connection accepted","attr":{"remote":"20.36.16.23:13312","connectionId":16,"connectionCount":1}}

Is this expected? I thought Mongo was listening only on the private IP and 127.0.0.1, and hence only someone from within the network or with access to the machine would be able to connect.

Hi @Jayadevan_Maymala welcome to the community!

I’m not sure why MongoDB accepts incoming connections from the internet when you specifically only bind to private addresses. On bind ip, MongoDB does nothing special in terms of binding, as mentioned in the bind ip page. Having said that, I would highly recommend you use IP whitelisting on top of MongoDB’s bind ip setting to limit incoming connections.

Maybe share your /etc/mongod.conf file, and some log lines from the server when it starts up so we can see what’s going on?

Best regards,
Kevin

Hi @kevinadi ,
I am pasting the log entries which mention which IPs MongoDB is listening on.
grep Listening ./mongod.log
{"t":{"$date":"2020-09-22T08:45:38.054+00:00"},"s":"I", "c":"NETWORK", "id":23015, "ctx":"listener","msg":"Listening on","attr":{"address":"/tmp/mongodb-27017.sock"}}
{"t":{"$date":"2020-09-22T08:45:38.054+00:00"},"s":"I", "c":"NETWORK", "id":23015, "ctx":"listener","msg":"Listening on","attr":{"address":"127.0.0.1"}}
{"t":{"$date":"2020-09-22T10:57:24.262+00:00"},"s":"I", "c":"NETWORK", "id":23015, "ctx":"listener","msg":"Listening on","attr":{"address":"/tmp/mongodb-27017.sock"}}
{"t":{"$date":"2020-09-22T10:57:24.262+00:00"},"s":"I", "c":"NETWORK", "id":23015, "ctx":"listener","msg":"Listening on","attr":{"address":"10.0.1.4"}}
{"t":{"$date":"2020-09-22T10:57:24.262+00:00"},"s":"I", "c":"NETWORK", "id":23015, "ctx":"listener","msg":"Listening on","attr":{"address":"127.0.0.1"}}

Maybe hackers are sending requests to standard ports on public IPs, and Azure’s network is mapping it to the private IP and forwarding it? I have opened the port once more. Would you like to trace the path and help troubleshoot? IP is 52.172.147.136.
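A small triage script for the situation described in this thread, added here as an example (it is not part of MongoDB or the poster's setup). It reads mongod's 4.4-style JSON log lines, lists the addresses mongod reports under "Listening on" (id 23015), and classifies every "Connection accepted" (id 22943) remote as loopback, private or public. The sample lines are constructed to mirror the format shown above; the two event ids are the ones visible in the thread's own log output. A public source showing up while bindIp contains only 10.0.1.4 and 127.0.0.1 is exactly the symptom discussed: bindIp chooses which local interfaces are bound, it does not filter who reaches those interfaces.

```python
"""Triage mongod JSON log lines: what is mongod listening on, and who connected?

Added example for this thread, not MongoDB's own tooling. Sample lines are
constructed to match MongoDB 4.4 JSON logging: id 23015 = "Listening on",
id 22943 = "Connection accepted".
"""
import ipaddress
import json
from collections import Counter

# Constructed sample log: three listener events, five accepted connections,
# and one malformed line to show the parser tolerates noise.
SAMPLE_LOG = """\
{"t":{"$date":"2020-09-22T10:57:24.262+00:00"},"s":"I","c":"NETWORK","id":23015,"ctx":"listener","msg":"Listening on","attr":{"address":"/tmp/mongodb-27017.sock"}}
{"t":{"$date":"2020-09-22T10:57:24.262+00:00"},"s":"I","c":"NETWORK","id":23015,"ctx":"listener","msg":"Listening on","attr":{"address":"10.0.1.4"}}
{"t":{"$date":"2020-09-22T10:57:24.262+00:00"},"s":"I","c":"NETWORK","id":23015,"ctx":"listener","msg":"Listening on","attr":{"address":"127.0.0.1"}}
{"t":{"$date":"2020-09-22T11:02:00.000+00:00"},"s":"I","c":"NETWORK","id":22943,"ctx":"listener","msg":"Connection accepted","attr":{"remote":"127.0.0.1:50112","connectionId":1,"connectionCount":1}}
{"t":{"$date":"2020-09-22T11:05:00.000+00:00"},"s":"I","c":"NETWORK","id":22943,"ctx":"listener","msg":"Connection accepted","attr":{"remote":"10.0.1.5:41000","connectionId":2,"connectionCount":2}}
{"t":{"$date":"2020-09-22T18:46:03.897+00:00"},"s":"I","c":"NETWORK","id":22943,"ctx":"listener","msg":"Connection accepted","attr":{"remote":"209.17.96.210:53448","connectionId":3,"connectionCount":1}}
not a json line at all
{"t":{"$date":"2020-09-22T21:04:01.448+00:00"},"s":"I","c":"NETWORK","id":22943,"ctx":"listener","msg":"Connection accepted","attr":{"remote":"162.142.125.35:43268","connectionId":4,"connectionCount":1}}
{"t":{"$date":"2020-09-23T03:10:00.000+00:00"},"s":"I","c":"NETWORK","id":22943,"ctx":"listener","msg":"Connection accepted","attr":{"remote":"209.17.96.210:53500","connectionId":5,"connectionCount":1}}
"""

LISTENING_ON = 23015
CONNECTION_ACCEPTED = 22943


def parse_events(text):
    """Yield one dict per well-formed JSON log line; skip blanks and garbage."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def split_remote(remote):
    """'host:port' -> (host, port). IPv6 remotes are logged as '[addr]:port'."""
    host, _, port = remote.rpartition(":")
    return host.strip("[]"), int(port)


def classify(host):
    """'unix' for socket paths, else loopback / private (RFC 1918, ULA) / public."""
    if host.startswith("/"):
        return "unix"
    ip = ipaddress.ip_address(host)
    if ip.is_loopback:          # checked first: 127/8 is also "private" in ipaddress
        return "loopback"
    if ip.is_private:
        return "private"
    return "public"


def listening_addresses(events):
    """Distinct addresses mongod reported binding to."""
    return sorted({e["attr"]["address"] for e in events if e.get("id") == LISTENING_ON})


def accepted_connections(events):
    """(timestamp, host, port, class) for every accepted connection."""
    out = []
    for e in events:
        if e.get("id") != CONNECTION_ACCEPTED:
            continue
        host, port = split_remote(e["attr"]["remote"])
        out.append((e["t"]["$date"], host, port, classify(host)))
    return out


def audit(text):
    """Summarise a log: bound addresses, connection counts per class, public sources."""
    events = list(parse_events(text))
    conns = accepted_connections(events)
    return {
        "listening": listening_addresses(events),
        "by_class": dict(Counter(c[3] for c in conns)),
        "public_sources": dict(Counter(c[1] for c in conns if c[3] == "public")),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    print("listening on:", ", ".join(report["listening"]))
    print("connections by class:", report["by_class"])
    for src, n in sorted(report["public_sources"].items(), key=lambda kv: -kv[1]):
        print(f"PUBLIC source {src}: {n} connection(s) - reached a private bind address")
```

Run it against a real file with `audit(open("/var/log/mongodb/mongod.log").read())`. Any non-empty `public_sources` on a server whose bindIp lists only private addresses means traffic is being forwarded to the private interface from outside (here, by the Azure NSG rule), and the fix belongs at the network filter and in `security.authorization`, not in bindIp.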

Hi @Jayadevan_Maymala,

Apologies, I can’t really help by connecting directly to your deployment.

However, you can check if internet connectivity is allowed by Azure by trying this experiment from another server, or possibly your co-worker’s laptop.

Best regards,
Kevin

Yes, allowing a port on an Azure Network Security Group will send it to the host's local IP. The internet IP is not bound on the virtual machine.

You can set the source address to allow only the IPs you want to access this port. If you don’t access the VM from a static IP, you can use Just In Time Access to allow your IP when you need to access the VM.


Thanks. I closed the port. There was no real need to open 27017 to public. Internal connections from the web server can go through the private IP anyway.