mongolab / mongoctl

Manage MongoDB servers and replica sets using JSON configurations!
MIT License

Add security warning about open MongoDB instances #24

Open JonnyBurger opened 8 years ago

JonnyBurger commented 8 years ago

Hey everyone,

I would like to propose that we do something against the rising amount of open, insecure MongoDB instances exposed to the public.

By default, mongoctl sets up a Mongo server with no auth parameter in the config, meaning that if you use mongoctl on a server, everybody can connect to it if they know the IP or domain. This problem is so widespread that over 35,000 MongoDB instances are public, and hackers actively exploit this.

This is not a bug in mongoctl, and these things happen because developers don't inform themselves enough, but nonetheless I think we should put a big, fat warning up on this repo, because a lot of users are falling into this trap. And that's because we easily let them:

I confess that I also did not read the docs in detail and had a database out in the wild – fortunately I was able to fix it before something bad happened because DigitalOcean sent me this email:

[Screenshot 2015-12-21 at 18:13:39: the DigitalOcean email]

With ~6000 installs per year, mongoctl has some significance when it comes to the number of open Mongo databases out there. While mongoctl is not to blame for this, it should be a lot easier for developers to figure out how to set up a secure MongoDB.

That's why I propose that the GitHub repo and the mongoctl website get a prominent warning "Make sure to use {auth: true} in production!", because really, that is the essential information which more people need to know.

Best, Jonny
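As an added example (not code from the mongoctl project, and not part of Jonny's post), here is how an operator or maintainer could make the "use {auth: true}" advice mechanical: a small Python audit that reads a mongoctl-style server configuration, reports every server definition whose mongod options do not explicitly enable auth, and produces a hardened copy with auth switched on. The file shape (a JSON list of server documents with mongod flags under "cmdOptions"), the sample server names and addresses are assumptions made for illustration, not taken from the project's docs.

```python
import json
from copy import deepcopy

# Constructed sample in the shape a mongoctl servers.config file is ASSUMED
# to use here: a JSON list of server documents, mongod flags under
# "cmdOptions". Names and addresses are made up for this illustration.
SAMPLE_SERVERS_JSON = """
[
  {"_id": "api-db",  "address": "db1.example.internal:27017",
   "cmdOptions": {"port": 27017, "dbpath": "/data/api-db"}},
  {"_id": "auth-db", "address": "db2.example.internal:27018",
   "cmdOptions": {"port": 27018, "dbpath": "/data/auth-db", "auth": true}},
  {"_id": "dev-db",  "address": "localhost:27019",
   "cmdOptions": {"port": 27019, "dbpath": "/data/dev-db", "auth": false}}
]
"""


def auth_enabled(server: dict) -> bool:
    """True only when the server's mongod options explicitly set auth to true.

    A missing key is treated the same as false: mongod starts without
    authentication unless --auth is given, which is exactly the trap
    the issue describes.
    """
    opts = server.get("cmdOptions") or {}
    return opts.get("auth") is True


def find_open_servers(servers: list) -> list:
    """Return the _id of every server definition that would start without auth."""
    return [s.get("_id", "<unnamed>") for s in servers if not auth_enabled(s)]


def harden(server: dict) -> dict:
    """Return a copy of the server document with auth enabled (input untouched)."""
    fixed = deepcopy(server)
    fixed.setdefault("cmdOptions", {})["auth"] = True
    return fixed


def audit(config_text: str) -> dict:
    """Parse a servers.config text and return the open ids plus hardened docs."""
    servers = json.loads(config_text)
    return {
        "open": find_open_servers(servers),
        "hardened": [harden(s) for s in servers],
    }


if __name__ == "__main__":
    result = audit(SAMPLE_SERVERS_JSON)
    for sid in result["open"]:
        print(f'WARNING: server {sid!r} starts without auth; '
              f'add "auth": true to its cmdOptions')
    print(json.dumps(result["hardened"], indent=2))
```

Run against the sample, the audit flags api-db (auth key absent) and dev-db (auth explicitly false) and leaves auth-db alone; the hardened output is what the config should look like before it is deployed anywhere reachable from the internet. Enabling auth only makes the server ask for credentials, so an admin user still has to be created on the instance afterwards.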

abdulito commented 8 years ago

Hi Jonny,

Thanks for pointing this out. We will update mongoctl's documentation and keep you posted.

Thanks!