By: phil.eki

Digital Ocean Firewalls are awesome for MongoDB. Why do I need ufw?

September 7, 2017
Firewall MongoDB Ubuntu

I have my app servers tagged as apps and my database server(s) tagged as db.

Using purely DigitalOcean's firewalls, create 2 rules:

tag:db rules

Incoming

  • SSH from anywhere
  • Connections only from tag:apps on port 27017

Outgoing

  • Anything goes

tag:apps rules

Incoming

  • SSH from anywhere
  • 80/443 from anywhere

Outgoing

  • Anything goes

This seems to make a lot of sense and I feel like I:

  • Don't need to set up ufw on any servers, because that's already taken care of
  • Don't need to restrict incoming connections by IP with the MongoDB config. I can just bind to 0.0.0.0 and accept from "anywhere", since the DO firewall already does that filtering.
  • Don't need to enable auth in MongoDB (I would only need to do this if SQL injection were a legitimate fear)

Could anyone help me understand why I should, security-wise?

1 Answer

That looks good to me! As long as you have your DO Firewalls configured properly (sounds like you do!), you won't need to set up UFW or IPTables on your Droplet.

I agree with the first two points but not so much the third. I recommend setting up auth in MongoDB either way. This will keep your data safe in case something goes wrong and your databases become publicly accessible for some reason. Better safe than sorry!
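As an added illustration of the answer's point (this is not part of the original thread), here is a /etc/mongod.conf with the setting the question proposes next to the one the answer recommends; the file path, the 0.0.0.0 bind and the app's private subnet are assumptions, not values from the thread.

```yaml
# /etc/mongod.conf on the tag:db Droplet (YAML config format of mongod 3.x)
net:
  port: 27017
  # The question proposes listening on every interface and relying on the
  # DigitalOcean firewall to admit only tag:apps. That is fine as long as the
  # firewall rule exists; the Droplet's private-network address would narrow
  # the exposure further if the tag rule were ever removed by mistake.
  bindIp: 0.0.0.0

security:
  # Weak: the default (authorization disabled) means that if the firewall is
  # misconfigured or the Droplet is moved out of the db tag, anyone who can
  # reach port 27017 reads and writes every database with no credentials.
  #
  # authorization: disabled
  #
  # Recommended by the answer: require authentication so a firewall mistake
  # alone does not expose the data (a second, independent control).
  authorization: enabled
```

After restarting mongod, create the first administrative user from a mongo shell on the db Droplet with `use admin` and `db.createUser({user: "admin", pwd: "<password>", roles: ["userAdminAnyDatabase"]})`, then give the app its own user with only the readWrite role on its database and put those credentials in the app's connection string.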
