Seems someone has set their domain to use my server. It’s not a mirror, the database and everything works and updates with mine. Is there a way to make it so my server will only respond to requests from my domain? He’s basically stealing my content, and he’s showing up on google instead of me.
I’m using node.
something like this https://www.npmjs.com/package/vhost
or this https://www.npmjs.com/package/vhosts
or this https://github.com/expressjs/vhost ?
I’m still looking into them
@skeddtemp Like @Woet says, it’s a matter of configuring the web server.
You’re probably running Nginx, but might as well be Apache.
And make sure you’re not running Node.js on a public port. It should only be accessibly through a reverse proxy from the web server.
https://www.digitalocean.com/community/tutorials/how-to-set-up-nginx-server-blocks-virtual-hosts-on-ubuntu-16-04 this sounds like it?
@skeddtemp
No, this is more like it:
https://www.digitalocean.com/community/tutorials/how-to-set-up-a-node-js-application-for-production-on-ubuntu-14-04#set-up-reverse-proxy-server
It’s the reverse proxy part which is what you want.
Node.js has an internal web server, but it’s not very advanced, so that’s why you add Nginx or another web server in front of it.
Okay so I already followed that tutorial and did all the steps in the “Set Up Nginx as a Reverse Proxy Server” section.
Is there something I need to do with pm2 which I have running my node file?
@skeddtemp Needed to start a new answer because we maxed out the thread.
Great, no, I don’t think you need to mess with pm2, but you need to make sure that nothing besides Nginx is listening on the external ports.
Run this command lsof -iTCP -sTCP:LISTEN -P
Are all of the ports listed here accessable externally?
Heres the list:
sshd
sshd
mongod
nginx
nginx
nginx
nginx
nginx
nginx
node\x20/
sshd
sshd
@skeddtemp
I can’t see which interface it listens on from that list.
Maybe you should setup a firewall.
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 1490 root 3u IPv4 14472 0t0 TCP *:22 (LISTEN)
sshd 1490 root 4u IPv6 14483 0t0 TCP *:22 (LISTEN)
mongod 17901 root 6u IPv4 578756 0t0 TCP *:27017 (LISTEN)
nginx 21205 root 6u IPv4 1117068 0t0 TCP *:80 (LISTEN)
nginx 21205 root 7u IPv6 1117069 0t0 TCP *:80 (LISTEN)
nginx 21205 root 8u IPv4 1117070 0t0 TCP *:443 (LISTEN)
nginx 21206 www-data 6u IPv4 1117068 0t0 TCP *:80 (LISTEN)
nginx 21206 www-data 7u IPv6 1117069 0t0 TCP *:80 (LISTEN)
nginx 21206 www-data 8u IPv4 1117070 0t0 TCP *:443 (LISTEN)
node\x20/ 21258 root 11u IPv6 1118094 0t0 TCP *:3000 (LISTEN)
sshd 23840 root 8u IPv6 1128812 0t0 TCP ip6-localhost:6010 (LISTEN)
sshd 23840 root 9u IPv4 1128813 0t0 TCP localhost:6010 (LISTEN)
full list. So is the problem the * instead of localhost ports?
@skeddtemp
Okay, very important. Your MongoDB is accessible from the outside. You need to secure that. Unless you have a very good reason it should be publicly available, then put it on localhost.
Everything with * means it listens on all interfaces (public and local).
The localhost only listens on, well, the local host.
So your Node.js is also listening on all interfaces on 3000, make listen on localhost only.
Do I do this through configuration of each program or is there a universal way?
@skeddtemp Creating a new answer, since we maxed out the other thread.
You should install each service (what you call program), so it’s secure. That would be my recommendation.
But you could just setup the firewall to block everything and then open the ports you want accessible from the outside.
Have a look at this tutorial:
https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-16-04
I followed, here is the output
sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
To Action From
22 ALLOW IN Anywhere
80 ALLOW IN Anywhere
443 ALLOW IN Anywhere
80,443/tcp (Nginx Full) ALLOW IN Anywhere
22 (v6) ALLOW IN Anywhere (v6)
80 (v6) ALLOW IN Anywhere (v6)
443 (v6) ALLOW IN Anywhere (v6)
80,443/tcp (Nginx Full (v6)) ALLOW IN Anywhere (v6)
lsof -iTCP -sTCP:LISTEN -P
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 1384 root 3u IPv4 14397 0t0 TCP *:22 (LISTEN)
sshd 1384 root 4u IPv6 14410 0t0 TCP *:22 (LISTEN)
nginx 1510 root 6u IPv4 15432 0t0 TCP *:80 (LISTEN)
nginx 1510 root 7u IPv6 15433 0t0 TCP *:80 (LISTEN)
nginx 1510 root 8u IPv4 15434 0t0 TCP *:443 (LISTEN)
nginx 1511 www-data 6u IPv4 15432 0t0 TCP *:80 (LISTEN)
nginx 1511 www-data 7u IPv6 15433 0t0 TCP *:80 (LISTEN)
nginx 1511 www-data 8u IPv4 15434 0t0 TCP *:443 (LISTEN)
node\x20/ 1533 root 11u IPv6 16106 0t0 TCP *:3000 (LISTEN)
mongod 1578 root 6u IPv4 16026 0t0 TCP *:27017 (LISTEN)
sshd 1644 root 8u IPv6 16632 0t0 TCP ip6-localhost:6010 (LISTEN)
sshd 1644 root 9u IPv4 16633 0t0 TCP localhost:6010 (LISTEN)
Nothing seems to have changed though. I thought I denied everything so shouldn’t mongo be blocked now? At this point I’d be willing to pay someone to do it. Any idea how I could go about that?
@jtittle is this something you could do?
@skeddtemp Let’s see if Jonathan can assist you. He’s a very, very good system administrator.
@hansen - Thanks, appreciate that :-).
I’m playing catch-up here, so forgive me if I start on the wrong part.
If you’re simply looking to force MongoDB to listen on localhost or 127.0.0.1, then you need to edit mongodb.conf and change bind_ip to either or.
It’s been a little while since I’ve used MongoDB, though I believe that file is located either here:
/etc/mongodb.conf
or
/etc/mongodb/mongodb.conf
You’d need to run:
nano /etc/mongodb.conf
… or use the other path (if that’s where the config file is) and locate bind_ip and then change it so that it looks like:
bind_ip = 127.0.0.1
or
bind_ip = localhost
You would then need to restart MongoDB.
Once this change is made, as long as all access is local, then I would just remove the firewall rule that applies to MongoDB as you don’t need to allow it in.
To find the rule, you can run:
ufw status numbered
Find the number that shows 27017 and run:
ufw delete NUM
Where NUM is the number you found when running the first command. So, for example, if my rule was number 5 on the list, I’d run:
ufw delete 5
Thanks for the comment
I opened up /etc/mongod.conf, but that setting was already there.
# network interfaces
net:
port: 27017
bindIp: 127.0.0.1
And I hadn’t set a rule for mongo, I configured it based of the link from @hansen to I think block all ports except the ones in this list below
To Action From
-- ------ ----
[ 1] 22 ALLOW IN Anywhere
[ 2] 80 ALLOW IN Anywhere
[ 3] 443 ALLOW IN Anywhere
[ 4] Nginx Full ALLOW IN Anywhere
[ 5] 22 (v6) ALLOW IN Anywhere (v6)
[ 6] 80 (v6) ALLOW IN Anywhere (v6)
[ 7] 443 (v6) ALLOW IN Anywhere (v6)
[ 8] Nginx Full (v6) ALLOW IN Anywhere (v6)
but that’s still not working (at least I don’t think it is,
but the command lsof -iTCP -sTCP:LISTEN -P
still says
mongod 1582 root 6u IPv4 16004 0t0 TCP *:27017 (LISTEN)
(though I’m not sure exactly what this command does, maybe theres a better way to test it)
I also followed his earlier advice to try to lock down my server so it only works with my domain, but that didn’t seem to take either.
I knew I was a little rusty, so the filename is actually mongod.conf. I just spun up a new Droplet and did a quick install of MongoDB 3.4 to confirm.
If the changes you’ve posted are from your the same configuration file, then you definitely shouldn’t see * showing up as that pretty much means MongoDB is listening on 0.0.0.0 which is short for any available IP.
To confirm, I ran the same command on my quick install:
lsof -iTCP -sTCP:LISTEN -P
… which results in:
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 1743 root 3u IPv4 16514 0t0 TCP *:22 (LISTEN)
sshd 1743 root 4u IPv6 16516 0t0 TCP *:22 (LISTEN)
mongod 4630 mongodb 7u IPv4 25998 0t0 TCP localhost:27017 (LISTEN)
If you’ve not already, please try running:
service mongod restart
…
If that doesn’t work, please provide more details on your installation, more specifically how was MongoDB installed?
All I did to install MongoDB (3.4 on Ubuntu 16.04) on my end was run:
sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 0C49F3730359A14518585931BC711F9BA15703C6
echo "deb [ arch=amd64,arm64 ] http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.4 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-3.4.list
sudo apt-get update
sudo apt-get install -y mongodb-org
sudo service mongod start
Trying to figure out exactly what I did, I had a few issues getting the correct version, but I think this is the last thing I did:
39 sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv EA312927
40 echo "deb http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.2 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-3.2.list
41 sudo apt-get update
42 sudo apt-get install -y mongodb-org
43 sudo apt-get install -y mongodb-org=3.2.12 mongodb-org-server=3.2.12 mongodb-org-shell=3.2.12 mongodb-org-mongos=3.2.12 mongodb-org-tools=3.2.12
44 echo "mongodb-org hold" | sudo dpkg --set-selections
45 echo "mongodb-org-server hold" | sudo dpkg --set-selections
46 echo "mongodb-org-shell hold" | sudo dpkg --set-selections
47 echo "mongodb-org-mongos hold" | sudo dpkg --set-selections
48 echo "mongodb-org-tools hold" | sudo dpkg --set-selections
49 touch ./lib/systemd/system/mongod.service
50 mongod --nojournal --dbpath=data
51 pm2 start mongo-start.sh --interpreter=bash
What’s the contents of mongo-start.sh?
If you’re running specific configuration via a bash script, that may be what’s setting the port, and that may be where we need to look to change it.
Sorry, I didn’t get a notification and thought no one responded. Hope someone’s still around to see this.
I created mongo-start.sh to run this code:
echo "Starting MongoDB"
#Delete the lock file preventing mongo from starting
echo "Deleting lock file"
file="./data/mongod.lock"
if [ -f $file ] ; then
rm $file
fi
#Run mongo with the repair flag
echo "Running repair"
mongod --nojournal --dbpath=data --repair
#Start mongo db
echo "Starting Mongo"
mongod --nojournal --dbpath=data
Because every time c9 shut down my server it would stop working. I don’t think it’s doing anything special when running mongo though