3

I am wondering what is the security risk associated with having 0.0.0.0/0 for MongoDB databases on Atlas? I am hosting a Discord Bot on Heroku and I have been banging my head trying to figure out how to set up the static IPs with QuotaGuard. At this point, I want to know the risk and the potential problems (realistically) with allowing access from anywhere.

Mahyar Mirrashed
  • Don't know anything about Heroku/QuotaGuard, but in general if you're exposing a Mongo server to the world, you should definitely have authentication enabled and SSL/TLS encryption set up so that nobody can snoop on the Mongo traffic. Also might wanna set up some kind of brute-force prevention. But ideally you should not expose MongoDB to the world and have a REST API service which is exposed to the world and only that service talks to MongoDB directly, which can be located in the same machine/network. – Dĵ ΝιΓΞΗΛψΚ Jul 11 '21 at 04:13
  • When you mention authentication @ĐĵΝιΓΞΗΛψΚ , is that the default stuff that I set up as the database URI with the username and password in it? Also, I did not even know brute-force prevention is a possibility with MongoDB! Mind explaining all that in an answer to this question by chance? – Mahyar Mirrashed Jul 11 '21 at 06:07
  • I have an application and was wondering this exact same thing. Were you able to find an answer? I can't get QuotaGuard to work either for my backend on Heroku so... A little annoying. – Donny groezinger Oct 27 '21 at 19:37
  • @Donnygroezinger, unfortunately, I was not able to find it properly. QuotaGuard has some links that I found on the matter but I was not able to parse it effectively. Eventually, I just purchased a virtual private server through Vultr and just host everything through there. It comes out to 72$/year but I have the ability to host literally whatever I want on that server. – Mahyar Mirrashed Oct 28 '21 at 22:28
  • Nice, I just have a front-end mobile application that sends some GET requests and so I was just wondering if keeping the MongoDB open to all IPs is really that bad... Hasn't been an easy few days with support, that's for sure. Very frustrating. – Donny groezinger Oct 29 '21 at 02:22
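
The controls named in the comments above (a narrow IP access list, credentials in the connection URI, TLS) can be checked mechanically. This is an added example, not code from any of the posters; the access-list entries, URI and host names are constructed, and the `cidrBlock`/`ipAddress` field names are an assumption about how the Atlas IP access list is exported.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qs

# Constructed sample data: entries shaped like an Atlas project IP access list
# and a connection URI with no credentials. None of it comes from the page.
SAMPLE_ACCESS_LIST = [
    {"cidrBlock": "0.0.0.0/0", "comment": "allow Heroku dynos"},
    {"cidrBlock": "203.0.113.10/32", "comment": "static egress IP"},
]
SAMPLE_URI = "mongodb://cluster0.example.invalid:27017/bot?tls=false"


def audit_access_list(entries, max_addresses=256):
    """Flag entries that admit every address, or more than max_addresses."""
    findings = []
    for entry in entries:
        cidr = entry.get("cidrBlock") or entry.get("ipAddress")
        net = ipaddress.ip_network(cidr, strict=False)
        if net.prefixlen == 0:
            findings.append(f"{cidr}: open to the whole Internet")
        elif net.num_addresses > max_addresses:
            findings.append(f"{cidr}: wide range ({net.num_addresses} addresses)")
    return findings


def audit_uri(uri):
    """Check the client-side controls that remain once the network is open."""
    parts = urlsplit(uri)
    opts = {k.lower(): v[-1].lower() for k, v in parse_qs(parts.query).items()}
    findings = []
    # Assumes username/password (SCRAM) auth carried in the URI.
    if not (parts.username and parts.password):
        findings.append("no username/password in URI")
    # mongodb+srv:// turns TLS on by default; plain mongodb:// does not.
    default_tls = "true" if parts.scheme == "mongodb+srv" else "false"
    if opts.get("tls", opts.get("ssl", default_tls)) != "true":
        findings.append("TLS not enabled")
    for flag in ("tlsinsecure", "tlsallowinvalidcertificates", "tlsallowinvalidhostnames"):
        if opts.get(flag) == "true":
            findings.append(f"{flag}=true weakens certificate validation")
    return findings


if __name__ == "__main__":
    for finding in audit_access_list(SAMPLE_ACCESS_LIST) + audit_uri(SAMPLE_URI):
        print("FINDING:", finding)
```

With `0.0.0.0/0` in the access list, the URI checks are the only controls left between the Internet and the data, so any finding from `audit_uri` matters more in that configuration.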

1 Answer

0

MongoDB is one of the trickier setups out there, but we've gotten pretty good at getting this running for a lot of customers. Since the admins won't let us paste links of our documentation of how to do it yourself, and it's a long set of steps, I'd encourage you just to reach out to us at Support so we can help you get the connection set up and running quickly.

QuotaGuard