Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

MongoDB - Allow access from anywhere (rule) #1199

Merged
merged 2 commits into from
Apr 5, 2024
Merged

MongoDB - Allow access from anywhere (rule) #1199

merged 2 commits into from
Apr 5, 2024

Conversation

akozlovets098
Copy link
Contributor

@akozlovets098 akozlovets098 commented Apr 5, 2024
edited by arielkr256
Loading

Goal

Detect when 0.0.0.0 is added to the project's IP access list, which allows access from anywhere.

Categorization

https://attack.mitre.org/techniques/T1021/

Strategy Abstract

Atlas only allows client connections to the database deployment from entries in the project's IP access list. Detect when 0.0.0.0 is added to that list, which allows access from anywhere.

Technical Context

Allow access to project from anywhere to generate relevant logs.

Blind Spots and Assumptions

Assumes proper MongoDB Atlas logging.

False Positives

Could be legitimate administrator activity for specific project.

Validation

Allow access to project from anywhere to trigger alerts.

Priority

Medium

Response

Check if this activity was legitimate. If not, delete 0.0.0.0 from the list of allowed ips.

Additional Resources

https://www.mongodb.com/docs/atlas/security/ip-access-list/

@akozlovets098 akozlovets098 requested review from a team April 5, 2024 12:00
@arielkr256 arielkr256 enabled auto-merge (squash) April 5, 2024 15:26
arielkr256
arielkr256 approved these changes Apr 5, 2024
View reviewed changes
Copy link
Contributor

@arielkr256 arielkr256 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Awesome!

@arielkr256 arielkr256 merged commit a168668 into release Apr 5, 2024
5 checks passed
@arielkr256 arielkr256 deleted the THREAT-268-MongoDB---Allow-access-from-anywhere branch April 5, 2024 15:26
egibs pushed a commit that referenced this pull request Apr 9, 2024
@akozlovets098 @arielkr256
MongoDB - Allow access from anywhere (rule) (#1199)
9d6e10e 
Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@arielkr256 arielkr256 arielkr256 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@akozlovets098 @arielkr256