00:01 Alright, so on the left here we're logged into our MongoDB server
00:03 and let's go to the web server, we're logged in here,
00:12 now on the web server, just for now, I'm going to set up the Mongo shell
00:16 so that we can sort of simulate talking to this
00:20 from the web application, our little fake web application in Python
00:24 which we haven't gotten to yet, but we'll do that later in this chapter.
00:26 And we already added the list here, so we're going to install, apt install this,
00:31
00:38 ok so let's go Mongo, you're going to run something great, not the right one,
00:42 okay, so before we do anything let's see if we can get to our Mongo server,
00:48 and the answer will be no,
00:52 so here this is the host name of the Mongo server,
00:57 right now if I try to connect to it, it's going to say no,
01:00 if I come over here and I type mongo it connects, what is going on?
01:05 Remember this, remember it's listening only on local host. 01:14 So we're going to want to change this, but not before we make it safe,
01:17 so we don't want to just tell it to listen on the open internet right away
01:22 so let's first block access to all of these ports
01:27 and everything basically except for initially ssh,
01:31 so what we're going to use is we are going to use something built into Ubuntu
01:36 called uncomplicated firewall.
01:40 The first thing that we're going to do is say ufw default deny incoming.
01:45 By default we're blocking all of the ports.
01:51 Now, we're going to say allow outgoing,
01:55 so by default allow our server to get back out, that's cool.
01:58 The other thing that we want to allow, unless this is going to be
02:02 the very last time we see the server,
02:04 we're going to need to allow ssh back to this server.
02:07 Not default, just allow ssh.
02:14 Okay, great, it updated for ipv4 and ipv6, that's pretty sweet.
02:19 Now the last thing is a moment of truth, we're going to enable it,
02:23 we could ask the status, it's not enabled,
02:28 it says you know, if you are blocking ssh, you're going to be done for; we're not.
02:34 And let's just verify, just connect, reconnect, okay, we're good.
02:40 So at least now nothing can talk to any port except for 22 ssh, at all on this server.
02:47 The one final thing to do, let's go over here and say ping the web server,
02:58 so this, that's the ip address of the web server,
03:04 what I want is to allow the web server to get to the Mongo server,
03:09 so one more thing I'll say ufw allow from here,
03:14 so uncomplicated firewall allow from this to any port
03:18 and we're going to give it a port here and normally you would type this,
03:23 27017,  that's the default port,
03:29 but the very next thing we are going to do is say
03:32 running MongoDB on the default port probably is a stupid idea,
03:35 everyone is scanning the wide open internet for 27017
03:38 and then seeing what kind of havoc they can wreak upon that.
03:41 So even though we think our firewalls are blocking the wide open internet
03:45 for everything except for ssh— let's go ahead and change the port,
03:51 so we're going to say 100001 is the port we're going to run Mongo,
03:55 so we're going to allow that thing to come back to 10001,
03:57 where MongoDB is going to be listening.
04:01 Okay, rule added. So it is running,  it's listening on just that port.
04:07 Next thing to do is we're going to want to go and change the port here,
04:12
04:15 like this, and change this port, 10001.
04:19
04:23 Excellent, okay, so MongoDB, we're going to have to go do a service restart,
04:30 now if I type Mongo fail, but if I say --port, like that, we're good.
04:36 So it looks like everything is working over here.
04:39 It's still not going to listen to us,
04:45 because we're still not listening on the public internet,
04:49 we're just listening on local host.
04:52 Okay, but this is one step in the right path,
04:55 we've got basically the firewall here restricting access to everything,
05:00 except for wide open ssh and MongoDB
05:05 on a default port only from the web server.
05:08 Let's while we're over here go ahead and do this as well.
05:11 Just assuming that you're treating this as your web server,
05:14 let's go ahead do the same thing.
05:18 So by default we're going to do deny incoming allow outgoing,
05:23
05:28 allow ssh, and let's say allow 80 and 443 to simulate this being the web server,
05:37 we're not actually going to run a website, like I said,
05:40 but that is what I would do, and then we would do an enable.
05:44 It says are you sure you want to do this, we'll exit one more time,
05:46 make sure we can get back, and we can, fabulous.
05:49 So now, we've got that server sort of foul lock down just to play along,
05:54 this one is like actually lock down and this thing can talk to it,
05:57 but this one is not listening.
05:59 I don't want to make that one listen, until we go through a few other steps,
06:01 so you are going to have to hold off on having this whole connection thing working.