Risk Level: High
Description:
This plugin ensures that DigitalOcean database clusters are not publicly accessible. Restricting which DigitalOcean resources or external IP addresses are allowed to reach the nodes in a cluster greatly reduces the likelihood of a security breach.
About the Service:
Database: The DigitalOcean Database service handles basic administrative tasks such as setup, backups, and administration for several database engines, including MongoDB, MySQL, Redis, and PostgreSQL.
Impact:
Restricting incoming connections prevents brute-force password and denial-of-service attacks from any host that is not explicitly permitted to connect.
Steps to Reproduce:
- Log in to the DigitalOcean console.
- Under the PROJECTS section, select the project whose database accessibility needs to be checked.
- Next, under the Resources tab, go to Database clusters and select the cluster to be tested.
- The selected database cluster opens on the Overview tab. Under TRUSTED SOURCES, if a warning such as “Your cluster is open to all incoming connections” is displayed, go to the Steps for Remediation section.
- Repeat the process for the other clusters in the project, and for database clusters in other projects as well.
Steps for Remediation:
- Log in to the DigitalOcean console.
- Under the PROJECTS section, select the project whose database accessibility needs to be checked.
- Next, under the Resources tab, go to Database clusters and select the cluster to be tested.
- The selected database cluster opens on the Overview tab. Under TRUSTED SOURCES, if a warning such as “Your cluster is open to all incoming connections” is displayed, click the link stating “Secure this database cluster by restricting access”.
- You are redirected to the Settings tab. Under the Trusted sources section, click Edit.
- Under Add trusted sources, enter the IP addresses that are allowed to send requests to the cluster, then click Save.
- Repeat the process for any other open database clusters.
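The same check the steps above perform by hand, expressed against the DigitalOcean API, as an added example that is not part of this plugin's own code. It assumes the response shapes of GET /v2/databases (a `databases` list) and GET /v2/databases/{id}/firewall (a `rules` list, empty when the cluster accepts all incoming connections); the cluster and rule data below is constructed so the check runs offline.

```javascript
// Constructed sample responses standing in for live API calls.
const sampleClusters = [
  { id: 'c-1', name: 'orders-pg', engine: 'pg', region: 'nyc3' },
  { id: 'c-2', name: 'cache-redis', engine: 'redis', region: 'nyc3' },
  { id: 'c-3', name: 'legacy-mysql', engine: 'mysql', region: 'sfo3' },
];
const sampleFirewalls = {
  // Two trusted sources: a Droplet and one external address.
  'c-1': { rules: [{ type: 'droplet', value: '12345' }, { type: 'ip_addr', value: '203.0.113.10' }] },
  // No trusted sources: this is the "open to all incoming connections" state.
  'c-2': { rules: [] },
  // 'c-3' is absent: the firewall lookup failed, so its state is unknown.
};

// One finding per cluster: FAIL when no trusted sources restrict access,
// PASS when at least one rule exists, UNKNOWN when rules could not be read.
function evaluateClusters(clusters, firewalls) {
  return clusters.map((c) => {
    const base = { id: c.id, name: c.name, region: c.region };
    const fw = firewalls[c.id];
    if (!fw || !Array.isArray(fw.rules)) {
      return { ...base, status: 'UNKNOWN', message: 'Unable to query trusted sources' };
    }
    if (fw.rules.length === 0) {
      return { ...base, status: 'FAIL', message: 'Cluster is open to all incoming connections' };
    }
    const summary = fw.rules.map((r) => `${r.type}:${r.value}`).join(', ');
    return { ...base, status: 'PASS', message: `Restricted to ${fw.rules.length} trusted source(s): ${summary}` };
  });
}

// Live variant (Node 18+ global fetch): pulls the same shapes from the API.
// Not called here; supply a read-only API token via DO_TOKEN to use it.
async function fetchLiveInputs(token) {
  const api = 'https://api.digitalocean.com/v2';
  const headers = { Authorization: `Bearer ${token}` };
  const clusters = (await (await fetch(`${api}/databases`, { headers })).json()).databases || [];
  const firewalls = {};
  for (const c of clusters) {
    const res = await fetch(`${api}/databases/${c.id}/firewall`, { headers });
    if (res.ok) firewalls[c.id] = await res.json(); // missing entry => UNKNOWN
  }
  return { clusters, firewalls };
}

function runOffline() {
  return evaluateClusters(sampleClusters, sampleFirewalls);
}
```

Any FAIL finding corresponds to a cluster whose Overview tab shows the “open to all incoming connections” warning; UNKNOWN means the token lacks read access to that cluster's firewall and the cluster should be checked in the console.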