
10 Tips for Improving MongoDB Security

Posted time: Jul 14, 2016 10:18 AM
MongoDB provides a set of security components, and using them reduces the server's exposure to attack. The following 10 tips will help you harden your own MongoDB server or a MongoDB server hosted in the cloud.
1. Enable auth. This is an effective security practice even when the MongoDB server is deployed in a trusted network, because authentication provides defense in depth if the network itself is compromised. Add the following line to the mongod configuration file to enable it:
auth = true
2. Do not expose a production database to the Internet unless it is strictly necessary. Limiting who can open a connection to the database is an essential security measure: data security is compromised as soon as an attacker can connect to the MongoDB server at all. If you deploy on Amazon Web Services (AWS), place the database in a private subnet of a Virtual Private Cloud (VPC). For details, refer to the blog article "Deploy MongoDB in Virtual Private Cloud (VPC)".
3. Use a firewall to limit which hosts can reach the MongoDB server. The best practice is to allow only your application servers to access the database. On AWS, security groups can be used to restrict access. If your hosting provider offers no firewall feature, "iptables" can be used to configure a simple host firewall; refer to the MongoDB documentation for iptables rules suited to your environment.
4. Use a key file for the members of a replica set (replication cluster). A shared key file lets the MongoDB instances in the replica set authenticate each other. The following line adds the keyFile parameter to the configuration file; the key file must have identical content on every machine in the replica set.
keyFile = /srv/mongodb/keyfile
5. Disable the HTTP status interface. By default, MongoDB serves a status page over an HTTP interface on port 28017. This interface should be disabled in production; the "nohttpinterface" option turns it off.
nohttpinterface = true
6. Disable the REST interface. The REST interface should not be enabled in production, because it supports no form of authentication at all. It is disabled by default, so if it has been switched on via the "rest" configuration option, set the option back to false.
rest = false
7. Configure bind_ip. If your system has multiple network interfaces, use the "bind_ip" option to restrict the interfaces MongoDB listens on. By default, MongoDB binds to all interfaces.
bind_ip =,
8. Enable SSL. Without SSL, data travels in plaintext between the MongoDB client and server and is vulnerable to eavesdropping, tampering, and man-in-the-middle attacks. SSL is especially important when you connect to the MongoDB server over a non-secure network such as the Internet.
9. Use role-based access control. MongoDB supports role-based access control, which gives you granular control over the actions each user may perform. Use it to limit database access and to prevent ordinary users from obtaining administrator privileges. For details, see the documentation on the built-in roles.

10. MongoDB Enterprise supports Kerberos authentication. For details, refer to the MongoDB documentation. Systems using password-based authentication methods are not secure. Use Kerberos authentication if possible.
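As an added example (not part of the original post), the following Python script audits an ini-style mongod configuration file against tips 1, 4, 5, 6, 7 and 8 above, using the same option names the post shows. Both configuration samples are constructed; the "sslMode = requireSSL" option used for the SSL check is a real mongod option but is an assumption here, since the post names no specific SSL setting.

```python
"""Audit an ini-style mongod.conf against the hardening tips (constructed example)."""
from typing import Dict, List

# Constructed sample: a weak config that violates several of the tips.
WEAK_CONF = """\
# mongod.conf (constructed sample, not from a real deployment)
port = 27017
auth = false
rest = true
"""

# Constructed sample: the same file with the settings recommended above.
HARDENED_CONF = """\
port = 27017
auth = true
keyFile = /srv/mongodb/keyfile
nohttpinterface = true
rest = false
bind_ip = 127.0.0.1
sslMode = requireSSL
"""


def parse_conf(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines; '#' starts a comment and blank lines are ignored."""
    opts: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        opts[key.strip()] = value.strip()
    return opts


def audit(opts: Dict[str, str]) -> List[str]:
    """Return one finding per violated tip; an empty list means every check passed."""
    findings: List[str] = []
    is_true = lambda key: opts.get(key, "").lower() == "true"
    if not is_true("auth"):
        findings.append("auth is not enabled (tip 1)")
    if not opts.get("keyFile"):
        findings.append("no keyFile: replica set members cannot authenticate each other (tip 4)")
    if not is_true("nohttpinterface"):
        findings.append("HTTP status interface on port 28017 is not disabled (tip 5)")
    if is_true("rest"):
        findings.append("REST interface is enabled and it has no authentication (tip 6)")
    if not opts.get("bind_ip"):
        findings.append("bind_ip not set: mongod listens on all interfaces (tip 7)")
    if opts.get("sslMode", "").lower() != "requiressl":  # assumed option name
        findings.append("sslMode is not requireSSL: traffic is plaintext (tip 8)")
    return findings
```

Run audit(parse_conf(open("/etc/mongod.conf").read())) against a real file to list the tips it still violates; the hardened sample above yields no findings.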