Cloud Firewall:Defend against unauthorized access to MongoDB databases

Last Updated:Mar 11, 2024

Unauthorized access to MongoDB databases can result in data leaks, data deletion, or even extortion.

Background information

To protect your business and applications, Cloud Firewall provides a solution that closes this exposure in two steps: first restrict network access to the MongoDB service, then enable authentication in MongoDB itself.

After the MongoDB service is installed, the admin database is empty: it contains no users, so no authentication-related information can be found in it.

By default, MongoDB does not require user authentication. If you start mongod without an authentication setting, anyone who can reach the listening port (27017 by default) can read, insert, modify, and delete data and run administrative commands without a password, including dropping entire databases. Whether that port is reachable from outside the server depends on the bind address: MongoDB 3.6 and later listen on localhost only unless bind_ip or bind_ip_all is set, while earlier releases listen on all interfaces, so an instance on a server with a public IP address is exposed to the whole Internet.

To address the issue, create users in the admin database (they are stored in the admin.system.users collection) and then restart mongod with authentication enabled. Creating users alone does not enforce authentication; mongod must be started with --auth (or security.authorization: enabled in the configuration file).

Solution

  1. Configure access control policies in Cloud Firewall.

    1. Configure a policy to allow access to the MongoDB service only from servers that are deployed on an internal network.

      Log on to the Cloud Firewall console. In the left-side navigation pane, choose Traffic Analysis > Internet Exposure. On the Internet Exposure page, go to the Exposure Details > Open Applications tab. Then, view the public IP address of the MongoDB service. If the MongoDB service is intended only for internal network servers, we recommend that you configure settings to prohibit the MongoDB service from being exposed to the Internet.

      Run the following command to bind the mongod listener to a private IP address so that the service accepts connections only over the internal network. In this example, mongod listens on the private address 192.168.XX.XX only; connections that arrive on the server's public address are not accepted. The equivalent configuration-file setting is net.bindIp. This restricts which local interface mongod listens on, not which clients may connect: every host that can reach the private network can still connect, which is why the access control policies in the next step are also needed.

      mongod --bind_ip 192.168.XX.XX
    2. Configure access control policies to allow access to the MongoDB service only from trusted sources.

      1. Configure an Allow policy to allow access to the MongoDB service only from trusted sources.

      Log on to the Cloud Firewall console. In the left-side navigation pane, choose Access Control > Internet Border. On the Internet Border page, click the Inbound tab and configure a policy to allow access to the MongoDB service only from the servers that depend on MongoDB databases.

      1. On the Inbound tab, click Address Books. On the Custom Address Book > IPv4 Address Book tab, create an address book and add all trusted sources of the MongoDB service to the address book.

      2. On the Inbound tab, click Create Policy. On the Create Inbound Policy > Create Policy tab, specify the address book to create an Allow policy.

        • Source: Specify the address book that contains the trusted sources of the MongoDB service.

        • Destination: Specify the public IP address of the MongoDB service.

        • Protocol Type: Select TCP. MongoDB clients connect over TCP.

        • Port: Specify the destination port. 0/0 matches all ports; restricting the policy to the port that mongod listens on (27017 by default, 27028 in the example below) is tighter and is what a least-privilege policy should do.

      2. Configure a Deny policy to deny access to the MongoDB service from all other sources.

        In the left-side navigation pane, choose Access Control > Internet Border. On the Internet Border page, click the Inbound tab, click Create Policy, and on the Create Inbound Policy > Create Policy tab create a policy that denies access to the MongoDB service from all sources.

        • Source: Specify 0.0.0.0/0, which indicates all sources.

        • Destination: Specify the public IP address of the MongoDB service.

        • Protocol Type: Select TCP.

        • Port: Specify 0/0, which indicates all destination ports.

        Cloud Firewall matches inbound policies in order of priority. This Deny policy must have a lower priority than the Allow policy from the previous step (for example, set its Priority to Lowest), so that trusted sources match the Allow policy first. If the Deny policy sits above the Allow policy, it shadows it and the trusted servers lose access as well.
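The Allow and Deny policies above form a priority-ordered, first-match rule set. The following Python model is added here as an example and is not Cloud Firewall code: it evaluates a constructed version of that rule set so that the effect of policy order and of narrowing the Port field becomes visible. The trusted address book, the subnets and the MongoDB server address are constructed (RFC 5737 documentation ranges), and the behaviour for traffic that matches no policy is assumed to be allow, which is the reason the page adds an explicit Deny policy.

```python
"""First-match model of the inbound policy pair (Allow trusted sources,
then Deny everything) configured in Cloud Firewall above.
Added example; not Cloud Firewall code. Assumptions are marked inline."""

import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

MONGODB_PORT = 27017  # mongod's default port; this page uses 27028 in its examples


@dataclass(frozen=True)
class Policy:
    action: str                                  # "allow" or "deny"
    sources: Tuple[ipaddress.IPv4Network, ...]   # the address book
    destination: str                             # public IP address of the MongoDB service
    proto: str = "tcp"
    ports: Optional[Tuple[int, int]] = None      # None stands for 0/0, i.e. all ports

    def matches(self, src_ip: str, dst_ip: str, proto: str, dst_port: int) -> bool:
        src = ipaddress.ip_address(src_ip)
        if not any(src in net for net in self.sources):
            return False
        if dst_ip != self.destination or proto != self.proto:
            return False
        if self.ports is None:
            return True
        low, high = self.ports
        return low <= dst_port <= high


def policy(action: str, sources: Iterable[str], destination: str,
           ports: Optional[Tuple[int, int]] = None) -> Policy:
    nets = tuple(ipaddress.ip_network(s, strict=False) for s in sources)
    return Policy(action, nets, destination, "tcp", ports)


def evaluate(policies: List[Policy], src_ip: str, dst_ip: str, proto: str,
             dst_port: int, default: str = "allow") -> str:
    """Walk the list in priority order; the first matching policy decides.
    Assumption: traffic that matches no policy is allowed, which is why the
    page adds an explicit Deny policy below the Allow policy."""
    for p in policies:
        if p.matches(src_ip, dst_ip, proto, dst_port):
            return p.action
    return default


# Constructed data (RFC 5737 documentation ranges): two trusted application
# subnets from the address book and the MongoDB server's public address.
TRUSTED = ["192.0.2.0/24", "198.51.100.10/32"]
MONGODB_PUBLIC_IP = "203.0.113.7"

# Allow narrowed to the MongoDB port instead of 0/0; Deny matches every source and port.
ALLOW_TRUSTED = policy("allow", TRUSTED, MONGODB_PUBLIC_IP, ports=(MONGODB_PORT, MONGODB_PORT))
DENY_ALL = policy("deny", ["0.0.0.0/0"], MONGODB_PUBLIC_IP)

CORRECT_ORDER = [ALLOW_TRUSTED, DENY_ALL]  # Allow has the higher priority
WRONG_ORDER = [DENY_ALL, ALLOW_TRUSTED]    # Deny shadows Allow: nobody gets in


def decide(policies: List[Policy], src_ip: str, dst_port: int = MONGODB_PORT) -> str:
    return evaluate(policies, src_ip, MONGODB_PUBLIC_IP, "tcp", dst_port)


if __name__ == "__main__":
    for name, order in (("correct order", CORRECT_ORDER), ("wrong order", WRONG_ORDER)):
        for src in ("192.0.2.15", "198.51.100.10", "203.0.113.200"):
            print(f"{name}: {src} -> {decide(order, src)}")
    print(f"trusted host to port 22 -> {decide(CORRECT_ORDER, '192.0.2.15', 22)}")
```

With the policies in the correct order, the two trusted sources reach the MongoDB port and everything else is denied; a trusted host that tries port 22 is also denied because the Allow policy was narrowed to the MongoDB port. With the Deny policy on top, even the trusted sources are denied, which is the misconfiguration to avoid when setting the priority in the console.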

  2. Enable role-based user authentication.

    1. Connect to the database with the mongo shell before user authentication is enabled. In this example, mongod listens on port 27028 rather than on the default port 27017:

      ./mongo 127.0.0.1:27028
    2. Run the following command to switch to the admin database:

      use admin
      switched to db admin
      Note

      The administrator account must be created in the admin database, which then serves as its authentication database.

    3. Run the following command to create an administrator account in the admin database. In this example, the username is su**** and the password is supWDx****.

      Note

      In MongoDB 3.0 and later, the db.addUser() method is no longer supported. Use db.createUser() and assign roles explicitly. The root role on the admin database grants full administrative access, which is what the account created here needs.

      db.createUser({ user: "su****", pwd: "supWDx****", roles: [ { role: "root", db: "admin" } ] })
      Successfully added user: { "user" : "su****", "roles" : [ { "role" : "root", "db" : "admin" } ] }
      // The legacy db.addUser("su****", "supWDx****") form of MongoDB 2.x returned
      // { "n" : 0, "connectionId" : 4, "err" : null, "ok" : 1 }
      // Confirm that a user document has been written to the system.users collection of the admin database.
      db.getCollectionNames()
      [ "system.indexes", "system.users", "system.version" ]

      The created administrator account is stored in the system.users collection. The password is not stored in clear text; MongoDB stores SCRAM credentials derived from it.

      Note

      Do not use a common or guessable username such as admin or root, and do not derive the password from a birth date, a name, or an ID card number. Use a password of at least eight characters that contains uppercase letters, lowercase letters, digits, and special characters; a longer randomly generated password is better still, because once the port is reachable this password is all that protects the root role.

    4. Verify that the administrator account is created.

      Run the following command in the admin database. If 1 is returned, the administrator account exists and the password is accepted; 0 means authentication failed.

      db.auth("su****","supWDx****")
      1
    5. Exit the shell and stop the mongod process.

      Authentication is enforced only after mongod is restarted with the --auth option, so the running process must be stopped first. Stop it cleanly with db.shutdownServer() from the admin database, or send the process SIGTERM; MongoDB recommends a clean shutdown rather than SIGKILL.

      exit
      bye
    6. Run the following command to start mongod with user authentication enabled.

      After user authentication is enabled, clients that have not authenticated can no longer read or write data or run administrative commands. The localhost exception, which lets the first user be created over a local connection when no users exist, no longer applies once the administrator account exists. The --auth option corresponds to security.authorization: enabled in mongod.conf; --fork detaches the process, so no trailing & is needed.

      mongod --dbpath /path/mongodb --bind_ip 10.0.0.1 --port 27028 --fork --logpath /path/mongod.log --auth
    Note
    • In the role-based model of MongoDB 2.6 and later, every user is identified by a username together with an authentication database, and all user documents are stored in the admin.system.users collection regardless of that database. Being created in the admin database does not by itself confer superuser permissions: what a user can do is determined by the roles assigned to it. The administrator created above holds the root role on admin and can therefore manage users and access data in every database of the MongoDB instance.

    • A user belongs to exactly one authentication database. Users in different authentication databases can share the same name, but they are distinct accounts with their own credentials and roles: User1 in DB1 and User1 in DB2 are unrelated, and authenticating as one does not authenticate as the other.

    • A user whose roles are scoped to DB1 (for example, readWrite on DB1) can access data in DB1, including data written by other users, but cannot access DB2 unless a role on DB2 is granted to it.

    • The db.auth() method authenticates against the database the shell is currently using, which must be the user's authentication database: run use admin before calling db.auth() for the administrator. If authentication succeeds, db.auth() returns 1; otherwise it returns 0 and prints the error. From the command line, the same is achieved with mongo -u <user> -p --authenticationDatabase admin.
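As an added example of auditing the result of steps 1 and 2 (not MongoDB or Cloud Firewall code), the Python script below inspects a mongod start command, such as the one shown by ps, for the two settings this procedure changes: the bind address and the --auth option. It recognises only the mongod options used on this page plus --config/-f; the sample command lines are constructed, and a process started from a configuration file must be checked against that file instead.

```python
"""Audit a mongod start command for the settings this procedure hardens:
the bind address (step 1) and authentication (step 2).
Added example; not MongoDB or Cloud Firewall code. Only the mongod options
used on this page (plus --config/-f) are recognised; anything else is reported."""

import shlex
from typing import Dict, List

BOOLEAN_OPTS = {"--auth", "--noauth", "--fork", "--bind_ip_all"}
VALUE_OPTS = {"--bind_ip", "--port", "--dbpath", "--logpath", "--config", "-f"}
DEFAULT_PORT = 27017
UNBOUND = {"0.0.0.0", "::", "0.0.0.0,::", "::,0.0.0.0"}


def parse_mongod_args(cmdline: str) -> Dict[str, object]:
    """Map options to values (True for flags) from a mongod command line, accepting
    both '--opt value' and '--opt=value'. Unrecognised tokens go under 'unknown'."""
    argv = shlex.split(cmdline)
    if not argv or not argv[0].endswith("mongod"):
        raise ValueError("not a mongod command line")
    opts: Dict[str, object] = {"unknown": []}
    i = 1
    while i < len(argv):
        name, has_eq, inline = argv[i].partition("=")
        if name in BOOLEAN_OPTS:
            opts[name] = True
        elif name in VALUE_OPTS and has_eq:
            opts[name] = inline
        elif name in VALUE_OPTS and i + 1 < len(argv):
            i += 1
            opts[name] = argv[i]
        else:
            opts["unknown"].append(argv[i])
        i += 1
    return opts


def audit_mongod(cmdline: str) -> List[str]:
    """Return findings; an empty list means both hardening steps are in place."""
    opts = parse_mongod_args(cmdline)
    findings: List[str] = []
    if "--config" in opts or "-f" in opts:
        findings.append("configuration file in use: check net.bindIp and security.authorization there")
    bind_ip = opts.get("--bind_ip")
    if opts.get("--bind_ip_all") or bind_ip in UNBOUND:
        findings.append("bind address: mongod listens on every interface, including the public one")
    elif bind_ip is None:
        # MongoDB 3.6+ defaults to localhost; older releases listen on every interface.
        findings.append("bind address: not set explicitly (localhost-only on 3.6+, all interfaces before)")
    if "--auth" not in opts or opts.get("--noauth"):
        findings.append("authentication: not enabled (add --auth or security.authorization: enabled)")
    if int(opts.get("--port", DEFAULT_PORT)) == DEFAULT_PORT:
        findings.append(f"port: default {DEFAULT_PORT} in use; scanners probe it first")
    for tok in opts["unknown"]:
        findings.append(f"unrecognised argument {tok!r}: check for a missing '--' or a typo")
    return findings


# Constructed inputs: a bare start that relies on defaults, and the hardened
# start command from step 6 of this procedure.
DEFAULT_START = "mongod --dbpath /path/mongodb"
HARDENED_START = ("mongod --dbpath /path/mongodb --bind_ip 10.0.0.1 --port 27028 "
                  "--fork --logpath /path/mongod.log --auth")

if __name__ == "__main__":
    for cmd in (DEFAULT_START, HARDENED_START):
        print(cmd)
        for finding in audit_mongod(cmd) or ["no findings"]:
            print("  -", finding)
```

The bare start produces three findings (bind address, authentication, default port) and the hardened command none. A mistyped option such as a flag with a trailing & or a logpath missing its leading -- is reported as an unrecognised argument instead of being silently treated as satisfied, which is the failure mode to watch for when a restart command is pasted from a runbook.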

Check for intrusions

If you administer a MongoDB database, take the following measures to check for an intrusion:

  • Check that the MongoDB log (the file given by logpath) is complete and has not been truncated or rotated away. Then look for the entries that record a dropDatabase or drop command; they contain the source IP address of the client and the time of the deletion.

  • Run show dbs and look for databases or collections that you did not create. Intruders who delete data commonly leave a ransom demand in a newly created database.

  • Switch to the admin database and run db.system.users.find() to list every account. Confirm that each account is one you created, that it has credentials configured, and that no unknown account holds the root or userAdminAnyDatabase role.

  • Run db.fs.files.find() in each database to check whether other users have stored files by using GridFS (fs is the default bucket name; a bucket with another name has its own <bucket>.files collection).

  • Run show log global to view the most recent entries of the in-memory global log and check for connections and authentication attempts from IP addresses you do not recognize. This buffer holds only the latest lines, so use the log file for the full history.
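The log checks above can be scripted over MongoDB's structured log (JSON lines, MongoDB 4.4 and later). The Python script below is an added example, not part of the original page: it counts failed authentication attempts per source address, lists drop-type commands with their source address and time, and flags accepted connections from addresses outside a trusted set. The log lines it contains are constructed in the shape of mongod's JSON log (fields t, s, c, id, ctx, msg, attr) rather than taken from a real incident, and the trusted subnet 192.0.2.0/24 and the addresses are documentation ranges.

```python
"""Detection pass over MongoDB structured log lines (JSON, MongoDB 4.4+)
for the intrusion signs listed above: authentication failures, drop-type
commands, and connections from untrusted addresses.
Added example; the log lines are constructed, not from a real incident."""

import ipaddress
import json
from collections import Counter
from typing import Dict, Iterable, Iterator, List, Optional, Tuple

DESTRUCTIVE = {"dropDatabase", "drop", "dropIndexes"}


def parse(lines: Iterable[str]) -> Iterator[dict]:
    """Yield one dict per JSON log entry; skip pre-4.4 text lines and truncated entries."""
    for line in lines:
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def remote_ip(entry: dict) -> Optional[str]:
    """The client address from attr.remote ('ip:port' or '[ipv6]:port'), without the port."""
    remote = entry.get("attr", {}).get("remote")
    if not remote:
        return None
    host, _, _port = remote.rpartition(":")
    return host.strip("[]")


def failed_auth_by_remote(lines: Iterable[str]) -> Dict[str, int]:
    """Failed authentication attempts per source address (password guessing, unknown users)."""
    counts: Counter = Counter()
    for e in parse(lines):
        if e.get("c") == "ACCESS" and e.get("msg") == "Authentication failed":
            ip = remote_ip(e)
            if ip:
                counts[ip] += 1
    return dict(counts)


def destructive_commands(lines: Iterable[str]) -> List[Tuple[str, str, str, str]]:
    """(time, source address, command, database) for each logged drop-type command.
    The first key of a command document is the command name."""
    hits = []
    for e in parse(lines):
        cmd = e.get("attr", {}).get("command")
        if not isinstance(cmd, dict):
            continue
        name = next(iter(cmd), None)
        if name in DESTRUCTIVE:
            when = e.get("t", {}).get("$date", "?")
            hits.append((when, remote_ip(e) or "?", name, cmd.get("$db", "?")))
    return hits


def untrusted_connections(lines: Iterable[str], trusted_cidrs: Iterable[str]) -> Dict[str, int]:
    """Accepted connections per source address that lies outside the trusted subnets."""
    nets = [ipaddress.ip_network(c, strict=False) for c in trusted_cidrs]
    counts: Counter = Counter()
    for e in parse(lines):
        if e.get("c") == "NETWORK" and e.get("msg") == "Connection accepted":
            ip = remote_ip(e)
            if ip and not any(ipaddress.ip_address(ip) in n for n in nets):
                counts[ip] += 1
    return dict(counts)


# Constructed sample in the shape of mongod's JSON log. 203.0.113.44 is an
# untrusted address that fails two logins and then drops a database;
# 192.0.2.15 is a trusted application server. The last line is in the
# pre-4.4 text format and is skipped by parse().
SAMPLE_LOG = [
    '{"t":{"$date":"2024-03-10T02:11:05.201+00:00"},"s":"I","c":"NETWORK","id":22943,"ctx":"listener","msg":"Connection accepted","attr":{"remote":"203.0.113.44:51002","connectionId":17,"connectionCount":3}}',
    '{"t":{"$date":"2024-03-10T02:11:05.260+00:00"},"s":"I","c":"ACCESS","id":20249,"ctx":"conn17","msg":"Authentication failed","attr":{"mechanism":"SCRAM-SHA-256","speculative":false,"principalName":"admin","authenticationDatabase":"admin","remote":"203.0.113.44:51002","error":"UserNotFound: Could not find user admin for db admin"}}',
    '{"t":{"$date":"2024-03-10T02:11:05.301+00:00"},"s":"I","c":"ACCESS","id":20249,"ctx":"conn17","msg":"Authentication failed","attr":{"mechanism":"SCRAM-SHA-256","speculative":false,"principalName":"root","authenticationDatabase":"admin","remote":"203.0.113.44:51002","error":"UserNotFound: Could not find user root for db admin"}}',
    '{"t":{"$date":"2024-03-10T02:11:09.000+00:00"},"s":"I","c":"COMMAND","id":51803,"ctx":"conn17","msg":"Slow query","attr":{"type":"command","ns":"orders.$cmd","command":{"dropDatabase":1,"$db":"orders"},"remote":"203.0.113.44:51002","durationMillis":120}}',
    '{"t":{"$date":"2024-03-10T09:30:00.000+00:00"},"s":"I","c":"NETWORK","id":22943,"ctx":"listener","msg":"Connection accepted","attr":{"remote":"192.0.2.15:40022","connectionId":21,"connectionCount":2}}',
    '{"t":{"$date":"2024-03-10T09:30:02.000+00:00"},"s":"I","c":"COMMAND","id":51803,"ctx":"conn21","msg":"Slow query","attr":{"type":"command","ns":"orders.$cmd","command":{"find":"items","filter":{},"$db":"orders"},"remote":"192.0.2.15:40022","durationMillis":150}}',
    '2024-03-10T09:31:00.000+0000 I NETWORK [listener] connection accepted from 192.0.2.15:40030 #22 (3 connections now open)',
]

TRUSTED_SUBNETS = ["192.0.2.0/24"]

if __name__ == "__main__":
    print("failed logins:", failed_auth_by_remote(SAMPLE_LOG))
    print("drop commands:", destructive_commands(SAMPLE_LOG))
    print("untrusted connections:", untrusted_connections(SAMPLE_LOG, TRUSTED_SUBNETS))
```

Feed it the logpath file line by line (for example, `failed_auth_by_remote(open("/path/mongod.log"))`) rather than the output of show log global, which only holds the most recent entries. One caveat on the command check: mongod writes a Slow query entry for an operation only when it exceeds slowOpThresholdMs (100 ms by default) or when the log verbosity or profiling level has been raised, so the absence of a dropDatabase entry does not prove that no database was dropped.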