Unauthorized access to a MongoDB database can result in data leaks, data deletion, or even extortion.

Background information

To ensure the security of your business and applications, Cloud Firewall provides a solution to fix the vulnerability of unauthorized access to a MongoDB database.

After MongoDB is installed, an admin database is created. The admin database is empty by default. You cannot view user authentication information in the database.

By default, MongoDB has no requirements for user authentification. If you do not configure parameters when you start MongoDB, user authentication is not required for access to the MongoDB database. As a result, users do not require a password to remotely access the MongoDB database. Then, the users can perform operations on the database by using the default port. These operations include high-risk operations that are performed to insert, delete, modify, or query data.

To address this issue, you must add users to the admin.system.users collection. This way, user authentication is enabled for MongoDB.

Solution

  1. Configure access control policies in Cloud Firewall.
    1. Configure MongoDB to make sure that MongoDB provides services only for servers on an internal network.
      Log on to the Cloud Firewall console and choose Traffic Analysis > Internet Access. On the Internet Access page, click the Open Applications tab and check whether MongoDB communicates with the Internet. If MongoDB provides services only for servers on an internal network, we recommend that you configure MongoDB to prevent MongoDB from being exposed to the Internet.

      Run the following command to bind MongoDB to an IP address to make sure that MongoDB provides services only for servers on an internal network. In this example, bind MongoDB to the internal IP address 192.168.XX.XX. 

      mongod --bind_ip 192.168.XX.XX
    2. Allow requests only from trusted source IP addresses.

      In the Cloud Firewall console, choose Access Control > Internet Firewall. Click the Inbound Policies tab. On the Inbound Policies tab, configure an access control policy to allow requests only from trusted source IP addresses to MongoDB.

      1. On the Inbound Policies tab, click Address Books. On the IPv4 Address Books tab, create an address book and add all trusted source IP addresses to the address book.
      2. On the Inbound Policies tab, click Create Policy. In the Create Inbound Policy dialog box, configure the parameters. Parameter configurations:
        • Source: Select the address book that you create.
        • Destination: Enter the public IP address of the server on which MongoDB is installed.
        • Protocol: Select TCP, which specifies Internet traffic.
        • Port: Set this parameter to 0/0, which specifies all ports for the trusted source IP addresses.
        • Configure other parameters as prompted.
    3. Deny all requests from untrusted source IP addresses.

      In the Cloud Firewall console, choose Access Control > Internet Firewall. Click the Inbound Policies tab. On the Inbound Policies tab, configure an access control policy to deny all requests from untrusted source IP addresses.

      On the Inbound Policies tab, click Create Policy. In the Create Inbound Policy dialog box, configure the parameters. Parameter configurations:

      • Source: Set this parameter to 0.0.0.0/0, which specifies all source IP addresses.
      • Destination: Enter the public IP address of the server on which MongoDB is installed.
      • Protocol Type: Select TCP, which specifies Internet traffic.
      • Port: Set this parameter to 0/0, which specifies all ports for untrusted source IP addresses.
      • Configure other parameters as prompted.
  2. Enable role-based user authentication.
    1. Log on to MongoDB. Make sure that user authentication is disabled when you run the following command: 
      [mongodbrac3 bin]$ ./mongo 127.0.0.1:27028 (The default port is changed.)
MongoDB shell version: 2.0.1
connecting to: 127.0.0.1:27028/test
    2. Switch to the admin database. 
      > use admin
switched to db admin
      Note An administrator account can be created only in the admin database.
    3. Create an administrator account in the admin database. In this example, the username is su****, and the password is supWDx****.
      Note In MongoDB V3 and later, the addUser method is no longer supported. You can run the db.createUser command to create a user. 
      > db.addUser("su****", "supWDx****H") or
{ "n" : 0, "connectionId" : 4, "err" : null, "ok" : 1 }
> db.createUser({user:"****",pwd:"***********",roles:["root"]})
{
"user" : "****",
"readOnly" : false,
"pwd" : "**************","_id"
ObjectId("4f2bc0d357a309043c6947a4")
}
# Store the administrator account in the system.users collection. 
> db.getCollectionNames()
[ "system.indexes", "system.users", "system.version" ]

      The administrator account is stored in the system.users collection.

      Note The username cannot be a common username. The password must meet the following requirements: The password must be at least eight characters in length and must contain uppercase letters, lowercase letters, digits, and special characters. The password cannot be a common password, such as a birth date, a name, or an ID card number.
    4. Check whether the administrator account is created.

      Run the following command. If 1 is returned, the administrator account is created. 

      > db.auth("su****","supWDx****")
1
    5. Terminate the Mongodb process and restart MongoDB. 
      > db.auth("su****","supWDx****")
> exit
bye
    6. Enable user authentication.

      After user authentication is enabled, users who are not logged on to MongoDB cannot perform operations. 

      > mongod --dbpath=/path/mongodb --bind_ip=10.0.0.1 --port=27028 --fork=true logpath=/path/mongod.log --auth&
    Note
    • Users that are stored in the admin.system.users collection have super permissions, but users that are created in other databases do not. Users that are created in the admin database can perform operations on data in other databases in MongoDB.
    • In MongoDB, a database is created by a superuser. A database can contain multiple users, but a single user can be stored only in one database. Users in different databases can share the same name.
    • User1 in a database, such as DB1, cannot access a different database, such as DB2, but can access data created by other users in DB1.
    • Users who share the same name in different databases can log on to only one database. For example, if user1 exists in both DB1 and DB2 and logs on to DB1, user1 cannot log on to DB2.
    • Users created in the admin database have super permissions and can perform operations on data in all databases in MongoDB.
    • You can use the db.auth() method to authenticate users in a database. If the authentication is successful, a value of 1 is returned. Otherwise, a value of 0 is returned. The db.auth() method can authenticate only the users in the database to which the current logon user belongs. The method cannot authenticate users in other databases.

Check for intrusions

If you are a MongoDB administrator, you can take the following measures to check for intrusions:

  • Check whether the MongoDB log is complete. Then, check the IP address of the user who deletes the database and the time when the database was deleted.
  • Run the db.system.users.find() command to check whether a password is configured for each MongoDB account.
  • Run the db.fs.files.find() command to check whether other users store files by using GridFS.
  • Run the show log global command to view log files. Then, check whether other users access the MongoDB database.