
Harden MongoDB service security

Last Updated: May 08, 2018

Follow these guidelines to harden MongoDB service security, fix vulnerabilities, and safeguard the security of your business and apps.

Vulnerability details

Vulnerability hazard

If you start the MongoDB service without adding any parameters, authentication is not enabled by default. Anyone who can reach the service on its default port, including remotely, can perform any action (add, delete, edit, query, and other high-risk actions) on the database without a password.

Vulnerability cause

After the MongoDB service is installed, an admin database is generated by default. The admin database is empty and holds no permission information. Even if the “--auth” parameter is added when MongoDB starts, as long as admin.system.users contains no users you can perform any action without authentication, until a user has been added to admin.system.users. MongoDB’s authentication and authorization therefore only take effect once a user exists in admin.system.users.

Vulnerability self-check

  • Log on to the Alibaba Cloud Security console and use Server Guard MongoDB check to identify whether you are vulnerable to this security risk.

  • If you are a MongoDB administrator, you can also follow these steps to check for further intrusion:

    1. Check whether the MongoDB log is complete and confirm the source IP address, time, and activity of the request for deleting the database.

    2. Check the MongoDB account to see whether a password has been added for the admin user through the db.system.users.find() command.

    3. Check GridFS to see whether any files are stored using the db.fs.files.find() command.

    4. Check the log file to see which users have accessed the MongoDB through the show log global command.
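The following script is an added example, not part of the original guide: it walks mongod text log lines in the way self-check step 1 describes, maps each connection to its source IP, and reports every dropDatabase command together with the time, source address, and the principal (if any) that authenticated on that connection. The log lines are constructed samples in the mongod 3.x log format.

```python
import re

# Constructed sample lines in the mongod 3.x text log format; not from a real server.
SAMPLE_LOG = """\
2018-05-08T09:58:01.120+0000 I NETWORK  [listener] connection accepted from 192.168.0.20:50122 #7 (1 connection now open)
2018-05-08T09:58:01.300+0000 I ACCESS   [conn7] Successfully authenticated as principal supper on admin
2018-05-08T10:02:44.511+0000 I NETWORK  [listener] connection accepted from 203.0.113.77:41000 #8 (2 connections now open)
2018-05-08T10:02:45.002+0000 I COMMAND  [conn8] dropDatabase test starting
2018-05-08T10:02:45.090+0000 I COMMAND  [conn8] dropDatabase test finished
2018-05-08T10:02:46.000+0000 I NETWORK  [conn8] end connection 203.0.113.77:41000 (1 connection now open)
"""

# One pattern per event type: new connection, successful auth, database drop.
CONN_RE = re.compile(r"^(\S+) I NETWORK\s+\[listener\] connection accepted from (\d+\.\d+\.\d+\.\d+):\d+ #(\d+)")
AUTH_RE = re.compile(r"^(\S+) I ACCESS\s+\[conn(\d+)\] Successfully authenticated as principal (\S+) on (\S+)")
DROP_RE = re.compile(r"^(\S+) I COMMAND\s+\[conn(\d+)\] dropDatabase (\S+) starting")


def triage(log_text):
    """Return one finding per dropDatabase, with the source IP of the connection
    that issued it and the principal that authenticated on it (or UNAUTHENTICATED)."""
    source_ip = {}      # connection id -> client IP
    authenticated = {}  # connection id -> "user@db"
    findings = []
    for line in log_text.splitlines():
        m = CONN_RE.match(line)
        if m:
            source_ip[m.group(3)] = m.group(2)
            continue
        m = AUTH_RE.match(line)
        if m:
            authenticated[m.group(2)] = f"{m.group(3)}@{m.group(4)}"
            continue
        m = DROP_RE.match(line)
        if m:
            ts, conn, db = m.groups()
            findings.append({
                "time": ts,
                "source_ip": source_ip.get(conn, "unknown"),
                "database": db,
                "principal": authenticated.get(conn, "UNAUTHENTICATED"),
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```

A drop issued over a connection that never authenticated, from an address outside your intranet range, is the signature of the unauthorized-access scenario described above.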

Hardening method against MongoDB unauthorized access vulnerabilities

Note: If you need to build a MongoDB database, we strongly recommend installing the MongoDB Server service using yum or rpm.

  1. Modify the default port.

    Modify the default MongoDB port (TCP 27017 by default) to a different port.

  2. Do not deploy MongoDB servers directly on the Internet or DMZ.

    1. Use the security group or the local operating system firewall to control which IP addresses are allowed access. If the database only serves intranet servers, we recommend not exposing the MongoDB service to the Internet at all.

    2. The security group acts as a firewall. The default inbound security group policy for the Internet allows access to all ports from the Internet.

    3. Remove the default security group and block the service by adding a rule to deny all access.

    4. Add rules to allow access to the service based on your business needs.

  3. Use the “--bind_ip” option.

    This option restricts the interface address that MongoDB listens on. When you start MongoDB, use --bind_ip 192.168.0.1 so that the database instance only listens on 192.168.0.1 and ignores requests arriving on other interfaces.

  4. Enable role-based logon authentication.

    For example, you can create a user called “supper” in the admin database, and set the password to “supWDxsf67%H”. Note that these credentials are for demonstration purposes only; do not use this account and password in actual scenarios.

    1. Log on to the database with authentication disabled.

      [mongodb@rac3 bin]$ ./mongo 127.0.0.1:27028 (Here the default port is modified.)
      MongoDB shell version: 2.0.1
      connecting to: 127.0.0.1:27028/test

    2. Switch to the admin database.

      > use admin
      switched to db admin
      >

    3. Create the administrator account.

      > db.addUser("supper", "supWDxsf67%H")

      or

      > db.createUser({user:"supper",pwd:"supWDxsf67%H",roles:["root"]})

      { "n" : 0, "connectionId" : 4, "err" : null, "ok" : 1 }
      {
      "user" : "supper",
      "readOnly" : false,
      "pwd" : "51a481f72b8b8218df9fee50b3737c44",
      "_id" : ObjectId("4f2bc0d357a309043c6947a4")
      }

      The administrator account is in system.users.

      > db.getCollectionNames()
      [ "system.indexes", "system.users", "system.version" ]

      Note:

      • The addUser method cannot be used in MongoDB versions later than V3. Instead, use db.createUser to generate new users.
      • For security purposes, the account name must not be a common word, and the password must be complex. A password can contain uppercase and lowercase letters, digits, and special characters. Do not use a birth date, name, ID number, or common password.

    4. Verify that the user has been created successfully.

      > db.auth("supper","supWDxsf67%H")
      > exit
      bye

    5. Terminate the process and restart the MongoDB service.

      ./mongod --dbpath=/path/mongodb --bind_ip=192.168.0.1 --port=27028 --auth --fork --logpath=/path/mongod.log

      Note:

    • The admin.system.users stores information for users with higher user privileges than users in other databases, and has the super privilege. Therefore, users created in the admin database can perform operations on data in other databases in MongoDB.

    • In the MongoDB system, a database is created by a super user. It can contain multiple users, but each user may only exist in one database at a time. However, users in different databases can share the same name.

    • User1 in a particular database (such as DB1) cannot access database DB2, but can access data created by other users in DB1.

    • Users with the same name in different databases cannot log on to other databases. For example, if both DB1 and DB2 have user1, after user1 logs on to DB1, it cannot concurrently log on to DB2.

    • Users created in the admin database have super privileges, and can perform operations on any data object in any database in the MongoDB system.

    • You can use db.auth() to validate users in the database. If the validation is successful, 1 is returned; otherwise, 0 is returned. The db.auth() method can only validate user information of the database where the user belongs, and cannot validate user information in other databases.

  5. Disable HTTP and RESTful ports.

    MongoDB comes with an HTTP service and supports RESTful interfaces (by default, these interfaces are disabled after V2.6). MongoDB listens for this web service on a default port, but remote management over the web is generally not required. We recommend disabling this option.
    Modify the configuration file or pass the “--nohttpinterface” parameter at startup.

    nohttpinterface = true

  6. Activate log auditing.

    The audit feature can be used to record all user executed operations on the database. These records allow the system administrator to analyze what events occurred in a database at any particular time.

  7. Use SSL encryption.

    We recommend using SSL for connections between MongoDB clusters and between the client and MongoDB instances. Using SSL does not impact performance and can guard against attacks, such as man-in-the-middle attacks.

    Note that MongoDB Community Edition does not support SSL by default. You can use MongoDB Enterprise Edition (with support for SSL), or recompile the MongoDB source code with the “--ssl” parameter to activate SSL functionality.

    The preceding configuration is saved in the configuration file. See the following example.

    [mongodb@rac3 bin]$ vim /path/mongod.conf
    port=27028
    bind_ip=192.168.0.1
    logpath=/path/mongod.log
    pidfilepath=/path/mongod.pid
    auth=true
    logappend=true
    fork=true
    nohttpinterface=true

    • port: The service port. The default is 27017, the TCP port on which MongoDB listens for client connections. If the port is set lower than 1024, for example 1021, you must have root privileges to start the service instead of using the mongodb account (a regular account cannot start the service on a privileged port). Otherwise, the following error is reported: [mongo --port=1021 connection].
    • bind_ip: The listening address, 127.0.0.1 by default, in which case only local connections are accepted. The process binds to this address and listens on it for client connections. To accept connections from other servers, comment this out or set it to the server’s intranet address, for example 192.168.200.201 (other servers then connect using mongo --host=192.168.200.201). You can use a comma-separated list to bind multiple IP addresses.
    • logpath: Enables the log audit feature. This option is the log file path and can be customized.
    • pidfilepath: Path of the process ID file. If this is not specified, no PID file is written at startup. The default setting is null.
    • auth: User authentication, false by default, meaning no authentication is required. When this option is set to true, authentication is required to access the database. While the database has no users, all operations are still allowed without authentication; after the first user is created, all operations require authentication.
    • logappend: Log writing mode. If this is set to true, append mode is activated. The default is to overwrite: if this setting is not specified, MongoDB overwrites existing log files at startup.
    • fork: Whether to run in the background. If it is set to true, the process runs as a daemon. The default value is false.
    • nohttpinterface: Whether to disable the HTTP interface, that is, the service on port 28017. The default setting is false, meaning the HTTP interface is enabled; set it to true to disable it.

    The configuration file is loaded at MongoDB service startup.

    [mongodb@rac3 bin]$ ./mongod -f /path/mongod.conf
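The following script is an added example, not part of the original guide: it parses a mongod.conf in the key=value format shown above and reports which of this page’s hardening settings (non-default port, restricted bind_ip, auth, logpath, nohttpinterface) the file misses. Both configuration samples inside it are constructed; the weak one shows typical defaults, the hardened one mirrors the example above.

```python
# Constructed sample configurations in the legacy key=value mongod.conf format.
WEAK_CONF = """\
port=27017
bind_ip=0.0.0.0
logpath=/path/mongod.log
fork=true
nohttpinterface=false
"""

HARDENED_CONF = """\
port=27028
bind_ip=192.168.0.1
logpath=/path/mongod.log
pidfilepath=/path/mongod.pid
auth=true
logappend=true
fork=true
nohttpinterface=true
"""


def parse_conf(text):
    """Parse key=value lines, ignoring blank lines and # comments; values are lower-cased."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip().lower()
    return conf


def audit(text):
    """Return one finding per hardening step from this page that the file does not apply."""
    conf = parse_conf(text)
    findings = []
    if conf.get("port", "27017") == "27017":
        findings.append("port: default 27017 in use; move the service to a non-default port")
    bind = conf.get("bind_ip", "")
    if not bind or "0.0.0.0" in [a.strip() for a in bind.split(",")]:
        findings.append("bind_ip: not restricted to a specific interface; bind to the intranet address")
    if conf.get("auth") != "true":
        findings.append("auth: not enabled; clients can read and write without a password")
    if "logpath" not in conf:
        findings.append("logpath: no log file configured; access cannot be audited")
    if conf.get("nohttpinterface") != "true":
        findings.append("nohttpinterface: HTTP/REST interface on port 28017 still enabled")
    return findings
```

Run audit() over the file read from /path/mongod.conf; an empty result means every setting listed on this page is in place.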

  8. Encrypt and save sensitive business data.

    We recommend storing sensitive data, such as accounts, passwords, email addresses, mobile phone numbers, and ID numbers, in an encrypted format. Use internationally accepted, standard encryption algorithms, or combine them with multiple rounds of salting, so that the stored values cannot be cracked.

    This way, even if attackers obtain the data, they cannot recover the sensitive information from it. Damage is minimized because the encrypted data is unreadable to them.

  9. Backup data locally and remotely.

    The last line of defense against data security threats is a sound and consistent backup policy.

    Recommended: Reliable local backup + remote backup storage solutions

    • Local backup

      MongoDB backup

      >mongodump -h dbhost -d dbname -o dbdirectory

      • -h: The address of the MongoDB server, such as 127.0.0.1. You can also specify the port: 127.0.0.1:27017.
      • -d: The database instance to be backed up, for example: test.
      • -o: The storage location for the backup data, such as: c:\data\dump. The directory must be created in advance. After the backup is complete, the system automatically creates a test directory under the dump directory to store the backup data for the database instance.

      MongoDB data recovery

      MongoDB uses the mongorestore command to restore backup data.

      Script syntax for the mongorestore command is as follows:

      >mongorestore -h dbhost -d dbname --directoryperdb dbdirectory

      • -h: Address of the MongoDB server.
      • -d: The database instance to be restored, such as: test. The name can be different from that of the backup, for example test2.
      • --directoryperdb: Location of the backup data, for example c:\data\dump\test.
      • --drop: During data restoration, the current data is deleted first, then the backup data is restored. Therefore, any data added or modified after the backup was taken is lost. Proceed with caution when using this option.

      The mongodump command has the following parameters.

      • Syntax: mongodump --host HOST_NAME --port PORT_NUMBER
        Description: Backs up all MongoDB data.
        Example: mongodump --host w3cscholl.cc --port 27017

      • Syntax: mongodump --dbpath DB_PATH --out BACKUP_DIRECTORY
        Description: -
        Example: mongodump --dbpath /data/db/ --out /data/backup/

      • Syntax: mongodump --collection COLLECTION --db DB_NAME
        Description: Backs up the specified collection of a database.
        Example: mongodump --collection mycol --db test

      • Backup policies

        Full backup: This is the fastest way to restore all data, but resources costs are high and the process is time consuming.

        Full backup + incremental backup: A quicker way to restore all data, however, if problems occur when restoring the incremental data, it is impossible to restore everything.

        Build a slave database: You can directly switch the business to the slave database, provided that data in the slave database is secure and reliable.

  10. Use Alibaba Cloud MongoDB cloud service.

    Deploying the Alibaba Cloud MongoDB service not only lowers costs compared with other solutions, but also provides high security and eliminates customer exposure to database ransom attacks.

    Introduction of Alibaba Cloud MongoDB
