Numerous organizations use MongoDB for data storage in their projects. Although MongoDB ships with some secure defaults, it is still easy to misconfigure it and leave the database in a critical state.
Out of the box, MongoDB allows anyone who can reach it to make changes to the database without any authentication. The security features are there for us, as MongoDB users, to enable; none of us can blame MongoDB for the resulting database apocalypse.
To add to the ongoing debate, our experts present the 10 most effective and important security options for protecting your MongoDB databases.
1) Enable Authentication
The immediate fix is to enable authentication, which protects MongoDB from public access. To enable it, edit your MongoDB configuration file, /etc/mongod.conf. Once authentication is enabled, every client must supply a username and password to get access.
“Authentication is the process to verify the identity of the connecting client”
security:
  authorization: "enabled"
Attackers mostly target MongoDB instances that are not password protected, because they are the easiest to get into. Enabling authentication and deploying the instance inside a trusted network avoids that and protects your MongoDB instances from attackers.
2) Use Strong Passwords
Now that authentication is enabled, does that alone secure us from hackers? No. It cannot guarantee 100% protection unless you also use a strong password. A weak password is an easy way for attackers to get into your database. Unfortunately, MongoDB has no auto-lock feature to stop repeated invalid authentication attempts, so use a strong password generator. You can also follow this link for more insights on setting a strong password.
3) Restrict External Access
It is always good to restrict external access to your database, so try to host your application in a VPC environment. If you are not familiar with VPC environments, read our blog, which has exclusive guidelines on AWS VPC setup.
On the other hand, if you do need to provide external access, restrict it by IP address. To set this up, edit your MongoDB configuration file /etc/mongod.conf and bind the IP address in it:
net:
  bindIp: 127.0.0.1
To configure multiple IPs, list them comma-separated, as below:
net:
  bindIp: 127.0.0.1,192.168.1.254
4) Use Firewalls And Security Groups
Use firewalls to block unwanted connections. This greatly helps in restricting access to the MongoDB server. Allow-listing IP addresses will also help protect your database from attackers.
If you are using AWS, restrict the MongoDB ports from unwanted connections using security groups. An AWS security group acts as a firewall to protect your database. These restrictions keep attackers outside your server.
For example, you can restrict SSH port 22 to only the IP addresses that need it; this port should not be open to every IP address.
5) Use a different port to run MongoDB
Most attackers scan only for the standard MongoDB ports, so running MongoDB on a non-default port is a sensible option. Again, this is no guarantee of 100% protection from attackers, but it reduces the risk.
For example, by default mongod/mongos use port 27017. You can change it with the configuration below in /etc/mongod.conf:
net:
  port: 17027
6) Role-Based Access Control
MongoDB provides Role-Based Access Control to grant access to the MongoDB system. A user is granted one or more roles, which determine that user's access to database resources and operations. MongoDB does not enable access control by default; we have to enable it:
security:
  authorization: "enabled"
After enabling authentication, give the administrative role to a single user only. Granting administrative access to every user makes it convenient for an attacker to break into your database. Role-based access makes sure that each user has only the access to the database that they actually need.
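To check these settings together, here is an added example script (not Agira's own code) that audits a mongod.conf for the authentication, bindIp and port settings from sections 1, 3, 5 and 6, plus the transport-encryption mode covered under section 9; both sample configs are constructed for the demonstration.

```python
"""Audit a mongod.conf for the settings in this post (added example, not Agira's
tooling). Flattens the YAML into "a.b.c" keys by indentation; it is not a full
YAML parser, so quote IPv6 literals (they contain ':')."""
DEFAULT_PORT = 27017
# constructed samples: the out-of-the-box shape the post warns about, then
# sections 1, 3, 5, 6 and 9 applied together
WEAK_CONF = """
net:
  port: 27017
  bindIp: 0.0.0.0
"""
HARDENED_CONF = """
security:
  authorization: "enabled"
net:
  port: 17027
  bindIp: 127.0.0.1,192.168.1.254
  tls:
    mode: requireTLS
"""

def parse_mongod_conf(text):
    """Flatten nested 'key: value' lines into {'section.key': value}."""
    settings, stack = {}, []                      # stack of (indent, key)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:   # pop back to the parent key
            stack.pop()
        stack.append((indent, key.strip()))
        value = value.strip().strip("\"'")
        if value:
            settings[".".join(k for _, k in stack)] = value
    return settings

def audit_mongod_conf(text):
    """Return a list of findings; an empty list means every check passed."""
    s, findings = parse_mongod_conf(text), []
    if s.get("security.authorization") != "enabled":
        findings.append("security.authorization not enabled: any client reaching the port can read and write")
    addrs = s.get("net.bindIp", "0.0.0.0").split(",")   # mongod before 3.6 defaulted to all interfaces
    if s.get("net.bindIpAll") == "true" or any(a.strip() in ("0.0.0.0", "::", "*") for a in addrs):
        findings.append("net.bindIp unset or listening on all interfaces; restrict it to application hosts")
    if s.get("net.port", str(DEFAULT_PORT)) == str(DEFAULT_PORT):
        findings.append(f"net.port is the default {DEFAULT_PORT}, the first port scanners probe")
    if s.get("net.tls.mode") != "requireTLS" and s.get("net.ssl.mode") != "requireSSL":
        findings.append("transport encryption not required (net.tls.mode / net.ssl.mode)")
    return findings
```

Run `audit_mongod_conf(open("/etc/mongod.conf").read())` on a real host; the weak sample yields four findings and the hardened one none.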
7) Add Key Files to set up the replica set
Specifying a shared keyfile enables authenticated communication between the MongoDB instances in a replica set. Enabling a replica set keyfile also enables authentication in MongoDB implicitly.
Another crucial reason is that only hosts that hold the keyfile are able to join the replica set. Once the keyfile is enabled, authentication between the replica set members is protected by the shared key, which secures it against attackers.
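The keyfile itself is easy to get wrong. Here is an added example (not Agira's or MongoDB's code) that creates one the way `openssl rand -base64 756` would and checks the rules mongod enforces before it will start: 6 to 1024 base64 characters, and no group or other permission bits on the file.

```python
"""Create and check a replica set keyfile (section 7). Added example, not Agira's
code; the rules are from the MongoDB docs: 6 to 1024 base64 characters, whitespace
ignored, and on Unix no group/other permission bits (mongod refuses the file)."""
import base64
import os
import secrets
import stat
import tempfile

BASE64_CHARS = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")


def generate_keyfile(path, nbytes=756):
    """Write a random key; 756 bytes -> 1008 base64 chars, like `openssl rand -base64 756`."""
    key = base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")
    # create the file as 0400 from the start, so it is never briefly group/world readable
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o400)
    with os.fdopen(fd, "w") as fh:
        fh.write(key + "\n")
    return key


def check_key_content(text):
    """Findings about the key text itself, [] if mongod would accept it."""
    content = "".join(text.split())          # mongod strips whitespace
    findings = []
    if not 6 <= len(content) <= 1024:
        findings.append(f"key length {len(content)} is outside 6..1024 characters")
    if set(content) - BASE64_CHARS:
        findings.append("key contains characters outside the base64 alphabet")
    return findings


def check_keyfile(path):
    """Permission check plus content check for the file at `path`."""
    findings = []
    if os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("permissions too open: group/other bits set (use chmod 400)")
    with open(path) as fh:
        findings += check_key_content(fh.read())
    return findings


def demo():
    """Constructed run in a temp dir: (key, findings for a fresh file, findings after chmod 644)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "mongo-keyfile")
        key = generate_keyfile(path)
        fresh = check_keyfile(path)
        os.chmod(path, 0o644)                # the common mistake on copied keyfiles
        return key, fresh, check_keyfile(path)
```

The same file must be copied to every member and referenced as security.keyFile in each member's /etc/mongod.conf; run `check_keyfile` on each host after copying.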
8) Disable the MongoDB status page
MongoDB used to provide an HTTP interface status page on port 28017. This interface is not recommended for production, so disable it with the “nohttpinterface” setting in /etc/mongod.conf. (The HTTP interface was deprecated in MongoDB 3.2 and removed in 3.6, so on current versions there is nothing left to disable.)
nohttpinterface = true
9) Enable Encryption
Encrypting Data in transport
TLS and SSL are the two protocols used to transfer data between the database and the application, and they are the most commonly used protocols for securing data in transit. MongoDB supports TLS/SSL to encrypt all of its network traffic, which ensures that MongoDB network traffic is readable only by the intended client. If you do not use encryption between your Mongo client and Mongo server, an attacker on the network can easily read your data. Refer to this link for more information.
Encrypting Data at Rest
MongoDB Enterprise 3.2 offers storage-based key encryption at the file level. All database files are encrypted with Transparent Data Encryption (TDE) at the storage level, so a third party must supply the decryption key to read the data. This gives your database more protection from attackers.
Refer to this link for more information.
10) Regular Backup And Audit
Always make sure you have scheduled backups with a recent copy of the data and the oplog. If you have backups, you do not have to worry even if an attacker erases all the database collections, because you can recover them from the backup and the oplog. So it is always good to have a recent backup.
Other important activities are regular audits of your database for security issues, user privileges, and unauthorized access in the logs. Regular audits help you identify security vulnerabilities and the precautions needed to improve your security.
At Agira, we make sure all of the security best practices are implemented for all our databases and clients. The security tips above will help you secure your MongoDB from attackers as well as possible.