MongoDB security has been in the news this week for all the wrong reasons. All the talk has been about the 40,000 or so databases that were found exposed by a group of students based in Germany. Some of the databases even contained production data. It’s egregious on several levels – not only do you have production data on an unauthenticated database, but it is also left open to the internet. The only surprising thing is that it took this long to get exposed. If you don’t want your MongoDB servers to be in the news, here are three simple steps to improve the security of your MongoDB installation.
- Always enable authentication: It’s important to enable authentication for all your MongoDB clusters. Even if it is a development installation, always enable authentication and make sure your workflows are geared to support it. More details about adding users and roles can be found here. You can also go one step further and use X.509 certificates instead of passwords for authentication. This will protect you from password-based attacks such as dictionary attacks. If you have the Enterprise build of MongoDB, you can also use Kerberos for authentication.
- Lock down access with firewalls: All access to your database servers needs to be on a need-to basis. Use firewalls to lock down access. A typical configuration allows only your application servers and your IT team to reach the database servers. If you are on Amazon AWS, use security groups to lock down access to the servers. Finally, the most important point – don’t expose your database to the internet; there are very few good reasons to do so.
- Isolated networks: Most public clouds today offer options to deploy your servers in an isolated network space not reachable from the public internet. You can reach out to the internet, but no internet traffic can reach you. For example, Amazon offers Virtual Private Clouds (VPC) and Azure offers Virtual Networks (VNet). These isolated networks provide defence in depth for your database installation. On AWS you can deploy your database servers on a private subnet in a VPC – even if there is a misconfiguration, your database servers are not exposed to the internet.
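As an added example (not code from the original post), here is a small shell check that audits a mongod.conf for the two settings the first two steps depend on: `security.authorization` enabled and mongod not bound to every interface. It assumes the documented YAML keys `security.authorization`, `net.bindIp` and `net.bindIpAll`, matches them with a plain grep rather than a YAML parser, and runs against two constructed sample configs.

```shell
#!/bin/sh
# Added example, not from the original post: audit a mongod.conf (YAML) for
# authentication being on and for a bind to all interfaces. Uses the documented
# keys security.authorization, net.bindIp and net.bindIpAll; matching is a
# simple grep, so only the usual one-line forms of these keys are detected.

# audit_mongod_conf FILE -> prints findings; returns 0 if clean, 1 otherwise
audit_mongod_conf() {
    conf="$1"
    rc=0
    # Authentication: security.authorization must be "enabled".
    if ! grep -Eq '^[[:space:]]+authorization:[[:space:]]*"?enabled"?' "$conf"; then
        echo "FAIL $conf: security.authorization is not enabled (unauthenticated access)"
        rc=1
    fi
    # Exposure: bindIp must not be 0.0.0.0 and bindIpAll must not be true.
    if grep -Eq '^[[:space:]]+bindIp:.*0\.0\.0\.0' "$conf" ||
       grep -Eq '^[[:space:]]+bindIpAll:[[:space:]]*true' "$conf"; then
        echo "FAIL $conf: mongod listens on all interfaces"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK   $conf"
    return "$rc"
}

# Constructed sample configs for demonstration only (not real deployments).
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
cat > "$WORKDIR/exposed.conf" <<'EOF'
net:
  port: 27017
  bindIp: 0.0.0.0
storage:
  dbPath: /var/lib/mongo
EOF
cat > "$WORKDIR/hardened.conf" <<'EOF'
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.1.5
security:
  authorization: enabled
EOF

# Audit both files and show the verdicts.
audit_mongod_conf "$WORKDIR/exposed.conf" || true
audit_mongod_conf "$WORKDIR/hardened.conf"
```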
Below are some other relevant articles on MongoDB security. If you have further questions, please reach out to us at email@example.com