MongoDB Security has been in the news this week for all the wrong reasons. All the talk has been about the 40,000 or so databases that were found exposed by a group of students based in Germany. Some of the databases even contained production data. It’s egregious on several levels – not only do you have production data on an unauthenticated database, but it is also left open to the internet. The only surprising thing is that it took this long to get exposed. If you don’t want your MongoDB servers to be in the news, here are three simple steps to improve the security of your MongoDB installation:
Always Enable Authentication
It’s important to enable authentication for all of your MongoDB clusters. Even if it is a development installation, always enable authentication and make sure your workflows are geared to be able to support authentication. More details about adding users and roles can be found here.
You can also go one step further and use X509 certificates instead of passwords for authentication. This will protect you from any password-based attacks like a ‘Dictionary’ attack. If you have the enterprise build of MongoDB, you can also use Kerberos for authentication.
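To make the first step concrete, here is an added example (not part of the original article): a constructed mongod.conf in the unauthenticated shape that the exposed servers were running, next to a hardened one that requires authentication and TLS with x509 cluster authentication, plus a small shell check you can run against your own config files before deploying them. The key names follow the mongod.conf YAML format; the certificate paths are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the original article. Compares a weak mongod.conf
# with a hardened one and checks that authentication is actually turned on.
# Certificate paths are placeholders; key names are the mongod.conf YAML keys.

# Constructed: the default-style config that leaves every client a superuser.
WEAK_CONF="$(mktemp)"
cat > "$WEAK_CONF" <<'EOF'
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
# no security: section -> no authentication, anyone reaching the port has full access
EOF

# Constructed: the same server with authentication required and x509 certificates.
HARDENED_CONF="$(mktemp)"
cat > "$HARDENED_CONF" <<'EOF'
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb/server.pem   # placeholder path
    CAFile: /etc/ssl/mongodb/ca.pem                   # placeholder path
security:
  authorization: enabled      # every client must authenticate
  clusterAuthMode: x509       # replica-set members authenticate with certificates
EOF

# Returns 0 when security.authorization is enabled, 1 otherwise.
# Commented-out lines start with '#' and therefore do not match.
check_auth_enabled() {
  grep -Eq '^[[:space:]]+authorization:[[:space:]]*enabled' "$1"
}

# Returns 0 when TLS is required; x509 client authentication depends on it.
check_tls_required() {
  grep -Eq '^[[:space:]]+mode:[[:space:]]*requireTLS' "$1"
}

# Runs both checks on one config file and reports what is missing.
audit_conf() {
  local conf="$1" rc=0
  check_auth_enabled "$conf" || { echo "$conf: security.authorization is not enabled"; rc=1; }
  check_tls_required "$conf" || { echo "$conf: net.tls.mode is not requireTLS"; rc=1; }
  return $rc
}

# Demo: the weak file fails the audit, the hardened file passes.
audit_conf "$WEAK_CONF" || echo "weak config rejected"
audit_conf "$HARDENED_CONF" && echo "hardened config accepted"
```

Create the first administrative user before enabling `authorization` (the localhost exception lets you run `db.createUser` on the `admin` database from the server itself while no users exist); x509 users are created in the `$external` database with the certificate subject as the user name, so no password is ever stored or sent.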
Lock Down Access with Firewalls
All access to your database servers needs to be on a “need to” basis, and you can use firewalls to lock down access. The typical configuration is to lock down access so only your application servers and IT team have access to the servers. If you’re on Amazon AWS, use security groups to lock down access to the servers. Finally, the most important point – Don’t expose your database to the internet! There are only a few good reasons to ever expose your database to the internet.
Use Isolated Networks
Most public clouds today offer options to deploy your servers in an isolated network space that’s not reachable from the public internet. You can reach out to the internet, but no internet traffic can get to you. For example, AWS offers Virtual Private Clouds (VPC) and Azure offers Virtual Networks (VNET). These isolated networks provide defense in depth for your database installation. On AWS, you can deploy your database servers on a private subnet in a VPC – even if there’s a misconfiguration, your database servers are not exposed to the internet.
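The firewall and isolated-network steps above both come down to the same question: which addresses can reach port 27017? The following added example (not from the original article) checks whether a mongod.conf binds to every interface, which is what turns a misconfigured firewall into an exposed database, and generates host firewall rules that admit only the application subnets. The CIDRs and the two config files are constructed; the AWS security-group command in the comment assumes the AWS CLI and placeholder group ids.

```shell
#!/usr/bin/env bash
# Added example, not from the original article. Flags configs that listen on all
# interfaces and emits iptables rules restricting 27017 to application subnets.
# All addresses, CIDRs and security-group ids below are constructed placeholders.

# Constructed: listens on every interface, reachable from wherever the firewall lets through.
EXPOSED_CONF="$(mktemp)"
cat > "$EXPOSED_CONF" <<'EOF'
net:
  port: 27017
  bindIp: 0.0.0.0
EOF

# Constructed: listens only on loopback and the private-subnet address.
PRIVATE_CONF="$(mktemp)"
cat > "$PRIVATE_CONF" <<'EOF'
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.2.15
EOF

# Returns 0 when net.bindIp is set and contains neither 0.0.0.0 nor :: (all interfaces).
# mongod before 3.6 defaulted to 0.0.0.0 when bindIp was absent, so absence is a failure.
check_bind_ip() {
  local conf="$1" bind addr oldifs
  if grep -Eq '^[[:space:]]+bindIpAll:[[:space:]]*true' "$conf"; then
    echo "$conf: net.bindIpAll is true (all interfaces)"; return 1
  fi
  bind="$(sed -n 's/^[[:space:]]*bindIp:[[:space:]]*//p' "$conf" | head -n1 | cut -d'#' -f1 | tr -d ' ')"
  if [ -z "$bind" ]; then
    echo "$conf: net.bindIp not set (releases before 3.6 defaulted to 0.0.0.0)"; return 1
  fi
  oldifs=$IFS; IFS=,; set -- $bind; IFS=$oldifs
  for addr in "$@"; do
    case "$addr" in
      0.0.0.0|::) echo "$conf: bindIp includes $addr (all interfaces)"; return 1 ;;
    esac
  done
  return 0
}

# Prints iptables commands: accept 27017 from each application CIDR, drop everything else.
# The AWS equivalent with security groups (placeholder ids, assumes the AWS CLI):
#   aws ec2 authorize-security-group-ingress --group-id sg-db-placeholder \
#       --protocol tcp --port 27017 --source-group sg-app-placeholder
mongo_firewall_rules() {
  local cidr
  for cidr in "$@"; do
    echo "iptables -A INPUT -p tcp --dport 27017 -s $cidr -j ACCEPT"
  done
  echo "iptables -A INPUT -p tcp --dport 27017 -j DROP"
}

# Demo: the exposed config is flagged, the private one passes, and the rule set
# for two application subnets ends in a default DROP for port 27017.
check_bind_ip "$EXPOSED_CONF" || echo "exposed config rejected"
check_bind_ip "$PRIVATE_CONF" && echo "private config accepted"
mongo_firewall_rules 10.0.1.0/24 10.0.3.0/24
```

Both layers matter: the bindIp check limits which interfaces mongod listens on, and the firewall or security group limits which hosts can reach that interface, so a single slip (a public IP on the subnet, a rule opened "temporarily") does not by itself put the database on the internet.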
Below are some other relevant articles on MongoDB security. If you have further questions please reach out to us at firstname.lastname@example.org.