Back in 2016, I wrote a blog post about setting up MongoDB in production and how to setup an external client to connect to a remote machine. I wrote about security specifically in a production setting.
I tend to stay away from all hacking discussions just because that type of material tends to attract the wrong type of people. During the time that I wrote the blog post, I went on StackOverflow and answered a couple of questions regarding security and MongoDB. The question that I answered was this one.
The answer that I provided was the most down voted answer out of all of them. Why was that?
The simple answer is that there is a group of people out in the world that doesn’t want to allow the information of securing MongoDB to be spread to those that want to secure their databases correctly. This would only make sense if they could loose something and in this case, it’s nothing but dead presidents $$ to be exact it’s 0.3 bitcoins.
Which is the reason why I’m writing this blog post, one of my clients reached out to me complaining that their users were not able to login to their accounts? This was an application that I helped put together a couple of years back and it never had any issues until this day.
After doing a bit of research… look at the message that I found on the server.
As you can see the “hacker” is requesting some money. I guess hackers also have bills to pay, a quick little side thing you can do here is to check with the block chain and see if their address has received any money.
I put together a couple questions that you might have when securing a MongoDB instance.
How to check if MongoDB is vulnerable?
The easiest way to check if MongoDB is vulnerable from any possible hackers is to just start with the basics. Can you access MongoDB from the internet? Don’t know how to do this? Install MongoDB on your local machine and run this command.
You are going to want to replace the
000.000.000.000 with the IP address of your remote machine. If you get dropped into a terminal that allows you to query the database, you have a MongoDB instance that is vulnerable.
You are going to want to secure this as soon as possible!
How to check if MongoDB has been hacked?
Let’s say that you find out that MongoDB is vulnerable but you are not sure if the database has been tampered with. You are going to want to start digging through the logs to find any possible signs of tampering with the database. Typically you will be able to find the logs for MongoDB at this location.
Start going through the system log and look for the keyword drop.
If you see something like this or similar, you are going to want to open up an issue with your organization of a data breach. Depending for who or what your application is servicing this can be a BIG deal the police departments or even the legal department might have to get involved. This is a REAL problem and you need to make sure the right individuals are aware of what’s happening.
If you don’t see anything out of the ordinary continue to secure the MongoDB database.
I got hacked now what?
They are going to request some money from you and if you pay that amount your data is going to get released. This is a complete lie, they have deleted your data and now they want to delete your bank account balance WHAT EVER YOU DO DON’T PAY THEM you might run into a small panic attack if you found out that your database has been breached, I want you to keep your cool and NOT pay any amount of ransom that they might be asking for.
How to secure MongoDB in production?
This is the most difficult question to answer, I’m going to give you some guidelines of how to go about it but I’m not going to get down to the specifics. First, you want to start with the basics. What version of MongoDB are you running?
This is IMPORTANT knowing what version of MongoDB you are running is going to help you find out what type of help you are going to need. Once you find the version of MongoDB that you are running you have a couple of options.
- Update to a newer version
- Keep and secure the current version.
If you decide to update MongoDB this is the commands that you need to run on a Linux server.
If you decide to keep the current version of MongoDB keep in mind the version number you are going to need it over and over again.
Head over to the Security Reference guide but before you start reading the material you are going to want to pay close attention to the version of the documentation that you are reading. Make sure the version matches up with the instance of MongoDB that you are securing.
Once you are looking at the documentation of the version of MongoDB that you are running you are going to want to create a user. Depending on the version of MongoDB that you have this could be different commands but this is what it would look like in 2.6.
Again all of this can be found in the documentation, the important part here is user, pwd, and roles. Once you create the user you are going to want to allow the user to modify that data within the database that you want to provide access to.
username with the user from the
createUser() function and provide the names of the database’s that you want to grant access. This might be multiple databases if you are hosting more than one application.
Exit the mongo shell.
You now have a working username and password setup with MongoDB! Congrats, you are getting closer to a secure instance of MongoDB. You now have to enable the secure functionality of MongoDB that it ships with open this file
vim /etc/mongodb.conf, inside this file, you are going to want to uncomment out the following lines.
Verify that you can log into MongoDB with credentials
If you can login without problems you have a secure instance of MongoDB! Congratulations… Small problem, though, your applications can’t access MongoDB. Since you secured MongoDB you are going to have to allow your applications to log in with the credentials that you created.
I talk about having config files on the Full-Stack course that I teach, but not having any knowledge of how you have MongoDB configured with your application you are going to want to read up on the Connection String URI Format to make sure that you use the correct syntax.
If you have a config file it might look like this.
Next step is not required but if you really want to nail this down create the following rules for your firewall.
There you have it a secure instance of MongoDB.
Till next time,