Last week I wrote a short news item, “MongoDB running naked: 200 million Chinese job resumes leaked!”:

According to HackenProof, a total of 202,730,434 Chinese resumes were leaked because the MongoDB database had no security measures in place at all.

Many people then commented that MongoDB was innocent.

And it is: the fault of course lies not with the database, but with the people who used it without doing the necessary security configuration.

So how do we secure MongoDB? Here are three simple ways to protect MongoDB:

  • Bind LAN IP addresses to prevent Internet access
  • Configure a firewall to protect port 27017
  • Configure accounts and passwords to control database access

The system configuration used in this tutorial is as follows:

  • Ubuntu 16.04
  • Mongo 4.0.5

Install MongoDB on Ubuntu 16.04

See the MongoDB documentation: Install MongoDB Community Edition on Ubuntu

sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 9DA31620334BD75D9DCB49F368818C72E52529D4
echo "deb [ arch=amd64,arm64 ] https://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/4.0 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-4.0.list
sudo apt-get update
sudo apt-get install -y mongodb-org=4.0.5 mongodb-org-server=4.0.5 mongodb-org-shell=4.0.5 mongodb-org-mongos=4.0.5 mongodb-org-tools=4.0.5
sudo service mongod start

1. Bind LAN IP addresses to prevent Internet access

There is a reason MongoDB has been hacked so many times over the years. Prior to version 3.6, MongoDB bound to 0.0.0.0 by default, which meant that we could access MongoDB over the Internet, and so could hackers. This default configuration is a major security weakness that many MongoDB beginners fall into. MongoDB’s documentation on this issue is rather euphemistic:

Default Bind to Localhost

MongoDB binaries, mongod and mongos, bind to localhost by default. From MongoDB versions 2.6 to 3.4, only the binaries from the official MongoDB RPM (Red Hat, CentOS, Fedora Linux, and derivatives) and DEB (Debian, Ubuntu, and derivatives) packages would bind to localhost by default.

In other words, starting with 3.6, MongoDB binds to localhost by default, which means MongoDB can only be accessed locally. For 2.6 through 3.4, only the packages downloaded from the official MongoDB RPM and DEB repositories bind to localhost by default; packages installed by other means bind to 0.0.0.0 by default. So if you are using a MongoDB version earlier than 3.6, pay special attention to this.

Binding MongoDB to localhost is fine for a development environment. In production, however, there are usually multiple nodes, so we need to change the IP address MongoDB binds to by configuring net.bindIp.

Simply setting net.bindIp to 0.0.0.0 for convenience would be a bad idea. The correct approach is to bind the LAN IP so that only nodes within the LAN can access MongoDB. Unless a hacker takes over your server itself, he cannot reach your MongoDB.

Which IPs are LAN addresses? By standard (RFC 1918), the private network segments are:

  • 10.0.0.0 – 10.255.255.255
  • 172.16.0.0 – 172.31.255.255
  • 192.168.0.0 – 192.168.255.255

The most common LAN network segments are 192.168.0.0 to 192.168.255.255.

Edit the MongoDB configuration file:

vim /etc/mongod.conf

Set net.bindIp to 192.168.59.99:

net:
  port: 27017
  bindIp: 192.168.59.99

Note that bindIp accepts a comma-separated list; if local clients should still be able to connect over 127.0.0.1, use bindIp: 127.0.0.1,192.168.59.99.

Restart mongod:

sudo service mongod restart

2. Configure a firewall to protect port 27017

MongoDB listens on port 27017 by default. You should configure a local firewall so that external IP addresses cannot reach this port.

If MongoDB is bound to 0.0.0.0 and no firewall is configured, a remote nmap scan of port 27017 gives the following result:

nmap -p 27017 113.207.35.149

Starting Nmap 6.49BETA3 ( https://nmap.org ) at 2019-01-19 14:17 CST
Nmap scan report for 113.207.35.149
Host is up (latency).
PORT      STATE SERVICE
27017/tcp open  mongod

Nmap done: 1 IP address (1 host up) scanned in 14.34 seconds

Port 27017 is “open”, which means we can access the MongoDB database remotely.

Configure a UFW firewall

The default firewall on Ubuntu is UFW, which is very easy to configure. By default, UFW is inactive:

sudo ufw status
Status: inactive

Run the following commands to configure the UFW rules and enable the firewall:

sudo ufw default deny incoming    # deny inbound access to every port by default
sudo ufw default allow outgoing   # allow this machine to reach the outside network
sudo ufw allow 22/tcp             # allow SSH
sudo ufw allow from 192.168.59.100 to any port 27017   # only the LAN host 192.168.59.100 may reach MongoDB
sudo ufw enable

The rules I configured are easy to understand from the commands themselves. Now check the UFW status and you will see that the firewall is active:

sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
27017                      ALLOW       192.168.59.100
22/tcp (v6)                ALLOW       Anywhere (v6)

Then run the nmap scan of port 27017 again from a remote host. The result is as follows:

nmap -p 27017 113.207.35.149

Starting Nmap 6.49BETA3 ( https://nmap.org ) at 2019-01-19 14:40 CST
Nmap scan report for 113.207.35.149
Host is up (0.053s latency).
PORT      STATE    SERVICE
27017/tcp filtered mongod

Nmap done: 1 IP address (1 host up) scanned in 13.68 seconds

Port 27017 now reports “filtered”, meaning the firewall is protecting it.

Another common firewall tool on Linux is iptables, which I will not describe here.

In addition, cloud servers provide their own firewalls, which are independent of the local firewall; configuring them as well is necessary to keep the database secure.

3. Configure the account and password to control database access

By default, MongoDB has no account or password, so anyone who can reach your server can log in to the database. To fix this, configure an account and password for MongoDB.

Connect to mongo:

mongo

Configuring the account and password

The account name is myUserAdmin and the password is abc123 (use a strong password in practice):

use admin
db.createUser(
  {
    user: "myUserAdmin",
    pwd: "abc123",
    roles: [ { role: "userAdminAnyDatabase", db: "admin" }, "readWriteAnyDatabase" ]
  }
)

Edit the MongoDB configuration file:

vim /etc/mongod.conf

Set security.authorization to “enabled”:

security:
  authorization: enabled

Restart mongod:

sudo service mongod restart

Connect to mongo

When connecting to MongoDB again, specify the account and password:

mongo -u "myUserAdmin" -p "abc123" --authenticationDatabase "admin"

If you do not provide the account and password, you cannot list the databases, and the following error occurs:

> show dbs
2019-01-20T22:13:53.477+0800 E QUERY    [js] Error: listDatabases failed:{
	"ok" : 0,
	"errmsg" : "command listDatabases requires authentication",
	"code" : 13,
	"codeName" : "Unauthorized"
}
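The three settings above (the LAN bindIp from step 1, the UFW rule for port 27017 from step 2 and security.authorization from step 3) can be audited together. The following POSIX shell script is an added example, not part of the original post or of MongoDB itself; it runs on constructed sample copies of mongod.conf and ufw status output, and the function names are my own.

```shell
# Constructed sample inputs for the audit; they are not taken from a real host.
CONF_GOOD='net:
  port: 27017
  bindIp: 192.168.59.99
security:
  authorization: enabled'
CONF_BAD='net:
  port: 27017
  bindIp: 0.0.0.0'
UFW_GOOD='Status: active
22/tcp                     ALLOW       Anywhere
27017                      ALLOW       192.168.59.100'
UFW_BAD='Status: active
27017                      ALLOW       Anywhere'

# True for loopback and the three RFC 1918 private ranges.
is_private_ip() {
  case "$1" in
    127.*|10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the value of "<key>: <value>" from mongod.conf text read on stdin.
conf_value() { awk -v k="$1:" '$1 == k { print $2; exit }'; }

# audit_conf <conf text>: print every problem found and return their count.
audit_conf() {
  n=0
  bind=$(printf '%s\n' "$1" | conf_value bindIp)
  [ -z "$bind" ] && bind=127.0.0.1   # mongod 3.6+ default when the key is absent
  for ip in $(printf '%s' "$bind" | tr ',' ' '); do   # bindIp may be a comma list
    is_private_ip "$ip" || { echo "bindIp $ip is reachable from outside the LAN"; n=$((n+1)); }
  done
  [ "$(printf '%s\n' "$1" | conf_value bindIpAll)" = true ] &&
    { echo "bindIpAll: true exposes mongod on every interface"; n=$((n+1)); }
  [ "$(printf '%s\n' "$1" | conf_value authorization)" = enabled ] ||
    { echo "security.authorization is not enabled"; n=$((n+1)); }
  return $n
}

# audit_ufw <ufw status text>: every ALLOW rule for 27017 must name a LAN source,
# and at least one such rule must exist. Returns the number of bad rules.
audit_ufw() {
  printf '%s\n' "$1" | awk '
    ($1 == "27017" || $1 == "27017/tcp") && $2 == "ALLOW" {
      rules++; if ($3 !~ /^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/) { print "27017 allowed from " $3; bad++ }
    }
    END { if (rules == 0) { print "no ufw rule limits 27017 to the LAN"; bad++ }; exit bad + 0 }'
}
```

On a real host, pass the output of cat /etc/mongod.conf and sudo ufw status instead of the samples; the IPv6 “(v6)” rule lines are not checked.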

In addition, MongoDB supports multiple accounts with different permissions, so read and write access can be granted per database. Such fine-grained access control further improves security. For example, interns on the team should be given read-only access, which effectively prevents extreme cases such as a database being dropped by mistake.

Conclusion

As you can see, the methods described in this article are simple and common sense, but they are necessary. As a database administrator, having none of this configured is obviously very unprofessional, and there is no use blaming MongoDB, because any other database would have the same problem.

According to the Security Checklist in the MongoDB documentation, we can also use TLS/SSL to encrypt MongoDB connections, at some cost in performance. Configure it according to your needs.

Besides securing access to the database, it is also important to secure the data itself by making the necessary backups. For how to do this, see our blog post “This is how Fundebug backs up data”.

Reference

  • MongoDB running naked: 200 million Chinese job resumes leaked!
  • This is how Fundebug backs up data

About Fundebug

Fundebug focuses on real-time bug monitoring for JavaScript, WeChat mini programs, WeChat games, Alipay mini programs, React Native, Node.js and Java online applications. Since its launch on November 11, 2016, Fundebug has handled more than 900 million error events, and its paying customers include Google, 360, Kingsoft, Minming.com and many other brands. Welcome to try it for free!

Copyright statement

When reprinting, please credit the author Fundebug and this article's address: blog.fundebug.com/2019/01/21/…