There have been reports not too long ago of MongoDB databases becoming targets of ransomware attacks. This happens where publicly exposed databases are backed up and deleted with a ransom message. Also, there have been anecdotal reports where database owners have yet to regain their data even after coughing up the ransom of 300 or more bitcoins. Hence, it is recommended that the ransom not be paid.
In a report in Jan 2017, over 10,000 databases have been affected. Hackers are said to be using http://www.shodan.io to identify MongoDB databases connected to the internet with no sufficient password protection.
Minimum security measures
At a minimum, it is recommended to perform the following:
- bind the MongoDB server to a private IP (e.g. localhost)
- update default port
- configure access control
For the step by step tutorial, please refer to: securing-mongodb
Security measures check list
There is wealth of resource on docs.MongoDB.com. Unfortunately, they are not default and instead require an administrator to implement them. Depending on solution requirements, either some or all will need to be implemented e.g. HIPAA or PCI-DSS compliance.
The following are the list of measures recommended by MongoDB:
- Enable Access Control and Enforce Authentication
- Configure Role-Based Access Control
- Encrypt Communication
- Encrypt and Protect Data
- Limit Network Exposure
- Audit System Activity
- Run MongoDB with a Dedicated User
- Run MongoDB with Secure Configuration Options
- Request a Security Technical Implementation Guide (where applicable)
- Consider Security Standards Compliance
For more detail, please refer to: security-checklist
Quick check
The following snippet will check if anonymous access is possible to the database. Databases shall be displayed if anonymous access is possible. Key in the following at command prompt to find out.Step 1: Mongo.exe –host <hostname>
Step 2: Show databases
Conclusion
The security measures listed here are applicable to other NoSQL or document based databases like Elasticsearch, CouchDB and Hadoop. It is also by no means finite as your environment and situation may be more complex or extensive.
Implementing base security measures is great selling point to clients and potential clients alike. It gives peace of mind that it is now harder for hackers and our data is safer.
[As written by one of our Consultants]