How To Harden MongoDB Server

MongoDB is “a document database that provides high performance, high availability, and easy scalability”. In this chapter of our InfoSec System Hardening series, we’ll walk you through some of the steps you can take to harden your MongoDB database server. You can refer to the MongoDB Server Documentation for more details about the commands and configuration changes we’ll discuss. We will give you the command line options along with the configuration file setting.

Authorization

Authorization is a set of roles that give users permissions pairing resources with allowed operations. It is suggested to use authorization to fine-tune user profiles so that each user can access only the data and run only the operations it needs. MongoDB does not enable authorization by default, but you can enable it using the --auth option:

$ mongod --auth
-or in the configuration file-
auth = true

Disable Localhost Exception

The localhost exception allows you to enable authorization before creating the first user in the system. When active, the localhost exception allows all connections from the localhost interface to have full access to that instance. The exception applies only when there are no users created in the MongoDB instance. To prevent unauthorized access to a cluster’s shards, you must either create an administrator on each shard or disable the localhost exception. To disable the localhost exception, add the setParameter and set the enableLocalhostAuthBypass parameter to 0 during startup.

$ mongod --setParameter enableLocalhostAuthBypass=0
-or in the configuration file-
setParameter = enableLocalhostAuthBypass=0

Disable Server Side Scripting

In some server-side operations MongoDB supports the execution of JavaScript code. To mitigate the exploitation of a possible application-level vulnerability, it is suggested to disable server-side scripting. To disable server-side scripting, add the --noscripting option during startup (in the configuration file the key must be set to true; noscripting = false would leave scripting enabled).

$ mongod --noscripting
-or in the configuration file-
noscripting = true

Disable status interface

The status interface is an HTTP server exposing a web page that contains some statistics that may be of interest to system administrators. It is suggested to disable the status interface so as not to expose an unused service. To disable the status interface, add the --nohttpinterface option during startup.

$ mongod --nohttpinterface
-or in the configuration file-
nohttpinterface = true

Disable the REST interface

The REST interface is a fully interactive administrative REST interface, which is disabled by default. This interface does not support any authentication, so if it is ever enabled you should always restrict access to its port to trusted clients only. It is suggested to leave this interface disabled: the command line below is what enables it (do not pass these options), and the configuration file setting keeps it off.

$ mongod --rest --httpinterface   (enables the REST interface; omit these options)
-or in the configuration file-
rest = false

Limit Network Exposure

Restricting access to the database service is a critical aspect of service security. It is suggested not to expose your database to resources that do not need to access it. You can use the --bind_ip option on the command line at run time, or bind_ip in the configuration file, to limit the network accessibility of a MongoDB program.

$ mongod --bind_ip 127.0.0.1
-or in the configuration file-
bind_ip = 127.0.0.1

Run MongoDB with a dedicated user

Privilege separation should always be used: it is suggested to run MongoDB processes under a dedicated user account (an operating system account with the minimum privileges needed to run the service). Most installers already create a dedicated user when installing MongoDB.
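To check a server against the settings covered in the sections above, here is an added example script (not part of the original post and not MongoDB's own tooling) that parses the legacy key = value mongod.conf format used throughout this post and reports each setting that is still at its weak value; the sample configuration is constructed to trip every check.

```python
import re

# Constructed sample mongod.conf showing every weak setting at once.
WEAK_CONF = """\
dbpath = /var/lib/mongodb
auth = false
setParameter = enableLocalhostAuthBypass=1
noscripting = false
nohttpinterface = false
rest = true
bind_ip = 0.0.0.0
"""

def parse_conf(text):
    """Parse 'key = value' lines into {key: [values]}; comments and blanks are
    skipped, and keys map to lists because setParameter may repeat."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        conf.setdefault(key, []).append(value)
    return conf

def audit(text):
    """Return one finding per weak or missing setting; [] means all checks pass.
    A missing key keeps the mongod default, which is the weak value here."""
    conf = parse_conf(text)
    findings = []
    for key, fix in (("auth", "true"), ("noscripting", "true"),
                     ("nohttpinterface", "true")):
        if conf.get(key, ["false"])[-1].lower() != fix:
            findings.append(f"{key} should be {fix}")
    if conf.get("rest", ["false"])[-1].lower() == "true":
        findings.append("rest should be false (unauthenticated REST interface)")
    bypass_off = any(re.fullmatch(r"enableLocalhostAuthBypass\s*=\s*0", p)
                     for p in conf.get("setParameter", []))
    if not bypass_off:
        findings.append("setParameter should include enableLocalhostAuthBypass=0")
    addrs = conf.get("bind_ip", ["0.0.0.0"])[-1].split(",")
    if "0.0.0.0" in (a.strip() for a in addrs):
        findings.append("bind_ip should be 127.0.0.1 or an internal address")
    return findings

if __name__ == "__main__":
    for finding in audit(WEAK_CONF):
        print("WEAK:", finding)
```

Run it against your own file with audit(open("/etc/mongod.conf").read()); an empty list means every setting from this post is in place.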
