MongoDB provides a range of components that help secure your data. Data security matters a great deal in MongoDB, so these components exist to reduce the exposure surface. Here are 10 tips you can use to improve the security of your own or cloud-hosted MongoDB server.
1. Enable auth - Enabling authentication is good practice even when you deploy a MongoDB server in a trusted network; it provides "defense in depth" if your network is attacked. Edit the configuration file to enable auth:
auth = true
2. Do not expose a production database to the Internet - Limiting physical access to the database is a very important security measure. Unless it is necessary, do not expose a production database to the Internet. If an attacker cannot connect to the MongoDB server at all, the data cannot become any less secure than it is now. If you deploy on Amazon Web Services (AWS), place the database in a private subnet of a Virtual Private Cloud (VPC). For more information, read the blog post "Deploying MongoDB in a private cloud (VPC)".
3. Use firewalls - A firewall restricts which hosts are allowed to connect to the MongoDB server. The best practice is to allow only your own application servers to reach the database. If you deploy on Amazon Web Services (AWS), you can use the Security Groups feature to restrict access. If you deploy on a host that has no such firewall feature, you can use "iptables" to configure a simple firewall on the server itself. Refer to the MongoDB documentation for the iptables configuration that fits your environment.
4. Create a replica set using a key file - Specify a shared key file to authenticate communication between the MongoDB instances in the replica set. Add the keyFile parameter to the configuration file as follows. The contents of this file must be identical on every machine in the replica set.
keyFile = /srv/mongodb/keyfile
5. Disable the HTTP status interface - By default MongoDB runs an HTTP interface on port 28017 that serves a status page. This interface is not recommended in a production environment and is best disabled. Use the "nohttpinterface" configuration setting to turn it off:
nohttpinterface = true
6. Disable the REST interface - Enabling MongoDB's REST interface in a production environment is not recommended; the interface supports no authentication at all. It is turned off by default. If you have opened it with the "rest" configuration option, turn it off again on production systems:
rest = false
7. Configure bind_ip - If your system has multiple network interfaces, use the "bind_ip" option to restrict the MongoDB server to listening only on the interfaces you list. By default, MongoDB binds to all interfaces.
bind_ip = 10.10.0.25,10.10.0.26
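The five configuration settings in tips 1, 4, 5, 6 and 7 can be checked mechanically before a server goes into production. The following Python script is an added example, not code from the original post or from MongoDB: it parses a legacy-format (key = value) mongod.conf, reports every setting from those tips that is missing or weak, and runs over two constructed sample configurations, one with the defaults and one hardened as described above. It assumes the legacy key names shown in the post; newer mongod releases use a YAML configuration file with different key names (for example security.authorization), so check the documentation for the version you run.

```python
"""Audit a legacy-format (key = value) mongod.conf against the hardening
checklist in tips 1, 4, 5, 6 and 7.  Added example, not the post's own code."""

# Constructed sample: a default-style config that still has the REST
# interface open and none of the hardening settings applied.
WEAK_CONF = """
# constructed sample config, not from any real deployment
dbpath = /var/lib/mongodb
logpath = /var/log/mongodb/mongod.log
rest = true
"""

# Constructed sample: the same server with the post's recommendations applied.
HARDENED_CONF = """
dbpath = /var/lib/mongodb
logpath = /var/log/mongodb/mongod.log
auth = true
keyFile = /srv/mongodb/keyfile
nohttpinterface = true
rest = false
bind_ip = 10.10.0.25,10.10.0.26
"""


def parse_legacy_conf(text):
    """Parse 'key = value' lines into a dict.

    Keys are lowercased so the checks tolerate capitalisation differences;
    '#' comments and blank lines are skipped.  Values keep their original text.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip()
    return settings


def _is_true(value):
    """Interpret the boolean spellings the legacy format accepts."""
    return value is not None and value.lower() in ("true", "1", "yes")


def audit(text, replica_set=True):
    """Return a list of findings; an empty list means every check passed.

    replica_set=False skips the keyFile check for a stand-alone server.
    """
    s = parse_legacy_conf(text)
    findings = []

    # Tip 1: authentication.  A keyFile also implies auth on the server, so
    # either setting satisfies this check.
    if not _is_true(s.get("auth")) and not s.get("keyfile"):
        findings.append("auth is not enabled (tip 1)")

    # Tip 4: members of a replica set must share a key file.
    if replica_set and not s.get("keyfile"):
        findings.append("keyFile is not set for replica set members (tip 4)")

    # Tip 5: the HTTP status interface on port 28017 is on unless disabled.
    if not _is_true(s.get("nohttpinterface")):
        findings.append("HTTP status interface on port 28017 is still enabled (tip 5)")

    # Tip 6: the unauthenticated REST interface must not be switched on.
    if _is_true(s.get("rest")):
        findings.append("REST interface is enabled (tip 6)")

    # Tip 7: listen only on the interfaces you name; 0.0.0.0 means all of them.
    bind_ip = s.get("bind_ip")
    if not bind_ip:
        findings.append("bind_ip is not set; mongod listens on all interfaces (tip 7)")
    elif any(ip.strip() == "0.0.0.0" for ip in bind_ip.split(",")):
        findings.append("bind_ip includes 0.0.0.0, which listens on all interfaces (tip 7)")

    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        result = audit(conf)
        print(f"{name}: {'OK' if not result else ''}")
        for finding in result:
            print("  -", finding)
```

Run it as-is to see the two constructed configs compared; to audit a real server, pass the contents of its configuration file to audit() and treat each line of output as a setting to fix before exposing the instance to anything beyond your application servers.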
8. Enable SSL - Without SSL, the data transmitted between the MongoDB client and the MongoDB server is plaintext and susceptible to eavesdropping, tampering, and "man in the middle" attacks. If you connect to a MongoDB server over an untrusted network such as the Internet, enabling SSL is essential.
9. Role-based access control - MongoDB supports role-based access control, which gives you fine-grained control over the actions each user can perform. Using roles, you can restrict each user to the databases they need, so that not every user is an administrator. For more information, refer to the documentation on roles.
10. MongoDB Enterprise and Kerberos - MongoDB Enterprise supports Kerberos authentication. For more information, refer to the MongoDB documentation. A system based on username/password authentication is inherently unsafe, so use Kerberos-based authentication if possible.
10 ways to improve MongoDB security