MongoDB Security Hardening scheme to prevent data leaks from being blackmailed

Source: Internet
Author: User
Tags: auth, db2, mongodb, mongodb server, mongodump, mongorestore

Woke up in the morning and found that the production database had been deleted, with a database called "Please_read" left behind. Its contents were as follows:

"Info": "Your DB is backed on our servers, to restore send 0.1 BTC to the Bitcoin Address then send an email with Your Server IP ",
"Bitcoin Address": "Addresses",
"Email": "[email protected]"

The database is deployed on Amazon, uses the default port 27017, and the firewall was open to 0.0.0.0/32 (dead!).

The database also does not have a password set.

Here's how to harden MongoDB:

Vulnerability Hazard

When the MongoDB service is started without extra parameters, it performs no permission validation by default. Anyone who connects to the default port can, without a password, perform arbitrary operations on the database (including high-risk actions such as creating, deleting, modifying and querying data), and the database can be reached remotely.

Cause of vulnerability

After MongoDB is installed there is an admin database by default; at that point it is empty and records no permission-related information. As long as no user exists in admin.system.users, no authentication takes place even if the --auth parameter is given when MongoDB starts (regardless of whether --auth is used or not). Only once a user has been added to admin.system.users does authentication apply. The core of the hardening scheme is therefore that MongoDB's authentication and authorization only take effect after a user has been added to admin.system.users.

If you are a MongoDB administrator, you can also check for signs of intrusion with the following methods:

    1. Check that the MongoDB logs are complete and confirm the source IP address, time and actions of the session that deleted the database.

    2. Check the MongoDB accounts to see whether the admin user still has no password set (using the db.system.users.find() command).

    3. Check GridFS to see whether any files have been stored (using the db.fs.files.find() command).

    4. Check the log to see which clients have accessed MongoDB (using the show log global command).
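The first and fourth checks above are easier to do with a script than by reading the log by eye. The following is an added example, not code from the original article: it walks a mongod text log, maps each connection id to the remote address that opened it, and attributes every drop/dropDatabase event to that address, flagging those that came from outside a trusted network. The log lines are constructed samples approximating the MongoDB 3.x format, and the trusted subnet 192.168.0.0/16 is an assumption.

```python
import ipaddress
import re

# Constructed sample log lines (not from a real incident) approximating the
# MongoDB 3.x text log format: one trusted client, then an external client
# that drops the database and inserts a ransom-note database.
SAMPLE_LOG = """\
2017-01-05T03:10:02.001+0000 I NETWORK  [initandlisten] connection accepted from 192.168.0.12:50110 #7 (1 connection now open)
2017-01-05T03:10:02.015+0000 I COMMAND  [conn7] command test.orders command: find { find: "orders" } 2ms
2017-01-05T03:12:44.123+0000 I NETWORK  [initandlisten] connection accepted from 203.0.113.5:49152 #12 (2 connections now open)
2017-01-05T03:12:59.800+0000 I COMMAND  [conn12] dropDatabase test starting
2017-01-05T03:12:59.900+0000 I COMMAND  [conn12] dropDatabase test finished
2017-01-05T03:13:30.200+0000 I COMMAND  [conn12] command Please_read.$cmd command: insert { insert: "Please_read" } 1ms
2017-01-05T03:13:31.000+0000 I NETWORK  [conn12] end connection 203.0.113.5:49152 (1 connection now open)
"""

# Assumption: the application servers live in this subnet.
TRUSTED_NETWORKS = [ipaddress.ip_network("192.168.0.0/16")]

# "connection accepted" lines give us the connection number -> remote IPv4 address.
CONN_ACCEPTED = re.compile(
    r"^(?P<ts>\S+) I NETWORK\s+\[initandlisten\] connection accepted from "
    r"(?P<ip>[\d.]+):(?P<port>\d+) #(?P<conn>\d+)")

# Destructive events: the "dropDatabase <db> starting" message, or a logged
# drop/dropDatabase command on a namespace.
DROP_EVENT = re.compile(
    r"^(?P<ts>\S+) I COMMAND\s+\[conn(?P<conn>\d+)\] "
    r"(?:dropDatabase (?P<db>\S+) starting"
    r"|command (?P<ns>\S+) command: (?P<cmd>drop|dropDatabase)\b)")


def _is_trusted(ip, trusted_networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in trusted_networks)


def analyse_log(log_text, trusted_networks=TRUSTED_NETWORKS):
    """Attribute each drop/dropDatabase event to the remote address of its connection."""
    conn_ip = {}
    findings = []
    for line in log_text.splitlines():
        m = CONN_ACCEPTED.match(line)
        if m:
            conn_ip[m["conn"]] = m["ip"]
            continue
        m = DROP_EVENT.match(line)
        if not m:
            continue
        ip = conn_ip.get(m["conn"], "unknown")
        db = m["db"] if m["db"] else m["ns"].split(".", 1)[0]
        external = ip != "unknown" and not _is_trusted(ip, trusted_networks)
        findings.append({"time": m["ts"], "conn": m["conn"], "ip": ip,
                         "db": db, "external": external})
    return findings


def external_sources(log_text, trusted_networks=TRUSTED_NETWORKS):
    """Every remote address that opened a connection from outside the trusted networks."""
    ips = set()
    for line in log_text.splitlines():
        m = CONN_ACCEPTED.match(line)
        if m and not _is_trusted(m["ip"], trusted_networks):
            ips.add(m["ip"])
    return ips


if __name__ == "__main__":
    for f in analyse_log(SAMPLE_LOG):
        flag = "EXTERNAL" if f["external"] else "internal"
        print(f"{f['time']} conn{f['conn']} from {f['ip']} ({flag}) dropped database {f['db']}")
    print("external clients seen:", sorted(external_sources(SAMPLE_LOG)))
```

Run it against the real log with `analyse_log(open("/path/mongod.log").read())`; if the log has been rotated or truncated so that the "connection accepted" line for a connection is missing, the event is still reported but attributed to "unknown", which is itself a sign that the log is not complete.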

    1. Use the --bind_ip option.

      This option restricts the interface address that MongoDB listens on. For example, starting MongoDB with --bind_ip 192.168.0.1 makes the DB instance listen only for requests arriving at 192.168.0.1.

    2. Enable role-based login authentication.

      Create a user in the admin database, for example user name supper with password supWDxsf67%H (this is only an example; do not use this account and password).

      1. In an environment where authentication is not yet enabled, log on to the database.

        [[email protected] bin]$ ./mongo 127.0.0.1:27028
        MongoDB shell version: 2.0.1
        connecting to: 127.0.0.1:27028/test

        (The default port has been changed to 27028 here.)

      2. Switch to the admin database.

        > use admin
        switched to db admin
        >

      3. Create an administrator account.

        > db.addUser("supper", "supWDxsf67%H")

        or, on version 3 and later:

        > db.createUser({user: "supper", pwd: "supWDxsf67%H", roles: ["root"]})

        { "n" : 0, "connectionId" : 4, "err" : null, "ok" : 1 }
        {
        "user" : "supper",
        "readOnly" : false,
        "pwd" : "51a481f72b8b8218df9fee50b3737c44",
        "_id" : ObjectId("4f2bc0d357a309043c6947a4")
        }

        The Administrator account will be in system.users.

        > db.getCollectionNames()
        [ "system.indexes", "system.users", "system.version" ]

        Description

        • Starting with version 3, MongoDB removed the addUser method; create users with the db.createUser method instead.
        • Do not use an ordinary, easily guessed account. The password must meet a certain level of complexity: at least eight characters, mixing uppercase and lowercase letters, digits and special characters, and never a birthday, name, ID card number or other common password.
      4. Verify that the user is created successfully.

        > db.auth("supper","supWDxsf67%H")
        > exit
        bye

      5. End the process and restart the MongoDB service.

        ./mongod --dbpath=/path/mongodb --bind_ip=192.168.0.1 --port=27028 --auth --fork --logpath=/path/mongod.log

        The --auth flag turns authentication on now that an administrator exists, and --logpath needs its leading dashes; --fork already puts mongod in the background.

        Description

        • Users stored in admin.system.users have rights beyond those of users defined in other databases: they hold super-privileges, meaning a user created in admin can manipulate the data of any other database in MongoDB.

        • In a MongoDB system, databases are created by the superuser; a database can contain multiple users, a user belongs to exactly one database, and users in different databases may have the same name.

        • A user of a particular database (say user1 in db1) cannot access another database db2, but can access data created by other users in its own database.

        • Users with the same name in different databases cannot log in to each other's databases: if db1 and db2 each have a user1, logging in as user1 on db1 does not allow operating on db2.

        • Users created in the admin database have super permissions to manipulate data objects in any database in the MongoDB system.

        • A database's users are authenticated with db.auth(), which returns 1 if validation succeeds and 0 otherwise. db.auth() can only authenticate users belonging to the database currently in use; it cannot verify users of other databases.

    3. Disable the HTTP and REST ports.

      MongoDB ships with an HTTP service and supports a REST interface (both are turned off by default from version 2.6 onwards). By default MongoDB listens for this web service on port 28017; web-based remote management is generally not needed, so it is recommended to disable it.
      Modify the configuration file or pass the --nohttpinterface parameter at startup. In the configuration file the setting is:

      nohttpinterface = true

      (true disables the interface; the default false leaves it enabled.)

    4. Turn on the log auditing feature.

      The audit function records all relevant actions of users on the database. These records let the system administrator analyze what happened during the period in question.

    5. Use the SSL encryption feature.

      Connections between members of a MongoDB cluster and connections from clients to MongoDB instances should use SSL. Using SSL has no impact on performance and protects against man-in-the-middle attacks.

      Note: MongoDB Community Edition does not support SSL by default. Choose MongoDB Enterprise (which supports SSL), or recompile MongoDB from source with the --ssl option to get SSL functionality.

For all of the above settings, it is recommended to save them in a configuration file.

[[email protected] bin]$ vim /path/mongod.conf

    port=27028
    bind_ip=192.168.0.1
    logpath=/path/mongod.log
    pidfilepath=/path/mongod.pid
    auth=true
    logappend=true
    fork=true
    nohttpinterface=true

The settings mean the following:

  • port: the port. The default is 27017, MongoDB's default service TCP port, on which it listens for client connections. If the port is set below 1024 (for example 1021), root permission is needed to start; it cannot be started with the mongodb account, otherwise startup fails with an error (an ordinary account even fails with 27017 in that case). Clients then connect with mongo --port=1021.

  • bind_ip: the bind address. The default is 127.0.0.1, which only allows local connections; the process binds to and listens for application connections on this address. To accept connections from other servers, comment this out or change it to the machine's own address, such as 192.168.200.201 (other servers then connect with mongo --host=192.168.200.201). Multiple addresses can be bound as a comma-delimited list.

  • logpath: turns on logging; the log file path can be customized.

  • pidfilepath: the process ID file; no PID file is written when it is not specified.

  • auth: user authentication, default false (no authentication required). When set to true, access to the database requires authentication. While there are no users in the database, operations need no verification; from the moment the first user is created, operations require validation.

  • logappend: log write mode; set to true for append. The default is overwrite: if this is not specified, MongoDB overwrites the existing log file at startup.

  • fork: run in the background. Set to true to start the process as a daemon; false by default.

  • nohttpinterface: whether to disable the HTTP interface (the service on port 28017). The default is false, meaning the interface is enabled; set it to true to disable it.
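Because the difference between an exposed and a hardened instance comes down to a handful of lines in this file, it is worth checking the file mechanically before every restart. The following is an added example (not code from the article): a small Python audit of the old key=value mongod.conf format that reports the weak settings discussed above. Both configuration texts are constructed for the example; the hardened one mirrors the file shown here.

```python
# Added example: audit an old-style (key=value, no sections) mongod.conf for
# the weak settings the article warns about. Not part of the original article.

WEAK_CONF = """\
# constructed: the kind of configuration that leaves a database exposed
port=27017
bind_ip=0.0.0.0
fork=true
"""

HARDENED_CONF = """\
# constructed: the settings recommended in the article
port=27028
bind_ip=192.168.0.1
logpath=/path/mongod.log
pidfilepath=/path/mongod.pid
auth=true
logappend=true
fork=true
nohttpinterface=true
"""


def parse_conf(text):
    """Parse key=value lines; '#' starts a comment, keys are case-insensitive."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key.lower()] = value.lower()
    return settings


def audit_conf(text):
    """Return a sorted list of findings; an empty list means nothing weak was found."""
    s = parse_conf(text)
    findings = []

    # Authentication is off unless auth=true is present.
    if s.get("auth") != "true":
        findings.append("auth: authentication is not enabled; set auth=true")

    # Listening on every interface is what exposed the database in the story.
    bind = s.get("bind_ip", "")
    bound = [b.strip() for b in bind.split(",") if b.strip()]
    if not bound:
        findings.append("bind_ip: not set explicitly; pin it to the private interface address")
    elif "0.0.0.0" in bound:
        findings.append("bind_ip: 0.0.0.0 listens on all interfaces; bind to a private address")

    # The HTTP/REST interface on port 28017 should be disabled.
    if s.get("nohttpinterface") != "true":
        findings.append("nohttpinterface: HTTP/REST interface (port 28017) is not disabled; set nohttpinterface=true")

    # Without a log there is nothing to investigate after an incident.
    if not s.get("logpath"):
        findings.append("logpath: not set; there will be no log to audit")

    # Ports below 1024 need root to bind, which conflicts with running as the mongodb account.
    if s.get("port", "27017").isdigit() and int(s["port"]) < 1024:
        findings.append("port: below 1024 requires root to start; use an unprivileged port")

    return sorted(findings)


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        issues = audit_conf(conf)
        print(f"{name}: {'OK' if not issues else ''}")
        for issue in issues:
            print("  -", issue)
```

Run it on the real file with `audit_conf(open("/path/mongod.conf").read())`; the checks only cover the keys discussed in this article, so an empty result means these particular settings are in place, not that the instance is fully hardened.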

  1. Then, the configuration file is loaded when the MongoDB service is started.

    [[email protected] bin]$ ./mongod -f /path/mongod.conf

  2. Encrypt business-critical sensitive data at rest.

    We recommend that you go through your business data and encrypt the critical sensitive fields, such as account numbers, passwords, email addresses, mobile phone numbers and identity card numbers. For the encryption algorithm, choose a standard, internationally recognized algorithm combined with multiple salts in a custom scheme, so that the encryption cannot be broken.

    Even if an attacker obtains the data, encryption renders it unreadable ("can't understand" the data), which minimizes the loss.
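An added example (not from the article) of the per-record salt idea for the password field, using only the Python standard library. Passwords never need to be recovered, so they are stored as salted PBKDF2-SHA256 hashes with a fresh random salt per record; the optional keyed lookup token shows how an email address can be matched for equality without storing it in the clear. Reversible fields such as phone numbers need a real cipher (for example AES-GCM from a vetted library), which the standard library does not provide and which is therefore not shown. The iteration count and the server key are constructed values for the example.

```python
import base64
import hashlib
import hmac
import os

# Constructed parameters for the example: raise the iteration count as
# hardware allows, and keep the server key outside the database.
ITERATIONS = 100_000
ALGORITHM = "pbkdf2_sha256"


def hash_secret(secret, salt=None):
    """Return 'pbkdf2_sha256$iterations$salt$hash'; each record gets its own random salt."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, ITERATIONS)
    return "$".join([
        ALGORITHM,
        str(ITERATIONS),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_secret(secret, stored):
    """Recompute the hash with the stored salt and iteration count; compare in constant time."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False
    if algorithm != ALGORITHM:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(actual, expected)


def lookup_token(value, server_key):
    """Deterministic keyed token (HMAC-SHA256) so a field can be queried for equality
    without being stored in plaintext. Assumption: server_key lives outside MongoDB."""
    normalized = value.strip().lower().encode("utf-8")
    return hmac.new(server_key, normalized, hashlib.sha256).hexdigest()


def make_user_document(username, password, email, server_key):
    """Build the document that would be inserted; no plaintext secret or email in it."""
    return {
        "user": username,
        "pwd": hash_secret(password),
        "email_token": lookup_token(email, server_key),
    }


if __name__ == "__main__":
    key = os.urandom(32)  # constructed for the demo; load from a secret store in practice
    doc = make_user_document("alice", "correct horse battery staple", "Alice@Example.com", key)
    print(doc)
    print("login ok:", verify_secret("correct horse battery staple", doc["pwd"]))
    print("login ok:", verify_secret("wrong password", doc["pwd"]))
```

Two records with the same password produce different stored values because of the random salt, so a leaked dump cannot be attacked with a single precomputed table; the lookup token is deliberately deterministic, which is why it must be keyed with a secret that is not stored alongside the data.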

  3. Make local and off-site backups of your data.

    A sound backup strategy is the last line of defence for your data.

    Recommended: a reliable local backup plus a remote backup storage solution.

    • Local backup

      MongoDB backup command

        >mongodump -h dbhost -d dbname -o dbdirectory

        -h: address of the server where MongoDB runs, for example 127.0.0.1; a port can also be given, for example 127.0.0.1:27017
        -d: the database instance to back up, for example test
        -o: where the backup data is stored, for example c:\data\dump. This directory must be created beforehand; when the backup finishes, a test directory is created automatically under dump, holding the backup data of that database instance.

      MongoDB data recovery

      MongoDB uses the mongorestore command to restore backed-up data. Its syntax is as follows:

        >mongorestore -h dbhost -d dbname --directoryperdb dbdirectory

        -h: MongoDB server address
        -d: the database instance to restore into, for example test. This name may differ from the one used at backup time, for example test2.
        --directoryperdb: the location of the backup data, for example c:\data\dump\test.
        --drop: delete the current data before restoring the backup. That is, after recovery, any data added or modified since the backup is lost. Use with caution!

      The list of optional parameters for the Mongodump command is shown below.

      • Backup policy

        Full backup: all data can be recovered in the shortest time; the disadvantage is that each backup is expensive and takes a long time.

        Full backup + incremental backup: all data can also be recovered; the drawbacks are a long recovery time and the inability to recover everything if there is a problem with the incremental data.

        Fail over to the secondary: switch directly to the slave (secondary) node, provided its data is intact and trustworthy.

      • If you deploy on a public cloud, also configure security groups according to the hardening scheme the cloud provider recommends.


The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.
