MongoDB ships with a number of security features for protecting your data; used together they shrink the exposed surface of the server. Here are 10 tips for hardening a self-hosted or cloud MongoDB server.
1. Enable auth - Enabling authentication is good practice even when the MongoDB server sits on a trusted network: it provides defense in depth if that network is breached. Without auth, any client that can reach the port has full read and write access to every database. Enable it with the "auth" option in the configuration file.
2. Do not expose production databases to the Internet - Restricting network access to the database is one of the most important security measures. Unless there is a genuine need, never expose a production database to the Internet: an attacker who cannot reach the MongoDB port at all cannot attack it, whatever else may be misconfigured. If you deploy on Amazon Web Services (AWS), place the database in a private subnet of your Virtual Private Cloud (VPC) so that it has no public address or route.
3. Use a firewall - A firewall limits which hosts may connect to the MongoDB server; ideally only your own application servers (and, for replica sets, the other members) are allowed. On AWS, use the Security Group feature to restrict access. On a provider without a firewall feature, configure "iptables" on the server yourself: accept TCP connections to the MongoDB port (27017 by default) from the application servers' addresses and drop everything else. Refer to the MongoDB documentation on iptables configuration for the specifics of your environment.
4. Use a key file for replica set members - A shared key file enables internal authentication between the mongod instances of a replica set (or sharded cluster). Add the keyFile option to the configuration file as shown below. The contents of the file must be identical on every member, must consist of 6 to 1024 characters from the base64 set, and the file must be readable only by the mongod user (for example mode 400): mongod refuses to start if the key file is group- or world-readable. Specifying keyFile also implies auth.
keyFile = /srv/mongodb/keyfile
5. Disable the HTTP status interface - By default, older mongod releases serve a status page over HTTP on the main port plus 1000 (28017 for a default install). Do not rely on this interface in production; disable it with the "nohttpinterface" configuration setting. The HTTP interface was deprecated in MongoDB 3.2 and removed in 3.6.
6. Disable the REST interface - Do not enable the MongoDB REST interface in production. It performs no authentication at all, so anyone who can reach the HTTP port can read and modify data through it. The interface is off by default; if it was turned on with the "rest" configuration option, turn it off on production systems. Like the status page, it was removed in MongoDB 3.6.
7. Configure bind_ip - If the system has several network interfaces, use the "bind_ip" option so that mongod listens only on the listed addresses (the option name is case-sensitive). Releases before 3.6 bind to all interfaces by default; since 3.6 the binaries bind to localhost unless told otherwise, so on a multi-homed server you still have to list the internal addresses explicitly.
bind_ip = 10.10.0.25,10.10.0.26
8. Enable SSL/TLS - Without TLS, everything transmitted between the MongoDB client and the server is plaintext and susceptible to eavesdropping, tampering, and man-in-the-middle attacks. Enabling it is essential when clients reach the server across untrusted networks such as the Internet, and worthwhile inside a data center too. In the legacy configuration format this is the "sslOnNormalPorts" option together with "sslPEMKeyFile" pointing at a PEM file holding the server certificate and private key; clients should verify the server certificate against the issuing CA rather than accepting any certificate.
9. Role-based access control - MongoDB supports role-based authorization, so you can control at fine granularity which actions each authenticated user may perform. Grant application accounts only the roles they need on the databases they use (for example readWrite on a single database) instead of making every user an administrator. For details, refer to the documentation on roles.
10. MongoDB Enterprise and Kerberos - MongoDB Enterprise supports Kerberos authentication; refer to the MongoDB documentation for setup. Username/password authentication is exposed to guessing, reuse, and theft of credentials, so use Kerberos-based authentication where it is available.
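The following script pulls tips 1, 4, 5, 6, 7 and 8 together. It is an added example, not part of the original article or of MongoDB's own tooling: it generates a replica-set key file with the permissions mongod insists on, writes a mongod.conf in the legacy "option = value" format the article uses, and writes the same settings in the YAML format introduced in MongoDB 2.6. The directory, the bind addresses and the PEM file path are assumptions for illustration; override them for a real host.

```shell
#!/bin/sh
# Added example (not from the original article): key file generation plus a
# hardened mongod.conf in legacy and YAML form. All paths and addresses below
# are assumed values for illustration.
set -eu

# Tip 4: shared secret for internal authentication between replica-set members.
# mongod requires 6-1024 base64 characters, identical on every member, and a
# file readable only by the mongod user (group/world-readable is rejected).
make_keyfile() {
    keyfile="$1"
    rm -f "$keyfile"                      # a leftover 0400 file cannot be overwritten
    ( umask 077                           # subshell: umask does not leak to the caller
      if command -v openssl >/dev/null 2>&1; then
          openssl rand -base64 756 > "$keyfile"     # 756 random bytes -> 1008 base64 chars
      else
          head -c 756 /dev/urandom | base64 > "$keyfile"
      fi )
    chmod 400 "$keyfile"
    # chown mongodb:mongodb "$keyfile"    # on a real host the owner must be the mongod user
}

# Check a key file the way mongod will: mode exactly 0400 and a legal length.
keyfile_ok() {
    [ -n "$(find "$1" -perm 400)" ] || return 1
    len=$(tr -d '\n\r' < "$1" | wc -c | tr -d ' ')
    [ "$len" -ge 6 ] && [ "$len" -le 1024 ]
}

# Legacy "option = value" format (MongoDB 2.4; still accepted by 2.6-3.x).
write_legacy_conf() {
    conf="$1" keyfile="$2" pemfile="$3" bind_ips="$4"
    cat > "$conf" <<EOF
# tip 1: clients must authenticate (keyFile already implies this; stated explicitly)
auth = true
# tip 4: shared key for replica-set members
keyFile = $keyfile
# tips 5 and 6: no HTTP status page on port+1000, no REST interface
nohttpinterface = true
rest = false
# tip 7: listen only on the internal interfaces
bind_ip = $bind_ips
# tip 8: TLS on the normal port; the PEM file holds server certificate and key
sslOnNormalPorts = true
sslPEMKeyFile = $pemfile
EOF
}

# Same settings in YAML (MongoDB 2.6+). net.http.* no longer exists in 3.6+
# (drop those lines there), and net.ssl was renamed net.tls in 4.2.
write_yaml_conf() {
    conf="$1" keyfile="$2" pemfile="$3" bind_ips="$4"
    cat > "$conf" <<EOF
security:
  authorization: enabled
  keyFile: $keyfile
net:
  bindIp: $bind_ips
  http:
    enabled: false
    RESTInterfaceEnabled: false
  ssl:
    mode: requireSSL
    PEMKeyFile: $pemfile
EOF
}

# Whole-line, fixed-string match: does the config contain exactly this line?
conf_has() { grep -qxF "$2" "$1"; }

# Demonstration with assumed values. Set TARGET_DIR=/srv/mongodb on a real host.
target="${TARGET_DIR:-$(mktemp -d)}"
mkdir -p "$target"
make_keyfile "$target/keyfile"
write_legacy_conf "$target/mongod.conf" "$target/keyfile" /etc/ssl/mongodb.pem "10.10.0.25,10.10.0.26"
write_yaml_conf "$target/mongod.yaml" "$target/keyfile" /etc/ssl/mongodb.pem "10.10.0.25,10.10.0.26"
if keyfile_ok "$target/keyfile"; then
    echo "wrote keyfile, mongod.conf and mongod.yaml to $target"
fi
```

Copy the same key file to every member of the replica set before restarting them with the new configuration, and keep the file out of version control: it is a credential, not configuration.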