Lock Your MongoDB: Don’t Be Too Open for Business

If we needed reminding about security, a recently published paper, "MongoDB databases at risk", reports a port scan that identified nearly 40,000 MongoDB instances visible on the public internet with no authentication or authorization at all.

Although the actual figure may be higher or lower, 40,000 open MongoDB databases is a disturbing number. Among them was one that appeared to be a customer database for over eight million users of a French ISP, and another holding payment information and customer details for a German online retailer.

The paper's authors, students from CISPA at Saarland University, place some of the blame on MongoDB's defaults, which are geared to single-machine use, and on documentation that is not explicit enough for users who want to expose their database to the internet. Of course, securing the database is ultimately the user's responsibility, so what should they do?

If you are running your own MongoDB installation and it is accessible over the net, you need to turn on authentication. If you are running MongoDB for a local system, you need to make sure it isn't talking to the network at all. By default, MongoDB's binary distribution binds to all interfaces on a system, so simply running MongoDB can leave it accessible. Some Linux distributions package MongoDB configured to listen only on the localhost interface, but don't assume yours is configured like that. You can check whether an installation is set up for local users only by looking in the mongodb.conf file for bind_ip=127.0.0.1. If there isn't one, add it, or run mongod with --bind_ip 127.0.0.1, to stop the server being visible on the network. Having no bind_ip setting at all is what makes MongoDB listen on all interfaces.
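As an added example (not code from the post or from MongoDB), here is a POSIX shell script that performs the check just described against a legacy "key = value" mongodb.conf: it reports whether bind_ip restricts mongod to the loopback address and, since a network-reachable server should at least have authentication switched on, whether auth = true is set. Both keys are real MongoDB 2.x configuration options; the sample config files the script writes are constructed for the example, and the config path is whatever you pass to audit.

```shell
#!/bin/sh
# Added example, not code from the original post or from MongoDB: audit a
# legacy "key = value" mongodb.conf for the two settings the post discusses,
# bind_ip (which interfaces mongod listens on) and auth (whether clients must
# authenticate). The sample configs below are constructed for this example.

# conf_value FILE KEY -> prints the value of KEY, or nothing if it is unset.
# Comment lines never match; trailing "# ..." comments and whitespace are stripped.
conf_value() {
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" 2>/dev/null \
        | tail -n 1 \
        | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*#.*$//' -e 's/[[:space:]]*$//'
}

# bind_check FILE -> 0 when every bind_ip entry is a loopback address,
# 1 when mongod would be reachable from the network. No bind_ip at all is the
# dangerous default: mongod then binds to every interface.
bind_check() {
    ips=$(conf_value "$1" bind_ip)
    [ -n "$ips" ] || return 1
    for ip in $(printf '%s' "$ips" | tr ',' ' '); do
        case "$ip" in
            127.0.0.1|::1) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# auth_check FILE -> 0 when "auth = true" is set, 1 otherwise.
auth_check() {
    [ "$(conf_value "$1" auth)" = "true" ]
}

# audit FILE -> prints one verdict line; returns 0 only if the server is either
# loopback-only or requires authentication (the two fixes the post gives).
audit() {
    if bind_check "$1"; then
        echo "$1: listens on loopback only - not reachable from the network"
        return 0
    elif auth_check "$1"; then
        echo "$1: network-reachable, but auth is on - make sure every user has a strong password"
        return 0
    else
        echo "$1: OPEN - reachable from the network with no authentication"
        return 1
    fi
}

# listening_sockets -> shows what is actually bound to the default mongod port on
# this host, as a cross-check against the config file (needs ss or netstat).
listening_sockets() {
    if command -v ss >/dev/null 2>&1; then
        ss -ltn 2>/dev/null | grep ':27017' || true
    elif command -v netstat >/dev/null 2>&1; then
        netstat -ltn 2>/dev/null | grep ':27017' || true
    fi
}

# Constructed sample configs (not real deployments) covering the three cases.
SAMPLE_DIR=${TMPDIR:-/tmp}/mongo-audit-example.$$
mkdir -p "$SAMPLE_DIR"
cat > "$SAMPLE_DIR/default.conf" <<'EOF'
# typical binary-distribution config: no bind_ip, no auth
dbpath = /var/lib/mongodb
logpath = /var/log/mongodb/mongodb.log
EOF
cat > "$SAMPLE_DIR/local.conf" <<'EOF'
dbpath = /var/lib/mongodb
bind_ip = 127.0.0.1   # loopback only
EOF
cat > "$SAMPLE_DIR/remote.conf" <<'EOF'
dbpath = /var/lib/mongodb
bind_ip = 0.0.0.0
auth = true
EOF

for f in default local remote; do
    audit "$SAMPLE_DIR/$f.conf" || true
done
listening_sockets
```

Run it as is to see the three verdicts, or call audit /etc/mongodb.conf (or wherever your distribution puts the file) against a real install; listening_sockets tells you what mongod actually bound to, which is the check that matters when the config file and the running process disagree.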

Of course, that only applies if you need a local database with no incoming connections. If you do want clients to connect to your database remotely, you are going to need to lock it down by creating user accounts, and to do that you first need a user account with admin privileges that can create them. By default, though, MongoDB has no admin accounts configured.

It's not a catch-22, though. While there are no users in the admin database, MongoDB accepts unauthenticated connections over the localhost interface. That lets you connect, run use admin and then db.addUser("name","password") to create an admin user. You can now connect as that admin with mongo, specifying the name and password, and add users to each database you create within the server by running use databasename followed by db.addUser("dbusername","dbuserpassword").
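Putting those bootstrap steps together, as an added example that is not part of the original post or of MongoDB's own tooling: a POSIX shell script that creates the first admin user over localhost while the admin database is still empty, checks that unauthenticated access is refused once that user exists, and then creates a user scoped to one application database. It generates the passwords itself rather than leaving anyone to pick a weak one, which is the point about strong passwords made below. It assumes a mongod started with auth = true (or --auth) and no users yet listening on 127.0.0.1:27017 and the mongo shell on PATH; ADMIN_USER, APP_DB and APP_USER are placeholder names, and db.addUser is the 2.4-era call the post shows (from MongoDB 2.6 the equivalent is db.createUser with explicit roles).

```shell
#!/bin/sh
# Added example, not code from the original post or from MongoDB: bootstrap the
# first admin user over the loopback interface, as the post describes, then add
# a per-database user, generating strong random passwords along the way.
# Assumptions: a mongod with "auth = true" (or --auth) and no users yet is
# listening on 127.0.0.1:27017 and the "mongo" shell is on PATH. User and
# database names are placeholders. db.addUser is the MongoDB 2.4 call shown in
# the post; from 2.6 onwards the equivalent is db.createUser with roles.

# gen_password N -> N random letters and digits from /dev/urandom. The limited
# alphabet keeps the value safe to splice into the shell and the --eval string;
# 32 such characters is well outside brute-force or guessing range.
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$1"
}

# valid_name NAME -> 0 if NAME is safe to splice into the JavaScript below
# (letters, digits, "_", "." and "-" only), 1 otherwise.
valid_name() {
    case "$1" in
        '') return 1 ;;
        *[!A-Za-z0-9_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# adduser_js DB USER PASSWORD -> the mongo shell statement equivalent to the
# post's "use DB" followed by db.addUser(USER, PASSWORD).
adduser_js() {
    valid_name "$2" || return 1
    printf 'db.getSiblingDB("%s").addUser("%s", "%s");\n' "$1" "$2" "$3"
}

# unauth_read_blocked -> 0 if an unauthenticated localhost connection can no
# longer read the user list, i.e. the localhost exception has closed.
unauth_read_blocked() {
    out=$(mongo --quiet --host 127.0.0.1 admin \
              --eval 'print(db.system.users.count())' 2>&1) || return 0
    case "$out" in
        *authorized*) return 0 ;;   # "unauthorized" / "not authorized"
        *) return 1 ;;
    esac
}

# bootstrap_admin USER -> creates the admin account (works only while the admin
# database is empty), prints the generated password once, exports it as
# ADMIN_PW for the next step, and verifies unauthenticated access is refused.
bootstrap_admin() {
    ADMIN_PW=$(gen_password 32)
    js=$(adduser_js admin "$1" "$ADMIN_PW") || { echo "bad user name: $1" >&2; return 1; }
    mongo --quiet --host 127.0.0.1 admin --eval "$js"
    echo "admin user '$1' created; store this password in your password manager: $ADMIN_PW"
    if ! unauth_read_blocked; then
        echo "WARNING: an unauthenticated read still works - is auth enabled in mongodb.conf?" >&2
        return 1
    fi
}

# add_db_user ADMIN ADMINPW DB USER -> authenticates as the admin and creates a
# user scoped to DB (the post's "use databasename; db.addUser(...)").
add_db_user() {
    pw=$(gen_password 32)
    js=$(adduser_js "$3" "$4" "$pw") || { echo "bad user name: $4" >&2; return 1; }
    mongo --quiet --host 127.0.0.1 -u "$1" -p "$2" --authenticationDatabase admin \
        "$3" --eval "$js"
    echo "user '$4' on database '$3' created with password: $pw"
}

# Only touches a server when the shell is installed and ADMIN_USER is set, so
# the file can also be sourced just for its functions.
if command -v mongo >/dev/null 2>&1 && [ -n "${ADMIN_USER:-}" ]; then
    bootstrap_admin "$ADMIN_USER" \
        && add_db_user "$ADMIN_USER" "$ADMIN_PW" "${APP_DB:-appdb}" "${APP_USER:-appuser}"
else
    echo "set ADMIN_USER=<name> (optionally APP_DB, APP_USER) with the mongo shell on PATH to bootstrap a server" >&2
fi
```

The check in unauth_read_blocked is the one worth keeping: if it fails, users exist but mongod was started without auth, so the server is still as open as before you began.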

It’s only common sense, and it will only stop exploratory network probes, or at least the kind the paper’s authors used. That's not the end of it, though. It's up to database admins to make sure they use strong, unique passwords: weak passwords can be brute-forced or, worse, easily guessed. To help with strong passwords, we recommend a password management application like LastPass or 1Password, but if you just want to generate a password quickly, check out LastPass's online Password Generator.

Of course, there is an alternative. When we configure MongoDB databases at Compose, we make sure that all access to the database requires a user name and password, and we give you a web-based user management front end so you don't have to create admin users on localhost. It's a time saver, and just one of the ways you'll find your MongoDB database is better when it comes from Compose.