How to Secure the MongoDB Database

MongoDB is a NoSQL database, it is a non–relational database that comes under the document family of databases. MongoDB supports a JSON-like structure for storing data. It allows us to store unstructured data as it has a flexible structure, it provides users with indexing support. MongoDB supports high availability as it stores two or more copies of the data, it uses horizontal scaling to handle data, which helps by reducing the load of the data by evenly distributing data across multiple servers to prevent crashing.

This article covers the need for a secure database and different ways in which we can secure the MongoDB database.

Need for a Secure Database

• Security is very important in databases like MongoDB so that the sensitive information that an organization stores in mongoDB is protected from unauthorized access. Any data breaches in databases can lead to a huge loss for the organization using the database as it is used to store all the sensitive information about their users and the organizations.
• The most basic way to protect the data we store in MongoDB is to limit network exposure. Limiting network exposure means restricting the ways through which a network can be assessed so that the possibility of a potential attack is reduced and also through this practice the network or system accessibility is reduced.

Different Ways to Secure MongoDB

1. Changing Default Port

Changing default port allows us to prevent our database from being attacked from automated attacks which can be done on the already known ports. MongoDB uses port 27017 as its default port and is commonly targeted by automated attackers, changing this port adds a layer of security for our database as it makes it harder for attackers to identify the port which MongoDB is using.

How can We Change the MongoDB Port?

• Step 1 Find the configuration File: MongoDB uses a configuration file known as ‘mongod.conf‘. This is the file which contains all the settings for the mongoDB server. Use a text editor to open the ‘mongod.conf’.
• Step 2 Locating the “net” section: Inside the ‘mongod.conf’ file we will find a “net” section.If the “net” section is not present you can add it manually.
• Step 3 Changing the port number: Inside the “net” section, there will be a line which would be mentioning the port as 27017 {‘port : 27017’} which is the default port. Change this port number to the port number of our choice.
• Step 4 Saving the changes: Save all changes that are made and to apply them restart the MongoDB service. we can restart our MongoDB server using the below command for Linux.

Command:

`sudo service mongod restart`

Explanation: We should never use changing default port as the only way to secure mongoDB as it is not safe to use it alone, but we can use it as a added measure to make the mongoDB more secure.

2. Restrict listen Interface(-s)

• Restricting the listen interface for MongoDB, helps in controlling which networks interface the MongoDB server is accessible from. This is a security measure which can sometime means that we can select where the mongoDB server would be able to work. For example, if we bind the MongoDB to localhost it means that the database will only be accessible from the local machine. This would help us to reduce the potential attacks and reduce the risk of unauthorized access from any external network and helps to prevent the database.
• To implement this we can use the ‘mongod‘ command as shown below:

Command:

mongod --bind_ip localhost

Explanation: Through this only MongoDB will only be able to communicate to localhost, stopping it from connecting from external networks.

If we want some other IP address to be able to communicate with the MongoDB along with the localhost we can use the below command.

Command:

mongod --bind_ip localhost, ip address

3. Using Unix Domain Sockets

• Through the use of Unix domain sockets we can provide a method for inter -process communication. Unix domain socket is supported by MongoDB as a method of communication between the database server and clients. This provides security as the communication remains local and hence reduces exposure to network based attacks.

4. Restrict Network Access with a Firewall

• We can protect the MongoDB database through Firewall. Firewalls help in securing MongoDB by controlling incoming and outgoing network traffic. They act as a barrier between the MongoDB server and the external networks that try to access that database. Using proper rules, we can prohibit IP-specific network ranges, from unauthorized connections.

5. Use of SSH Port Forwarding

• SSH port forwarding helps in providing security to the communication between the client and server by tunneling traffic through an encrypted SSH connection. It makes a secure connection from a remote machine to MongoDB server without exposing the database port.

6. Use of SSH Reverse Tunneling

• This method is useful when a MongoDB server is behind a firewall, and it should be accessed securely from a remote location. It is used to establish a secure connection from a remote server to the client.

7. Connect from a Bastion Host

• A bastion host also known as the jump host is an intermediary server that acts as a secure gateway to access other servers, including the MongoDB server. Connecting the MongoDB through a bastion host enhances the level of security by limiting the direct access and hence protects the database.

The command we need to write to use bastion host is given below.

Command:

ssh -J bastion-host user@mongodb-server

Explanation:

• ssh: This is the command line tool used for secure shell access.
• -J bastion-host: This part of the command specifies the jump host through which the SSH connection will be forwarded. You should provide the IP address or the hostname of the bastion host after the `-J` option.
• user@mongob-server: Here you will provide the username and hostname or the IP address of the MongoDB server to which you want to connect.

8. Enabling TLS and SSL Encryption System

• Enabling TLS and SSL encryption system method for securing the communication between any two endpoints. The encryption is a valid option for restriction the network access for MongoDB. We can also encrypt the communication between the two end points client and the MongoDB server using SSL and TLS.

Implementation of Authentication

It is a way where the user can ensure that only the specified users have access to the database. Some methods are:

1. SCRAM-SHA-256

• It stands for Salted Challenge Response Authentication Mechanism by SHA-256.It is challenging response for authentication mechanism which takes advantage of both user credentials and the server generated challenges for authenticating the user.
• For enabling the SCRAM-SHA-256 authentication in MongoDB, we need to create the accounts with valid username and password and configuring the MongoDB server for taking the advantage of SCRAM-SHA-256 as the mechanism for authentication. User has to create an account with username and password.
• When we connect to the MongoDB, we need to provide the username and password in the connection string.

2. X.509 Certificate Authentication

• It authenticate the SSL and TLS client certificates for authentication. We need to configure the server for using the SSL and TLS and which specify the paths to servers certificate and key files.

3. Use X.509 Server Authentication

• SSL/TLS certificate authentication is used in X.509 server authentication to authenticate the MongoDB server. It enhances the security of communication as it ensures that the clients connecting to the server can verify its identity.

4. Use X.509 Client Authentication

• Usage of the X.509 authentication adds an extra layer of security by ensuring that only authorized clients can connect. It requires that clients should present a valid SSL/TLS certificate to authenticate themselves to the MongoDB server.

5. Use X.509 Member Authentication

• In MongoDB sharded clusters need to authenticate every member, X.509 member authentication involves configuring each member with a certificate to authenticate itself within the cluster. This authentication step helps establish trust between cluster members.

6. Restrict Member Source IPs

• In a MongoDB cluster, we can restrict the source IPs from which members can connect. This helps in adding an additional layer of security as it allows only trusted sources to communicate.

7. Use of Role-Based Access Control

• Role Based Access Control (RBAC) involves creating roles with particular permissions and designating user to these roles. By improving the level of access control, it helps in limiting access to database, collections and operations based on user roles.

8. Enable Access and Query Logging

• Monitoring and auditing of database activities is possible through enabling access and query logging. It provides a record of connections, authentication attempts and all the queries that were executed which helps in identifying potential security incidents.

9. Use of Teleport to Secure Access

• Teleport is a modern access management solution which provides secure access to various components,including database.It offers features like identity-based access, session recording, and role-based access control to enhance security when interacting with MongoDB and other systems.
• Integrating Teleport can be beneficial for centralized access control and auditing.These security measures collectively contribute to building a robust defense against unauthorized access, data breaches, and other security threats in a MongoDB environment.

Conclusion

In conclusion, this article explains the need for securing the data stored in databases like MongoDB, how can be secure mongodb from various threats and unauthorized access. You are now able to add a security level to mongodb server by being able to changing the default port, or restricting the listen interface. You now also know how to isolate the mongodb database to improve its security. However you should keep in mind that these measures are a part of a border security strategy. Final security of mongodb includes enabling authentication,implementing SSL/TLS encryption and monitoring database activities.