MongoDB is one of the fastest-growing and most widely adopted cross-platform, document-oriented database programs on the market, and it is a widely used alternative to relational databases. As MongoDB's popularity rises, it becomes a more attractive target for attackers. In general, attackers focus on the most widely used software because a single technique can then be used against many organizations with little effort.
Common database security modules: At a high level, database security professionals check the following practices and processes:
- Access control
- Tracking database activity (auditing)
NOTE: There are many practices for securing a database, and each area listed above needs a process around it. Without a process for each of them, it is very hard to investigate the issue when an incident or data breach happens.
MongoDB Security: Top 10 security guidelines to follow:
1 – Enable SSL/TLS: Enable TLS for connections and enable security authentication in the MongoDB configuration file (mongod.conf).
2 – Strong passwords: Do not use weak passwords. MongoDB does not provide an account-lockout mechanism, so attackers can keep guessing the password over many attempts.
3 – Role-based access: Authorize users by role. Do not make everyone an admin; keep admin access restricted and do not share it with everyone.
4 – User access control: Check for excessive privileges granted to users. Review what role each user has and what access that user should actually be given.
5 – Secure replica sets: Add a replication key file (MongoDB keyfile). This ensures that only members holding the key can join the replica set, and it also encrypts traffic between replica set members.
6 – Regular backups: Take backups regularly and keep an up-to-date copy of the data in backup storage.
7 – Avoid default configuration: Avoid running the MongoDB server on the standard port in production. Attackers generally scan servers for the standard ports.
8 – Disable public access: Exposing the MongoDB host to the public is not good practice. If your application and MongoDB instance run on the same machine, disable public access to that machine.
9 – Avoid default MongoDB ports: Ensure firewall rules are enabled on the MongoDB server so that scanning of MongoDB ports is not permitted.
10 – Do security testing: Run penetration tests and use tools like Nmap and Telnet to check the connection to your MongoDB server.
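As an added example (not part of the original post), here is a mongod.conf that shows the hardened value for guidelines 1, 3, 5, 7 and 8 and the auditing point above, with the MongoDB default or common weak value noted beside each. The certificate, keyfile and log paths, the 10.0.0.5 address and the replica set name are placeholders.

```yaml
# Hardened mongod.conf (YAML). Live values are the hardened ones; the comment on
# each line gives the MongoDB default or the common weak setting it replaces.
# File paths, the 10.0.0.5 address and the replica set name are placeholders.

net:
  port: 27217                     # default: 27017, the port scanners probe first (guideline 7)
  bindIp: 127.0.0.1,10.0.0.5      # weak: 0.0.0.0 listens on every interface, public ones included (guideline 8)
  tls:
    mode: requireTLS              # weak: disabled, i.e. plaintext wire protocol (guideline 1)
    certificateKeyFile: /etc/ssl/mongodb.pem   # placeholder: server certificate + private key, PEM
    CAFile: /etc/ssl/ca.pem                    # placeholder: CA that signed client and member certificates

security:
  authorization: enabled          # weak: disabled; any connected client can read/write every database (guidelines 1, 3)
  keyFile: /etc/mongodb/keyfile   # guideline 5; placeholder path. 6-1024 base64 characters, owned by the
                                  # mongod user, no group/world permissions (e.g. 0400) or mongod refuses to start.
  # Caveat: keyFile is internal *authentication* (only holders of the key may join the
  # replica set). Encryption of member-to-member traffic comes from net.tls above.
  # clusterAuthMode: x509         # alternative to keyFile once every member has its own certificate

setParameter:
  enableLocalhostAuthBypass: false   # default true: unauthenticated localhost access until the first user exists

replication:
  replSetName: rs0                # placeholder name; security.keyFile is only used by replica set / sharded members

# Auditing (the "tracking database activity" module above). MongoDB Enterprise only;
# Community Edition has no auditLog section.
# auditLog:
#   destination: file
#   format: JSON
#   path: /var/log/mongodb/audit.json   # placeholder
```

Load it with `mongod --config /etc/mongod.conf` (path placeholder); the Nmap and Telnet check from guideline 10 should then show only the chosen port on the private address, and unauthenticated connections should be rejected.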