Database Security: Important security 10 tips for MongoDB

Overview

MongoDB is one of the growing & most adaptive cross-platform document-oriented database program solutions in the market. And, it is a widely used alternative to Relation database. As the popularity of MongoDB going up, The more it is prone to the attackers. In general, Hackers target most used software because in one go they can target multiple organizations with less effort.

Common Database Security modules: At the high level, Database Security professionals check following practices & process:

  • Access control
  • Auditing
  • Authentication
  • Encryption
  • Backups
  • Keep tracking database activities. Auditing.

NOTE: There are many practices to secure the database & each section listed above needs to have a process around. If there isn’t any process around each of them then it would be really hard to investigate the issue when an incident/data breach happens. 

MongoDB Security Top 10 Security guidelines to follow:

1 Enable SSL: Enable security authentication in MongoDB configuration file (mongod.conf)

2 – Strong Password: Do not put Weak password because MongoDB does not provide lockout solution & hackers can try to figure it out the password in many attempts.

3 – Roles based access: Authorize user by the roles. Do not make everyone admin & keep admin access secure & do not share with everyone.

4 User access control: Check excessive privileges given to users. And, check what role a user has & what access should be given to the user.

5 – Secure Replica Set: Add replication key file (MongoDB-key file). This will make sure only who has a replica key can join replica set & also encrypt the transaction between replica sets.

6Regular Backup: Make backup regularly. Keep an updated copy of the data in backup storage.

7Avoid default Configuration: Avoid using standard ports to run MongoDB server in production. Hackers generally scan the servers with standard ports.

8Disable public access: Opening MongoDB host to the public isn’t a good practice. if your application & MongoDB instance running on the same instance, then disable public access to that machine.

9 Avoid default MongoDB Ports: Firewall rules are enabled on MongoDB server & scanning of MongoDB ports are not permitted.

10Do the security Testing: Run the penetration testing & use tools like NMAP & Telnet to check the connection to your MongoDB server

Reference

https://docs.mongodb.com/manual/administration/security-checklist/

Advertisements


Categories: Cyber Security, Database security, MongDB security, NOSQL DB security, unstructured database security

Tags: , , , ,

1 reply

Trackbacks

  1. Secure development: How to use third-party javascript securely – Cyber Security: Awareness is the key

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.