MongoDB
Source: https://blog.sqreen.com/top-10-security-best-practices-for-mongodb/
The following default configuration settings should be changed in your installation of MongoDB. This guide is targeted toward the free version of MongoDB. Note that the enterprise edition allows for further security configuration, such as at-rest encryption.
1) Create an administrative user and enable access control.
MongoDB infamously does not enable access control by default. There is, however, extensive documentation on how to enable it. This step is absolutely crucial for any program using MongoDB that is remotely public-facing, as otherwise any machine that can reach the port can connect to that program's MongoDB instance without credentials.
2) Configure TLS/SSL.
MongoDB does not have Transport Layer Security (TLS) enabled by default, so both queries to the database and the data returned are sent in plaintext. Unsecured connections like this allow for man-in-the-middle attacks and are considered bad practice, even on a completely restricted network. To enable TLS on MongoDB, a TLS library such as OpenSSL must be installed on the system. In the `/etc/mongod.conf` configuration file, add the parameters `net.tls.mode` and `net.tls.certificateKeyFile` as follows:

```yaml
net:
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem
```

Note that `allowTLS` and `preferTLS` also work for the `net.tls.mode` parameter, but they make encrypted connections optional rather than compulsory.

3) Restrict network listening to localhost.
Starting with MongoDB 3.6, network listening is restricted to `localhost` by default. Older versions of the software leave the network completely exposed. The following console command will bind MongoDB to localhost:

```shell
$ mongod --bind_ip localhost
```
4) Disable JavaScript execution.
MongoDB operations such as `$where` and `mapReduce` allow JavaScript expressions to be executed on the server. Unless your program uses this functionality, it should be disabled to prevent injection vulnerabilities (server-side JavaScript injection, the NoSQL counterpart of SQL injection). This can be done by opening the `/etc/mongod.conf` configuration file and adding the following line under the `security:` section:

```yaml
security:
  javascriptEnabled: false
```
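To turn items 1 to 4 into something checkable, here is an added Python example (not code from the original post or from MongoDB) that audits a `mongod.conf` for the recommended settings. It assumes the MongoDB 4.2 and later option names (`net.tls.*`; older releases spell the same options `net.ssl.*`), that access control is switched on with `security.authorization: enabled` and the bind address with `net.bindIp`, and it parses only the nested key/value subset of YAML that `mongod.conf` normally uses. The two configurations it audits are constructed samples embedded in the script.

```python
"""Audit a mongod.conf (YAML) for the hardening settings in items 1 to 4.

Added example, not from the original post. It assumes the MongoDB 4.2+
option names (net.tls.* rather than the older net.ssl.*) and handles only
the nested key/value subset of YAML that mongod.conf normally uses
(no lists, no multi-line values). Both configs below are constructed samples.
"""

# Constructed sample: a mostly-default mongod.conf that listens on every interface
DEFAULT_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed sample: the settings recommended in items 1 to 4
HARDENED_CONF = """\
net:
  port: 27017
  bindIp: localhost
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem
security:
  authorization: enabled
  javascriptEnabled: false
"""

LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def parse_simple_yaml(text):
    """Parse indented `key: value` lines into nested dicts (YAML subset)."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping) pairs for the current nesting
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and trailing space
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        value = value.strip().strip("\"'")
        while indent <= stack[-1][0]:  # close mappings deeper than this line
            stack.pop()
        parent = stack[-1][1]
        if value == "":  # a key with no value opens a nested mapping
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def lookup(cfg, dotted):
    """Return the value at a dotted path such as net.tls.mode, or None."""
    node = cfg
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def audit(conf_text):
    """Return a list of findings; an empty list means every check passed."""
    cfg = parse_simple_yaml(conf_text)
    findings = []

    # 1) access control
    if lookup(cfg, "security.authorization") != "enabled":
        findings.append("security.authorization is not 'enabled': clients can connect without credentials")

    # 2) transport encryption: only requireTLS makes it compulsory
    mode = lookup(cfg, "net.tls.mode")
    if mode != "requireTLS":
        findings.append(f"net.tls.mode is {mode!r}: allowTLS, preferTLS or unset still permits plaintext connections")

    # 3) network exposure
    if lookup(cfg, "net.bindIpAll") == "true":
        findings.append("net.bindIpAll is true: mongod listens on every interface")
    bind = lookup(cfg, "net.bindIp")
    if bind is None:
        findings.append("net.bindIp is unset: localhost-only is the default only from MongoDB 3.6 onward")
    else:
        exposed = [a.strip() for a in bind.split(",") if a.strip() not in LOOPBACK]
        if exposed:
            findings.append("net.bindIp exposes non-loopback address(es): " + ", ".join(exposed))

    # 4) server-side JavaScript
    if lookup(cfg, "security.javascriptEnabled") != "false":
        findings.append("security.javascriptEnabled is not false: $where and mapReduce can run JavaScript on the server")

    return findings


if __name__ == "__main__":
    for name, conf in (("default", DEFAULT_CONF), ("hardened", HARDENED_CONF)):
        result = audit(conf)
        print(f"{name}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

Run it against a real `/etc/mongod.conf` by reading the file and passing its text to `audit()`; the default sample produces four findings and the hardened sample none. The parser is deliberately minimal, so a config that uses YAML lists or flow syntax should be loaded with a full YAML library instead.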
5) Change the default database.
Whenever the mongo shell is launched, it connects to a database by default, and any subsequent commands are performed on that database. On a fresh installation of MongoDB, this is the `test` database. To prevent unwanted operations, add the following line to the `.mongorc.js` file, where `my_database` is the name of your preferred default database:

```javascript
db = db.getSiblingDB("my_database")
```

This can be verified by relaunching the mongo shell and running the `db` command, which displays the current database connection:

```
> db
my_database
```