MongoDB 3.2 – Hardening and User Access Control

MongoDB has been in the news for being one of the most insecure NoSQL database products. By default it is insecure, with no security measures in place at all. Oracle and most other database software ship with a default admin user and do not allow an unauthenticated user to log in to the database. MongoDB, however, allows anyone to log in to the system on port 27017. Unless, of course, you lock it down 🙂

The MongoDB documentation has all the information you need to lock it down. Once you start MongoDB with the --auth parameter, the system is effectively locked down. Recently I had the job of securing a MongoDB cluster. One of the more difficult tasks is applying RBAC policies to your environment, as you will need to understand which applications and users access your MongoDB cluster.

My tips on securing your MongoDB cluster.

  1. Enable TLS for all MongoDB components (mongos, config servers and shard servers).
  2. Encrypt the drives that store MongoDB data.
  3. Use the x.509 authentication mechanism.
  4. Disable the TLS 1.0 and TLS 1.1 protocols.
  5. Set the sslMode parameter to requireSSL.
  6. Use mutual TLS authentication to authenticate your applications too.
  7. Don't use a self-signed certificate; get one from a public CA.
  8. Create a superuser with the root and backup roles (this will be your "oracle" user, in Oracle DB terms).
  9. Create a local superuser with the root, __system and backup roles on each sharded replica set. This user will be required for shard maintenance.

Things you should know about TLS

  1. Remove unnecessary parameters (CAFile, clusterFile) from your configuration file, or mongod will hit errors while parsing them. Don't even put them in the configuration file with an empty string value.
  2. MongoDB automatically enables authorization when you enable TLS, so remember to create your users before that! (link)
  3. MongoDB does not have a parameter for choosing which cipher suites to use.
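Putting the TLS tips above together, this is an added example of a mongod.conf for 3.2 (not the author's configuration); the certificate paths and port are assumptions, and clusterFile is left out on purpose per TLS note 1:

```yaml
# mongod.conf (added example, not the author's file; paths are placeholders)
net:
  port: 27017
  ssl:
    mode: requireSSL                          # tip 5: plaintext connections are refused
    PEMKeyFile: /etc/ssl/mongodb/server.pem   # server certificate + key from a public CA (tip 7)
    CAFile: /etc/ssl/mongodb/ca.pem           # CA used to verify client and member certificates (tips 3 and 6)
    disabledProtocols: TLS1_0,TLS1_1          # tip 4: only TLS 1.2 remains
    # clusterFile is deliberately absent: omit it rather than set it to "" (TLS note 1);
    # members then present PEMKeyFile to each other
security:
  authorization: enabled                      # create your users before enabling this (TLS note 2)
  clusterAuthMode: x509                       # tip 3: replica set / shard members authenticate with certificates
```

Each component (mongos, config servers, shard servers) needs an equivalent file with its own PEMKeyFile, as tip 1 requires.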

Once you enable TLS, you will need to work with the authentication mechanisms in MongoDB. The tips below will be helpful.

When you are only using TLS but not client authentication

Create a superuser via mongos

use admin
db.createUser( { user: "superuser", pwd: "password", roles: ["root", "backup"] }, { w:"majority", wtimeout: 5000} )

Create a role via mongos

use admin
// pick a role name that does not collide with a built-in role such as readWrite
db.createRole( { role: "appFindInsert", privileges: [ { resource: { db: "database_name", collection: "collection_name" }, actions: ["find", "insert"] } ], roles: [ ] }, { w: "majority" } )

How to login to the MongoDB cluster via mongos

# mongo 10.1.64.11:27017/admin --authenticationDatabase admin
mongo> db.auth("username","password")

When you are using both TLS and client authentication

Create a superuser via mongos

db.getSiblingDB("$external").runCommand(
  {
    createUser: "CN=superuser,OU=Test ,O=Test,L=UK,ST=London,C=UK",
    roles: [
      { role: "root", db: "admin" },
      { role: "backup", db: "admin" },
      { role: "__system", db: "admin" }
    ],
    writeConcern: { w: "majority", wtimeout: 5000 }
  }
)

Create a role via mongos

use admin
// pick a role name that does not collide with a built-in role such as readWrite
db.createRole( { role: "appFindInsert", privileges: [ { resource: { db: "database_name", collection: "collection_name" }, actions: ["find", "insert"] } ], roles: [ ] }, { w: "majority" } )

How to login to the MongoDB cluster via mongos

db.getSiblingDB("$external").auth(
  {
    mechanism: "MONGODB-X509",
    user: "CN=superuser,OU=Test ,O=Test,L=UK,ST=London,C=UK"
  }
)

How to list all your mutual TLS authentication users

db.getSiblingDB("$external").runCommand( { usersInfo: 1 } )

Hope this helps!

Regards,
Wei Shan
