Vinyll's blog

( Python, Javascript & Web stuff… )

Securing your MongoDB

Here is the attack that happened to Neomad in May 2017.

The database was cleared out with a message similar to:

harak1r1 … SEND 0.25 BTC TO THIS ADDRESS 13zaxGVjj9MNc2jyvDRhLyYpkCh323MsMq AND CONTACT THIS EMAIL WITH YOUR IP OF YOUR SERVER TO RECOVER YOUR DATABASE !"

(The space before the exclamation point makes me think he's French)

The Neomad project was at an early beta-testing stage, so there was no big data and no users. Still, I had to restore some of the data I had and investigate how to secure it a little more for the next releases.

MongoDB provides documentation on hardening a deployment against exactly this kind of attack.

The key point I noted is not to run the database with a plain mongod but with mongod --auth, which requires authentication for managing the database. Doh!

You should do that when initialising your database.

In short, here are the steps:

  1. Launch your database insecurely (don't ever do this again): mongod
  2. Create the admin user, in the admin database: use admin then db.createUser({user: '<MyAdminUsername>', pwd: '<My4dm1nP455w0rD>', roles: [{role: "userAdminAnyDatabase", db: "admin"}]});
  3. Stop your database: mongod --shutdown
  4. Launch your database securely: mongod --auth
  5. Log in with your credentials: mongo -u "<MyAdminUsername>" -p "<My4dm1nP455w0rD>" --authenticationDatabase "admin"
  6. Create your application's database and its owner: use <MyDBName> then db.createUser({user: '<MyUser>', pwd: '<MyU53rPwd>', roles: [{role: "readWrite", db: "<MyDBName>"}]})
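The six steps above as one script, added here as an example rather than code from the original post. It assumes a Linux host with mongod and the legacy mongo shell on PATH, a writable data directory (DBPATH), and placeholder credentials and database name that must be replaced before use; the --bind_ip 127.0.0.1 flag, the db.getSiblingDB() call and the final unauthenticated check are additions that are not in the post's steps. Binding to loopback while the admin user does not yet exist closes the window in which an open instance can be reached from outside; older mongod releases listened on all interfaces by default.

```shell
#!/bin/sh
# Added example (not from the original post): the hardening steps as one script.
# Assumptions: mongod and the legacy `mongo` shell are on PATH, DBPATH is writable,
# and the user names, passwords and database name below are placeholders.
set -eu

DBPATH="${DBPATH:-/var/lib/mongodb}"                 # assumption: data directory
LOGPATH="${LOGPATH:-/var/log/mongodb/hardening.log}" # assumption: log file
ADMIN_USER="${ADMIN_USER:-MyAdminUsername}"
ADMIN_PWD="${ADMIN_PWD:-My4dm1nP455w0rD}"
APP_DB="${APP_DB:-MyDBName}"
APP_USER="${APP_USER:-MyUser}"
APP_PWD="${APP_PWD:-MyU53rPwd}"

# Build the createUser() call for the mongo shell. getSiblingDB() is used instead
# of `use <db>` because `use` is shell-only syntax that does not work under --eval.
# $1 = database the user lives in, $2 = user, $3 = password, $4 = role, $5 = role's db
create_user_js() {
  printf "db.getSiblingDB('%s').createUser({user: '%s', pwd: '%s', roles: [{role: '%s', db: '%s'}]})" \
    "$1" "$2" "$3" "$4" "$5"
}

# Step 1: the only unauthenticated start, bound to loopback so nothing outside
# the host can reach the database before the admin user exists.
start_insecure() {
  mongod --dbpath "$DBPATH" --logpath "$LOGPATH" --fork --bind_ip 127.0.0.1
}

# Step 2: create the admin user in the admin database.
create_admin() {
  mongo --quiet --eval "$(create_user_js admin "$ADMIN_USER" "$ADMIN_PWD" userAdminAnyDatabase admin)"
}

# Step 3: stop, then step 4: restart with authentication enforced.
restart_secure() {
  mongod --dbpath "$DBPATH" --shutdown
  mongod --dbpath "$DBPATH" --logpath "$LOGPATH" --fork --bind_ip 127.0.0.1 --auth
}

# Steps 5 and 6: log in as the admin and create the application's own user.
create_app_user() {
  mongo --quiet -u "$ADMIN_USER" -p "$ADMIN_PWD" --authenticationDatabase admin \
    --eval "$(create_user_js "$APP_DB" "$APP_USER" "$APP_PWD" readWrite "$APP_DB")"
}

# Check: an unauthenticated client must now be refused. Returns 0 when --auth holds.
verify_auth_required() {
  if mongo --quiet --eval 'db.adminCommand("listDatabases")' 2>&1 | grep -q "not authorized"; then
    return 0
  fi
  return 1
}

harden() {
  start_insecure
  create_admin
  restart_secure
  create_app_user
  verify_auth_required && echo "auth enforced: unauthenticated listDatabases refused"
}

# Only run the procedure when invoked with "run" and a mongod is available,
# so that sourcing this file for its functions starts nothing.
if [ "${1:-}" = "run" ] && command -v mongod >/dev/null 2>&1; then
  harden
fi
```

Run it as `sh harden_mongo.sh run`. The last step is the check worth keeping around after any restart or upgrade: if an unauthenticated listDatabases is not refused with "not authorized", --auth is not actually in effect, whatever the service file says.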

You could also move the listener off the default port 27017 to something less predictable.

By vinyll on May 11, 2017
