How to secure MongoDB – because it isn't by default and thousands of DBs are being hacked
Stop right now and make sure you've configured it correctly
The rise in ransomware attacks on MongoDB installations prompted the database maker last week to issue advice on how to avoid being victimized.
As of Sunday, security researcher and Microsoft developer Niall Merrigan identified more than 27,000 MongoDB databases seized by ransomware. By Tuesday afternoon Pacific Time, an online spreadsheet maintained by Merrigan and fellow security researcher Victor Gevers listed 32,643 victims.
The attacks involve hackers who copy data from insecure databases, delete the original, and ask for a ransom of a few hundred dollars worth of Bitcoin to return the stolen data back to the owner.
Where MySQL, PostgreSQL, and other relational databases tend to default to local installation and some form of authorization, MongoDB databases are exposed to the internet by default, and don't require credentials immediately by default.
Veracode CTO Chris Wysopal in a Twitter post argues that software should be secure as soon as it is installed. "Why isn't the MongoDB security checklist the default?" he said. "Software with insecure default configuration is broken."
Infosec bod Gevers, in an interview conducted through Twitter direct messages, said he has criticized MongoDB in the past but insisted that the database owner has to take responsibility for software configuration. It is, he said, "the responsibility of the owner to use it right."
Gevers said he believed the growth in poorly configured MongoDB installations was a reflection of time-to-market pressures. "People are happy to follow a tutorial to install a server, but have no idea what they are doing," he said. He also laid some blame on DevOps automation, which makes it trivial to spin up remote servers without necessarily securing them properly.
The security researcher advises following MongoDB's security recommendations, or at the very least blocking port 27017 on your firewall or configuring MongoDB to listen only to 127.0.0.1 in
/etc/mongodb.conf, and then restarting the database.
A spokesperson for New York City-headquartered MongoDB, in an email interview, insisted that MongoDB is not less secure than relational databases like MySQL and PostgresSQL, and pointed to the company's list of security best practices.
"MongoDB has the robust security capabilities that one would expect from a modern database," the spokesperson said. "It is the nature of database software that administrators can switch certain options on and off. This is not specific to MongoDB, and it is important for the way many applications may be developed."
Citing the importance of being open-source software, the spokesperson stressed that the company is committed to the community and its contributions.
"Being open-source also means that anyone can download the product and deploy it however they want," the spokesperson added. "Ultimately, database security comes down to two things: well made software and responsible use. For example, with MongoDB Atlas, our production-ready managed database as a service, access control is enabled by default. Users of MongoDB Cloud Manager or Ops Manager can enable alerts to detect if their deployment is internet exposed." ®