| Aug 19, 2020


Written by Nagarajan P

How to safeguard your MongoDB Replication Deployment from "BOT" attacks – by enabling authentication

MongoDB Authentication is one of the security features that comes along with both Community and Enterprise edition. In this blog, we will see how to enable this feature on MongoDB Replication nodes and safeguard your data from BOT attacks.

Introduction

More than 4,000 unsecured databases exposed on the public web were recently the target of an automated ‘meow’ attack that destroyed data without any explanation. More than 97% of them were Elasticsearch and MongoDB databases.
One of the ways to secure your database is to ensure you have a proper authentication mechanism in place.
By default, MongoDB has no authentication enabled: anyone who can reach the port can read and write all data. So we have to create users and roles manually. The server itself warns about this at startup:
2020-08-17T05:19:45.763+0000 I CONTROL [initandlisten] ** WARNING: Access control is not enabled for the database.
2020-08-17T05:19:45.763+0000 I CONTROL [initandlisten] ** Read and write access to data and configuration is unrestricted.
2020-08-17T05:19:45.763+0000 I CONTROL [initandlisten]
There are several ways to set up MongoDB authentication. The most common and easiest way is to enable it in the mongod config file.
In this post, I will show you how to enable authentication on a replica set, create a user account, and authenticate with that user when connecting to the replication nodes.
Let us start…

Authentication enabling on MongoDB

Step: 1 – Create & copy keyfile:
First, we need to generate a key file for internal communication between the replication nodes. Replica sets and sharded clusters require internal authentication between members when access control is enabled.

# generate keyfile

$ mkdir /etc/mongodb/
$ cd /etc/mongodb/
$ openssl rand -base64 756 > <path-to-keyfile>
$ chmod 400 <path-to-keyfile>

$ chown mongod:mongod <path-to-keyfile>

Copy this file to all the remaining replica set members, using ssh or scp, at the same location. Ensure that the user running the ‘mongod’ instances owns the keyfile and can read it. Here I am using ‘mongod’ as the owner.
Best practice is to avoid storing the keyfile on storage media that can be easily disconnected from the hardware hosting the mongod instances, such as a USB drive or a network attached storage device.
Step: 2 – Connect MongoDB and create admin user and authenticate
Connect to the mongodb instance locally if the service is running, or start it with the config file and then connect.

mongo --port 27017

Create the admin user with the appropriate role. Here I am creating the user “admin” with the password “password” and the root role. Good practice is to give each user login a strong password combining letters, numbers and special characters.

use admin
db.createUser(
  {
    user: "admin",
    pwd: "password",
    roles: [ { role: "root", db: "admin" } ]
  }
);
db.auth("admin", "password")

Step 3 – Add keyfile, enable authorization, and restart each replication member
In the previous step we created the user and password and verified that the account can authenticate. Now we need to enable authorization in the config file.
Edit the mongodb config file and enable the security section, pointing it at the keyfile we created in Step 1.

# open config file

$ sudo vi /etc/mongod.conf

# Enable Security
.
.
.
security:
  authorization: enabled
  keyFile: /etc/mongodb/mongodb-keyfile

Save the config file and restart the mongodb instance. Make the same change on the remaining secondary nodes as well. With the keyFile in place, the replica set members authenticate to each other for internal communication.

$ sudo systemctl restart mongod

That’s it! Authentication is now enabled. Connect with your user credentials to test it, and create any additional user accounts you need.

mongo hostname:port --authenticationDatabase "admin" -u "user" -p <password>
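As an added example (not code from the original post), the following shell functions carry out the keyfile generation from Step 1 and then verify, on constructed sample files, the two things mongod will check when it restarts in Step 3: that the keyfile has owner-only permissions and holds between 6 and 1024 base64 characters once whitespace is stripped, and that mongod.conf has `authorization: enabled` and a `keyFile` under the top-level `security:` key. It assumes GNU coreutils `stat -c` and either `openssl` or `base64` are available; all file paths and config contents in the demo are constructed, not taken from a real deployment.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes GNU `stat -c` and
# either `openssl` or `base64`. Sample paths and configs are constructed.

# Generate a keyfile of 756 random bytes, base64-encoded (1008 characters,
# under mongod's 1024-character limit), readable only by its owner.
make_keyfile() {
    kf=$1
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -base64 756 > "$kf"
    else
        head -c 756 /dev/urandom | base64 > "$kf"
    fi
    chmod 400 "$kf"
    # On a real node also: chown mongod:mongod "$kf"
}

# Check a keyfile the way mongod judges it at startup:
#  - no group/other permission bits (mode 400 or 600)
#  - after whitespace is stripped, 6..1024 characters from the base64 set
# Returns 0 when valid, 1 otherwise, printing the reason.
check_keyfile() {
    kf=$1
    [ -f "$kf" ] || { echo "keyfile $kf: missing"; return 1; }
    mode=$(stat -c '%a' "$kf")
    case "$mode" in
        400|600) ;;
        *) echo "keyfile $kf: mode $mode grants group/other access"; return 1 ;;
    esac
    key=$(tr -d ' \t\r\n' < "$kf")
    len=${#key}
    if [ "$len" -lt 6 ] || [ "$len" -gt 1024 ]; then
        echo "keyfile $kf: length $len outside 6..1024"; return 1
    fi
    if ! printf '%s' "$key" | grep -Eq '^[A-Za-z0-9+/=]+$'; then
        echo "keyfile $kf: contains non-base64 characters"; return 1
    fi
    return 0
}

# Check that mongod.conf enables authorization and names a keyFile inside
# the top-level `security:` block. Any other top-level YAML key ends the
# block, so the same settings under e.g. `net:` do not count.
# Returns 0 when both settings are present, 1 otherwise.
check_conf() {
    awk '
        /^security:/                                  { insec = 1; next }
        /^[^[:space:]#]/                              { insec = 0 }
        insec && /^[[:space:]]+authorization:[[:space:]]*enabled[[:space:]]*$/ { auth = 1 }
        insec && /^[[:space:]]+keyFile:[[:space:]]*[^[:space:]]/                { key = 1 }
        END { exit (auth && key) ? 0 : 1 }
    ' "$1"
}

# Demo on constructed files in a temporary directory.
demo() {
    tmp=$(mktemp -d)
    make_keyfile "$tmp/mongodb-keyfile"
    check_keyfile "$tmp/mongodb-keyfile" && echo "generated keyfile: OK"

    # A copy left world-readable after scp must be rejected.
    cp "$tmp/mongodb-keyfile" "$tmp/copied-keyfile"
    chmod 644 "$tmp/copied-keyfile"
    check_keyfile "$tmp/copied-keyfile" || echo "copied keyfile: rejected as expected"

    # Constructed mongod.conf carrying the security block from Step 3.
    printf 'storage:\n  dbPath: /var/lib/mongo\nsecurity:\n  authorization: enabled\n  keyFile: %s\n' \
        "$tmp/mongodb-keyfile" > "$tmp/mongod.conf"
    check_conf "$tmp/mongod.conf" && echo "mongod.conf: security block OK"

    # Constructed default config with the security block still commented out.
    printf 'storage:\n  dbPath: /var/lib/mongo\n#security:\n' > "$tmp/default.conf"
    check_conf "$tmp/default.conf" || echo "default.conf: access control NOT enabled"
    rm -rf "$tmp"
}

demo
```

Running the script prints one line per check. `check_keyfile` and `check_conf` can be reused on each replica set member after the keyfile is copied and the config edited, before issuing `systemctl restart mongod`, so a member is not restarted with a keyfile that mongod will refuse to read.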

Conclusion

I hope this guide was useful to you. In this article we have seen how to set up MongoDB Replication with basic security, using the keyfile method for internal authentication between instances. For production deployments, it is recommended to upgrade from the keyfile to X.509 certificate authentication. Stay tuned for my next article for more details.

