I'm looking for "Security Best Practices" for a MongoDB server, apart from "general" server security best practices. Could you point me to useful resources?
What basically needs to be done is:

1. Enable authentication

   Open the mongoDB shell:

   use admin
   db.addUser("admin","adminpassword")

   (IMPORTANT: you will need an admin user before you enable authentication, or else you will lose access to data.)

   Now edit the mongodb config file:

   sudo vi /etc/mongodb.conf

   and uncomment auth=true. Save it and restart MongoDB:

   sudo service mongodb restart

2. Bind mongoDB to a trusted network or machine

   Edit the mongoDB config file and add bind_ip = 127.0.0.1
   or a comma-separated list of IPs that will be able to connect to mongoDB. Then restart.

For more information you can find a guide to do these on my website here.
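The two settings in the steps above (auth and bind_ip) are easy to get wrong quietly: a commented-out `#auth = true` or a `bind_ip = 0.0.0.0` looks hardened at a glance but is not. The following audit script is an added example, not the answerer's code or anything from their site. It parses the legacy key=value `mongodb.conf` format the answer uses (newer mongod releases use a YAML file with `security.authorization` and `net.bindIp` instead, which this script does not cover) and reports findings for both settings. The two configs embedded in it are constructed samples.

```python
"""Audit a legacy key=value mongodb.conf for the two hardening settings
discussed above: auth=true and bind_ip restricted to trusted addresses.

Added example; the sample configs below are constructed, not from a real host.
"""
import ipaddress

# Constructed sample: auth commented out, bind_ip absent (listens everywhere).
WEAK_CONF = """\
# mongodb.conf
dbpath=/var/lib/mongodb
logpath=/var/log/mongodb/mongodb.log
#auth = true
"""

# Constructed sample: auth on, bound to loopback plus one trusted peer.
HARDENED_CONF = """\
dbpath=/var/lib/mongodb
auth = true
bind_ip = 127.0.0.1, 10.0.0.5
"""


def parse_conf(text):
    """Return {key: value} for every uncommented key=value line."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def audit_conf(text):
    """Return a list of findings; an empty list means both checks pass."""
    s = parse_conf(text)
    findings = []

    # Check 1: authentication must be explicitly enabled.
    if s.get("auth", "false").lower() != "true":
        findings.append("auth is not enabled: any client that can reach the port "
                        "has full access to every database")

    # Check 2: bind_ip must be present and must not bind all interfaces.
    bind = s.get("bind_ip")
    if bind is None:
        findings.append("bind_ip is not set: mongod listens on all interfaces")
    else:
        for addr in (a.strip() for a in bind.split(",")):
            try:
                ip = ipaddress.ip_address(addr)
            except ValueError:
                findings.append(f"bind_ip contains a non-address value {addr!r}")
                continue
            if ip.is_unspecified:  # 0.0.0.0 or :: binds every interface
                findings.append(f"bind_ip {addr} binds every interface; "
                                "use a specific trusted address")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_conf(conf) or "OK")
```

Run it against a real file with `audit_conf(open("/etc/mongodb.conf").read())`; the checks are deliberately strict, so a missing `bind_ip` is reported rather than assumed to default to loopback.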
Security concerns are always specific to an application. It's really not possible to fully answer this question in a general way.
Oftentimes applications that rely upon a NoSQL database will be susceptible to OWASP A4 - Insecure Direct Object Reference. It should be noted that the _id
value isn't a cryptographic nonce; this value is heavily dependent on a timestamp and therefore it's pretty easy for an attacker to guess these values.
Another common problem is CWE-602 - Client-Side Enforcement of Server-Side Security. The client is never to be trusted and if they are interacting with the database directly then they own the database, period.
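To make the two points above concrete, here is an added example (not the answerer's code). The first part decodes the 4-byte big-endian creation timestamp that leads every 12-byte ObjectId, showing why `_id` values issued close together share most of their bytes and must not be treated as secrets. The second part shows the server-side fix for the IDOR: the lookup filters on the authenticated user's ownership as well as the `_id`, so a guessed id that belongs to someone else simply returns nothing. The in-memory dictionary standing in for a collection, the `new_objectid` generator (which only mimics the byte layout, not any driver's implementation) and all ids and users are constructed.

```python
"""Added example: why ObjectIds are guessable, and how to check ownership
server-side so a guessed _id yields nothing. All data below is constructed."""
import struct
import datetime


def objectid_timestamp(oid_hex):
    """Decode the creation time embedded in a 24-hex-char ObjectId.

    Layout: 4-byte big-endian seconds since the Unix epoch, then 8 bytes of
    process-specific value and an incrementing counter.
    """
    raw = bytes.fromhex(oid_hex)
    if len(raw) != 12:
        raise ValueError("ObjectId must be exactly 12 bytes")
    secs, = struct.unpack(">I", raw[:4])
    return datetime.datetime.fromtimestamp(secs, datetime.timezone.utc)


def new_objectid(epoch_secs, process_tag, counter):
    """Constructed generator that mimics the ObjectId byte layout only."""
    if len(process_tag) != 5:
        raise ValueError("process tag must be 5 bytes")
    return (struct.pack(">I", epoch_secs) + process_tag
            + struct.pack(">I", counter)[1:]).hex()


def differing_bytes(oid_a, oid_b):
    """Count byte positions where two ObjectIds differ (illustrates predictability)."""
    a, b = bytes.fromhex(oid_a), bytes.fromhex(oid_b)
    return sum(1 for x, y in zip(a, b) if x != y)


# Constructed "collection": two documents created one counter tick apart.
_TAG = b"\x01\x02\x03\x04\x05"
ID_ALICE = new_objectid(1700000000, _TAG, 1)
ID_BOB = new_objectid(1700000000, _TAG, 2)
DOCS = {
    ID_ALICE: {"owner": "alice", "body": "alice's private note"},
    ID_BOB: {"owner": "bob", "body": "bob's private note"},
}


def find_document_insecure(collection, doc_id):
    """IDOR pattern: trusts the client-supplied _id alone."""
    return collection.get(doc_id)


def find_document_for_user(collection, doc_id, current_user):
    """Fixed pattern: ownership is part of the query, equivalent to
    db.notes.findOne({_id: id, owner: current_user}) on a real server.
    current_user must come from the server's session, never from the request."""
    doc = collection.get(doc_id)
    if doc is None or doc["owner"] != current_user:
        return None
    return doc


if __name__ == "__main__":
    print("created:", objectid_timestamp(ID_ALICE))
    print("bytes differing between neighbouring ids:",
          differing_bytes(ID_ALICE, ID_BOB))
    print("bob guessing alice's id, insecure:", find_document_insecure(DOCS, ID_ALICE))
    print("bob guessing alice's id, fixed:", find_document_for_user(DOCS, ID_ALICE, "bob"))
```

The design point is that the authorization check lives inside the query itself rather than in a separate step after the fetch, so there is no code path that returns a document the caller is not entitled to; a per-document `owner` (or tenant) field is what makes that possible.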