
Wednesday, 6 November 2019

Remote Access Restrictions to Secure MongoDB

MongoDB - Remote Access Restrictions

In this tutorial, we explain how to restrict remote connections to a MongoDB server for security reasons. By default, remote access is enabled by the MongoDB configuration, and it is controlled by the "bind_ip" value in the MongoDB configuration file "/etc/mongod.conf".

By default the "bind_ip" value is not set in MongoDB, so any MongoDB client can connect to and access the MongoDB server.

It is highly recommended to restrict these connections for security reasons.

How to Restrict:

We can restrict remote connections to MongoDB according to our requirements. We have divided this configuration into two types.

Type1:-
If you want to block all remote connections to MongoDB, bind your MongoDB server to localhost.

# vi /etc/mongod.conf

# service mongod restart

# netstat -tulpn | grep "mongo"
As you can check in the above screenshot, mongo is bound to localhost and can only be accessed from localhost.

Type2:-
If you want to allow only some particular IPs to connect and block all other IPs, go through the following steps.

# vi /etc/mongod.conf
# service mongod restart
# netstat -tulpn | grep "mongo"
As you can check in the above screenshot, mongo now accepts connections from all mongo clients.
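The screenshots for Type1 and Type2 are not reproduced here, so as an added example (not part of the original post) here is a small shell script that performs the same two checks in a scriptable way: it reads the active bind value out of mongod.conf, and it classifies what mongod is listening on from "netstat -tulpn" output. It assumes the ini-style "bind_ip = ..." key used in this post (the YAML "bindIp:" key of newer mongod.conf files is also accepted) and the column layout of "netstat -tulpn"; the netstat lines below are constructed samples, not output captured from a real host.

```shell
#!/bin/sh
# Added example, not from the original post: verify the bind_ip setting
# from the config file and from the live listener table.
# Assumptions: ini-style "bind_ip = ..." (as in this post) or YAML "bindIp:",
# and the column layout of "netstat -tulpn" (local address is column 4,
# program name is the last column).

# mongo_bind_from_conf < mongod.conf
#   Prints the effective bind value, or UNSET when no active bind_ip/bindIp
#   line exists. Commented-out lines ("# bind_ip = ...") do not count.
mongo_bind_from_conf() {
    val=$(sed -n \
            -e 's/^[[:space:]]*bind_ip[[:space:]]*=[[:space:]]*//p' \
            -e 's/^[[:space:]]*bindIp:[[:space:]]*//p' \
          | sed -e 's/[[:space:]]*#.*$//' -e 's/[[:space:]]*$//' \
          | head -n 1)
    if [ -n "$val" ]; then echo "$val"; else echo UNSET; fi
}

# mongo_exposure "NETSTAT_OUTPUT" PORT
#   Classifies the mongod listener(s) on PORT from "netstat -tulpn" text:
#     local-only      bound to 127.0.0.1 / ::1 only (Type1 above)
#     all-interfaces  bound to 0.0.0.0 / :: (reachable from any client, Type2)
#     restricted      bound to one or more specific addresses
#     none            no mongod listener on that port
mongo_exposure() {
    port="$2"
    status=none
    for addr in $(printf '%s\n' "$1" \
                  | awk -v p="$port" '$NF ~ /mongod/ && $4 ~ (":" p "$") { print $4 }'); do
        host="${addr%:*}"          # drop the ":PORT" suffix
        case "$host" in
            127.0.0.1|::1)
                if [ "$status" = none ]; then status=local-only; fi ;;
            0.0.0.0|::)
                status=all-interfaces ;;
            *)
                if [ "$status" != all-interfaces ]; then status=restricted; fi ;;
        esac
    done
    echo "$status"
}

# Constructed sample output (not captured from a real host) in the layout of
# "netstat -tulpn", as it would look after Type1 and after Type2.
NETSTAT_TYPE1='tcp        0      0 127.0.0.1:27017         0.0.0.0:*               LISTEN      1234/mongod'
NETSTAT_TYPE2='tcp        0      0 0.0.0.0:27017           0.0.0.0:*               LISTEN      1234/mongod
tcp6       0      0 :::27017                :::*                    LISTEN      1234/mongod'

# Demo when run directly: report what each sample shows.
echo "Type1 listener: $(mongo_exposure "$NETSTAT_TYPE1" 27017)"
echo "Type2 listener: $(mongo_exposure "$NETSTAT_TYPE2" 27017)"
echo "Type1 config:   $(printf 'bind_ip = 127.0.0.1   # Type1\n' | mongo_bind_from_conf)"
```

On a real host you would run "netstat -tulpn" (or "ss -tlnp" on newer systems, whose columns differ) and pass its output to mongo_exposure; "all-interfaces" is the state the Type2 steps leave you in, which is why the firewall rules in the next section are required.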

MongoDB Firewall Rules:

Now we need to block all IPs except the required client IPs. This cannot be done with the default features of MongoDB alone, so here we will use iptables rules.

1) Allow required IPs for mongo connection:-
iptables -A INPUT -s X.X.X.X -p tcp --destination-port 27017 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -d X.X.X.X -p tcp --source-port 27017 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -s Y.Y.Y.Y -p tcp --destination-port 27017 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -d Y.Y.Y.Y -p tcp --source-port 27017 -m state --state ESTABLISHED -j ACCEPT

Note: Replace X.X.X.X and Y.Y.Y.Y with the IPs of your trusted hosts (one ACCEPT pair per trusted host), and replace port number "27017" if your mongo is not running on the default port.

2) Drop all other IPs for mongo connection:-
iptables -A INPUT -p tcp --destination-port 27017 -m state --state NEW,ESTABLISHED -j DROP
iptables -A OUTPUT -p tcp --source-port 27017 -m state --state ESTABLISHED -j DROP
# service iptables save
# service iptables restart

Conclusion:
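Because "iptables -A" appends, the ACCEPT pairs from step 1 must be entered before the DROP pair from step 2, and an empty or mistyped address would silently produce a rule that matches nothing. As an added example (not from the original post), the following shell script generates the complete rule set described in steps 1 and 2 for any number of trusted hosts, validates each address first, and prints the rules in the order they must be loaded rather than applying them, so they can be reviewed before being run as root. It assumes the same "-m state" matching and the default port 27017 used in the post; the addresses in the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: build the ordered iptables rule
# set from a list of trusted client IPs. Rules are printed, not applied.
# Assumption: same "-m state" matching and port 27017 default as in the post.

# is_ipv4 ADDR -> returns 0 if ADDR is a dotted-quad with each octet in 0..255
is_ipv4() {
    addr="$1"
    case "$addr" in
        ""|*[!0-9.]*) return 1 ;;      # empty, or contains anything but digits/dots
    esac
    oldifs=$IFS; IFS=.
    set -- $addr                       # split into octets (function-local positional params)
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ -n "$o" ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# mongo_fw_rules PORT IP... -> prints the rule set in load order:
#   one ACCEPT pair per trusted host, then the catch-all DROP pair (step 2).
#   Fails without printing anything if no IPs are given or one is invalid.
mongo_fw_rules() {
    port="$1"; shift
    [ $# -gt 0 ] || { echo "error: no trusted IPs given" >&2; return 1; }
    for ip in "$@"; do
        is_ipv4 "$ip" || { echo "error: invalid IPv4 address '$ip'" >&2; return 1; }
    done
    for ip in "$@"; do
        echo "iptables -A INPUT -s $ip -p tcp --destination-port $port -m state --state NEW,ESTABLISHED -j ACCEPT"
        echo "iptables -A OUTPUT -d $ip -p tcp --source-port $port -m state --state ESTABLISHED -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --destination-port $port -m state --state NEW,ESTABLISHED -j DROP"
    echo "iptables -A OUTPUT -p tcp --source-port $port -m state --state ESTABLISHED -j DROP"
}

# Demo with constructed trusted-host addresses (not real hosts):
mongo_fw_rules 27017 10.0.0.5 192.168.1.20
```

Redirect the output to a file, review it, and then execute it as root followed by "service iptables save" as in step 2. Since all rules are appended, any ACCEPT rule already present earlier in the INPUT chain for port 27017 would still take precedence over the new DROP rule; check "iptables -L INPUT -n --line-numbers" if the restriction does not take effect.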

We can follow the described operations as information security controls to protect our mongo databases against compromises of their confidentiality and integrity. It is highly recommended to restrict remote connectivity of MongoDB to avoid unwanted mongo connections.
I hope this post is helpful to you. I will surely come up with some more related posts.
