In the beginning of the year, lots of MongoDB databases were hacked. This also included my database. Yesterday I noticed my brand new database with authorization enabled was hacked as well. The username and password is very secure (16+ characters password with random characters and symbols).
I've now decided to fully secure it, but I honestly don't know where to proceed. I already have:
security:
authorization: enabled
and that should be enough (after sudo service mongod restart). I only have 1 database and no admin user, but anonymous access from a remote connection is still allowed. I keep reading many places, that I should run mongod like mongod --auth, but that it's the same as enabling authorization as I've done above.
At this point I'm struggling to disable anonymous authentication on the server. What did I miss? Why can I authenticate without an account?
To enable security you'll want to follow the Security Checklist on the MongoDB Website.
Here you are provided with role based authorization and authentication instructions. It's also advised you disable listening to all ethernet interfaces and bind your MongoDB ports to the interfaces you'd like exposed.
For a guide to network hardening, you will want to review these instructions, but the most important aspect is to avoid unwanted network exposure. Consider using a firewall or security groups (if in cloud).
Related
After reviewing several MongoDB official documents (see list at the bottom) I understand that MongoDB security in communications (as in community version 4.2) works as follows:
For internal communication authentication (i.e. between the members of a replica set or between mongos and the replica sets which implement the different shards) there are two mechanisms available:
shared keyfile (--keyFile)
x.509 certificates
For internal communication encryption, SSL/TLS is the only possibility. In other words, shared keyfile (--keyFile) provides only authentication, but if you want encryption you need to use SSL/TLS alternative. Using SSL/TLS requires to use x.509 certificates also (so, we can say that encryption also provides authentication)
For client to MongoDB communications (either standalone, replica set or mongos in a shard cluster):
there isn't keyfile option
the only way to secure communication (which provides both authentication and encryption) is SSL/TLS with x.509 certificates
I'd like just to confirm my understanding, as the documentation I have browsed is a little "disperse" and I'm not sure if I have got the point. Any feedback, comment, extra info or documentation pointers is really welcome!
PD: the statement which I'm most unsure is this one: "shared keyfile (--keyFile) provides only authentication, but if you want encryption you need to use SSL/TLS alternative"
References checked:
https://docs.mongodb.com/manual/tutorial/configure-ssl
https://docs.mongodb.com/manual/tutorial/configure-ssl-clients/
https://docs.mongodb.com/manual/core/security-internal-authentication
For client to MongoDB communications (either standalone, replica set or mongos in a shard cluster) there are several authentication methods:
No authentication
Internal authentication with username/password
Kerberos Authentication
LDAP Proxy Authentication
LDAP Authentication
Note, you can always connect to MongoDB database, even without an account. However, you are not permitted to execute any command unless you are authenticated.
Here is my scenario - I have a webapp and mongodb running on same host. And I have not enabled authorization in mongod.conf. So, my webapp, connects to mongodb with out any authentication. Now I want to provide access to mongodb for certain group of people who will connect from outside. Since, connections will be made from outside, I need to enable authentication. But, if I enable authentication webapp will not be able to connect to mongodb(which assumes mongodb is running on localhost and it does not require authentication). I do not want to change webapp to connect to mongodb with authentication. So, I want to disable authentication only for connections from localhost. Is it possible?
No, it's not possible from Mongo 3.0 version
The only case where localhost authentication bypass occurs is when there are no configured users, with enableLocalhostAuthBypass parameter (Enabled by default).
Your scenario can only be solved by creating multiple roles / users with different privileges
I'm trying to apply security best practices to an AWS RDS postgresql instance, but Amazon seems to have gone out of its way to prevent some fairly common and routine features around authentication. I don't seem to be able to authenticate against any external source, which sucks, since now I have to maintain db users completely separately from normal user management. But it seems that, despite the fact that I can use SSL to connect, none of the functionality that might actually validate a client's cert against the server's CA is accessible in RDS. Is this true? It seems like the easiest thing in the world to have amazon sign certs with it CA and then validate those certs against that CA when connections are established, yet I cannot find any mention of how to do it in the documentation or out on the web. Am I really confined ONLY to password authentication of db-internal users? This is almost hard to believe, but after days of research, is the only conclusion I have been able to support.
We have a recently sharded mongodb cluster. Before sharding, for read-only access, all users used to connect to one of the secondaries. We need a similar read-only access now when users connect to 'mongos' (after sharding). One option is to enable authentication and add user user roles. But that will mean changing java code on some app module which connect to the mongos using the java connector.
Is there a way to obtain read-only access without enabling authentication ?
You can only create read-only roles by enabling authentication. If you do not want to enable authentication, your human users have to specify their read preference explicitly when connecting. As they may forget this, I would advise you enable authentication. It will allow you more granular access in the future and will allow users to continue the data when the secondary servers are down (e.g. maintenance).
I am looking for a single sign on approach for an ODBC connection to a Postgres database.
The plan is to login to a web application and then use a a single sign on scheme such as oauth or CAS to automatically login to a client application.
The client application does not verify the credentials itself, but uses them via ODBC to connect to the Postgres database server. Unlike web applications we cannot use a single databaes user here, but need individual database accounts for security reasons.
In theory Postgres does support PAM and PAM supports both CAS and oauth. But I was not able to find any documentation on that. Especially the part of how to specify the token in ODBC is unclear to me.
With PAM auth, keep in mind that this is a broad field and books could be written about it. I do something similar to what you do though and can answer the part about ODBC. The following provides a walkthrough for a related service you may find helpful:
http://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-secure-postgresql-using-two-factor-authentication-from-wikid
The big thing to remember is that with PAM the password provided is passed on to the PAM module, so you have to pass in the username and password. This gets sent to PAM as if the user was logging on to the system. Beyond that it's up to you to configure PAM appropriately for your service.