How to Secure MongoDB

MongoDB is one of the top open-source databases for enterprises attempting to build scalable applications. However, like all databases, it’s not without its vulnerabilities.

Recently, Comparitech found that hackers targeted an unsecured MongoDB database 20 times per day. The high volume of attacks is alarming because it only takes one breach for a cybercriminal to delete, encrypt, or steal your private data.

To help you protect your data from cybercriminals, we’re going to look at how to secure MongoDB, including best practices to follow and some key monitoring tools to deploy.

Here are the top three MongoDB monitoring tools:

  1. SolarWinds Database Performance Monitor (FREE TRIAL) SaaS-based database monitoring tool with automated profile analysis, recommendations alerts, and more.
  2. Datadog Cloud monitoring software with real-time MongoDB monitoring, graphs, charts, anomaly detection, alerts, and more.
  3. MongoDB Cloud Manager Hosted management platform with MongoDB monitoring, visualizations, TLS encryption, alerts, and more.

How Do MongoDB Hacks Happen?


Hacking into an unconfigured MongoDB database is very easy. A cybercriminal can use online search engines to discover databases without user authentication and then break into them to steal the data. An example of this occurred earlier this year when a single hacker breached over 23,000 unsecured MongoDB databases by using an automated script to crawl the web for misconfigured MongoDB instances.

The cybercriminal broke into the victim’s systems, deleted the stored data, and left a ransom note demanding a bitcoin payment to restore access. The attack could have been avoided if the victims had configured user authentication.

MongoDB Security Best Practices

Making sure that MongoDB is configured properly and implementing a handful of key security best practices goes a long way toward preventing data breaches from taking place. In this section, we’re going to look at some best practices you can use to stop hackers in their tracks:

1. Encrypt your data at rest

MongoDB Enterprise 3.2 and later includes native encryption at rest as a feature of the WiredTiger storage engine. With it enabled, the data files on disk cannot be read by anyone who does not hold the decryption key needed to turn the protected data back into something readable. In other words, encryption at rest stops your data from being read by unauthorized individuals who obtain the files.

As an additional precaution, it's a good idea to rotate the decryption key periodically, at least once a year. It's also important to note that MongoDB only supports AES-256 GCM encryption on Linux (from version 4.0 onward, Windows doesn't support this feature).

2. Enable access controls and use role-based access control (and the principle of least privilege)

Access controls are essential for controlling who has access to your database. Role-Based Access Control (RBAC) is included with MongoDB by default since version 2. With RBAC you can control what actions a user has permission to take and which resources they can access. There are five different database roles included by default:

  • read – Read-only access.
  • readWrite – Permission to read and edit data.
  • dbAdmin – Permission to perform administrative tasks like indexing.
  • dbOwner – Permission to perform any administrative action on the database (combines readWrite, dbAdmin, and userAdmin).
  • userAdmin – Permission to create and modify roles and users.

You also have the option to create custom roles and manage roles for clusters. Follow the principle of least privilege: assign access rights and privileges to an employee only when they are absolutely necessary to complete a task. This ensures that your employees have access only to the data and functions they need to do their job.
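As an added example (not code from the article), here is what the least-privilege principle above looks like when written out for the mongo shell: a custom role limited to four actions on a single collection, a user bound only to that role rather than to readWrite or dbOwner on the whole database, and a check that refuses to create the role if it exceeds an allow-list or inherits a built-in role. The role name ordersAppRole, the user orders_app, the database inventory and the collection orders are assumptions; `db` is the shell's database handle, and a stub with the same two methods lets the function run outside the shell.

```javascript
// Added example, not code from the article: provisioning a least-privilege
// application identity with the mongo shell's db.createRole / db.createUser.
// The role name "ordersAppRole", user "orders_app", database "inventory" and
// collection "orders" are assumptions for illustration.
// `db` is the shell's database handle; a stub object with the same two
// methods lets the function run (and be checked) outside the shell.

// The actions the application genuinely needs: CRUD on one collection.
// No dropCollection, no createIndex, no access to other databases.
const APP_ACTIONS = ["find", "insert", "update", "remove"];

// Role document in the shape db.createRole() expects.
function buildAppRole(dbName, collName) {
  return {
    role: "ordersAppRole",
    privileges: [
      { resource: { db: dbName, collection: collName }, actions: APP_ACTIONS.slice() }
    ],
    roles: []   // no inherited roles, so the privilege list above is the entire grant
  };
}

// User document in the shape db.createUser() expects; the user is bound to
// the custom role only, not to readWrite or dbOwner on the whole database.
function buildAppUser(dbName, pwd) {
  return {
    user: "orders_app",
    pwd: pwd,
    roles: [{ role: "ordersAppRole", db: dbName }]
  };
}

// Least-privilege check: every action must be on the allow-list and the role
// must not inherit built-in roles (dbOwner, readWrite on the whole db, ...).
function violatesAllowList(roleSpec, allowed) {
  const violations = [];
  for (const priv of roleSpec.privileges) {
    for (const action of priv.actions) {
      if (!allowed.includes(action)) violations.push(action);
    }
  }
  if (roleSpec.roles.length > 0) {
    violations.push("inherits:" + roleSpec.roles.map(r => r.role).join(","));
  }
  return violations;
}

// Creates the role and the user, refusing to proceed if the role is too broad.
function provisionLeastPrivilege(db, dbName, collName, pwd) {
  const role = buildAppRole(dbName, collName);
  const bad = violatesAllowList(role, APP_ACTIONS);
  if (bad.length > 0) throw new Error("role exceeds allow-list: " + bad.join(", "));
  db.createRole(role);
  db.createUser(buildAppUser(dbName, pwd));
  return { role: role.role, user: "orders_app", db: dbName };
}

// In the mongo shell (4.2 or later, for passwordPrompt), connected to the
// inventory database, run:
//   provisionLeastPrivilege(db, "inventory", "orders", passwordPrompt());
```

The allow-list check is the part worth keeping around: a role that inherits dbOwner, or that carries dropCollection on an empty collection name (which means every collection in the database), is rejected before anything is created.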

3. Audit User Actions

Auditing user actions taken within databases is critical for identifying malicious activity and troubleshooting. Audit logs give you a valuable resource for dissecting what happened during past cyber attacks. MongoDB's auditing facility is configured through the auditDestination setting, which enables auditing and chooses where audit events are written for further analysis.

You can output audit events to the console, a JSON file, or a BSON file. It's important to note that you need MongoDB Enterprise to audit system events such as failed logins.

4. User Authentication

User authentication is a must-have for restricting who can connect to the database and for verifying the identity of a client. To authenticate users you can use the native MongoDB service or an external tool like Active Directory. With native MongoDB authentication, you create each user with a username, password, and authentication database from the command line through the mongo shell.

The base version of MongoDB supports two authentication mechanisms:

  • Salted Challenge Response Authentication Mechanism (SCRAM) – The default authentication mechanism, based on the IETF RFC 5802 standard, in which the server verifies the client's username and password through a challenge-response exchange.
  • X.509 Certificate Authentication – Authentication mechanism that authenticates clients to servers with a certificate instead of a password.

MongoDB Enterprise users also have access to two other authentication methods:

  • Lightweight Directory Access Protocol (LDAP) Proxy Authentication – Users log in with a password; the system then queries an LDAP server for the groups the authenticated user is a member of, maps the Distinguished Names (DNs) of the groups it finds to MongoDB roles, and authorizes the user based on those roles and their privileges.
  • Kerberos authentication – Authentication against a Kerberos service, where users log in with an access ticket (requires a Kerberos deployment).

5. Encrypt network traffic

In addition to encrypting data at rest, you need to encrypt network traffic to stop man-in-the-middle attacks in which hackers eavesdrop on traffic in transit. To protect your data, encrypt network traffic to and from the database by configuring Transport Layer Security (TLS), the successor to Secure Sockets Layer (SSL). You can enforce TLS/SSL by setting net.ssl.mode to requireSSL, which instructs the server to accept only TLS/SSL connections.
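The settings from sections 1, 3, 4 and 5 all live in the same mongod configuration file, and a stock install has none of them. As an added example (not code from the article or from MongoDB), here is a small check that walks a mongod configuration, with the YAML keys mapped one-to-one onto a JavaScript object, and reports each setting that is still at its weak default: authorization off, the server bound to every interface, TLS not required, no audit destination, no encryption at rest. The two configurations are constructed; the key names are mongod's own (net.ssl.mode/requireSSL as the article gives it, and net.tls.mode/requireTLS, the equivalent introduced in MongoDB 4.2), while the file paths and bind addresses are assumptions.

```javascript
// Added example, not code from the article: a check over a mongod
// configuration (the YAML keys mapped 1:1 onto a JS object) that flags the
// defaults the best practices above tell you to change: authorization off,
// TLS not required, listening on every interface, no audit log, and no
// encryption at rest. Both configurations are constructed; the key names
// are mongod's own. Paths and the bind address are assumptions.

const UNCONFIGURED = {                     // what a stock install looks like
  net: { port: 27017, bindIp: "0.0.0.0" },
  storage: { dbPath: "/var/lib/mongodb" }
};

const HARDENED = {
  net: {
    port: 27017,
    bindIp: "127.0.0.1,10.0.0.5",          // loopback plus the app-facing interface only
    ssl: {                                 // net.tls.* with mode requireTLS from MongoDB 4.2 on
      mode: "requireSSL",
      PEMKeyFile: "/etc/mongodb/server.pem",
      CAFile: "/etc/mongodb/ca.pem"
    }
  },
  security: {
    authorization: "enabled",              // section 4: clients must authenticate
    enableEncryption: true,                // section 1: encryption at rest (Enterprise)
    encryptionKeyFile: "/etc/mongodb/keyfile"
  },
  auditLog: {                              // section 3: audit events to a JSON file (Enterprise)
    destination: "file", format: "JSON", path: "/var/log/mongodb/audit.json"
  },
  storage: { dbPath: "/var/lib/mongodb" }
};

// Dotted-path lookup, e.g. get(cfg, "net.ssl.mode"); undefined when absent.
function get(obj, path) {
  return path.split(".").reduce((o, k) => (o !== undefined && o !== null ? o[k] : undefined), obj);
}

// Returns one string per weak or missing setting; an empty array means the
// configuration passes every check this example knows about.
function findings(cfg) {
  const out = [];
  if (get(cfg, "security.authorization") !== "enabled") {
    out.push("security.authorization is not 'enabled': anyone who can reach the port can read and write");
  }
  const bound = String(get(cfg, "net.bindIp") || "").split(",").map(s => s.trim());
  if (bound.includes("0.0.0.0") || bound.includes("::")) {
    out.push("net.bindIp listens on all interfaces: the server is reachable from any network the host is on");
  }
  const tlsMode = get(cfg, "net.tls.mode") || get(cfg, "net.ssl.mode");
  if (tlsMode !== "requireTLS" && tlsMode !== "requireSSL") {
    out.push("TLS is not required (net.tls.mode / net.ssl.mode): traffic can be read or altered in transit");
  }
  if (!get(cfg, "auditLog.destination")) {
    out.push("auditLog.destination is unset: failed logins and privilege changes go unrecorded (Enterprise)");
  }
  if (get(cfg, "security.enableEncryption") !== true) {
    out.push("security.enableEncryption is off: data files are readable straight from disk (Enterprise)");
  }
  return out;
}

console.log("unconfigured:", findings(UNCONFIGURED));
console.log("hardened:", findings(HARDENED));
```

Treat preferSSL (or preferTLS) as a finding, not a pass: it still accepts plaintext clients, so only the require modes actually enforce encryption in transit. The two Enterprise-only checks are reported as such, since on Community builds those keys are unavailable rather than merely unset.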

6. Back up your data

Regularly backing up your data will ensure that you have access to your information even if a cyberattack or system failure occurs. For example, if someone encrypts your data and demands a ransom or a natural disaster destroys your office, you will still have access to your latest backup, so you can restore the system to its pre-attack status.

There are three main ways you can back up MongoDB:

  • mongodump – A utility included with MongoDB that can dump an entire database or a query result, creating a snapshot of a database. Great for small deployments, but it struggles with larger databases.
  • filesystem snapshots – Use tools like Linux LVM to take snapshots of the file system. A reliable way to create large backups.
  • MongoDB Management Service (MMS) – Managed online backup service that continuously streams MongoDB oplog data to MMS to create backups. Takes snapshots every 6 hours with 24 hours of retention.

In short, mongodump is ideal for small databases, filesystem snapshots are suitable for complete backups, and MMS is designed for continuous backups of mission-critical data.

7. Complete regular updates

Installing security updates regularly is essential for making sure your service is protected against known vulnerabilities. Updating your system patches those vulnerabilities and reduces the number of flaws a hacker can exploit to gain access to your information.

8. Monitor your Network

Performance monitoring is an excellent way to identify when your resources aren't performing as they should be and to detect the signs of a cyberattack. Database monitoring software can tell you when your database is experiencing poor performance and generate alerts so that you can take action.

The Best MongoDB Monitoring Tools

Monitoring MongoDB is vital for detecting security events. Continuous monitoring will enable you to identify alarming activity, such as a spike in login failures, that may indicate a cyber attack. In this section, we're going to look at some of the best MongoDB monitoring tools on the market.

1. SolarWinds Database Performance Monitor (FREE TRIAL)


SolarWinds Database Performance Monitor is a SaaS-based database performance monitoring solution you can use to monitor MongoDB. It comes with automated profiling analysis you can use to monitor latency and throughput. Visualization options like graphs and charts give you a complete overview of MongoDB's performance from the dashboard.

Automatic recommendations provide guidance on best practices for MongoDB so you can continuously optimize performance and security. For example, the platform can tell you that a slow-running query could be made faster with an additional index.

The software also monitors for misconfigurations. SolarWinds Database Performance Monitor can identify misconfigurations and vulnerabilities so that you can take action to fix them. There is also a threshold-based alerts system you can use to set trigger conditions for individual metrics to determine when you receive notifications.

SolarWinds Database Performance Monitor is a reliable database monitoring solution that’s ideal for MongoDB users that need to optimize performance. Prices start at $2,840 (£2,203). You can start the 14-day free trial.

Key Features:

  • Automated profiling analysis
  • Dashboard
  • Graphs and charts
  • Recommendations
  • Configuration checks
  • Alerts


2. Datadog


Datadog is a cloud monitoring tool that you can use to monitor MongoDB and identify performance issues like bottlenecks, latency, and error rates in real time. Performance metrics are visualized live through graphs and charts on a customizable, drag-and-drop dashboard. There are also dependency maps so you can monitor application interdependencies.

Anomaly detection alerts automatically identify performance anomalies and notify you so you can respond. Anomaly detection accounts for temporary fluctuations, reducing false positives. You can also create custom alert thresholds according to your needs.

There is also a range of features that support teams. For example, you can take snapshots of performance issues and tag other members of your team to let them know there is an issue. You can also view who has responded to an alert, helping you avoid wasting time following up on an issue that’s been addressed.

Datadog is an exceptional solution for enterprises that would like to monitor MongoDB alongside their other application monitoring. Prices start at $15 (£11.64) per host per month for the Infrastructure version. You can start the 14-day free trial.

Key Features:

  • Dependency mapping
  • Custom dashboard
  • Graphs and charts
  • Anomaly detection
  • Alerts

3. MongoDB Cloud Manager


MongoDB Cloud Manager is a hosted management platform designed for monitoring MongoDB. With MongoDB Cloud Manager you can monitor MongoDB database and hardware performance. The platform includes visualization options like graphs and charts so you can monitor performance metrics like query execution times at a glance.

Whenever a MongoDB agent connects to Cloud Manager, the platform uses TLS to encrypt communications. Once connected, you can use the Performance Advisor to identify slow-running queries, which tells you what you need to optimize to improve performance.

There is also an alerts system where you can configure trigger conditions to determine when you receive notifications via Slack, PagerDuty, or Datadog. For example, you can configure an alert to notify you if a Host is down or if the Number of Restarts in Last Hour crosses a certain threshold. All alerts can be viewed through the Alerts page.

MongoDB Cloud Manager is a great choice for enterprises that want basic, convenient performance monitoring for MongoDB. There is a free version with 24 hours of data retention and five-minute granularity. Paid versions start at $39 (£30.27) per server per month for Cloud Manager Standard, with full historical data and two-minute granularity. You can start the 30-day free trial.

Key Features:

  • Graphs and charts
  • TLS encryption
  • Alerts

Avoid Default Settings

MongoDB has all the security settings you need to defend against attackers; you just need to configure them. Don't make the mistake of running a database with the default settings, as you're leaving your data at risk of a breach. By following these best practices and configuring MongoDB properly, you will be able to avoid a lot of problems.

Combining proper configurations with performance monitoring tools like SolarWinds Database Performance Monitor, Datadog, and MongoDB Cloud Manager will ensure you have the ability to optimize performance long term and stop malicious attackers.