
How to Secure MongoDB

What is MongoDB

MongoDB is a cross-platform, source-available (SSPL-licensed), document-oriented NoSQL database that stores data in JSON-like (BSON) documents. MongoDB Inc. publishes a free Community Edition and sells an Enterprise Edition with additional features (among them auditing and encryption at rest) and paid support.
Out of the box MongoDB ships with authentication disabled. If such an instance is reachable from the internet, anyone who finds it can read, modify or delete every database, and it is common for attackers to do exactly that and leave a ransom note in place of the data. The tips below close those gaps and give you some confidence that you know who and what can reach your data.
Below is a list of tips to secure a MongoDB server once it is deployed to production, staging or any other host that is publicly accessible. Most of them are settings in mongod.conf, so they can be applied in one pass followed by a single restart of mongod.

Tip 1: Enabling Authentication

Set security.authorization to enabled in mongod.conf (or start mongod with --auth). Every client must then authenticate before it can read or write; a connection without valid credentials is limited to the handful of commands that need no privileges. Until the first user exists, the localhost exception lets a connection made from the server itself create the initial user administrator; create that user right away (or before enabling authorization) or you will lock yourself out.
How to enable authentication

Tip 2: Configure Role-Based Access Control

Role-based access control lets you grant each user exactly the privileges it needs on exactly the databases it needs. An application account holding readWrite on its own database cannot read, change or drop anything in another database. Keep administrative roles (userAdminAnyDatabase, root) on separate accounts that the application never uses, and never run the application as root.
Creating users for specific databases
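The script below is an added example covering both Tip 1 (bootstrapping the first user through the localhost exception once authorization is enabled) and Tip 2 (a least-privilege application user); it is not code from the original article. It assumes mongosh is on PATH, mongod is listening on 127.0.0.1:27017 with security.authorization enabled and no users yet, and the names mongoadmin, appuser and appdb are illustrative. Passwords are read with mongosh's passwordPrompt() so none are stored in the script, shell history or process arguments.

```shell
#!/bin/sh
# Added example for Tips 1 and 2 (not code from the original article).
# Assumptions: mongosh on PATH; mongod on 127.0.0.1:27017 with
# security.authorization enabled and no users yet (localhost exception);
# user/database names are illustrative.
set -eu

# Print a mongosh script that creates a user administrator in "admin" and a
# least-privilege application user that can only read/write its own database.
build_user_script() {
  admin_user=$1; app_user=$2; app_db=$3
  cat <<EOF
// 1. User administrator: manages users and roles, cannot read application data.
const adminPw = passwordPrompt();
db.getSiblingDB("admin").createUser({ user: "$admin_user", pwd: adminPw,
  roles: [{ role: "userAdminAnyDatabase", db: "admin" }] });
// The localhost exception ends with that first user, so continue as the admin.
db.getSiblingDB("admin").auth("$admin_user", adminPw);
// 2. Application user: readWrite on "$app_db" only, nothing on other databases.
db.getSiblingDB("$app_db").createUser({ user: "$app_user", pwd: passwordPrompt(),
  roles: [{ role: "readWrite", db: "$app_db" }] });
EOF
}

# Print a mongosh script to run AS THE APPLICATION USER afterwards: it must be
# able to write to its own database and must be refused on any other one.
build_rbac_check_script() {
  app_db=$1; other_db=$2
  cat <<EOF
db.getSiblingDB("$app_db").healthcheck.insertOne({ t: new Date() });
try {
  db.getSiblingDB("$other_db").getCollectionNames();
  print("FAIL: $other_db is readable by the application user");
} catch (e) {
  print("ok: access to $other_db denied (" + e.codeName + ")");
}
EOF
}

# Plain-text review of a generated script before it is run: no blanket
# role may be granted and no password literal may be embedded.
no_blanket_roles() {
  ! grep -Eq 'role: "(root|readWriteAnyDatabase|dbAdminAnyDatabase|clusterAdmin|__system)"' "$1" &&
  ! grep -Eq 'pwd: "' "$1"
}

if [ "${1:-}" = "run" ]; then
  # Usage: sh harden_users.sh run   (creates the users, then verifies the app user)
  users=$(mktemp); check=$(mktemp)
  build_user_script mongoadmin appuser appdb > "$users"
  no_blanket_roles "$users"
  mongosh --quiet "mongodb://127.0.0.1:27017/admin" "$users"
  build_rbac_check_script appdb admin > "$check"
  mongosh --quiet "mongodb://127.0.0.1:27017/appdb" -u appuser --authenticationDatabase appdb "$check"
  rm -f "$users" "$check"
fi
```

The check script is deliberately run as the application user, not the admin: the useful assertion in RBAC is that the low-privilege account is refused, and the only way to prove that is to try. If the server already requires TLS (Tip 4), add --tls to the mongosh invocations.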

Tip 3: IP Binding

Bind mongod to the specific interface it must be reachable on, never to 0.0.0.0 (all interfaces). Since MongoDB 3.6 the default net.bindIp is 127.0.0.1, which is the right setting when the application runs on the same host. If the application runs elsewhere, add only the private address it connects to, so that mongod cannot be reached over the public interface at all.

Tip 4: Enable TLS/SSL

MongoDB supports TLS/SSL so that all traffic to and from the server, including the credentials sent at login, is encrypted in transit. Set net.tls.mode to requireTLS (net.ssl in versions before 4.2) so plaintext connections are rejected, and use a certificate whose name matches the hostname clients connect to; clients should verify the server certificate rather than being configured to accept invalid ones.
How to configure SSL
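The script below is an added example for Tips 3 and 4, not code from the original article. It renders the net section of mongod.conf with a restricted bindIp and requireTLS, shows the exposed configuration it replaces, and audits an existing configuration file for either mistake. The private address 10.0.0.5 and the paths under /etc/mongodb/tls are assumptions; the self-signed certificate helper (which needs openssl) is for staging only.

```shell
#!/bin/sh
# Added example for Tips 3 and 4 (not code from the original article).
# Assumptions: the application reaches mongod over a private interface at
# 10.0.0.5 (illustrative) and the PEM files live under /etc/mongodb/tls.
set -eu

# Print the "net" section of mongod.conf. bindIp is loopback plus the one
# private address the application uses: never 0.0.0.0 and never bindIpAll.
# requireTLS refuses plaintext connections; CAFile is what mongod uses to
# verify client certificates if x.509 client authentication is turned on later.
render_net_conf() {
  private_ip=$1
  cat <<EOF
net:
  port: 27017
  bindIp: 127.0.0.1,$private_ip
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/mongodb/tls/mongodb.pem
    CAFile: /etc/mongodb/tls/ca.pem
EOF
}

# The exposed configuration this replaces, kept only for comparison.
render_weak_net_conf() {
  cat <<EOF
net:
  port: 27017
  bindIp: 0.0.0.0
EOF
}

# Audit an existing mongod.conf. Prints one FINDING per problem and returns 1
# if anything was found, so it can gate a deployment pipeline.
audit_net_conf() {
  conf=$1; rc=0
  if grep -Eq '^[[:space:]]*bindIpAll:[[:space:]]*true' "$conf" ||
     grep -Eq '^[[:space:]]*bindIp:.*[ ,"](0\.0\.0\.0|::)([ ,"]|$)' "$conf"; then
    echo "FINDING: mongod listens on all interfaces (bindIp 0.0.0.0/:: or bindIpAll)"; rc=1
  fi
  if ! grep -Eq '^[[:space:]]*bindIp(All)?:' "$conf"; then
    echo "NOTE: no bindIp set; MongoDB 3.6+ defaults to 127.0.0.1 only"
  fi
  if ! grep -Eq '^[[:space:]]*mode:[[:space:]]*requireTLS' "$conf"; then
    echo "FINDING: net.tls.mode is not requireTLS (plaintext connections accepted)"; rc=1
  fi
  return $rc
}

# Self-signed PEM for staging only. Production needs a CA-issued certificate
# whose CN/SAN matches the name clients connect to. mongod expects the private
# key and certificate concatenated in one file.
make_selfsigned_pem() {
  host=$1; outdir=$2
  mkdir -p "$outdir"
  openssl req -x509 -newkey rsa:4096 -nodes -days 365 \
    -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
    -keyout "$outdir/mongodb.key" -out "$outdir/mongodb.crt"
  cat "$outdir/mongodb.key" "$outdir/mongodb.crt" > "$outdir/mongodb.pem"
  chmod 600 "$outdir/mongodb.key" "$outdir/mongodb.pem"
}
```

After restarting mongod, confirm the bind with `ss -ltnp | grep mongod`: only 127.0.0.1:27017 and the private address should appear, and a `mongosh --host <private_ip>` attempt without --tls should be refused.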

Tip 5: Use a firewall

Block inbound traffic on every public port except the ones you actually need. If the application runs on the same server, port 27017 does not need to be reachable from anywhere but loopback; otherwise allow it only from the application host's address. For SSH, restrict access to the address or addresses you administer from rather than the whole internet; moving SSH off port 22 cuts down scanner noise but is no substitute for that source restriction.
Configure iptables firewall
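The script below is an added example for Tip 5, not code from the original article. It generates a default-deny iptables ruleset for a host whose only service is mongod, opens 27017 to one application host (or to nobody, when the application is local), limits SSH to one admin address, and includes a check that refuses any ruleset accepting 27017 from an unrestricted source. The addresses 10.0.0.10 (application) and 203.0.113.7 (admin workstation) are assumptions.

```shell
#!/bin/sh
# Added example for Tip 5 (not code from the original article).
# Assumptions (illustrative): application host 10.0.0.10, admin workstation
# 203.0.113.7, SSH on port 22 unless told otherwise.
set -eu

# Print the iptables commands: loopback and established traffic allowed,
# 27017 only from the application host, SSH only from the admin address,
# everything else logged (rate-limited) and dropped by policy.
gen_rules() {
  app_ip=$1; admin_ip=$2; ssh_port=${3:-22}
  echo 'iptables -F INPUT'
  echo 'iptables -A INPUT -i lo -j ACCEPT'
  echo 'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  # Open 27017 only when the application lives on another host. When it runs
  # on this server it talks to mongod over loopback, already allowed above.
  if [ -n "$app_ip" ]; then
    echo "iptables -A INPUT -p tcp -s $app_ip --dport 27017 -m conntrack --ctstate NEW -j ACCEPT"
  fi
  echo "iptables -A INPUT -p tcp -s $admin_ip --dport $ssh_port -m conntrack --ctstate NEW -j ACCEPT"
  echo 'iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "'
  # Policies go last so an SSH session applying this is never cut off midway.
  echo 'iptables -P INPUT DROP'
  echo 'iptables -P FORWARD DROP'
  echo 'iptables -P OUTPUT ACCEPT'
}

# Review a rule list (from gen_rules, or iptables-save output in -A form):
# fail if 27017 is accepted without a named source address.
mongo_port_is_restricted() {
  ! grep -e '--dport 27017' "$1" | grep -e '-j ACCEPT' | grep -vq -e ' -s '
}

if [ "${1:-}" = "apply" ]; then
  # Usage: sh mongo_fw.sh apply [app_ip] [admin_ip] [ssh_port]   (run as root)
  rules=$(mktemp)
  gen_rules "${2:-10.0.0.10}" "${3:-203.0.113.7}" "${4:-22}" > "$rules"
  mongo_port_is_restricted "$rules"
  sh "$rules"
  rm -f "$rules"
fi
```

Run `sh mongo_fw.sh` without arguments to print the rules and review them first; iptables rules do not survive a reboot on their own, so persist them afterwards with iptables-save into whatever your distribution restores at boot.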

Tip 6: Encrypt Storage

MongoDB Enterprise (and Percona Server for MongoDB) supports native encryption at rest: the WiredTiger storage engine encrypts the data files on disk with a key that only the mongod process holds, supplied from a key file or a KMIP key server. This protects the files if a disk, backup or snapshot is copied; it does not hide data from a connected client, since an authenticated client with the right role still reads plaintext, so it complements authentication and RBAC rather than replacing them. (Encryption where the client holds the key is a separate feature, Client-Side Field Level Encryption.)
How to encrypt data storage
If you are not using WiredTiger's encryption (it is not in the Community Edition), encrypt the data at the filesystem or block-device level on each host instead (LUKS/dm-crypt on Linux, for example). Either way, run mongod as a dedicated service user and make the data directory (storage.dbPath) readable and writable by that user only (mode 700), so other accounts on the system cannot copy the files.

Tip 7: Enable Auditing

Auditing records authentication attempts, configuration changes, user and role changes, and schema operations to a log you can ship to your SIEM, so you can see who changed what and when. It is an Enterprise feature; Percona Server for MongoDB, a drop-in replacement for the Community Edition that bundles several enterprise features, offers an equivalent auditLog option.
How to set up Auditing

Tip 8: Disable Javascript

If your application does not use server-side JavaScript ($where queries, mapReduce with JavaScript functions, $function and $accumulator), disable the scripting engine by setting security.javascriptEnabled to false in mongod.conf. This removes a large attack surface: an injection into a $where clause, for example, otherwise runs attacker-controlled JavaScript inside mongod.
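The script below is an added example for Tips 6, 7 and 8 (and the authorization switch from Tip 1); it is not code from the original article. It generates a properly protected key file for WiredTiger encryption at rest, checks that a key file is the right size and readable by its owner only, and renders the security and auditLog sections of mongod.conf with an audit filter limited to authentication and privileged changes. security.enableEncryption and auditLog need MongoDB Enterprise or Percona Server for MongoDB; security.authorization and security.javascriptEnabled also work on the Community Edition. The key path, the log path and the service user name mongodb are assumptions.

```shell
#!/bin/sh
# Added example for Tips 6, 7 and 8 (not code from the original article).
# enableEncryption/auditLog: Enterprise or Percona Server for MongoDB only.
# Paths and the service user name "mongodb" are illustrative.
set -eu

# Generate a 32-byte (256-bit) base64 key for WiredTiger encryption at rest.
# Created under umask 077 so it is never world-readable, then handed to the
# mongod service user, which must be the only account able to read it.
make_key_file() {
  keyfile=$1; owner=${2:-mongodb}
  ( umask 077; head -c 32 /dev/urandom | base64 | tr -d '\n' > "$keyfile" )
  chmod 600 "$keyfile"
  chown "$owner" "$keyfile" 2>/dev/null || true   # no-op when not run as root
}

# A key file is acceptable only if it holds a 32-byte key (44 base64 chars)
# and is readable by its owner alone.
key_file_ok() {
  keyfile=$1
  [ "$(wc -c < "$keyfile")" -eq 44 ] || return 1
  case $(ls -l "$keyfile") in
    -rw-------*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the security and audit sections of mongod.conf.
render_security_conf() {
  keyfile=$1
  cat <<EOF
security:
  authorization: enabled        # Tip 1: every client must authenticate
  javascriptEnabled: false      # Tip 8: no \$where / mapReduce JS / \$function
  enableEncryption: true        # Tip 6: WiredTiger encryption at rest
  encryptionKeyFile: $keyfile
auditLog:                       # Tip 7
  destination: file
  format: JSON
  path: /var/log/mongodb/audit.json
  # Record logins and every user, role, collection and index change; ordinary
  # reads and writes are left out so the log stays small enough to review.
  filter: '{ atype: { \$in: [ "authenticate", "createUser", "dropUser", "updateUser", "grantRolesToUser", "revokeRolesFromUser", "createRole", "dropRole", "createCollection", "dropCollection", "dropDatabase", "createIndex", "dropIndex" ] } }'
EOF
}

if [ "${1:-}" = "install" ]; then
  # Usage: sh mongo_security.sh install   (as root; then restart mongod)
  make_key_file /etc/mongodb/encryption.key mongodb
  key_file_ok /etc/mongodb/encryption.key
  render_security_conf /etc/mongodb/encryption.key > /etc/mongod.security.conf
  echo "append /etc/mongod.security.conf to /etc/mongod.conf and restart mongod"
fi
```

Enabling encryption at rest only applies to data written from then on: an existing unencrypted deployment has to be dumped and restored (or re-synced from an encrypted replica set member) to get its files encrypted. Back the key file up separately from the data; without it the data files are unreadable.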
The tips above encrypt and secure your data and make sure that you know who and what is accessing it. Also follow the official MongoDB security checklist to be sure you are doing everything you can to protect your and your users' data.

Try out Skywalk

Would you like to explore monetizing data? Give Skywalk a chance. Book a no-obligation session with our team and explore more ideas around technology to grow your business.
