Stories
Slash Boxes
Comments

SoylentNews is people

How to Secure MongoDB

posted by cmn32480 on Friday January 13 2017, @10:41PM   Printer-friendly
from the mongo-like-candy dept.

Phoenix666 writes:

The rise in ransomware attacks on MongoDB installations prompted the database maker last week to issue advice on how to avoid being victimized.

As of Sunday, security researcher and Microsoft developer Niall Merrigan identified more than 27,000 MongoDB databases seized by ransomware. By Tuesday afternoon Pacific Time, an online spreadsheet maintained by Merrigan and fellow security researcher Victor Gevers listed 32,643 victims.

The attacks involve hackers who copy data from insecure databases, delete the original, and ask for a ransom of a few hundred dollars worth of Bitcoin to return the stolen data back to the owner.

MongoDB, like other NoSQL databases, has suffered from security shortcomings for years. Trustwave called out MongoDB in 2013. Security researcher John Matherly did so again in 2015.

Where MySQL, PostgreSQL, and other relational databases tend to default to local installation and some form of authorization, MongoDB databases are exposed to the internet by default, and don't require credentials immediately by default.

MongoDB's security checklist is here. The company has stated it is the user's responsibility to make these changes to the default configuration.

Original Submission

 
This discussion has been archived. No new comments can be posted.
How to Secure MongoDB | Log In/Create an Account | Top | 13 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 0) by Anonymous Coward on Friday January 13 2017, @11:22PM

    by Anonymous Coward on Friday January 13 2017, @11:22PM (#453568)

    Exactly.

    If not a random password, then they should have restricted it to local logon only from a special account, and then an admin could log in through this and create/specify any credentials they want to use.

    Seriously. If I install MongoDB on Debian (which automatically enables and starts such services) then am I immediately hackable? This is completely ridiculous.

  • (Score: 2) by jimshatt on Saturday January 14 2017, @12:26AM

    by jimshatt (978) on Saturday January 14 2017, @12:26AM (#453621) Journal
    Well, yes and no. First of all, the machine you install MongoDB on must be internet-facing, which is unusual even in small companies. Home users are often behind some NAT which complicates things. 'Hackable' is a bit of an overstatement, too. The database contents can be read and modified, but there is no arbitrary code execution or anything.

    I agree that secure by default would be better.