Thousands of unsecured MongoDB servers found

In a news article CNET Germany writes about thousands of open and unsecured MongoDB databases being found on the internet, giving full access to personal data including payment data of online shops’ customers. To readers who either don’t read to the very end of that article or don’t fully understand the technical background, this might appear to be a vulnerability of MongoDB.

But it’s not.

MongoDB is in its basics just as secure or unsecure as any other network service, including MySQL. If you install any software that acts as a network service (usually via TCP) on a computer that is directly connected to the internet (a server) you must assume that it is open to the world and accessible to everybody.

This is a fact that every system administrator and even a internet hobbyist must know.

A difference between MySQL and MongoDB is that MySQL requires client authentication and authorisation by default. But this may provide a false sense of security, because by default MySQL’s port is just as open. This gives others the opportunity to gain access by trying a few default root passwords, brute force or intercepting a connection which is typically not encrypted.

MongoDB on the other hand ships with a default configuration that allows everybody in without authentication required, although MongoDB does provide several security features as well. In many cases a MongoDB instance is only used by one single application, which means in a secure environment authentication would only be overhead.

So both database systems, MySQL and MongoDB, provide security features, but it is all useless if not used correctly. The most basic and in my opinion also the most effective mechanism is to simply lock away services like databases, which don’t need to be accessed directly from the internet.

Typically you run a database server to give a web application access to it. You don’t want your customers connect to it directly. So don’t let them. This advice counts for all other services, too. First, lock everything away (everything, not just single ports). Put everything behind a firewall – or if you host on AWS inside a Virtual Private Cloud (VPC). And then think about, what really needs to be public and open only these ports, e.g. only port 80 for HTTPS, but not MongoDB’s port 27017.

This doesn’t mean I recommend to ignore other security measures. But blocking inbound connections of an internet server should be the very first step for all administrators, which apparently thousands haven’t done where incidentally MongoDB databases were installed.

MongoDB is a document-oriented NoSQL database system that gained vast popularity since its first release in 2009. Only in February 2015 MongoDB became the fourth most popular database engine. Cloud Under provides web development.