
Network security and firewall configuration

Author: Chuan Chen  Reads: 11063  Category: MongoDB

Basic Concepts of Network Security

Network security is a critical measure to protect network systems from unauthorized access, damage, or disclosure. In a MongoDB environment, network security is particularly important because databases often store sensitive information. Common network threats include SQL injection, cross-site scripting (XSS), denial-of-service (DoS) attacks, and more. For example, attackers may manipulate database queries directly through unvalidated input:

// Insecure query example: whatever value (and type) arrives in req.query.username
// is passed straight into the filter document
const userInput = req.query.username;
db.collection('users').find({ username: userInput });

This code is vulnerable to injection attacks and should use parameterized queries instead:

// Secure parameterized query: $eq pins the field to an equality match instead of
// letting the input decide how it is interpreted
const userInput = req.query.username;
db.collection('users').find({ username: { $eq: userInput } });
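The following is an added example, not code from the article: a small input guard that builds the username filter only from a plain string, plus a helper that spots operator keys anywhere in a value. The function names (containsQueryOperator, buildUsernameFilter, insecureFilter) are assumptions made for illustration; it needs no database driver, so it runs stand-alone.

```javascript
// Added example (not from the original article). Helper names are illustrative.

// Recursively check whether a value contains any key starting with "$",
// i.e. something MongoDB would interpret as a query operator.
function containsQueryOperator(value) {
  if (Array.isArray(value)) {
    return value.some(containsQueryOperator);
  }
  if (value !== null && typeof value === 'object') {
    return Object.keys(value).some(
      (key) => key.startsWith('$') || containsQueryOperator(value[key])
    );
  }
  return false;
}

// Build the filter the way the article's secure version does ($eq), and in
// addition refuse anything that is not a plain string. req.query values are
// not guaranteed to be strings (Express's query parser can yield nested
// objects), so the type check is the real defence and $eq is belt-and-braces.
function buildUsernameFilter(userInput) {
  if (typeof userInput !== 'string') {
    throw new TypeError('username must be a string');
  }
  if (userInput.length === 0 || userInput.length > 64) {
    throw new RangeError('username length out of range');
  }
  return { username: { $eq: userInput } };
}

// What the insecure version sends to the server: the input is embedded
// unchanged, so a non-string value becomes part of the query itself.
function insecureFilter(userInput) {
  return { username: userInput };
}

// Run directly to compare the two filters for an ordinary string input.
console.log(JSON.stringify(insecureFilter('alice')), JSON.stringify(buildUsernameFilter('alice')));
```

Where the page's two snippets differ only by the $eq wrapper, the string check above is what keeps an object-typed parameter from reaching the filter at all; containsQueryOperator is useful as a last-line assertion on any filter built from request data.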

Default Security Configuration of MongoDB

The default configuration of MongoDB after installation is not secure. By default, MongoDB does not enable authentication and listens on all network interfaces (0.0.0.0). This may expose the database to public networks. To check the current binding IP configuration:

// View MongoDB network configuration
db.adminCommand({getCmdLineOpts: 1}).parsed.net

It is recommended to modify the configuration to listen only on internal network interfaces and enable authentication:

# Example mongod.conf
net:
  bindIp: 127.0.0.1,192.168.1.100
security:
  authorization: enabled

Firewall Policy Design

Effective firewall policies should follow the principle of least privilege. For MongoDB servers, typical firewall rules include:

  1. Restricting source IP access
  2. Opening only necessary ports (default 27017)
  3. Setting connection rate limits to prevent brute-force attacks

Example using iptables on Linux:

# Limit concurrent connections per source IP first (connlimit counts open
# connections per source, /32 by default; it is not a rate limit). This rule
# must come before the ACCEPT/DROP rules below or it never matches.
iptables -A INPUT -p tcp --syn --dport 27017 -m connlimit --connlimit-above 20 --connlimit-mask 32 -j DROP

# Allow only the internal subnet to reach the MongoDB port, drop everything else
iptables -A INPUT -p tcp --dport 27017 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 27017 -j DROP

MongoDB Authentication Mechanisms

MongoDB supports various authentication mechanisms, including SCRAM, x.509 certificates, and LDAP integration. SCRAM is the default authentication method:

// Create an admin user
use admin
db.createUser({
  user: "admin",
  pwd: "complexPassword123!",
  roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
})

For production environments, x.509 certificate authentication is recommended:

# mongod.conf configuration
security:
  authorization: enabled
  # clusterAuthMode governs member-to-member authentication and needs net.tls
  # configured; client x.509 logins use the MONGODB-X509 mechanism with users
  # named after the certificate subject
  clusterAuthMode: x509

Encrypted Network Transmission

Plaintext data transmission is vulnerable to man-in-the-middle attacks. MongoDB supports TLS/SSL encrypted communication:

  1. Generate certificates:
openssl req -newkey rsa:2048 -new -x509 -days 365 -nodes -out mongodb-cert.crt -keyout mongodb-cert.key
cat mongodb-cert.key mongodb-cert.crt > mongodb.pem

  2. Configure MongoDB to use TLS:
# net.ssl is the older spelling; from MongoDB 4.2 the equivalent is net.tls with
# mode: requireTLS and certificateKeyFile
net:
  ssl:
    mode: requireSSL
    PEMKeyFile: /etc/ssl/mongodb.pem
    CAFile: /etc/ssl/ca.pem
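The following is an added example, not the article's or MongoDB's own code: it audits a mongod configuration, already loaded from mongod.conf into a plain object, for the settings covered in the default-configuration section above (bindIp, authorization) and in this TLS section (mode and key file). Parsing the YAML is assumed to be done by a library such as js-yaml, which is not part of Node's standard library; the two sample configurations below are constructed by hand, and auditMongodConfig and the finding ids are illustrative names.

```javascript
// Added example (not from the original article). Sample objects are constructed.

const SAFE_TLS_MODES = new Set(['requireTLS', 'requireSSL']);
const WILDCARD_ADDRS = new Set(['0.0.0.0', '::']);

// net.bindIp may be written as "a,b" or as a YAML list; normalise to an array.
function bindAddresses(net) {
  if (Array.isArray(net.bindIp)) return net.bindIp.map(String);
  if (typeof net.bindIp === 'string') {
    return net.bindIp.split(',').map((s) => s.trim()).filter(Boolean);
  }
  return [];
}

// Return a list of findings ({ id, message }); an empty list means the
// settings discussed above are all in place.
function auditMongodConfig(config) {
  const findings = [];
  const net = (config && config.net) || {};
  const security = (config && config.security) || {};
  const addrs = bindAddresses(net);

  if (net.bindIpAll === true) {
    findings.push({ id: 'bind-all', message: 'net.bindIpAll is true: mongod listens on every interface' });
  } else if (addrs.length === 0) {
    findings.push({ id: 'bind-unset', message: 'net.bindIp is not set explicitly: confirm the default for this version' });
  } else if (addrs.some((a) => WILDCARD_ADDRS.has(a))) {
    const bad = addrs.filter((a) => WILDCARD_ADDRS.has(a)).join(', ');
    findings.push({ id: 'bind-wildcard', message: `net.bindIp contains ${bad}: reachable from every interface` });
  }

  if (security.authorization !== 'enabled') {
    findings.push({ id: 'auth-disabled', message: 'security.authorization is not "enabled": clients need no credentials' });
  }

  // net.tls is the current option group; net.ssl is the older spelling that
  // mongod still accepts and that the article's snippet uses.
  const tls = net.tls || net.ssl || {};
  if (!SAFE_TLS_MODES.has(tls.mode)) {
    findings.push({ id: 'tls-not-required', message: `TLS mode is "${tls.mode || 'disabled'}": connections may be plaintext` });
  } else if (!(tls.certificateKeyFile || tls.PEMKeyFile)) {
    findings.push({ id: 'tls-no-key', message: 'TLS is required but no certificateKeyFile/PEMKeyFile is configured' });
  }

  return findings;
}

// Constructed sample 1: the kind of configuration the sections above warn about.
const INSECURE_CONFIG = {
  net: { port: 27017, bindIp: '0.0.0.0' },
  storage: { dbPath: '/var/lib/mongodb' },
};

// Constructed sample 2: the article's hardened settings combined.
const HARDENED_CONFIG = {
  net: {
    port: 27017,
    bindIp: '127.0.0.1,192.168.1.100',
    tls: { mode: 'requireTLS', certificateKeyFile: '/etc/ssl/mongodb.pem', CAFile: '/etc/ssl/ca.pem' },
  },
  security: { authorization: 'enabled' },
};

// Run directly to list the findings for the insecure sample.
console.log(auditMongodConfig(INSECURE_CONFIG).map((f) => f.message));
```

The check treats an unset bindIp as something to confirm rather than as a finding, because the effective default depends on the mongod version and package in use.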

Auditing and Monitoring

Comprehensive audit logs can help identify potential security threats. Enable MongoDB auditing:

# mongod.conf configuration (auditLog requires MongoDB Enterprise)
auditLog:
  destination: file
  format: JSON
  path: /var/log/mongodb/audit.json

Monitor query performance and security events:

// Enable slow query logging (level 1 profiles operations slower than slowms)
db.setProfilingLevel(1, { slowms: 100 })

// View current connections and in-progress operations
db.currentOp()

// Check authentication attempts: getLog accepts 'global' or 'startupWarnings',
// so read the global log and look for its "Authentication failed" entries
db.getLog('global')

Replica Set and Sharded Cluster Security

Distributed MongoDB deployments require additional security considerations:

  1. Encrypt internal member communication
  2. Secure configuration servers
  3. Authentication between shards

Configure replica set internal authentication:

# mongod.conf for each node
security:
  keyFile: /path/to/keyfile
  clusterAuthMode: keyFile

Generate a keyfile:

openssl rand -base64 756 > /path/to/keyfile
chmod 400 /path/to/keyfile

Client Secure Connections

Applications connecting to MongoDB should also implement security measures:

Node.js example:

const fs = require('fs');
const { MongoClient } = require('mongodb');

// Credentials embedded in the URI must be percent-encoded if they contain
// characters such as ':', '/' or '@'; in practice read them from the
// environment rather than hard-coding them.
const client = new MongoClient('mongodb://user:password@host:27017/dbname', {
  ssl: true,              // legacy option names; drivers 4.x+ also accept tls / tlsCAFile
  sslValidate: true,      // verify the server certificate against the CA below
  sslCA: fs.readFileSync('/path/to/ca.pem'),
  authSource: 'admin',    // database that holds the user document
  connectTimeoutMS: 5000,
  socketTimeoutMS: 30000
});

Regular Security Assessments

Establish a regular security check mechanism:

  1. User permission review
// List all users and their permissions
db.getUsers()

  2. Database vulnerability scanning
mongodb-consistent-backup --check

  3. Log analysis for abnormal patterns
# -i because 4.4+ structured logs write "Authentication failed" with a capital A
grep -i "authentication failed" /var/log/mongodb/mongod.log
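As an added example, not code from the article, the following does in a few lines what the monitoring section (db.getLog) and the log-analysis step above aim at with a grep: it picks failed-authentication events out of mongod log lines and counts them per source address so a repeated-failure pattern stands out. The sample lines are constructed; the JSON ones follow the structured log format mongod 4.4+ writes ("c":"ACCESS", "msg":"Authentication failed", attr.principalName / attr.remote), the plain one follows the older text format. The function names are illustrative.

```javascript
// Added example (not from the original article). Sample log lines are constructed.

const LEGACY_RE = /authentication failed for (\S+) on (\S+) from client (\S+)/i;

// Strip the TCP port (and IPv6 brackets) from "host:port".
function remoteToIp(remote) {
  return remote.replace(/:\d+$/, '').replace(/^\[|\]$/g, '');
}

// Return { user, db, ip } for a failed-auth line, or null for anything else.
// Malformed or truncated lines count as "anything else" instead of aborting.
function parseAuthFailure(line) {
  const trimmed = line.trim();
  if (trimmed.startsWith('{')) {
    let entry;
    try {
      entry = JSON.parse(trimmed);
    } catch (err) {
      return null; // truncated or non-JSON line
    }
    if (entry.c !== 'ACCESS' || entry.msg !== 'Authentication failed' || !entry.attr) {
      return null;
    }
    const { principalName, authenticationDatabase, remote } = entry.attr;
    if (typeof remote !== 'string') return null;
    return { user: principalName || '?', db: authenticationDatabase || '?', ip: remoteToIp(remote) };
  }
  const m = LEGACY_RE.exec(trimmed);
  if (!m) return null;
  return { user: m[1], db: m[2], ip: remoteToIp(m[3]) };
}

// Aggregate failures per source IP: how many, and which user@db were tried.
function summarizeAuthFailures(lines) {
  const summary = {};
  for (const line of lines) {
    const ev = parseAuthFailure(line);
    if (!ev) continue;
    const bucket = summary[ev.ip] || (summary[ev.ip] = { count: 0, users: new Set() });
    bucket.count += 1;
    bucket.users.add(`${ev.user}@${ev.db}`);
  }
  // Convert sets to sorted arrays so the result is plain data.
  for (const ip of Object.keys(summary)) {
    summary[ip].users = [...summary[ip].users].sort();
  }
  return summary;
}

// Sources at or above the threshold, busiest first.
function flagSources(summary, threshold) {
  return Object.keys(summary)
    .filter((ip) => summary[ip].count >= threshold)
    .sort((a, b) => summary[b].count - summary[a].count);
}

// Constructed sample: three failures from 10.0.0.5 (two structured, one legacy),
// one from 192.168.1.20, one success, one truncated line and one blank line.
const SAMPLE_LOG = [
  '{"t":{"$date":"2024-03-01T10:00:00.123+00:00"},"s":"I","c":"ACCESS","ctx":"conn12","msg":"Authentication failed","attr":{"mechanism":"SCRAM-SHA-256","speculative":false,"principalName":"admin","authenticationDatabase":"admin","remote":"10.0.0.5:51234","extraInfo":{},"error":"AuthenticationFailed: SCRAM authentication failed, storedKey mismatch"}}',
  '{"t":{"$date":"2024-03-01T10:00:01.004+00:00"},"s":"I","c":"ACCESS","ctx":"conn13","msg":"Authentication failed","attr":{"mechanism":"SCRAM-SHA-256","speculative":false,"principalName":"root","authenticationDatabase":"admin","remote":"10.0.0.5:51236","extraInfo":{},"error":"UserNotFound: Could not find user \\"root\\" for db \\"admin\\""}}',
  '2024-03-01T10:00:02.000+0000 I ACCESS   [conn14] SASL SCRAM-SHA-256 authentication failed for admin on admin from client 10.0.0.5:51240 ; AuthenticationFailed: SCRAM authentication failed, storedKey mismatch',
  '{"t":{"$date":"2024-03-01T10:00:03.500+00:00"},"s":"I","c":"ACCESS","ctx":"conn15","msg":"Authentication failed","attr":{"mechanism":"SCRAM-SHA-256","speculative":false,"principalName":"app","authenticationDatabase":"dbname","remote":"192.168.1.20:40001","extraInfo":{},"error":"AuthenticationFailed: SCRAM authentication failed, storedKey mismatch"}}',
  '{"t":{"$date":"2024-03-01T10:00:04.000+00:00"},"s":"I","c":"ACCESS","ctx":"conn16","msg":"Authentication succeeded","attr":{"mechanism":"SCRAM-SHA-256","speculative":false,"principalName":"app","authenticationDatabase":"dbname","remote":"192.168.1.20:40002","extraInfo":{}}}',
  '{"t":{"$date":"2024-03-01T10:00:05.000+00:00"},"s":"I","c":"ACCESS","ctx":"conn17","msg":"Authenticat',
  '',
];

// Run directly to see the per-source summary and which sources cross a threshold of 3.
const demoSummary = summarizeAuthFailures(SAMPLE_LOG);
console.log(JSON.stringify(demoSummary), flagSources(demoSummary, 3));
```

Pointing the same functions at `/var/log/mongodb/mongod.log` split on newlines gives the grep's result with the per-source count and the set of attempted accounts already attached, which is what decides whether a firewall rule or a credential rotation is the right response.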

Backup and Disaster Recovery

Security configurations should include data backup strategies:

  1. Encrypt backup files
mongodump --uri="mongodb://user:pwd@host:27017" --gzip --archive=backup.gz --ssl

  2. Test recovery procedures
mongorestore --uri="mongodb://user:pwd@host:27017" --gzip --archive=backup.gz --ssl

  3. Offline backup storage
# -pbkdf2 replaces the weak legacy key derivation that openssl enc uses by default
openssl enc -aes-256-cbc -salt -pbkdf2 -in backup.gz -out backup.enc
