Transcription
MongoDB Security ChecklistTim VaillancourtSr Technical Operations Architect, PerconaSpeaker Name
whoami {name: “tim”,lastname: “vaillancourt”,employer: “percona”,techs: ”,“couch*”,“python”,“golang”]}
Agenda AuthorizationExternal AuthenticationSSL / TLS EncryptionFilesystem SecuritySELinuxNetwork Security
Security Security is becoming morepressing almost every day Example: 2017 MongoDBRansom Attacks Publicly accessible hostscompromised remotely Database data uploaded offof the network
Security MongoDB Ransom Attacks Database data was thendeleted A MongoDB document isleft behind as a ransomnote, demanding Your security approach hadto be very weak
Security
Authorization: Role-based Security Always enable auth on Production Installs! Default enabled on 3.5 / 3.6 ! Built-in Roles Database User: Read or Write data from collections “All Databases” or Single-database Database AdminBackup and RestoreCluster AdminSuperuser/Root
Authorization: Role-based Security User-Defined Roles Exact Resource Action specification Very fine-grained ACLs Action DB Collection specific Helper script for PSMDB(!):percona-server-mongodb-enable-auth.sh
Authorization: Client/Server Address Filters A new feature in MongoDB/PSMDB3.6 Client Source Filtering Allows filtering of client source addressby IP or IP-range (CIDR) Server Address Filtering Allows filtering of client destinationaddress by IP/IP-range
Internal Authentication File-based key used to authenticate inter-nodeconnections File can contain any string/bytes File must be the same on all ‘mongod’ instances ‘mongod’ config servers ‘mongos’ shard routers Enabled / Specified using ‘security.keyFile: file ’ in YAML-based config ‘--keyFile file ’ as a command-line flag
LDAP LDAP Authentication Supported in PSMDB and MongoDB Enterprise PSDMB implementation ! MongoDB Enterprise implementation The following components are necessary for external authentication to work LDAP Server SASL Daemon SASL Library More on this db-security-using-ldap-authentication/
LDAP LDAP Authentication Creating a User:db.getSiblingDB(" external").createUser( {user : christian, roles: [{role: "read", db: "test"}]} ); Authenticating as a User:db.getSiblingDB(" external").auth({ mechanism:"PLAIN", user:"christian", pwd:"secret",digestPassword:false}) Other auth methods possible with MongoDB Enterprise binaries
SSL / TLS Connections SSL / TLS Connections Supported since MongoDB 2.6x May need to compile-in yourself on older binaries Supported 100% in Percona Server for MongoDB Minimum of 128-bit key length for security Relaxed and strict (requireSSL) modes System (default) or Custom Certificate Authorities areaccepted
SSL / TLS Connections SSL Client Authentication (x509) MongoDB supports x.509 certificate authentication for use witha secure TLS/SSL connection as of 2.6.x. The x.509 client authentication allows clients to authenticate toservers with certificates rather than with a username andpassword. Enabled with ‘security.clusterAuthMode: x509’ in config file
Filesystem Attack-Surface Use a service user group (‘mongod’ or ‘mongodb’ onmost systems) Ensure data path, log file and key file(s) are owned by thisuser group Data Path Mode: 0750
Filesystem Attack-Surface Log File Mode: 0640 Contains real queries and their fields!!! See Log Redaction for PSMDB (or MongoDB Enterprise) to remove thesefields Key File(s) Files Include: keyFile and SSL certificates or keys Mode: 0600
Encryption at Rest MongoDB Enterprise Encryption supported in Enterprise binaries ( ) Percona Server for MongoDB Use CryptFS/LUKS block device for encryption of datavolume Documentation published (or coming soon) Completely open-source / Free
Encryption at Rest Application-Level Selectively encrypt only required fields in application Benefits The data is only readable by the application (reduced touch points) The resource cost of encryption is lower when it’s appliedselectively Offloading of encryption overhead from database
System Access Recommended to restrict system access to DatabaseAdministrators A “shell” on a system can be enough to take the systemover! Why is this risky? Shells can execute local attacks on software vulnerabilities Access to root or filesystem paths is not necessarily required
System Access Packages to Remove / Uninstall GCC (GNU C Compiler) This is often used to build local attacks Generic scripting languages (wherever possible) PythonPerlRubyGolang
Log File: PSMDB Log Redaction Percona Server for MongoDB feature Also available in MongoDB Enterprisebinaries Allows the redaction of values inlogging of server queries,commands, etc Useful for PCI compliance, etc Beware: debug log-level will stillexpose user data!
Log File: PSMDB Log Redaction
Auditing: PSMDB AuditLog Free, open-source PSMDB feature MongoDB Enterprise feature ( ) Provides Authentication and authorization Cluster operations Read and write operations
Auditing: PSMDB AuditLog Provides Schema operations Custom application messages (if configured) Writes to BSON files on disk Read data with ‘bsondump --pretty’ Ensure directory NOT world-readable!
MongoDB Bind Address A configuration variable controlling the listenaddress of MongoDB ‘net.bindIp’ YAML-config field --bindIp mongod command-line flag Defaults Before 3.5/3.6 MongoDB will listen on allinterfaces by default 3.5 default bindIp is ‘localhost’ Risks Addition of interfaces can add attack surface (VMs, etc)
Firewalls Firewall Solutions Software (IPTables) Drawback: software, can be compromised! Hardware (Routers/etc) Single TCP port MongoDB Client API MongoDB Replication API MongoDB Sharding API
Firewalls Sharding Considerations Only the ‘mongos’ process needs access toshard ‘mongod’ servers Client driver does not need to reach shardsdirectly, only ‘mongos’ Replica Set Considerations All nodes must be accessible to the driver Secure NTP Daemon Mitigate NTP reflection attacks Restrict access to NTP
SELinux That thing every Stackoverflow / Forum tells you to just disableVery effective at reducing attack surface on hostACL-based “policies” control what is allowed on a systemModes Enforcing: Don’t allow policy violations Permissive: Allow policy violations and log them Disabled: You really don’t like security
SELinux Relatively simple to deploy on Linux Database servers Database hosts are usually single-purpose Databases need very little filesystem access (only data dir, log dir andconfig files) Percona Server for MongoDB support Built-in CentOS / RHEL 7 RPMs support (others are planned) Works 100% with ‘Enforcing’ Mode SELinux Default Mode on CentOS 7.x
SELinux Troubleshooting Logs SELinux logs useful data to /var/log/auditLogs contain both “success” and “failed” statesLogs contain what process, path, etc was requested‘audit2allow’ tool can be used to convert failures to new policy filestype USER ACCT msg audit(1505846486.456:2508): pid 24770 uid 0 auid 1000 ses 1 subj unconfined u:unconfined r:unconfined t:s0-s0:c0.c1023msg 'op PAM:accounting grantors pam succeed if acct "root" exe "/usr/bin/su" hostname centos7 addr ? terminal pts/0 res success'type CRED ACQ msg audit(1505846486.456:2509): pid 24770 uid 0 auid 1000 ses 1 subj unconfined u:unconfined r:unconfined t:s0-s0:c0.c1023msg 'op PAM:setcred grantors pam rootok acct "root" exe "/usr/bin/su" hostname centos7 addr ? terminal pts/0 res success'type USER START msg audit(1505846486.465:2510): pid 24770 uid 0 auid 1000 ses 1subj unconfined u:unconfined r:unconfined t:s0-s0:c0.c1023 msg 'op PAM:session opengrantors pam keyinit,pam limits,pam systemd,pam unix,pam xauth acct "root" exe "/usr/bin/su" hostname centos7 addr ? terminal pts/0res success'
Network Architecture Creating a dedicated network segment for Databases is recommended DO NOT allow MongoDB to talk to the internet at all costs!!! A compromised database is usually: Dumped in it’s entirety Uploaded to an external system via Public Internet routes Ransom, public-exposure, etc
Network Architecture Denying Access to the Internet Ensure MongoDB network segment is routable Remove the default-gateway on database hosts ‘UG’ route in routing table Only specify routes to database segment, eg: 10.10.0.0/16 Ensure hardware routers don’t provide public-internet routes to databases Ensure important software repositories are available in-datacenter
Network Architecture VLANs Move replication to a dedicated VLAN Use replication-only DNS / IPs in Replica Setconfiguration Bind ‘mongod’ to both the Replication and Client-facingnetworks Firewall what clients can access the Client-facing IP May reduce the need for SSL (can be expensive on CPU) Software Defined Networking A great method of reducing attack surface
Application Firewalls / Other Application Firewalling Web Application Firewalling (WAF) Nginx naxsi:https://github.com/nbs-system/naxsi Apache HTTPD mod security:https://www.modsecurity.org/ Akamai Prolexic ( )
Questions?DATABASE PERFORMANCEMATTERS
MongoDB Security Checklist Tim Vaillancourt Sr Technical Operations Architect, Percona {name: "tim", . SELinux logs useful data to /var/log/audit Logs contain both "success" and "failed" states Logs contain what process, path, etc was requested . Firewall what clients can access the Client-facing IP May reduce the need for SSL .