Securing MongoDB

Good afternoon,

I have a piece of software that is written in nodejs and is bundled with mongodb.

The database is currently wide open for anyone with an account on the server to read any and all data.

My question revolves around the securing of the instance of mongodb in this application.

  • this is a black box - one install with only webserver parameters available for configuration

  • configurations are minimal and documentation is sparse, and does not talk about securing the application

  • I am in the middle of the mongodb university security course, I understand there are many ways to secure mongodb

  • the question is how can I secure the “database instance” in this black box without breaking the application (not a generic mongodb instance)

Thanks for any insights

Paul


I have exactly the same issue. My app is using:

  1. Enterprise edition
  2. Completely offline app and no cluster

All I want is to secure the “mongod” command execution (that is, when running a mongod instance from the terminal).

I know it is straightforward to enforce authentication from the terminal, but the docs do not mention how to secure the “mongod” command itself. I tried updating the default config file with

    security:
      authorization: enabled

and it does not work either !!!

Any help here please!


Hi @Paul_Jacobs and @code_gist,

If I understand correctly, the goal is to secure the instance so that it cannot be executed by unauthorized users having access to the server. Is this accurate?

Although there are multiple ways to secure a MongoDB instance from external parties using auth and/or TLS, there is no method I’m aware of (from MongoDB’s side) that can prevent anyone having access to the server itself from connecting to the database if the database is not secured with authentication. I believe at this point, it becomes a server security issue instead of a database security issue.

Perhaps something like SELinux could be used in this use case?

Best regards,
Kevin

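As an added example (not code from any poster in this thread or from MongoDB), here is a small Python check for two server-side points raised above: whether `authorization: enabled` is actually nested under `security:` in the config file, and whether the `storage.dbPath` directory is reachable by other local accounts. The sample configs, the function names and the simplified parser (nested mappings only, not full YAML) are assumptions made for illustration.

```python
import os
import stat
import tempfile

# Constructed samples: FLAT_CONF has "authorization" at column 0 (as a
# flattened paste would), NESTED_CONF has it nested under "security".
FLAT_CONF = "storage:\n  dbPath: {db}\nsecurity:\nauthorization: enabled\n"
NESTED_CONF = "storage:\n  dbPath: {db}\nsecurity:\n  authorization: enabled\n"

def parse_conf(text):
    """Flatten nested mappings into dotted keys (hypothetical helper, not full YAML)."""
    flat, stack = {}, []  # stack holds (indent, key) of the open parent sections
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip() or ":" not in line:
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()  # leave sections that this line is not indented under
        path = ".".join([k for _, k in stack] + [key.strip()])
        if value.strip():
            flat[path] = value.strip().strip("\"'")
        else:
            stack.append((indent, key.strip()))
    return flat

def audit(conf_text):
    """Return findings about local exposure; an empty list means none found."""
    conf, findings = parse_conf(conf_text), []
    if conf.get("security.authorization") != "enabled":
        findings.append("security.authorization is not 'enabled'")
        if "authorization" in conf:
            findings.append("'authorization' is top-level; nest it under 'security:'")
    db_path = conf.get("storage.dbPath")
    if db_path and os.path.isdir(db_path):
        mode = stat.S_IMODE(os.stat(db_path).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"dbPath mode {mode:o} lets other accounts reach data files")
    return findings

def demo():
    """Audit both samples against a throwaway directory standing in for dbPath."""
    with tempfile.TemporaryDirectory() as db:
        os.chmod(db, 0o755)
        loose = audit(FLAT_CONF.format(db=db))
        os.chmod(db, 0o700)
        tight = audit(NESTED_CONF.format(db=db))
    return loose, tight
```

Run `audit()` on the text of the config file the bundled `mongod` is actually started with; a config that is never passed to the process has no effect on it.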