MongoDB Security Checklist
Tim Vaillancourt, Sr Technical Operations Architect, Percona

Checklist MongoDB Security - Percona · 3 Agenda Authorization External Authentication SSL / TLS Encryption Filesystem Security SELinux Network Security

Jul 31, 2018

Page 1: MongoDB Security Checklist

Tim Vaillancourt, Sr Technical Operations Architect, Percona

Page 2: `whoami`

{
  "name": "tim",
  "lastname": "vaillancourt",
  "employer": "percona",
  "techs": ["mongodb", "mysql", "cassandra", "redis", "rabbitmq", "solr", "python", "golang"]
}

Page 3: Agenda

● Authorization
● External Authentication
● SSL / TLS Encryption
● Filesystem Security
● SELinux
● Network Security

Page 4: Security

● Security is becoming more pressing almost every day
● "MongoDB Ransomware"
  ○ Publicly accessible hosts with or without auth
    ■ Internal and External routes
  ○ Database data uploaded off-network
  ○ Database data deleted entirely!
  ○ A single document left behind asking for ransom payment to the hacking group's Bitcoin hash
  ○ Analogous to leaving your front door unlocked

Page 5: Security

Page 6: Authorization

● Always enable auth on Production Installs!
  ○ Default enabled on 3.5 / 3.6+!
● Built-in Roles
  ○ Database User: Read or Write data from collections
    ■ "All Databases" or Single-database
  ○ Database Admin
  ○ Backup and Restore
  ○ Cluster Admin
  ○ Superuser/Root
● User-Defined Roles
  ○ Exact Resource+Action specification
  ○ Very fine-grained ACLs
    ■ Action + DB + Collection specific

Page 7: Internal Authentication

● File-based key used to authenticate inter-node connections
  ○ File can contain any string/bytes
● File must be the same on all
  ○ 'mongod' instances
  ○ 'mongod' config servers
  ○ 'mongos' shard routers
● Enabled / Specified using
  ○ 'security.keyFile: <file>' in YAML-based config
  ○ '--keyFile <file>' as a command-line flag

Page 8: LDAP

● LDAP Authentication
  ○ Supported in PSMDB and MongoDB Enterprise
  ○ The following components are necessary for external authentication to work
    ■ LDAP Server: Remotely stores all user credentials (i.e. user name and associated password).
    ■ SASL Daemon: Used as a MongoDB server-local proxy for the remote LDAP service.
    ■ SASL Library: Used by the MongoDB client and server to create authentication mechanism-specific data.
  ○ Creating a User (the user name is a string, so it must be quoted):

      db.getSiblingDB("$external").createUser({ user: "christian", roles: [{ role: "read", db: "test" }] });

  ○ Authenticating as a User:

      db.getSiblingDB("$external").auth({ mechanism: "PLAIN", user: "christian", pwd: "secret", digestPassword: false });

  ○ Other auth methods possible with MongoDB Enterprise

Page 9: SSL / TLS Connections

● SSL / TLS Connections
  ○ Supported since MongoDB 2.6.x
    ■ May need to compile it in yourself on older binaries
    ■ Supported 100% in Percona Server for MongoDB
  ○ Minimum of 128-bit key length for security
  ○ Relaxed and strict (requireSSL) modes
  ○ System (default) or Custom Certificate Authorities are accepted
● SSL Client Authentication (x509)
  ○ MongoDB supports x.509 certificate authentication for use with a secure TLS/SSL connection as of 2.6.x.
  ○ The x.509 client authentication allows clients to authenticate to servers with certificates rather than with a username and password.
  ○ Enabled with 'security.clusterAuthMode: x509' in config file

Page 10: Filesystem Attack-Surface

● Use a service user+group ('mongod' or 'mongodb' on most systems)
  ○ Ensure data path, log file and key file(s) are owned by this user+group
● Data Path
  ○ Mode: 0750
● Log File
  ○ Mode: 0640
  ○ Contains real queries and their fields!!!
    ■ See Log Redaction for PSMDB (or MongoDB Enterprise) to remove these fields
● Key File(s)
  ○ Files include: keyFile and SSL certificates or keys
  ○ Mode: 0600
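An added example (not from the slides): a POSIX shell script that creates the internal-auth keyFile from slide 7 and audits the ownership and modes listed on slide 10. It assumes GNU stat (as on CentOS/RHEL); the paths and the service user:group are parameters.

```shell
# Added example (not from the slides): generate the internal-auth keyFile from
# slide 7 and audit the ownership and modes slide 10 lists. Assumes GNU stat.

# Create a keyFile: any string works, so use base64 of random bytes (MongoDB
# strips whitespace; 756 raw bytes -> 1008 base64 chars, under the 1024 limit).
# The umask in the subshell means the file is never group/world readable, even briefly.
mongodb_keyfile_create() {
    ( umask 077; head -c 756 /dev/urandom | base64 > "$1" ) && chmod 0600 "$1"
}

# Fail when a path has any permission bit that the expected octal mode lacks.
# (Extra high bits such as setgid on a directory are ignored via the 0777 mask.)
check_mode() {
    path=$1 want=$2
    have=$(stat -c '%a' "$path" 2>/dev/null) || { echo "MISSING $path"; return 1; }
    if [ $(( 0$have & ~0$want & 0777 )) -ne 0 ]; then
        echo "TOO PERMISSIVE $path: $have (want $want)"; return 1
    fi
    echo "OK $path: mode $have"
}

# Fail when a path is not owned by the service user:group (e.g. mongod:mongod).
check_owner() {
    have=$(stat -c '%U:%G' "$1" 2>/dev/null) || { echo "MISSING $1"; return 1; }
    [ "$have" = "$2" ] && { echo "OK $1: owner $have"; return 0; }
    echo "WRONG OWNER $1: $have (want $2)"; return 1
}

# mongodb_fs_audit <data path> <log file> <keyFile> <user:group>; returns 1 on any finding.
mongodb_fs_audit() {
    rc=0
    check_mode "$1" 750 || rc=1
    check_mode "$2" 640 || rc=1
    check_mode "$3" 600 || rc=1
    for p in "$1" "$2" "$3"; do check_owner "$p" "$4" || rc=1; done
    return $rc
}
```

On a real host run it as, for example, `mongodb_fs_audit /var/lib/mongo /var/log/mongodb/mongod.log /etc/mongod.key mongod:mongod`; TLS certificates and private keys can be passed through `check_mode <file> 600` the same way.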

Page 11: Encryption at Rest

● MongoDB Enterprise
  ○ Encryption supported in Enterprise binaries ($$$)
● Percona Server for MongoDB
  ○ Use CryptFS/LUKS block device for encryption of data volume
  ○ Documentation published (or coming soon)
  ○ Completely open-source / Free
● Application-Level
  ○ Selectively encrypt only required fields in application
  ○ Benefits
    ■ The data is only readable by the application (reduced touch points)
    ■ The resource cost of encryption is lower when it's applied selectively
    ■ Offloading of encryption overhead from database

Page 12: System Access

● Recommended to restrict system access to Database Administrators
● A "shell" on a system can be enough to take the system over!
● Why is this risky?
  ○ Shells can execute local attacks on software vulnerabilities
  ○ Access to root or filesystem paths is not necessarily required
● Packages to Remove / Uninstall
  ○ GCC (GNU C Compiler)
    ■ This is often used to build local attacks
  ○ Generic scripting languages (wherever possible)
    ■ Python
    ■ Perl
    ■ Ruby

Page 13: SELinux

● That thing every Stackoverflow / Forum tells you to just disable
● Very effective at reducing attack surface on host
● ACL-based "policies" control what is allowed on a system
● Modes
  ○ Enforcing: Don't allow policy violations
  ○ Permissive: Allow policy violations and log them
  ○ Disabled: You really don't like security
● Relatively simple to deploy on Linux Database servers
  ○ Database hosts are usually single-purpose
  ○ Databases need very little filesystem access (only data dir, log dir and config files)
● Percona Server for MongoDB support
  ○ Built-in CentOS / RHEL 7+ RPMs support (others are planned)

Page 14: SELinux

● Percona Server for MongoDB support
  ○ Works 100% with 'Enforcing' Mode SELinux (default Mode on CentOS 7.x)
● Troubleshooting Logs
  ○ SELinux logs useful data to /var/log/audit
  ○ Logs contain both "success" and "failed" states
  ○ Logs contain what process, path, etc. was requested
  ○ 'audit2allow' tool can be used to convert failures to new policy files

type=USER_ACCT msg=audit(1505846486.456:2508): pid=24770 uid=0 auid=1000 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_succeed_if acct="root" exe="/usr/bin/su" hostname=centos7 addr=? terminal=pts/0 res=success'
type=CRED_ACQ msg=audit(1505846486.456:2509): pid=24770 uid=0 auid=1000 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_rootok acct="root" exe="/usr/bin/su" hostname=centos7 addr=? terminal=pts/0 res=success'
type=USER_START msg=audit(1505846486.465:2510): pid=24770 uid=0 auid=1000 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_xauth acct="root" exe="/usr/bin/su" hostname=centos7 addr=? terminal=pts/0 res=success'
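Added example, not from the slides: a shell function that pulls the AVC denial records for the mongod process out of an audit log, which are the same records 'audit2allow' turns into a policy module. The audit lines below are constructed for this example in auditd's record format; the process name is a parameter.

```shell
# Added example (not from the slides): list SELinux AVC denials for the mongod
# process from an audit log, i.e. the records 'audit2allow' would turn into policy.
# The log below is constructed for this example in auditd's record format.

# Constructed sample: two denials for mongod, one PAM success record and one
# denial for sshd that must not be attributed to mongod.
make_sample_audit_log() {
    cat > "$1" <<'EOF'
type=AVC msg=audit(1505846490.101:2601): avc:  denied  { write } for  pid=24801 comm="mongod" name="mongod.log" dev="dm-0" ino=8812 scontext=system_u:system_r:mongod_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file permissive=0
type=USER_ACCT msg=audit(1505846490.102:2602): pid=24770 uid=0 auid=1000 ses=1 msg='op=PAM:accounting acct="root" exe="/usr/bin/su" res=success'
type=AVC msg=audit(1505846490.103:2603): avc:  denied  { name_bind } for  pid=24801 comm="mongod" src=27018 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1505846490.104:2604): avc:  denied  { read } for  pid=3310 comm="sshd" name="authorized_keys" scontext=system_u:system_r:sshd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
EOF
}

# selinux_denials <audit.log> [process name, default mongod]
# One line per denial: <permission(s)> <tclass> <target> <tcontext> permissive=<0|1>
# 'target' is name= (files) or src= (ports); '-' when the record has neither.
selinux_denials() {
    awk -v proc="${2:-mongod}" '
    /^type=AVC / && /avc:  denied/ && index($0, "comm=\"" proc "\"") {
        perm = $0; sub(/.*denied +[{] */, "", perm); sub(/ *[}].*/, "", perm)
        target = "-"; tclass = "-"; tcon = "-"; mode = "-"
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "name" || kv[1] == "src") target = kv[2]
            else if (kv[1] == "tclass")            tclass = kv[2]
            else if (kv[1] == "tcontext")          tcon = kv[2]
            else if (kv[1] == "permissive")        mode = kv[2]
        }
        gsub(/"/, "", target)
        print perm, tclass, target, tcon, "permissive=" mode
    }' "$1"
}

# Number of denials for the process; 0 means the policy already fits the workload.
selinux_denial_count() { selinux_denials "$@" | awk 'END { print NR }'; }
```

On a live host, `ausearch -m AVC -c mongod` yields the same records from /var/log/audit/audit.log, and a non-zero count after a permissive test run is the input to review before running audit2allow.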

Page 15: MongoDB Bind Address

● A configuration variable controlling the listen address of MongoDB
  ○ 'net.bindIp' YAML-config field
  ○ '--bindIp' mongod command-line flag
● Defaults
  ○ Before 3.5/3.6 MongoDB will listen on all interfaces by default
  ○ 3.5+ default bindIp is 'localhost'
  ○ Risks
    ■ Addition of interfaces can add attack surface (VMs, etc.)
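Added example (not from the slides): a shell audit of mongod.conf for the net.bindIp setting on this slide, plus the security.authorization, security.keyFile and net.ssl.mode settings the earlier slides call for. The YAML flattener assumes the simple two-space-indented nested maps mongod.conf uses (no lists or quoted values); the weak sample config is constructed.

```shell
# Added example (not from the slides): audit mongod.conf for the listen address
# (slide 15) and the auth, keyFile and TLS settings the earlier slides require.
# Constructed sample config showing the weak settings the slides warn about.
make_sample_conf() {
  cat > "$1" <<'EOF'
net:
  port: 27017
  bindIp: 0.0.0.0
security:
  authorization: disabled
EOF
}
# Flatten mongod's nested-map YAML into dotted key=value lines (2-space indent, no lists).
yaml_flat() {
  awk '/^[ ]*#/ || /^[ ]*$/ { next }
  { match($0, /^ */); depth = RLENGTH / 2; line = substr($0, RLENGTH + 1)
    key = line; sub(/:.*/, "", key); val = line; sub(/^[^:]*:[ ]*/, "", val)
    path[depth] = key; if (val == "") next
    full = path[0]; for (d = 1; d <= depth; d++) full = full "." path[d]
    print full "=" val }' "$1"
}
# Value of one dotted key, empty when unset.
mongod_conf_get() {
  yaml_flat "$1" | awk -F= -v k="$2" '$1 == k { print substr($0, length(k) + 2) }'
}
# conf_expect <conf> <key> <value|nonempty> <reason>: prints OK/FAIL, exit status 0/1.
conf_expect() {
  have=$(mongod_conf_get "$1" "$2")
  if { [ "$3" = nonempty ] && [ -n "$have" ]; } || [ "$have" = "$3" ]; then
    echo "OK   $2=$have"; return 0
  fi
  echo "FAIL $2='$have': $4"; return 1
}
# Full audit: listen address plus auth / keyFile / TLS mode; returns 1 on any finding.
mongod_conf_audit() {
  conf=$1; rc=0
  bind=$(mongod_conf_get "$conf" net.bindIp)
  [ -n "$bind" ] || { echo "FAIL net.bindIp unset: pre-3.6 default is all interfaces"; rc=1; }
  for ip in $(printf '%s' "$bind" | tr ',' ' '); do
    case "$ip" in
      0.0.0.0|::) echo "FAIL net.bindIp includes $ip: listens on all interfaces"; rc=1 ;;
      *)          echo "OK   net.bindIp includes $ip" ;;
    esac
  done
  conf_expect "$conf" security.authorization enabled "enable auth on production installs" || rc=1
  conf_expect "$conf" security.keyFile nonempty "no internal auth between nodes" || rc=1
  conf_expect "$conf" net.ssl.mode requireSSL "use strict (requireSSL) mode" || rc=1
  return $rc
}
```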

Page 16: Firewalls

● Firewall Solutions
  ○ Software (IPTables)
    ■ Drawback: software, can be compromised!
  ○ Hardware (Routers/etc.)
● Single TCP port
  ○ MongoDB Client API
  ○ MongoDB Replication API
  ○ MongoDB Sharding API
● Sharding Considerations
  ○ Only the 'mongos' process needs access to shard 'mongod' servers
  ○ Client driver does not need to reach shards directly, only 'mongos'
● Replica Set Considerations
  ○ All nodes must be accessible to the driver

Page 17: Firewalls (continued)

● Secure NTP Daemon
  ○ Mitigate NTP reflection attacks
    ■ Firewall NTP server by source IP / host

Page 18: Network Architecture

● Creating a dedicated network segment for Databases is recommended
● DO NOT allow MongoDB to talk to the internet at all costs!!!
  ○ A compromised database is usually:
    ■ Dumped in its entirety
    ■ Uploaded to an external system via Public Internet routes
    ■ Ransom, public-exposure, etc.
● Denying Access to the Internet
  ○ Ensure MongoDB network segment is routable
  ○ Remove the default-gateway on database hosts
    ■ 'UG' route in routing table
    ■ Only specify routes to database segment, e.g. 10.10.0.0/16
  ○ Ensure important repos are available in-datacenter
  ○ Physical Segmentation (VLANs, etc.)
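Added example (not from the slides): a shell check of a host's IPv4 routing table for the 'UG' default route and for gateway routes that lead outside the approved segments, run here over a constructed 'route -n' table. The allowed CIDRs are parameters; a real run would feed it `route -n` output.

```shell
# Added example (not from the slides): check a host's IPv4 routing table against
# slide 18's rule (no default gateway; only routes to approved segments). The
# table below is constructed in 'route -n' format; the allowed CIDRs are parameters.

make_sample_routes() {
    cat > "$1" <<'EOF'
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.10.1.1       0.0.0.0         UG    100    0        0 eth0
10.10.0.0       0.0.0.0         255.255.0.0     U     100    0        0 eth0
10.20.0.0       10.10.1.1       255.255.0.0     UG    100    0        0 eth0
172.16.0.0      10.10.1.1       255.255.0.0     UG    100    0        0 eth0
EOF
}

# route_audit <route -n output> "<cidr> [<cidr> ...]"; returns 1 on any finding.
# Only gateway routes (flag G, the 'UG' entries) are judged; link routes (U) are local.
route_audit() {
    awk -v allow="$2" '
    function ip2n(s,  o) { split(s, o, "."); return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4] }
    function inside(ip,  i) {      # destination falls within one of the allowed prefixes?
        for (i = 1; i <= n; i++) if (int(ip2n(ip) / span[i]) == net[i]) return 1
        return 0
    }
    BEGIN {
        n = split(allow, a, " ")
        for (i = 1; i <= n; i++) {
            split(a[i], c, "/"); span[i] = 2 ^ (32 - c[2]); net[i] = int(ip2n(c[1]) / span[i])
        }
    }
    $1 ~ /^[0-9]/ && $4 ~ /G/ {
        if ($1 == "0.0.0.0")  { print "FAIL default gateway via " $2 " on " $8 ": internet reachable"; bad++ }
        else if (!inside($1)) { print "FAIL route " $1 "/" $3 " via " $2 " leaves allowed segments"; bad++ }
        else                    print "OK   route " $1 "/" $3 " via " $2
    }
    END { exit (bad > 0) }' "$1"
}
```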

Page 19: Network Architecture

● VLANs
  ○ Move replication to a dedicated VLAN
    ■ Use replication-only DNS / IPs in rs.conf() / Replica Set configuration
    ■ Bind 'mongod' to both the Replication and Client-facing network interface
  ○ Firewall what clients can access the Client-facing IP
    ■ May reduce the need for SSL (can be expensive on CPU)

Page 20: Other

● Intrusion Detection (IDS)
  ○ Open Source solutions
    ■ Snort: https://www.snort.org/
      ● Utilizes Packet-sniffing to detect attacks / threats
    ■ Suricata: https://suricata-ids.org/

Page 21: Thank You Sponsors!

Page 22: SAVE THE DATE!

CALL FOR PAPERS OPENING SOON!
www.perconalive.com

April 23-25, 2018
Santa Clara Convention Center

Page 23: Questions?