MongoDB Security Checklist

Transcription

1 MongoDB Security Checklist Tim Vaillancourt Sr Technical Operations Architect, Percona Speaker Name

2 `whoami` { name: tim, lastname: vaillancourt, employer: percona, techs: [ mongodb, mysql, cassandra, redis, rabbitmq, solr, mesos kafka, couch*, python, golang ] }

3 Agenda Authorization External Authentication SSL / TLS Encryption Filesystem Security SELinux Network Security

4 Security Security is becoming more pressing almost every day Example: 2017 MongoDB Ransom Attacks Publicly accessible hosts compromised remotely Database data uploaded off of the network

5 Security MongoDB Ransom Attacks Database data was then deleted A MongoDB document is left behind as a ransom note, demanding $$$ Your security approach had to be very weak

6 Security

7 Authorization: Role-based Security Always enable auth on Production Installs! Default enabled on 3.5 / 3.6+! Built-in Roles Database User: Read or Write data from collections All Databases or Single-database Database Admin Backup and Restore Cluster Admin Superuser/Root

8 Authorization: Role-based Security User-Defined Roles Exact Resource+Action specification Very fine-grained ACLs Action + DB + Collection specific Helper script for PSMDB(!): percona-server-mongodb-enable-auth.sh

9 Authorization: Client/Server Address Filters A new feature in MongoDB/PSMDB 3.6+ Client Source Filtering Allows filtering of client source address by IP or IP-range (CIDR) Server Address Filtering Allows filtering of client destination address by IP/IP-range

10 Internal Authentication File-based key used to authenticate inter-node connections File can contain any string/bytes File must be the same on all mongod instances mongod config servers mongos shard routers Enabled / Specified using security.keyfile: <file> in YAML-based config --keyfile <file> as a command-line flag

11 LDAP LDAP Authentication Supported in PSMDB and MongoDB Enterprise PSDMB implementation!= MongoDB Enterprise implementation The following components are necessary for external authentication to work LDAP Server SASL Daemon SASL Library More on this here:

12 LDAP LDAP Authentication Creating a User: db.getsiblingdb("$external").createuser( {user : christian, roles: [{role: "read", db: "test"} ]} ); Authenticating as a User: db.getsiblingdb("$external").auth({ mechanism:"plain", user:"christian", pwd:"secret", digestpassword:false}) Other auth methods possible with MongoDB Enterprise binaries

13 SSL / TLS Connections SSL / TLS Connections Supported since MongoDB 2.6x May need to compile-in yourself on older binaries Supported 100% in Percona Server for MongoDB Minimum of 128-bit key length for security Relaxed and strict (requiressl) modes System (default) or Custom Certificate Authorities are accepted

14 SSL / TLS Connections SSL Client Authentication (x509) MongoDB supports x.509 certificate authentication for use with a secure TLS/SSL connection as of 2.6.x. The x.509 client authentication allows clients to authenticate to servers with certificates rather than with a username and password. Enabled with security.clusterauthmode: x509 in config file

15 Filesystem Attack-Surface Use a service user+group ( mongod or mongodb on most systems) Ensure data path, log file and key file(s) are owned by this user+group Data Path Mode: 0750

16 Filesystem Attack-Surface Log File Mode: 0640 Contains real queries and their fields!!! See Log Redaction for PSMDB (or MongoDB Enterprise) to remove these fields Key File(s) Files Include: keyfile and SSL certificates or keys Mode: 0600

17 Encryption at Rest MongoDB Enterprise Encryption supported in Enterprise binaries ($$$) Percona Server for MongoDB Use CryptFS/LUKS block device for encryption of data volume Documentation published (or coming soon) Completely open-source / Free

18 Encryption at Rest Application-Level Selectively encrypt only required fields in application Benefits The data is only readable by the application (reduced touch points) The resource cost of encryption is lower when it s applied selectively Offloading of encryption overhead from database

19 System Access Recommended to restrict system access to Database Administrators A shell on a system can be enough to take the system over! Why is this risky? Shells can execute local attacks on software vulnerabilities Access to root or filesystem paths is not necessarily required

20 System Access Packages to Remove / Uninstall GCC (GNU C Compiler) This is often used to build local attacks Generic scripting languages (wherever possible) Python Perl Ruby Golang

21 Log File: PSMDB Log Redaction Percona Server for MongoDB feature Also available in MongoDB Enterprise binaries Allows the redaction of values in logging of server queries, commands, etc Useful for PCI compliance, etc Beware: debug log-level will still expose user data!

22 Log File: PSMDB Log Redaction

23 Auditing: PSMDB AuditLog Free, open-source PSMDB feature MongoDB Enterprise feature ($$$) Provides Authentication and authorization Cluster operations Read and write operations

24 Auditing: PSMDB AuditLog Provides Schema operations Custom application messages (if configured) Writes to BSON files on disk Read data with bsondump --pretty Ensure directory NOT world-readable!

25 MongoDB Bind Address A configuration variable controlling the listen address of MongoDB net.bindip YAML-config field --bindip mongod command-line flag Defaults Before 3.5/3.6 MongoDB will listen on all interfaces by default 3.5+ default bindip is localhost Risks Addition of interfaces can add attack surface (VMs, etc)

26 Firewalls Firewall Solutions Software (IPTables) Drawback: software, can be compromised! Hardware (Routers/etc) Single TCP port MongoDB Client API MongoDB Replication API MongoDB Sharding API

27 Firewalls Sharding Considerations Only the mongos process needs access to shard mongod servers Client driver does not need to reach shards directly, only mongos Replica Set Considerations All nodes must be accessible to the driver Secure NTP Daemon Mitigate NTP reflection attacks Restrict access to NTP

28 SELinux That thing every Stackoverflow / Forum tells you to just disable Very effective at reducing attack surface on host ACL-based policies control what is allowed on a system Modes Enforcing: Don t allow policy violations Permissive: Allow policy violations and log them Disabled: You really don t like security

29 SELinux Relatively simple to deploy on Linux Database servers Database hosts are usually single-purpose Databases need very little filesystem access (only data dir, log dir and config files) Percona Server for MongoDB support Built-in CentOS / RHEL 7+ RPMs support (others are planned) Works 100% with Enforcing Mode SELinux Default Mode on CentOS 7.x

30 SELinux Troubleshooting Logs SELinux logs useful data to /var/log/audit Logs contain both success and failed states Logs contain what process, path, etc was requested audit2allow tool can be used to convert failures to new policy files type=user_acct msg=audit( :2508): pid=24770 uid=0 auid=1000 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=pam:accounting grantors=pam_succeed_if acct="root" exe="/usr/bin/su" hostname=centos7 addr=? terminal=pts/0 res=success' type=cred_acq msg=audit( :2509): pid=24770 uid=0 auid=1000 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=pam:setcred grantors=pam_rootok acct="root" exe="/usr/bin/su" hostname=centos7 addr=? terminal=pts/0 res=success' type=user_start msg=audit( :2510): pid=24770 uid=0 auid=1000 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=pam:session_open grantors=pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_xauth acct="root" exe="/usr/bin/su" hostname=centos7 addr=? terminal=pts/0 res=success'

31 Network Architecture Creating a dedicated network segment for Databases is recommended DO NOT allow MongoDB to talk to the internet at all costs!!! A compromised database is usually: Dumped in it s entirety Uploaded to an external system via Public Internet routes Ransom, public-exposure, etc

32 Network Architecture Denying Access to the Internet Ensure MongoDB network segment is routable Remove the default-gateway on database hosts UG route in routing table Only specify routes to database segment, eg: /16 Ensure hardware routers don t provide public-internet routes to databases Ensure important software repositories are available in-datacenter

33 Network Architecture VLANs Move replication to a dedicated VLAN Use replication-only DNS / IPs in Replica Set configuration Bind mongod to both the Replication and Client-facing networks Firewall what clients can access the Client-facing IP May reduce the need for SSL (can be expensive on CPU) Software Defined Networking A great method of reducing attack surface

34 Application Firewalls / Other Application Firewalling Web Application Firewalling (WAF) Nginx naxsi: Apache HTTPD mod_security: Akamai Prolexic ($$$)

35 Questions? DATABASE PERFORMANCE MATTERS