In this blog post, we’ll look at some of the concerns recently seen around MongoDB ransomware and security issues.
Security blogs and magazines have recently been aflutter with the news that a hacker is stealing data from MongoDB instantiations and demanding bitcoins to get the data back. This sounds pretty bad at first glance, but let’s examine the facts.
The hacker needs a few things to pull this off:
- MongoDB is running on default ports
- MongoDB is not using authentication
- MongoDB is accessible on the Internet with no security groups or firewalls
If this sounds familiar, you might remember a similar flurry occurred last year when people counted the number of open MongoDB installs on the web. That required these same conditions to all be true. This also means the solution is the same: you simply need to make sure you follow the normal security practices of locking down ports and using authentication. Not so scary after all, right?
What does this hack look like?
Finding out if this happened is simple: your data is removed and gone! In its place, you will find a “WARNING” database, which holds a “WARNING” collection. This collection has a document that looks like:
```js
{
  "_id" : ObjectId("5859a0370b8e49f123fcc7da"),
  "note" : "SEND 0.2 BTC TO THIS ADDRESS 13zaxGVjj9MNc2jyvDRhLyYpkCh323MsMq AND CONTACT THIS EMAIL WITH YOUR IP OF YOUR SERVER TO RECOVER YOUR DATABASE !"
}
```
To fix this, you will hopefully have backups. If you don’t, you might want to look at https://www.percona.com/blog/
So, backup!
But this brings us to the real question: can you be hijacked? It’s pretty easy to check:
- Do you have authentication on? Try running this command:
```js
rs1:PRIMARY> if (db.adminCommand('getCmdLineOpts').parsed.security === undefined ||
...              db.adminCommand('getCmdLineOpts').parsed.security.authorization === undefined ||
...              db.adminCommand('getCmdLineOpts').parsed.security.authorization == "disabled") {
...   print("Auth not enabled!")
... } else {
...   print("You're safe!")
... }
Auth not enabled!
```
- Are you running on a non-default port? Simply run this command (if you’re using 27017 or 29017, you’re using a default port):
```js
rs1:PRIMARY> db.adminCommand('getCmdLineOpts').parsed.net.port
27001
```
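The two shell one-liners above answer the question for one server interactively. As an added example (not code from the Percona post), the plain JavaScript below applies the same two checks to the object that `db.adminCommand('getCmdLineOpts').parsed` returns, and also implements the symptom check from the "What does this hack look like?" section (a WARNING database holding a WARNING collection with a ransom note). It goes slightly beyond the post in two ways: it treats a configured `security.keyFile` as enabling authorization, which the comment thread on this post points out the one-liner misses, and it flags the other well-known MongoDB-family default ports alongside 27017. The input objects (`sampleOpenConfig`, `sampleKeyFileConfig`, `sampleHardened`, `sampleDumps`) are constructed for the example so it runs without a server; in the mongo shell you would build them from `getCmdLineOpts`, `db.getMongo().getDBNames()`, `getCollectionNames()` and `find()`.

```javascript
// Added example, not from the Percona post: offline versions of the post's two
// config checks plus its ransomware indicator, run over constructed input.

// Ports MongoDB components listen on when no port is configured: 27017 (mongod/mongos,
// the one the post names), 27018 (--shardsvr), 27019 (--configsvr), 28017 (legacy HTTP status).
const DEFAULT_PORTS = new Set([27017, 27018, 27019, 28017]);

// True when client authentication is enforced. Besides the explicit
// security.authorization setting the post checks, a keyFile (internal/cluster
// auth) also turns on client authorization, as the comment thread notes.
function authEnabled(parsed) {
  const security = (parsed && parsed.security) || {};
  if (security.authorization === 'enabled') return true;
  if (security.authorization === 'disabled') return false;
  return typeof security.keyFile === 'string' && security.keyFile.length > 0;
}

// Port actually in use: net.port when set, otherwise mongod's 27017 default.
function listeningPort(parsed) {
  const net = (parsed && parsed.net) || {};
  return Number.isInteger(net.port) ? net.port : 27017;
}

// Summarise the two configuration conditions the post says the attack relies on.
function assessCmdLineOpts(parsed) {
  const enabled = authEnabled(parsed);
  const port = listeningPort(parsed);
  const findings = [];
  if (!enabled) findings.push('Auth not enabled!');
  if (DEFAULT_PORTS.has(port)) findings.push(`Listening on default port ${port}`);
  return { authEnabled: enabled, port, findings };
}

// Indicator check for the post's symptom: a WARNING database with a WARNING
// collection whose document carries a ransom note mentioning BTC.
// `dumps` has the shape { dbName: { collectionName: [documents] } }.
function findRansomNote(dumps) {
  const hits = [];
  for (const [dbName, collections] of Object.entries(dumps)) {
    for (const [collName, docs] of Object.entries(collections)) {
      for (const doc of docs) {
        const note = typeof doc.note === 'string' ? doc.note : '';
        if (dbName === 'WARNING' && collName === 'WARNING' && /\bBTC\b/i.test(note)) {
          hits.push({ db: dbName, collection: collName, note });
        }
      }
    }
  }
  return hits;
}

// Constructed sample inputs (not captured from a real server).
const sampleOpenConfig = { net: { port: 27017 } };               // no security block at all
const sampleKeyFileConfig = { net: { port: 27001 }, security: { keyFile: '/etc/mongo.key' } };
const sampleHardened = { net: { port: 27001 }, security: { authorization: 'enabled' } };
const sampleDumps = {
  WARNING: { WARNING: [{ note: 'SEND 0.2 BTC TO THIS ADDRESS <placeholder> TO RECOVER YOUR DATABASE !' }] },
  app: { users: [{ name: 'alice' }] },
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(assessCmdLineOpts(sampleOpenConfig));   // auth missing, default port
  console.log(assessCmdLineOpts(sampleKeyFileConfig)); // keyFile implies auth
  console.log(findRansomNote(sampleDumps));            // one hit
}
```

Run it with `node` to see the three results. The keyFile branch is the deliberate deviation from the post's one-liner: a server started with `--keyFile` but no explicit `authorization` line reports "Auth not enabled!" to the one-liner but `authEnabled: true` here.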
The last part is a bit harder if the other two are both false. You will need to spin up a server outside of your environment and test the connection. I suggest an Amazon EC2 Micro instance (it’s very inexpensive – free if you use a new account), and it’s simple to install a MongoDB client on it. Check your setup:
- Login to Amazon and launch an EC2 node.
- Open a shell to this node (this can be done via their website).
- Get MongoDB’s binaries:
```sh
wget -q --show-progress https://fastdl.mongodb.org/linux/mongodb-linux-x86_64-amazon-3.4.1.tgz
gzip -d mongodb-linux-x86_64-amazon-3.4.1.tgz
# tar -C needs the target directory to exist before extracting into it
mkdir -p 3.4
tar xf mongodb-linux-x86_64-amazon-3.4.1.tar -C 3.4 --strip-components=1
```
- Try and connect to your MongoDB Server
```sh
./3.4/bin/mongo --host <your_host_name> --port <your_mongod_port>
```
If this connects, and you can run “db.serverStatus()”, you are at risk and should enable authentication ASAP!
We will have a blog out shortly on the particulars of creating a user. To enable authentication, you simply need to add `--auth` to your startup, or the following to your YAML config file:
```yaml
security:
  authorization: enabled
```
This should get you started on correctly protecting yourself against MongoDB ransomware (and other security threats). If you want to have someone review your security, or even help you use LDAP to tie into your main authentication systems, please contact us.
It seems that the command to check if authentication is “on” doesn’t take into account if you use internal authentication with the --keyFile option, which enables client authentication by default (at least from what I see).
You’re right, it could have been better to have used getParameter to check if the running config had changed this due to the key file. However, it is still best practice to set both in the config file, and the goal was to make this simple and quick for a general check. If someone used a key file they would know they had done this and it implied auth:true.