MongoDB is a popular NoSQL database system commonly used as a backend for web applications.

Problem

Access to a MongoDB server should be restricted to trusted systems. If a MongoDB server is openly accessible from the Internet, an attacker can take advantage of this to access the server and modify or delete data, or even obtain sensitive information like customer data from an online shop.

Verification

In this section, we show how to check a host for an openly accessible service. All tests are performed using tools commonly included with standard Linux/Unix distributions. To verify the service is openly accessible from the Internet, the test should not be run on the host itself or the local network but instead from a different node on the Internet, for example a host on a cable/DSL line. In all examples, replace 192.168.45.67 with the IP address of the host to check.

To check if a MongoDB server is openly accessible from the Internet, the MongoDB client tool 'mongo' can be used as follows:

$ mongo --host 192.168.45.67

If a connection to the MongoDB server was successfully established, the output looks like:

MongoDB shell version: 2.4.10

connecting to: 192.168.45.67:27017/test

>

Otherwise the connection will run into a timeout:

Fri Feb  5 10:25:42 Error: couldn't connect to server 192.168.45.67:27017 shell/mongo.js:86

exception: connect failed

Solution

• Do not expose your MongoDB server to the Internet!
• Restrict access to the MongoDB server to trusted systems (e. g., the web application server) in the server's configuration and/or by blocking incoming connections from the Internet to port 27017/tcp on the firewall.
• Check the security best practices provided by the MongoDB developers.
• Keep your MongoDB installation up-to-date. Install available security updates asap.

Further information

• SecurityWeek: Thousands of MongoDB Databases Found Exposed on the Internet
• BleepingComputer: MongoDB Databases Held for Ransom by Mysterious Attacker