MongoDB Security Checklist - percona.com · Golang. Log File: PSMDB Log Redaction Percona Server...
Transcript of MongoDB Security Checklist - percona.com · Golang. Log File: PSMDB Log Redaction Percona Server...
{name: “tim”,lastname: “vaillancourt”,employer: “percona”,techs: [
“mongodb”,“mysql”,“cassandra”,“redis”,“rabbitmq”,“solr”,“mesos”“kafka”,“couch*”,“python”,“golang”
]}
`whoami`
Agenda
● Authorization● External Authentication● SSL / TLS Encryption● Filesystem Security● SELinux● Network Security
Security
● Security is becoming more pressing almost every day
● Example: 2017 MongoDB Ransom Attacks○ Publicly accessible hosts
compromised remotely○ Database data uploaded off
of the network
Security
● MongoDB Ransom Attacks○ Database data was then
deleted○ A MongoDB document is
left behind as a ransom note, demanding $$$
○ Your security approach had to be very weak
Authorization: Role-based Security
● Always enable auth on Production Installs!○ Default enabled on 3.5 / 3.6+!
● Built-in Roles○ Database User: Read or Write data from collections
■ “All Databases” or Single-database○ Database Admin○ Backup and Restore○ Cluster Admin○ Superuser/Root
Authorization: Role-based Security
● User-Defined Roles○ Exact Resource+Action specification○ Very fine-grained ACLs
■ Action + DB + Collection specific● Helper script for PSMDB(!):
percona-server-mongodb-enable-auth.sh
Authorization: Client/Server Address Filters
● A new feature in MongoDB/PSMDB 3.6+
● Client Source Filtering○ Allows filtering of client source address
by IP or IP-range (CIDR)● Server Address Filtering
○ Allows filtering of client destination address by IP/IP-range
Internal Authentication
● File-based key used to authenticate inter-node connections○ File can contain any string/bytes
● File must be the same on all○ ‘mongod’ instances○ ‘mongod’ config servers○ ‘mongos’ shard routers
● Enabled / Specified using○ ‘security.keyFile: <file>’ in YAML-based config○ ‘--keyFile <file>’ as a command-line flag
LDAP
● LDAP Authentication○ Supported in PSMDB and MongoDB Enterprise
■ PSDMB implementation != MongoDB Enterprise implementation○ The following components are necessary for external authentication to work
■ LDAP Server■ SASL Daemon■ SASL Library
○ More on this here:https://www.percona.com/blog/2017/11/06/mongodb-security-using-ldap-authentication/
LDAP
● LDAP Authentication○ Creating a User:
db.getSiblingDB("$external").createUser( {user : christian, roles: [{role: "read", db: "test"} ]} );
○ Authenticating as a User:
db.getSiblingDB("$external").auth({ mechanism:"PLAIN", user:"christian", pwd:"secret", digestPassword:false})
○ Other auth methods possible with MongoDB Enterprise binaries
SSL / TLS Connections
● SSL / TLS Connections○ Supported since MongoDB 2.6x
■ May need to compile-in yourself on older binaries■ Supported 100% in Percona Server for MongoDB
○ Minimum of 128-bit key length for security○ Relaxed and strict (requireSSL) modes○ System (default) or Custom Certificate Authorities are
accepted
SSL / TLS Connections
● SSL Client Authentication (x509)○ MongoDB supports x.509 certificate authentication for use with
a secure TLS/SSL connection as of 2.6.x.○ The x.509 client authentication allows clients to authenticate to
servers with certificates rather than with a username and password.
○ Enabled with ‘security.clusterAuthMode: x509’ in config file
Filesystem Attack-Surface
● Use a service user+group (‘mongod’ or ‘mongodb’ on most systems)○ Ensure data path, log file and key file(s) are owned by this
user+group● Data Path
○ Mode: 0750
Filesystem Attack-Surface
● Log File○ Mode: 0640○ Contains real queries and their fields!!!
■ See Log Redaction for PSMDB (or MongoDB Enterprise) to remove these fields
● Key File(s)○ Files Include: keyFile and SSL certificates or keys○ Mode: 0600
Encryption at Rest
● MongoDB Enterprise○ Encryption supported in Enterprise binaries ($$$)
● Percona Server for MongoDB○ Use CryptFS/LUKS block device for encryption of data
volume○ Documentation published (or coming soon)○ Completely open-source / Free
Encryption at Rest
● Application-Level○ Selectively encrypt only required fields in application○ Benefits
■ The data is only readable by the application (reduced touch points)■ The resource cost of encryption is lower when it’s applied
selectively■ Offloading of encryption overhead from database
System Access
● Recommended to restrict system access to Database Administrators
● A “shell” on a system can be enough to take the system over!
● Why is this risky?○ Shells can execute local attacks on software vulnerabilities○ Access to root or filesystem paths is not necessarily required
System Access
● Packages to Remove / Uninstall○ GCC (GNU C Compiler)
■ This is often used to build local attacks○ Generic scripting languages (wherever possible)
■ Python■ Perl■ Ruby■ Golang
Log File: PSMDB Log Redaction
● Percona Server for MongoDB feature○ Also available in MongoDB Enterprise
binaries● Allows the redaction of values in
logging of server queries, commands, etc
● Useful for PCI compliance, etc● Beware: debug log-level will still
expose user data!
Auditing: PSMDB AuditLog
● Free, open-source PSMDB feature○ MongoDB Enterprise feature ($$$)
● Provides○ Authentication and authorization○ Cluster operations○ Read and write operations
Auditing: PSMDB AuditLog
● Provides○ Schema operations○ Custom application messages (if configured)
● Writes to BSON files on disk○ Read data with ‘bsondump --pretty’○ Ensure directory NOT world-readable!
MongoDB Bind Address
● A configuration variable controlling the listen address of MongoDB○ ‘net.bindIp’ YAML-config field○ --bindIp mongod command-line flag
● Defaults○ Before 3.5/3.6 MongoDB will listen on all
interfaces by default○ 3.5+ default bindIp is ‘localhost’○ Risks
■ Addition of interfaces can add attack surface (VMs, etc)
Firewalls
● Firewall Solutions○ Software (IPTables)
■ Drawback: software, can be compromised!○ Hardware (Routers/etc)
● Single TCP port○ MongoDB Client API○ MongoDB Replication API○ MongoDB Sharding API
Firewalls
● Sharding Considerations○ Only the ‘mongos’ process needs access to
shard ‘mongod’ servers○ Client driver does not need to reach shards
directly, only ‘mongos’● Replica Set Considerations
○ All nodes must be accessible to the driver● Secure NTP Daemon
○ Mitigate NTP reflection attacks○ Restrict access to NTP
SELinux
● That thing every Stackoverflow / Forum tells you to just disable● Very effective at reducing attack surface on host● ACL-based “policies” control what is allowed on a system● Modes
○ Enforcing: Don’t allow policy violations○ Permissive: Allow policy violations and log them○ Disabled: You really don’t like security
SELinux
● Relatively simple to deploy on Linux Database servers○ Database hosts are usually single-purpose○ Databases need very little filesystem access (only data dir, log dir and
config files)● Percona Server for MongoDB support
○ Built-in CentOS / RHEL 7+ RPMs support (others are planned)○ Works 100% with ‘Enforcing’ Mode SELinux
■ Default Mode on CentOS 7.x
SELinux
● Troubleshooting Logs○ SELinux logs useful data to /var/log/audit○ Logs contain both “success” and “failed” states○ Logs contain what process, path, etc was requested○ ‘audit2allow’ tool can be used to convert failures to new policy files
type=USER_ACCT msg=audit(1505846486.456:2508): pid=24770 uid=0 auid=1000 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_succeed_if acct="root" exe="/usr/bin/su" hostname=centos7 addr=? terminal=pts/0 res=success'type=CRED_ACQ msg=audit(1505846486.456:2509): pid=24770 uid=0 auid=1000 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_rootok acct="root" exe="/usr/bin/su" hostname=centos7 addr=? terminal=pts/0 res=success'type=USER_START msg=audit(1505846486.465:2510): pid=24770 uid=0 auid=1000 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_xauth acct="root" exe="/usr/bin/su" hostname=centos7 addr=? terminal=pts/0 res=success'
Network Architecture
● Creating a dedicated network segment for Databases is recommended● DO NOT allow MongoDB to talk to the internet at all costs!!!
○ A compromised database is usually:■ Dumped in it’s entirety■ Uploaded to an external system via Public Internet routes■ Ransom, public-exposure, etc
Network Architecture
● Denying Access to the Internet○ Ensure MongoDB network segment is routable○ Remove the default-gateway on database hosts
■ ‘UG’ route in routing table■ Only specify routes to database segment, eg: 10.10.0.0/16
○ Ensure hardware routers don’t provide public-internet routes to databases○ Ensure important software repositories are available in-datacenter
Network Architecture
● VLANs○ Move replication to a dedicated VLAN
■ Use replication-only DNS / IPs in Replica Set configuration
■ Bind ‘mongod’ to both the Replication and Client-facing networks● Firewall what clients can access the Client-facing IP
■ May reduce the need for SSL (can be expensive on CPU)● Software Defined Networking
○ A great method of reducing attack surface
Application Firewalls / Other
● Application Firewalling○ Web Application Firewalling (WAF)
■ Nginx● naxsi:
https://github.com/nbs-system/naxsi■ Apache HTTPD
● mod_security: https://www.modsecurity.org/
■ Akamai Prolexic ($$$)