{"id":947,"date":"2018-12-27T23:55:05","date_gmt":"2018-12-27T23:55:05","guid":{"rendered":"https:\/\/www.appservgrid.com\/paw93\/?p=947"},"modified":"2018-12-28T19:47:25","modified_gmt":"2018-12-28T19:47:25","slug":"securing-a-containerized-instance-of-mongodb","status":"publish","type":"post","link":"https:\/\/www.appservgrid.com\/paw93\/index.php\/2018\/12\/27\/securing-a-containerized-instance-of-mongodb\/","title":{"rendered":"Securing a Containerized Instance of MongoDB"},"content":{"rendered":"

\"Securing\nMongoDB\"MongoDB, the popular
\nopen source NoSQL database, has been in the news a lot recently\u2014and
\nnot for reasons that are good for MongoDB admins. Early this year,
\nreports began
\nappearing<\/a>
\nof MongoDB databases being \u201ctaken hostage\u201d by attackers who delete all
\nof the data stored inside the databases, then demand ransoms to restore
\nit. Security is always important, no matter which type of database
\nyou\u2019re using. But the recent spate of MongoDB attacks makes it
\nespecially crucial to secure any MongoDB databases that you may use as
\npart of your container stack. This article explains what you need to
\nknow to keep MongoDB secure when it is running as a container. We\u2019ll go
\nover how to close the vulnerability behind the recent ransomware attacks
\nusing a MongoDB container while the container is running\u2014as well as
\nhow to modify a MongoDB Dockerfile to change the default behavior
\npermanently.<\/p>\n

Why the Ransomware Happened: MongoDB\u2019s Default Security Configuration<\/h3>\n

\"\"<\/a>
\nRegister now for free online training on deploying containers with
\nRancher The ransomware attacks against MongoDB weren\u2019t
\nenabled by a flaw inherent in MongoDB itself, per se, but rather by some
\nweaknesses that result from default configuration parameters in an
\nout-of-the-box installation of MongoDB. By default, MongoDB databases,
\nunlike most other popular database platforms, don\u2019t require login
\ncredentials. That means anyone can log into the database and start
\nmodifying or removing data. Securing a MongoDB Container In order to
\nmitigate that vulnerability and run a secure containerized instance of
\nMongoDB, follow the steps below. Start a MongoDB instance First of
\nall, start a MongoDB instance in Docker using the most up-to-date image
\navailable. Since Docker uses the most recent image by default, a simple
\ncommand like this will start a MongoDB instance based on an up-to-date
\nimage:<\/p>\n

docker run –name mongo-database -d mongo<\/p>\n

Create a secure MongoDB account Before disabling password-less
\nauthentication to MongoDB, we need to create an account that we can use
\nto log in after we change the default settings. To do this, first log
\ninto the MongoDB container with:<\/p>\n

docker exec -it mongo-database bash<\/p>\n

Then, from inside the container, log into the MongoDB admin interface:<\/p>\n

Now, enter this stanza of code and press Enter:<\/p>\n

use admin
\ndb.createUser(
\n{
\nuser: “db_user”,
\npwd: “your_super_secure_password”,
\nroles: [ { role: “userAdminAnyDatabase”, db: “admin” } ]
\n}
\n)<\/p>\n

This creates a MongoDB user with username db_user and password
\nyour_super_secure_password (Feel free to change this, of course, to
\nsomething more secure!) The user has admin privileges. Changing
\ndefault behavior in Dockerfile If you want to make the MongoDB process
\nstart with authentication required by default all of the time, you can
\ndo so by editing the Dockerfile used to build the container. To do this
\nlocally, we\u2019ll first pull the MongoDB Dockerfile from GitHub with:<\/p>\n

git clone https:\/\/github.com\/dockerfile\/mongodb<\/p>\n

Now, cd into the mongodb directory that Git just created and open the
\nDockerfile inside using your favorite text editor. Look for the
\nfollowing section of the Dockerfile:<\/p>\n

# Define default command.
\nCMD [“mongod”]<\/p>\n

Change this to:<\/p>\n

# Define default command.
\nCMD [“mongod –auth”]<\/p>\n

This way, when mongodb is called when the container starts, it will run
\nwith the –auth flag by default.<\/p>\n

Conclusion<\/h3>\n

If you follow the steps above, you\u2019ll be able to run MongoDB as a Docker
\ncontainer without becoming one of the tens of thousands of admins whose
\nMongoDB databases were wiped out and held for ransom by attackers. And
\nthere really is not much to it, other than being aware of the
\nvulnerabilities inherent in a default MongoDB installation and the steps
\nfor resolving them. Chris Riley (@HoardingInfo) is a technologist who
\nhas spent 12 years helping organizations transition from traditional
\ndevelopment practices to a modern set of culture, processes and tooling.
\nIn addition to being a research analyst, he is an O\u2019Reilly author,
\nregular speaker, and subject matter expert in the areas of DevOps
\nstrategy and culture. Chris believes the biggest challenges faced in the
\ntech market are not tools, but rather people and planning.<\/em><\/p>\n

Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

MongoDB, the popular open source NoSQL database, has been in the news a lot recently\u2014and not for reasons that are good for MongoDB admins. Early this year, reports began appearing of MongoDB databases being \u201ctaken hostage\u201d by attackers who delete all of the data stored inside the databases, then demand ransoms to restore it. Security … <\/p>\n

Continue reading “Securing a Containerized Instance of MongoDB”<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-947","post","type-post","status-publish","format-standard","hentry","category-kubernetes"],"_links":{"self":[{"href":"https:\/\/www.appservgrid.com\/paw93\/index.php\/wp-json\/wp\/v2\/posts\/947","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.appservgrid.com\/paw93\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.appservgrid.com\/paw93\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw93\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw93\/index.php\/wp-json\/wp\/v2\/comments?post=947"}],"version-history":[{"count":1,"href":"https:\/\/www.appservgrid.com\/paw93\/index.php\/wp-json\/wp\/v2\/posts\/947\/revisions"}],"predecessor-version":[{"id":986,"href":"https:\/\/www.appservgrid.com\/paw93\/index.php\/wp-json\/wp\/v2\/posts\/947\/revisions\/986"}],"wp:attachment":[{"href":"https:\/\/www.appservgrid.com\/paw93\/index.php\/wp-json\/wp\/v2\/media?parent=947"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw93\/index.php\/wp-json\/wp\/v2\/categories?post=947"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw93\/index.php\/wp-json\/wp\/v2\/tags?post=947"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}