MongoDB Security Checklist
Tim Vaillancourt, Sr. Technical Operations Architect, Percona
`whoami`
{name: "tim", lastname: "vaillancourt", employer: "percona",
 techs: ["mongodb", "mysql", "cassandra", "redis", "rabbitmq", "solr", "python", "golang"]}
Agenda
● Authorization
● External Authentication
● SSL / TLS Encryption
● Filesystem Security
● SELinux
● Network Security
Security
● Security is becoming more pressing almost every day
● "MongoDB Ransomware"
  ○ Publicly accessible hosts, with or without auth
    ■ Reachable over internal and external routes
  ○ Database data uploaded off-network
  ○ Database data deleted entirely!
  ○ A single document left behind asking for a ransom payment to the hacking group's Bitcoin address
  ○ Analogous to leaving your front door unlocked
Authorization
● Always enable auth on production installs!
  ○ Not enabled by default in MongoDB Community; what changed in 3.5 / 3.6 is the default bind address (localhost), which limits exposure but is not authentication
● Built-in roles
  ○ Database user: read or write data in collections
    ■ "All databases" or a single database
  ○ Database admin
  ○ Backup and restore
  ○ Cluster admin
  ○ Superuser / root
● User-defined roles
  ○ Exact resource + action specification
  ○ Very fine-grained ACLs
    ■ Action + database + collection specific
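The user-defined role described above, as an added example that is not part of the original deck: a role granting an application read/write on one collection and read-only on another, the matching user, and a small evaluator that applies MongoDB's documented resource-matching rules so you can see why the role denies everything else. The database, collection, role and user names are hypothetical. Under mongosh the last block actually creates the role and user; under plain Node.js the definitions are just data.

```javascript
// Added example, not code from the deck. Names (shop, orders, products,
// ordersAppRole, ordersApp) are placeholders.

// Command document for db.runCommand() on the database that owns the role.
function buildAppRole(dbName) {
  return {
    createRole: "ordersAppRole",
    privileges: [
      // read + write on exactly one collection
      { resource: { db: dbName, collection: "orders" },
        actions: ["find", "insert", "update"] },
      // read-only on a second collection; no remove/drop anywhere
      { resource: { db: dbName, collection: "products" },
        actions: ["find"] },
    ],
    roles: [],   // inherits no built-in roles
  };
}

// Command document for db.runCommand() on the same database.
function buildAppUser(dbName, password) {
  return {
    createUser: "ordersApp",
    pwd: password,
    roles: [{ role: "ordersAppRole", db: dbName }],
  };
}

// Resource matching as MongoDB documents it for privilege resource documents:
//   { db: "",  collection: "" }   -> every collection in every normal database
//   { db: "x", collection: "" }   -> every collection in database x
//   { db: "",  collection: "c" }  -> collection c in every database
//   { db: "x", collection: "c" }  -> exactly x.c
//   { cluster: true }             -> cluster-wide actions, never collections
//   { anyResource: true }         -> everything (internal use only)
function resourceMatches(res, target) {
  if (res.anyResource) return true;
  if (res.cluster !== undefined) return target.cluster === true;
  if (target.cluster) return false;
  const dbOk = res.db === "" || res.db === target.db;
  const collOk = res.collection === "" || res.collection === target.collection;
  return dbOk && collOk;
}

// Does this privilege list authorise `action` on `target`?
function isAuthorized(privileges, target, action) {
  return privileges.some(p => resourceMatches(p.resource, target) && p.actions.includes(action));
}

// Inside mongosh `db` exists, so create the role and user for real.
if (typeof db !== "undefined") {
  const appDb = db.getSiblingDB("shop");
  appDb.runCommand(buildAppRole("shop"));
  appDb.runCommand(buildAppUser("shop", "change-me"));
}
```

Run it with `mongosh -u root -p --authenticationDatabase admin create-app-role.js` (or load it from a mongosh session) to create the objects; `db.getRole("ordersAppRole", { showPrivileges: true })` then shows exactly the two resource+action pairs and nothing more.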
Internal Authentication
● File-based key used to authenticate inter-node connections
  ○ Contents: 6 to 1024 characters from the base64 character set (whitespace is ignored); generate it randomly, e.g. with openssl rand -base64 756
  ○ Must be readable only by the mongod user (mode 0600): mongod refuses to start if group or world permission bits are set
  ○ Enabling a keyFile also enables client authorization
● File must be the same on all
  ○ 'mongod' instances
  ○ 'mongod' config servers
  ○ 'mongos' shard routers
● Enabled / specified using
  ○ 'security.keyFile: <file>' in the YAML-based config
  ○ '--keyFile <file>' as a command-line flag
LDAP
● LDAP authentication
  ○ Supported in PSMDB and MongoDB Enterprise
  ○ The following components are necessary for external authentication to work
    ■ LDAP server: remotely stores all user credentials (i.e. user name and associated password)
    ■ SASL daemon (saslauthd): used as a MongoDB server-local proxy for the remote LDAP service
    ■ SASL library: used by the MongoDB client and server to create authentication mechanism-specific data
  ○ Creating a user (it lives in the $external database; no password is stored in MongoDB):
    db.getSiblingDB("$external").createUser({ user: "christian", roles: [{ role: "read", db: "test" }] });
  ○ Authenticating as a user:
    db.getSiblingDB("$external").auth({ mechanism: "PLAIN", user: "christian", pwd: "secret", digestPassword: false })
  ○ The PLAIN mechanism sends the password in cleartext, so only use it over a TLS connection
  ○ Other auth methods possible with MongoDB Enterprise
SSL / TLS Connections
● SSL / TLS connections
  ○ Supported since MongoDB 2.6.x
    ■ May need to compile it in yourself on older binaries
    ■ Supported 100% in Percona Server for MongoDB
  ○ Minimum of 128-bit key length for security
  ○ Relaxed (allowSSL / preferSSL) and strict (requireSSL) modes; only requireSSL rejects plaintext connections
  ○ System (default) or custom Certificate Authorities are accepted
● SSL client authentication (x.509)
  ○ MongoDB supports x.509 certificate authentication for use with a secure TLS/SSL connection as of 2.6.x
  ○ x.509 client authentication allows clients to authenticate to servers with certificates rather than with a username and password
    ■ The client is a user in the $external database named after the certificate subject, authenticated with the MONGODB-X509 mechanism; the server needs 'net.ssl.CAFile' to validate the certificate
  ○ 'security.clusterAuthMode: x509' in the config file is the related setting for inter-node (membership) authentication, replacing the keyFile with member certificates
Filesystem Attack-Surface
● Use a service user + group ('mongod' or 'mongodb' on most systems)
  ○ Ensure the data path, log file and key file(s) are owned by this user + group
● Data path
  ○ Mode: 0750
● Log file
  ○ Mode: 0640
  ○ Contains real queries and their fields!!!
    ■ See log redaction for PSMDB (or MongoDB Enterprise) to remove these fields
● Key file(s)
  ○ Files include: keyFile and SSL certificates or keys
  ○ Mode: 0600
Encryption at Rest
● MongoDB Enterprise
  ○ Encryption supported in Enterprise binaries ($$$)
● Percona Server for MongoDB
  ○ Use a dm-crypt/LUKS (cryptsetup) block device for encryption of the data volume
  ○ Documentation published (or coming soon)
  ○ Completely open-source / free
● Application-level
  ○ Selectively encrypt only the required fields in the application
  ○ Benefits
    ■ The data is only readable by the application (reduced touch points)
    ■ The resource cost of encryption is lower when it is applied selectively
    ■ Offloads the encryption overhead from the database
System Access
● Recommended to restrict system access to database administrators
● A "shell" on a system can be enough to take the system over!
● Why is this risky?
  ○ Shells can execute local attacks on software vulnerabilities
  ○ Access to root or to filesystem paths is not necessarily required
● Packages to remove / uninstall
  ○ GCC (GNU C Compiler)
    ■ Often used to build local attacks
  ○ Generic scripting languages (wherever possible)
    ■ Python
    ■ Perl
    ■ Ruby
SELinux
● That thing every Stack Overflow / forum post tells you to just disable
● Very effective at reducing attack surface on the host
● Type-enforcement "policies" (labels on processes, files and ports) control what each process is allowed to do on the system
● Modes
  ○ Enforcing: don't allow policy violations
  ○ Permissive: allow policy violations and log them
  ○ Disabled: you really don't like security
● Relatively simple to deploy on Linux database servers
  ○ Database hosts are usually single-purpose
  ○ Databases need very little filesystem access (only the data dir, log dir and config files)
● Percona Server for MongoDB support
  ○ Built-in CentOS / RHEL 7+ RPM support (others are planned)
SELinux
● Percona Server for MongoDB support
  ○ Works 100% with 'Enforcing' mode SELinux (the default mode on CentOS 7.x)
● Troubleshooting logs
  ○ SELinux logs useful data to /var/log/audit/audit.log
  ○ Logs contain both "success" and "failed" states
  ○ Logs contain which process, path, etc. was requested
  ○ The 'audit2allow' tool can be used to convert failures (type=AVC denial records) into new policy modules
  ○ Example records from an su session (type=USER_ACCT, CRED_ACQ and USER_START; one record per line):
type=USER_ACCT msg=audit(1505846486.456:2508): pid=24770 uid=0 auid=1000 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_succeed_if acct="root" exe="/usr/bin/su" hostname=centos7 addr=? terminal=pts/0 res=success'
type=CRED_ACQ msg=audit(1505846486.456:2509): pid=24770 uid=0 auid=1000 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_rootok acct="root" exe="/usr/bin/su" hostname=centos7 addr=? terminal=pts/0 res=success'
type=USER_START msg=audit(1505846486.465:2510): pid=24770 uid=0 auid=1000 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_xauth acct="root" exe="/usr/bin/su" hostname=centos7 addr=? terminal=pts/0 res=success'
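The troubleshooting step above, as an added example that is not part of the original deck: a parser for audit.log records that splits each line into its key=value fields and pulls out the SELinux AVC denials raised for the mongod domain, which is the set of lines you would review and, only for the legitimate ones, feed to audit2allow. The first record is the slide's own USER_ACCT line; the three AVC lines are constructed samples, and the domain name mongod_t is the one PSMDB's policy uses, assumed here. A denial with permissive=1 means the access was allowed but logged (Permissive mode); with permissive=0 it was actually blocked.

```javascript
// Added example, not code from the deck. The AVC lines below are constructed.
const SAMPLE_AUDIT_LOG = [
  `type=USER_ACCT msg=audit(1505846486.456:2508): pid=24770 uid=0 auid=1000 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_succeed_if acct="root" exe="/usr/bin/su" hostname=centos7 addr=? terminal=pts/0 res=success'`,
  `type=AVC msg=audit(1505846490.123:2511): avc:  denied  { write } for  pid=24901 comm="mongod" name="mongod.log" dev="dm-0" ino=4711 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0`,
  `type=AVC msg=audit(1505846491.500:2512): avc:  denied  { name_connect } for  pid=24901 comm="mongod" dest=27018 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1`,
  `type=AVC msg=audit(1505846492.000:2513): avc:  denied  { read } for  pid=31337 comm="curl" name="shadow" dev="dm-0" ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0`,
];

// Parse one record into { type, time, serial, fields } with quoted values
// unquoted; AVC records additionally get `decision` and `permissions`.
function parseAuditRecord(line) {
  const head = /^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$/.exec(line);
  if (!head) return null;
  const rec = { type: head[1], time: Number(head[2]), serial: Number(head[3]), fields: {} };
  const rest = head[4];
  const avc = /^avc:\s+(\w+)\s+\{([^}]*)\}\s+for\s+(.*)$/.exec(rest);
  let kv = rest;
  if (avc) {
    rec.decision = avc[1];                         // "denied" or "granted"
    rec.permissions = avc[2].trim().split(/\s+/);  // e.g. ["write"]
    kv = avc[3];
  }
  // key=value pairs: double-quoted, single-quoted (PAM msg='...') or bare.
  for (const m of kv.matchAll(/(\w+)=("([^"]*)"|'([^']*)'|(\S+))/g)) {
    rec.fields[m[1]] = m[3] !== undefined ? m[3] : m[4] !== undefined ? m[4] : m[5];
  }
  return rec;
}

// Denials whose source context is the given SELinux domain (type field,
// third colon-separated element of scontext), summarised for review.
function mongodDenials(lines, domain = "mongod_t") {
  return lines.map(parseAuditRecord)
    .filter(r => r && r.type === "AVC" && r.decision === "denied")
    .filter(r => (r.fields.scontext || "").split(":")[2] === domain)
    .map(r => ({
      serial: r.serial,
      comm: r.fields.comm,
      permissions: r.permissions,
      tclass: r.fields.tclass,
      target: r.fields.name || r.fields.dest || "?",
      tcontext: r.fields.tcontext,
      blocked: r.fields.permissive === "0",
    }));
}
```

On a real host, read the lines with `fs.readFileSync("/var/log/audit/audit.log", "utf8").split("\n")` (as root) and pipe only the serials you have judged legitimate through `ausearch -a <serial> | audit2allow -M mongod_local`; a denial like the second sample (mongod writing a file labelled var_log_t) usually means the log path is mislabelled and wants `restorecon`, not a new allow rule.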
MongoDB Bind Address
● A configuration variable controlling the listen address of MongoDB
  ○ 'net.bindIp' YAML-config field
  ○ '--bindIp' mongod command-line flag
● Defaults
  ○ Before 3.5 / 3.6 MongoDB listens on all interfaces by default
  ○ 3.5+ default bindIp is 'localhost'
● Risks
  ○ Adding interfaces (VMs, etc.) adds attack surface: bind only the loopback and the database-segment address, never 0.0.0.0
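The Authorization, Internal Authentication, SSL/TLS and Bind Address settings above, as one added example that is not part of the original deck: a deliberately weak mongod.conf beside a hardened one, both written as the object form of the YAML, and a lint function that reports which checklist items a config fails. Option names are MongoDB's own (the net.ssl.* spelling of the 3.x series the deck targets; 4.2 and later also accept net.tls.* with requireTLS and certificateKeyFile, which the linter recognises too). The file paths and the 10.10.1.5 address are placeholders.

```javascript
// Added example, not code from the deck. Paths and addresses are placeholders.

// Weak: listens everywhere, no auth, no keyFile, no TLS section at all.
const WEAK_CONFIG = {
  net: { port: 27017, bindIp: "0.0.0.0" },
  security: {},                                         // authorization unset => disabled
  storage: { dbPath: "/var/lib/mongo" },
};

// Hardened: loopback + database-segment address only, auth on, keyFile for
// members, TLS required with a CA for validating peers and clients.
const HARDENED_CONFIG = {
  net: {
    port: 27017,
    bindIp: "127.0.0.1,10.10.1.5",
    ssl: { mode: "requireSSL", PEMKeyFile: "/etc/mongod/server.pem", CAFile: "/etc/mongod/ca.pem" },
  },
  security: { authorization: "enabled", keyFile: "/etc/mongod/keyfile", clusterAuthMode: "keyFile" },
  storage: { dbPath: "/var/lib/mongo" },
};

// Returns the failed checklist items; an empty list means the config passes.
function lintMongodConfig(cfg) {
  const findings = [];
  const net = cfg.net || {};
  const sec = cfg.security || {};
  const tls = net.tls || net.ssl || {};
  const tlsMode = tls.mode || "disabled";

  if (sec.authorization !== "enabled")
    findings.push("security.authorization is not 'enabled': anyone who can reach the port has full access");
  if (!sec.keyFile && sec.clusterAuthMode !== "x509")
    findings.push("no security.keyFile (or clusterAuthMode x509): members are not authenticated to each other");

  // bindIp unset means localhost on 3.6+; earlier versions listened on all interfaces.
  const addrs = String(net.bindIp === undefined ? "localhost" : net.bindIp).split(",").map(s => s.trim());
  if (net.bindIpAll || addrs.includes("0.0.0.0") || addrs.includes("::"))
    findings.push("net.bindIp listens on all interfaces: every new interface (VM NICs, etc.) becomes attack surface");

  if (!["requireSSL", "requireTLS"].includes(tlsMode))
    findings.push(`TLS mode is '${tlsMode}': only requireSSL/requireTLS refuses plaintext connections`);
  else if (!tls.PEMKeyFile && !tls.certificateKeyFile)
    findings.push("TLS required but no server certificate (PEMKeyFile/certificateKeyFile) configured");

  return findings;
}
```

The equivalent hardened YAML is what the object spells out: `net.bindIp: 127.0.0.1,10.10.1.5`, `net.ssl.mode: requireSSL` with `PEMKeyFile` and `CAFile`, and `security.authorization: enabled` plus `security.keyFile`. Turning on requireSSL before every client and member has certificates cuts them off, so roll it out via allowSSL, then preferSSL, then requireSSL, and run the linter against the final state.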
Firewalls
● Firewall solutions
  ○ Software (iptables)
    ■ Drawback: software on the host, so it can be compromised along with it!
  ○ Hardware (routers, etc.)
● Single TCP port (27017 by default)
  ○ MongoDB client API
  ○ MongoDB replication API
  ○ MongoDB sharding API
● Sharding considerations
  ○ Only the 'mongos' process needs access to the shard 'mongod' servers (shards and 'mongos' also need the config servers, and shards need each other for chunk migrations)
  ○ The client driver does not need to reach shards directly, only 'mongos'
● Replica set considerations
  ○ All nodes must be accessible to the driver
● Secure the NTP daemon
  ○ Mitigate NTP reflection attacks
    ■ Firewall the NTP server by source IP / host
Network Architecture
● Creating a dedicated network segment for databases is recommended
● DO NOT allow MongoDB to talk to the internet, at all costs!!!
  ○ A compromised database is usually:
    ■ Dumped in its entirety
    ■ Uploaded to an external system via public internet routes
    ■ Ransomed, publicly exposed, etc.
● Denying access to the internet
  ○ Ensure the MongoDB network segment is routable only to the segments it needs
  ○ Remove the default gateway on database hosts
    ■ The 'UG' route in the routing table
    ■ Only specify routes to the database segment, e.g. 10.10.0.0/16
  ○ Ensure important repos are available in-datacenter
  ○ Physical segmentation (VLANs, etc.)
Network Architecture
● VLANs
  ○ Move replication to a dedicated VLAN
    ■ Use replication-only DNS names / IPs in rs.conf() / the replica set configuration
    ■ Bind 'mongod' to both the replication and the client-facing network interface
  ○ Firewall which clients can access the client-facing IP
    ■ May reduce the need for SSL (can be expensive on CPU); a private VLAN limits who can reach the traffic but does not encrypt it
Other
● Intrusion detection (IDS)
  ○ Open-source solutions
    ■ Snort: https://www.snort.org/
      ● Uses packet sniffing to detect attacks / threats
    ■ Suricata: https://suricata-ids.org/
Thank You Sponsors!
SAVE THE DATE!
CALL FOR PAPERS OPENING SOON! www.perconalive.com
April 23-25, 2018, Santa Clara Convention Center
Questions?