Another day, another breach. But this time an unsecured mongodb instance in the cloud.

What is Mongodb

MongoDB stores data in flexible, JSON-like documents, meaning fields can vary from document to document and data structure can be changed over time. Enabling users to perform ad-hoc queries, indexing and data aggregation in real-time.

Finding Mongo

By default Mongodb listens on TCP/27017, but it can depending on configuration also be found on 27018–27019.

In the fore mentioned breach Shodan was used to discover the vulnerable instance, and from our screenshot today there are approximately 59,503 accessible instances:

Security and Authentication Nightmare

By default mongodb has no authentication and all users have full read privileges.

If you create an admin user, this privileged account has full write access to all databases.

Also by default there is no encryption, and all communication is in clear-text.

Installing Mongo Client

On debian based systems this is as easy as:

sudo apt install mongodb-clients

You can then use mongo to connect to a mongodb service locally or across the internet.

List of Mongodb Operations

help                         ;show help
show dbs                     ;show database names
show collections             ;show collections in current database
show users                   ;show users in current database
show profile                 ;show most recent system.profile entries with time >= 1ms
use <db name>                ;set curent database to <db name>

db.addUser (username, password)

db.copyDatabase(fromdb, todb, fromhost)
db.createCollection(name, { size : ..., capped : ..., max : ... } )


db.currentOp() ;displays the current operation in the db

db.setProfilingLevel(level) ;0=off 1=slow 2=all


db.version() ;current version of the server

Adding Security

Authentication is stored in each database’s system.users collection. For example, on a database my_project, my_project.system.users will contain user information.

We should first configure an administrator user for the entire db server process. This user is stored under the special admin database.

If no users are configured in admin.system.users, one may access the database from the localhost interface without authenticating. Thus, from the server running the database (and thus on localhost), run the database shell and configure an administrative user:

$ ./mongo
> use admin
> db.addUser("theadmin", "4dm1np4ssw0rd")

We now have a user created for database admin. Note that if we have not previously authenticated, we now must if we wish to perform further operations, as there is a user in admin.system.users.

> db.auth("theadmin", "4dm1np4ssw0rd")

We can view existing users for the database with the command:

> db.system.users.find()

Now, let’s configure a “regular” user for another database.

> use my_project
> db.addUser("joe", "passwordForJoe")

Finally, let’s add a readonly user.

> use my_project
> db.addUser("guest", "passwordForGuest", true)

Adding Encryption through SSL

This has already been covered in Stampery’s blog post here, so we won’t repeat his work here:


Mongodb Audit

Stampery has created a useful program to audit your Mongodb’s for known vulnerabilities and mis-configurations:

  • or
    curl -s | bash


No company should want their Mongodb services accessible to the Internet. Obviously, there are more issues than Mongo’s default configuration of lack of security! Ideally Mongodb should not be publically accessible, but if necessary IP white-listing should be applied to firewall policies to only permit those hosts that require access to these potentially sensitive services.

Also visit Stampery’s blogs and Github repository for more information and support on hardening Mongodb.



Share on: