
Gera-IT Blog


How to protect your MongoDB from hacks?

January 16th, 2017

Recently, thousands of system administrators faced massive attacks on their MongoDB installations. The attackers gain access to the system, delete important data and demand a significant ransom.

Let us share some valuable advice on how to avoid such an unpleasant experience. During a recent server setup on one of our cloud services, our team found the following:


Surprisingly, an attempt to get remote access by simply connecting from a console was successful!

$ mongo --host 212.72<FILTERED>
MongoDB shell version v3.4.0
connecting to: mongodb://212.72<FILTERED>:27017/
MongoDB server version: 2.4.5
Welcome to the MongoDB shell.
For interactive help, type "help".
For more comprehensive documentation, see
http://docs.mongodb.org/
Questions? Try the support group
http://groups.google.com/group/mongodb-user
> show dbs
…

What does this mean? Anybody from the outside world has free access to your database and can do anything: drop an entire database, or fetch records containing information about your users and customers, their e-mails, phone numbers, addresses, etc.

Digging into MongoDB’s config (/etc/mongodb.conf), we couldn’t find a word about remote access. After some time spent googling, we found that it is at least possible to bind the database server to the local host by adding a line:

bind_ip = 127.0.0.1

After a server restart, access from outside was closed!

It appears that some versions of MongoDB installed through distribution packages have remote access enabled by default.


We were curious, and without hesitation we wrote a few lines in our beloved Ruby:

$ cat port_scanner.rb
require 'socket'
require 'mongo'

Mongo::Logger.logger.level = ::Logger::FATAL

TIMEOUT = 0.2 # seconds to wait for the TCP handshake

def scan_port(port, host = 'localhost')
  socket      = Socket.new(:INET, :STREAM)
  remote_addr = Socket.sockaddr_in(port, host)
  open        = false

  begin
    socket.connect_nonblock(remote_addr)
    open = true                      # connected at once (e.g. localhost)
  rescue Errno::EINPROGRESS
    # handshake in flight: the socket becomes writable when it finishes
    if IO.select(nil, [socket], nil, TIMEOUT)
      begin
        socket.connect_nonblock(remote_addr) # second call reports the outcome
      rescue Errno::EISCONN
        open = true
      rescue SystemCallError
        open = false                 # refused, unreachable, reset, ...
      end
    end
  rescue SocketError, Errno::EACCES
    open = false
  ensure
    socket.close
  end

  if open
    p "Port #{port} is open!!!"
  else
    # p "Port #{port} is closed"
    return
  end

  begin
    client = Mongo::Client.new(["#{host}:#{port}"],
                               :server_selection_timeout => 3,
                               :user => 'admin', :password => 'admin')
                               # :database => 'test')
    db = client.database
    p "Found collections:" if db.collections.count
    db.collections.each { |coll| p coll.name }
    client.close
  rescue Mongo::Error::NoServerAvailable => e
    p "Cannot connect to the server"
    p e
  end
end

PORT_LIST = [27017] # ,21,22,23,25,53,80,443,3306,8080]

ip_network = '176.58.**' # '*.*.*'

(0..255).each do |i|
  host = "#{ip_network}.#{i}"
  p "Scanning HOST #{host} ..."

  # one thread per port so the timeouts run in parallel
  threads = PORT_LIST.map { |port| Thread.new { scan_port(port, host) } }
  threads.each(&:join)
end

This turns up a sizeable list of open MongoDB databases; some of them require authorization, some are just backups, but they are still exposed. A more advanced attacker would use something like this:

$ sudo zmap -p 27017 -N 10000 -o ips.txt

and get a list of hosts around you with port 27017 (MongoDB’s default port) open:

166.23.**.**
70.202.**.**
124.173.**.**
163.191.**.**
49.139.**.**
147.196.**.**
159.121.**.**
23.226.**.**
180.43.**.**
143.114.**.**

Then feed them to nmap to get more information faster. Check this:

$ nmap -iL ips.txt -p27017 -sV -Pn -n -v
Starting Nmap 7.40 ( https://nmap.org ) at 2017-01-08 16:31 EET
NSE: Loaded 40 scripts for scanning.
Initiating Connect Scan at 16:31
Scanning 10 hosts [1 port/host]
Discovered open port 27017/tcp on 49.139.**.**
Discovered open port 27017/tcp on 159.121.**.**
Discovered open port 27017/tcp on 143.114.**.**
Completed Connect Scan at 16:31, 1.45s elapsed (10 total ports)
Initiating Service scan at 16:31
Scanning 3 services on 10 hosts
Completed Service scan at 16:32, 17.21s elapsed (3 services on 10 hosts)
NSE: Script scanning 10 hosts.
Initiating NSE at 16:32
Completed NSE at 16:32, 3.49s elapsed
Initiating NSE at 16:32
Completed NSE at 16:32, 2.09s elapsed

Nmap scan report for 166.23.**.**
Host is up.
PORT  	STATE	SERVICE VERSION
27017/tcp filtered mongod

Nmap scan report for 70.202.**.**
Host is up.
PORT  	STATE	SERVICE VERSION
27017/tcp filtered mongod

Nmap scan report for 124.173.**.**
Host is up.
PORT  	STATE	SERVICE VERSION
27017/tcp filtered mongod

Nmap scan report for 163.191.**.**
Host is up.
PORT  	STATE	SERVICE VERSION
27017/tcp filtered mongod

Nmap scan report for 49.139.**.**
Host is up (0.18s latency).
PORT  	STATE SERVICE VERSION
27017/tcp open  mongod?

Nmap scan report for 147.196.**.**
Host is up.
PORT  	STATE	SERVICE VERSION
27017/tcp filtered mongod

Nmap scan report for 159.121.**.**
Host is up (0.25s latency).
PORT  	STATE SERVICE	VERSION
27017/tcp open  tcpwrapped

Nmap scan report for 23.226.**.**
Host is up.
PORT  	STATE	SERVICE VERSION
27017/tcp filtered mongod

Nmap scan report for 180.43.**.**
Host is up.
PORT  	STATE	SERVICE VERSION
27017/tcp filtered mongod

Nmap scan report for 143.114.**.**
Host is up (0.26s latency).
PORT  	STATE SERVICE	VERSION
27017/tcp open  tcpwrapped

The hackers

Our simple investigation led us to tons of articles about hacked MongoDB databases all over the world!

We found a number of databases that had already been hacked.

Attackers are hijacking and wiping out unsecured MongoDB databases, but keeping a copy of them. They ask administrators for a ransom of up to 0.5 Bitcoin (which is around $530) to return the lost data, so admins without backups are left in a bind.


How to protect your MongoDB

  • Be sure NEVER EVER to leave your database open! At least remember the experience of related databases, like MySQL, where from the first launch you have to set a password for your root user and only THEN do what you want: open remote access, create other users and grant them permissions, etc.
  • Enable authentication, which provides ‘defense in depth’ if your network is compromised. Edit your MongoDB configuration file and set auth = true.
  • Use firewalls, and again: disable remote access to MongoDB if possible. Admins are advised to use firewalls to protect MongoDB installations by blocking access to port 27017.
  • Configure bind_ip: limit access to the server by binding only to local IP addresses.
  • Upgrade: administrators are strongly recommended to upgrade their software to the latest release (which is more secure at the moment, and should have restricted access enabled by default).
  • Follow the security checklist:
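The bind_ip fix found above and the checklist items on authentication and bind_ip can be checked mechanically before a server goes live. The following Ruby script is an added example, not part of the original post and not MongoDB’s own tooling: it reads a mongod configuration in either the legacy key = value format (as in the /etc/mongodb.conf above) or the YAML format used by newer packages, and reports whether the server listens on a wildcard address or runs without authentication. The sample configurations embedded in it are constructed for illustration, and the function and constant names are the example’s own.

```ruby
require 'yaml'

# Addresses that expose mongod on every interface (list chosen for this example)
WILDCARD_ADDRESSES = ['0.0.0.0', '::', '*'].freeze

# Legacy "key = value" format, as in the /etc/mongodb.conf of older packages
def parse_legacy(text)
  settings = {}
  text.each_line do |raw|
    line = raw.split('#', 2).first.strip   # drop comments and whitespace
    next if line.empty?
    key, value = line.split('=', 2)
    next if key.nil? || value.nil?
    settings[key.strip] = value.strip
  end
  settings
end

# Reduce either config format to the three settings the audit cares about
def load_config(text)
  data = begin
    YAML.safe_load(text)
  rescue Psych::Exception
    nil
  end

  if data.is_a?(Hash)                        # YAML format (net.bindIp, security.authorization)
    net      = data['net'] || {}
    security = data['security'] || {}
    bind     = net['bindIp']
    { bind_ip: bind && bind.to_s.split(',').map(&:strip),
      bind_ip_all: net['bindIpAll'] == true,
      auth: security['authorization'].to_s == 'enabled' }
  else                                       # legacy format (bind_ip, auth, noauth)
    settings = parse_legacy(text)
    bind     = settings['bind_ip']
    { bind_ip: bind && bind.split(',').map(&:strip),
      bind_ip_all: false,
      auth: settings['auth'] == 'true' && settings['noauth'] != 'true' }
  end
end

# Returns a list of findings; an empty list means both checks passed
def audit_mongod_config(text)
  cfg = load_config(text)
  findings = []

  if cfg[:bind_ip_all]
    findings << 'bindIpAll is true: mongod listens on every interface'
  elsif cfg[:bind_ip].nil?
    findings << 'bind_ip is not set: older packages then listen on all interfaces'
  elsif (bad = cfg[:bind_ip] & WILDCARD_ADDRESSES).any?
    findings << "bind_ip contains a wildcard address (#{bad.join(', ')}): reachable from outside"
  end

  unless cfg[:auth]
    findings << 'authentication is disabled: anyone who reaches the port can read or drop databases'
  end
  findings
end

# Constructed sample: the kind of legacy mongodb.conf found on the cloud server
WEAK_LEGACY = <<~CONF
  # mongodb.conf (legacy format)
  dbpath = /var/lib/mongodb
  logpath = /var/log/mongodb/mongodb.log
  logappend = true
CONF

HARDENED_LEGACY = <<~CONF
  dbpath = /var/lib/mongodb
  bind_ip = 127.0.0.1
  auth = true
CONF

# Constructed sample in the YAML format used by newer packages
WEAK_YAML = <<~CONF
  net:
    port: 27017
    bindIp: 0.0.0.0
  storage:
    dbPath: /var/lib/mongodb
CONF

HARDENED_YAML = <<~CONF
  net:
    port: 27017
    bindIp: 127.0.0.1
  security:
    authorization: enabled
CONF

if __FILE__ == $PROGRAM_NAME
  text = ARGV[0] ? File.read(ARGV[0]) : WEAK_LEGACY   # e.g. ruby audit.rb /etc/mongodb.conf
  findings = audit_mongod_config(text)
  if findings.empty?
    puts 'OK: bound to specific addresses and authentication enabled'
  else
    findings.each { |f| puts "WARN: #{f}" }
  end
end
```

Run it against the real config file path as the argument; a configuration that passes both checks still needs the firewall rule on port 27017 from the list above, since bind_ip only protects the interfaces mongod itself listens on.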

Be Gera-responsible.
