5 MongoDB Security Tips to Help Keep the Cats Away

Posted on: 29/07/2020 (last updated: 26/08/2021) by Kathryn Vargas
[Image: MongoDB security tips to help prevent a Meow attack. Photo by Tatyana Eremina on Unsplash]

The recent Meow attacks on unsecured MongoDB and Elasticsearch instances are yet another reminder that we need to properly secure our databases.

The Meow hackers don’t leave any ransom requests or notes, unlike those in previous MongoDB attacks. Their script simply deletes all data, first by dropping all collections, then creating new ones with the telltale meow string.

[Image: The telltale meow string in the recent hacking attacks. Source: @MayhemDayOne]

By July 24, 1,779 Elasticsearch and 701 MongoDB instances had already been meowed, according to Bob Diachenko. By July 25, the number had risen to almost 4,000 databases, which by then also included Redis, Cassandra, CouchDB, Hadoop, Jenkins, and open file-system instances.

The hacking attacks have claimed Zimbabwe’s leading online payments platform and a prominent open-source VPN as victims and appear likely to continue.

MongoDB security must be proactive, not reactive

At Studio 3T, we’ve received the occasional support ticket from customers whose databases were hacked, asking if we’ve maybe stored a backup of their data (we never do – we’re a MongoDB GUI). We know that MongoDB security is a top-of-mind concern that somehow falls through the cracks, so we’ve written a MongoDB security checklist to keep users on track.

There are two levels of MongoDB security. First there’s the database itself, which you can secure by enforcing user and role access control, using the right authentication mechanism, and limiting network exposure – the usual suspects.

But there’s also the client side, the handling of the actual data, which you can secure by enabling read-only mode at the connection or collection level and by using your own cryptographic key store to encrypt stored passwords, among other things.

No one wants to be hacked, but prevention requires action. Meow-proof your MongoDB (or MongoDB Atlas) instance today by taking these five easy steps on both the database and client side.

Database security best practices

1. Stop whitelisting 0.0.0.0 and limit network exposure to trusted IP addresses.

This is particularly relevant for MongoDB Atlas clusters, which require you to whitelist your IP address during setup.

Most users likely whitelist their current IP address at first – but IP addresses usually change over time. At some point, you’ll likely come across this error:

Could not connect to any servers in your MongoDB Atlas cluster. Make sure your current IP address is on your Atlas cluster's IP whitelist.

MongoDB Atlas has a default “Allow access from anywhere” option, which whitelists all IP addresses (0.0.0.0), an insecure option that grants access to everyone on the web. Do not use this.

[Image: Don't allow access from anywhere when setting up MongoDB Atlas]

More secure alternatives are to whitelist a specific range of IP addresses, to whitelist several individual addresses (such as your work and home IPs), or to update the whitelist with your current IP address whenever it changes.

2. Enable access control and grant users only the roles they need.

If you aren’t self-hosting your MongoDB server, then your MongoDB instance is already using SCRAM as a default authentication mechanism. With it in place, users are required to provide a login and password first to read or modify data – but what good is a mechanism with no one to authenticate?

If you’re the user administrator, put this preemptive security measure to use by creating additional users on your database and only granting the roles they need, a more secure alternative to passing connection strings around.

3. Enforce authentication – and remember you have options.

If you are self-hosting your MongoDB server, enable authentication before you expose it to the network. Out of the box, MongoDB sets bindIp to localhost – a default introduced in MongoDB 3.6 to enforce security – which means only processes on the same machine can reach your data. And as we’ve learned in #1, don’t fall for the easy workaround of setting bindIp to 0.0.0.0.

For users who need a more robust authentication mechanism than SCRAM, MongoDB also supports x.509, LDAP, and Kerberos.
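The following is an added example, not code from the Studio 3T post: a small posture check in plain Node.js that applies tips #1–#3 to a parsed mongod.conf (using MongoDB’s own configuration keys) and to a user list shaped like the output of db.getUsers(). The configuration objects, the 10.0.0.5 address and the user names are constructed sample data.

```javascript
// Added example, not from the Studio 3T post: a plain Node.js posture check for
// tips #1-#3. Inputs are constructed: a parsed mongod.conf object (the YAML keys
// MongoDB uses) and a user list shaped like the output of db.getUsers().users.

// Roles that reach beyond a single application database. Tip #2 is to grant
// only the roles a user needs, so any of these on an app user is flagged.
const BROAD_ROLES = new Set([
  "root", "readAnyDatabase", "readWriteAnyDatabase", "userAdminAnyDatabase",
  "dbAdminAnyDatabase", "clusterAdmin", "clusterManager", "hostManager",
]);

// Tips #1 and #3: mongod must not listen on every interface, and
// security.authorization must be "enabled" before the server is reachable.
function auditConfig(conf) {
  const findings = [];
  const net = conf.net || {};
  const addrs = String(net.bindIp ?? "127.0.0.1").split(",").map((s) => s.trim());
  if (net.bindIpAll === true || addrs.includes("0.0.0.0") || addrs.includes("::")) {
    findings.push("net.bindIp exposes mongod on all interfaces");
  }
  if (!conf.security || conf.security.authorization !== "enabled") {
    findings.push("security.authorization is not enabled");
  }
  return findings;
}

// Tip #2: flag broad roles and roles granted on a database other than the
// application database the user is meant to work in.
function auditUsers(users, appDb) {
  const findings = [];
  for (const u of users) {
    for (const r of u.roles) {
      if (BROAD_ROLES.has(r.role)) findings.push(`${u.user}: broad role ${r.role}`);
      else if (r.db !== appDb) findings.push(`${u.user}: ${r.role} on ${r.db}, not ${appDb}`);
    }
  }
  return findings;
}

// Constructed samples: the exposed, unauthenticated config beside the hardened one.
const WEAK_CONF = { net: { bindIp: "0.0.0.0", port: 27017 } };
const HARDENED_CONF = {
  net: { bindIp: "127.0.0.1,10.0.0.5", port: 27017 }, // 10.0.0.5: constructed app-subnet address
  security: { authorization: "enabled" },
};
const SAMPLE_USERS = [
  { user: "app", db: "inventory", roles: [{ role: "readWrite", db: "inventory" }] },
  { user: "legacy", db: "admin", roles: [{ role: "root", db: "admin" }] },
];
```

Running auditConfig(WEAK_CONF) reports both the open bind address and the missing authorization setting, while auditUsers(SAMPLE_USERS, "inventory") flags only the legacy root user.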

The first three points should already be sufficient Meow-proofing, but here are two additional security measures you can also take on the client side.

Client security best practices

4. Enable read-only mode on either connection or collection level.

Read-only mode within a GUI or client does not replace properly implemented access control.

However, it’s still a handy option to enable if you don’t want to mess anything up – say, production data you’ve rightfully been granted access to.

Studio 3T lets you enable read-only mode on MongoDB collections and connections, so you can query collections and explore results, with the peace of mind that nothing could be mistakenly edited.

5. Encrypt MongoDB passwords using your own cryptographic key store.

MongoDB offers encryption at rest, which encrypts the database’s data files so that they can only be decrypted and accessed by users holding the right decryption key – but it’s only available in MongoDB Enterprise.

An alternative is to use a third-party GUI that supports password encryption using your own cryptographic key store, a more secure way of handling stored passwords than the default mechanisms in place.

Learn how to secure your MongoDB database and download the whitepaper, MongoDB Security Checklist: Essential Tactics Against Data Breaches.



About The Author

Kathryn Vargas

When she's not writing about working with MongoDB, Kathryn spends her free time exploring Berlin's food scene, playing the drums, learning languages (current mission: German), and hiking.
