Some of you may already know *lots* of MongoDB servers are compromised as we speak. That’s sad. But in a way, it’s not. It’s just the very predictable consequence of sheer incompetence. Here’s a reminder on the very basics of database server security.
- Lock the admin account with a f*cking password you moron!
- Create another admin account under another name that one would hardly think is an admin account and then delete the original admin account. Hackers expect that most server are installed with the default features/accounts. They will look for admin, sysadmin, system, administrator, etc and the like. They will most likely not check for butterfly, user7342 or whateverElse.
- Be creative! Everyone knows MySQL is listening to port 3306, DB/2 to 50000 and PostgreSQL to 5432. Hackers know that too. Never install your server on the default port! Give ’em a hard time figuring out what database server is installed and where they can get in!
- Remove everything you do not need. That sample database, that test database and all that crap that is installed by default and that you don’t need is just another tool hackers can use, for SQL injection for instance. Don’t facilitate the hacker’s job!
- Don’t wait. Install security updates as soon as they are made available.
- Permissions are a must. Learn to use GRANT and REVOKE. And use them!
- Monitor your servers. It’s not because your instance has been up and running for 302 straight days that things are OK! Your server could have been compromised for 301 days and you still don’t know if you don’t monitor it!
- Stay informed. There are lots of mailing lists, discussion forums, IRC channels, free eBooks, YouTube videos of seminars and conferences, etc about database security. It’s free! You have no excuse!
- Remember advice #1 : lock the admin account with a f*cking password you moron! A very strong password!