Question

I run mongoaudit on a server. Those are the failed results:

[screenshot of the failed mongoaudit checks; image not included on this page]

I don't wish to hide my version number. In my opinion this is security through obscurity:

In security engineering, security through obscurity (or security by obscurity) is the reliance on the secrecy of the design or implementation as the main method of providing security for a system or component of a system. A system or component relying on obscurity may have theoretical or actual security vulnerabilities, but its owners or designers believe that if the flaws are not known, that will be sufficient to prevent a successful attack. Security experts have rejected this view as far back as 1851, and advise that obscurity should never be the only security mechanism.

What do other MongoDB experts do?


How to whitelist networks? I wish to do that, but only know about net.bindIp. This only says which virtual NIC mongod listens on. Are there options to restrict a subnet?


Solution

I don't wish to hide my version number. In my opinion this is security through obscurity.

Hiding version details is not security through obscurity unless that is the main security measure you rely on. Exposed version details can allow an attacker to easily identify known security issues rather than having to probe for them. Forcing an attacker to test for known exploits may be useful for an Intrusion Detection System to detect and handle obvious malicious attempt signatures.

I would consider this a low risk if you are following other best practices (e.g. limiting network exposure, actively applying security updates, monitoring for intrusion attempts). Putting a reverse proxy in front of your MongoDB deployment may also add unwelcome operational complexity for server discovery and failover.

How to whitelist networks? I wish to do that, but only know about net.bindIp. This only says which virtual NIC mongod listens on. Are there options to restrict a subnet?

As you've noted, MongoDB's bindIP configuration only determines which NIC IP addresses the server listens on (not the client IPs that are allowed to connect). To limit network exposure you need to configure solutions at the operating system and/or network infrastructure level (e.g. firewalls or VPNs).

The current version of mongoaudit includes a link to some suggested resources depending on where your MongoDB deployment is hosted: How to Configure Allowed Hosts, Firewall, Whitelisting and Blacklisting in MongoDB.

For more information, also see Hardening Network Infrastructure and the Security Checklist in the MongoDB documentation.
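The distinction the answer draws (net.bindIp picks the addresses mongod listens on; restricting which clients may connect is a host-firewall or network job) as an added example, not code from the original post or from MongoDB itself. The POSIX shell script below validates a CIDR, prints the iptables rules that would allow only that subnet to reach port 27017 and drop everything else, and prints the matching mongod.conf net section. It prints rather than applies the rules, so it runs offline; the function names valid_cidr, mongo_firewall_rules and mongod_net_config, the subnet 192.168.10.0/24 and the listen address 10.0.0.5 are all constructed placeholders.

```shell
#!/bin/sh
# Added example: host-firewall allowlist for MongoDB plus the matching bindIp.
# Nothing here is applied; the functions only print configuration text.

MONGO_PORT=27017

# Accept only a dotted-quad IPv4 CIDR (a.b.c.d/n, each octet 0..255, 0<=n<=32).
# Rejecting anything else keeps untrusted input out of the generated rules.
valid_cidr() {
    case "$1" in
        *[!0-9./]*|"") return 1 ;;
    esac
    ip=${1%/*}
    len=${1#*/}
    [ "$ip" != "$1" ] || return 1                       # prefix length is required
    [ "$len" -ge 0 ] 2>/dev/null && [ "$len" -le 32 ] || return 1
    dots=$(printf '%s' "$ip" | tr -cd '.' | wc -c | tr -d ' ')
    [ "$dots" -eq 3 ] || return 1
    oldifs=$IFS
    IFS=.
    set -- $ip
    IFS=$oldifs
    for o in "$@"; do
        [ -n "$o" ] && [ "$o" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# Print (do not apply) iptables rules: allow the trusted subnet to open
# connections to 27017, drop every other inbound packet for that port.
mongo_firewall_rules() {
    cidr=$1
    valid_cidr "$cidr" || { echo "invalid CIDR: $cidr" >&2; return 1; }
    cat <<EOF
iptables -A INPUT -p tcp --dport $MONGO_PORT -s $cidr -j ACCEPT
iptables -A INPUT -p tcp --dport $MONGO_PORT -j DROP
EOF
}

# Print the mongod.conf net section. bindIp is a listening address, not a
# client allowlist: the firewall rules above are what restrict clients.
mongod_net_config() {
    cat <<EOF
net:
  port: $MONGO_PORT
  bindIp: $1
EOF
}

# Constructed placeholder values for a stand-alone run.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    mongo_firewall_rules 192.168.10.0/24 || exit 1
    mongod_net_config 10.0.0.5
fi
```

Apply the printed rules only after an existing ACCEPT for established connections and a review of the rest of the chain; the same two lines translate directly to ufw (`ufw allow from 192.168.10.0/24 to any port 27017 proto tcp`) or to a cloud security group, which is what the mongoaudit link in the answer points at.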

License: CC-BY-SA with attribution
Not affiliated with dba.stackexchange