TR-32 - key-value store and NoSQL security recommendations

Overview

Key-value stores, caches and NoSQL databases have become an important piece of software in today’s internet and web services. In contrast to conventional DB systems, the security model of NoSQL data stores is often very limited, because they are designed to be used within internal trusted networks. Strong attention should be given to the configuration of key-value stores, especially regarding their access from the Internet.

General recommendations

  • Avoid listening and binding on all available network interfaces. If your key-value store is used on a single system, it is recommended to bind to the localhost network interface.
  • If your key-value store is exposed to the Internet, TCP ports used by the key-value store need to be firewalled or packet-filtered.
  • If your key-value store supports authentication, access-control or encryption features, it is recommended to enable those.
  • If your key-value store supports disabling commands, limit the available set of commands to those which are required (e.g. if your application only needs read-only cache access, limit to read-only commands).
  • Don’t forget that key-value stores can be vulnerable to injection, too (just like SQL).
  • Log access requests to your key-value store, including failed authentications or authorizations.

Specific key-value store recommendations

Redis

Redis Security provides a good start to secure your Redis servers.

Memcached

By default, Memcached binds and listens on all available interfaces. The binding can be changed with the ‘-l’ option to limit it to a specific interface like ‘127.0.0.1’.

MongoDB

MongoDB Security Guide provides a good start to secure your MongoDB servers.

elasticsearch

Securing Your Elasticsearch Cluster provides good recommendations on how to secure your elasticsearch cluster.

Default TCP Ports used by Key-Value stores

  • Redis protocol TCP/6379
  • memcached TCP/11211 or UDP/11211
  • MongoDB default ports are TCP/27017, TCP/27018, TCP/27019 and TCP/28017
  • elasticsearch default ports are TCP/9300 and TCP/9200
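
One way to check a host against the binding recommendation and the port list above is to parse the output of `ss -H -tuln` and report default key-value store ports that listen on all interfaces. This is an added example, not part of the original report; the function name `audit` and the sample socket lines are constructed for illustration.

```python
"""Flag key-value store default ports bound to all interfaces (added example)."""
import subprocess

# Default ports as listed in this document: (protocol, port) -> service.
DEFAULT_PORTS = {
    ("tcp", 6379): "Redis",
    ("tcp", 11211): "memcached", ("udp", 11211): "memcached",
    ("tcp", 27017): "MongoDB", ("tcp", 27018): "MongoDB",
    ("tcp", 27019): "MongoDB", ("tcp", 28017): "MongoDB",
    ("tcp", 9200): "elasticsearch", ("tcp", 9300): "elasticsearch",
}
WILDCARDS = {"0.0.0.0", "*", "::", "[::]"}

def audit(ss_output):
    """Return sorted (service, proto, local_address) for wildcard-bound default ports."""
    findings = set()
    for line in ss_output.splitlines():
        fields = line.split()
        # `ss -H -tuln` columns: Netid State Recv-Q Send-Q Local:Port Peer:Port
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue
        host, _, port = fields[4].rpartition(":")
        host = host.split("%")[0]  # drop an interface scope such as %eth0
        if not port.isdigit():
            continue
        service = DEFAULT_PORTS.get((fields[0], int(port)))
        if service and host in WILDCARDS:
            findings.add((service, fields[0], fields[4]))
    return sorted(findings)

# Constructed sample output, not captured from a real system.
SAMPLE = """\
tcp   LISTEN 0 511  127.0.0.1:6379   0.0.0.0:*
tcp   LISTEN 0 1024 0.0.0.0:11211    0.0.0.0:*
udp   UNCONN 0 0    0.0.0.0:11211    0.0.0.0:*
tcp   LISTEN 0 4096 [::]:27017       [::]:*
tcp   LISTEN 0 4096 *:9200           *:*
tcp   LISTEN 0 128  0.0.0.0:22       0.0.0.0:*
tcp   LISTEN 0 4096 192.168.1.5:9300 0.0.0.0:*
"""

if __name__ == "__main__":
    try:  # use live data when `ss` is available, otherwise the constructed sample
        text = subprocess.run(["ss", "-H", "-tuln"], capture_output=True,
                              text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        text = SAMPLE
    for service, proto, addr in audit(text):
        print(f"{service}: {proto} {addr} listens on all interfaces")
```

A store bound to a specific non-loopback address, like the 192.168.1.5:9300 line in the sample, is not flagged here and still needs the packet filtering recommended above.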

Classification of this document

TLP:WHITE information may be distributed without restriction, subject to copyright controls.

Revision

  • Version 1.1 - TLP:WHITE - 2014-02-11 - elasticsearch added
  • Version 1.0 - TLP:WHITE - First version