
Show HN: Mongoaudit – CLI tool for auditing and pentesting MongoDB servers - adansdpc
https://github.com/stampery/mongoaudit
======
adansdpc
Stampery's CTO and Mongoaudit project lead here! Our reasons to launch this
product:

Companies of all sizes use MongoDB, Stampery included. Why? It’s schema-less,
fast, scalable. We all love its deep query-ability.

But it’s no secret that MongoDB pays more attention to scalability,
performance and ease of use than to security. There are quite a few holes in
its default configuration settings.

This, combined with lazy admins and devs, led to what the press has dubbed the
MongoDB apocalypse. More than 25,000 MongoDB instances were targeted by
hackers. Information was encrypted and money was asked for the decryption
keys. In some cases information was wiped with no way to recover it.

Mongoaudit tackles this problem and more. It not only detects
misconfigurations, known vulnerabilities and bugs, but also gives advice on how
to fix problems and recommends best security practices.

Among other tests, it checks if:

+ MongoDB listens on a port different from the default one
+ MongoDB HTTP status interface is disabled
+ TLS/SSL encryption is enabled
+ Authentication is enabled
+ SCRAM-SHA-1 authentication method is enabled
+ Server-side Javascript is forbidden
+ Roles granted to the user only permit CRUD operations
+ The user has permissions over a single database
+ The server is vulnerable to a dozen different known security bugs

Once the tests are run, Mongoaudit can either display a basic report on screen
or send a detailed one via email. This personalized report links to a series
of guides on how to fix every specific issue and how to harden the targeted
MongoDB deployment.

We have also published the Mongoaudit guides in our Medium publication; be
sure to check them:
[https://medium.com/mongoaudit](https://medium.com/mongoaudit)

Feedback is more than welcome!!!
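The configuration-level items in the check list above (non-default port, HTTP interface, TLS, authorization, server-side JavaScript, SCRAM-SHA-1) can be evaluated offline from a mongod.conf. The script below is an added example written for this thread, not mongoaudit's or Stampery's code; it parses a constructed mongod.conf (YAML subset: nested mappings and scalar values only) and reports each check with the kind of fix-it advice the post describes. The role and per-database permission checks, and the known-bug fingerprinting, need a live server and are out of scope here. The option names used (`net.port`, `net.http.enabled`, `net.http.RESTInterfaceEnabled`, `net.ssl.mode`, `net.tls.mode`, `security.authorization`, `security.javascriptEnabled`, `setParameter.authenticationMechanisms`) are real mongod options; which of `net.ssl` / `net.tls` applies depends on the server version, so both are accepted.

```python
"""Offline mongod.conf audit for the config-level checks discussed in the post.
Added example, not mongoaudit's own code."""

# Constructed sample configs (not from any real deployment).
WEAK_CONF = """\
net:
  port: 27017          # default port
  http:
    enabled: true      # HTTP status interface on
  ssl:
    mode: disabled     # no TLS
security:
  javascriptEnabled: true
"""

HARDENED_CONF = """\
net:
  port: 27117
  http:
    enabled: false
  ssl:
    mode: requireSSL
security:
  authorization: enabled
  javascriptEnabled: false
setParameter:
  authenticationMechanisms: SCRAM-SHA-1
"""


def parse_conf(text):
    """Parse the indentation-based YAML subset mongod.conf uses into nested dicts.
    'key:' opens a nested mapping, 'key: value' is a scalar; comments and blank
    lines are skipped. Assumption: no lists, no multi-line or quoted values."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping) for the current nesting path
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip()
        while indent <= stack[-1][0]:  # dedent: leave closed mappings
            stack.pop()
        parent = stack[-1][1]
        if value == "":
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def get(conf, dotted):
    """Look up 'a.b.c' in nested dicts; None if any level is missing."""
    node = conf
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


# Each check returns True when the setting is hardened. Absent keys fall back
# to mongod's documented defaults (port 27017, HTTP interface off, auth off).
CHECKS = {
    "non_default_port": lambda c: get(c, "net.port") not in (None, "27017"),
    "http_interface_disabled": lambda c: get(c, "net.http.enabled") in (None, "false")
        and get(c, "net.http.RESTInterfaceEnabled") in (None, "false"),
    "tls_required": lambda c: get(c, "net.ssl.mode") == "requireSSL"
        or get(c, "net.tls.mode") == "requireTLS",
    "auth_enabled": lambda c: get(c, "security.authorization") == "enabled",
    "server_side_js_disabled": lambda c: get(c, "security.javascriptEnabled") == "false",
    # Only an explicit mechanism list is accepted; the default set varies by version.
    "scram_sha1_listed": lambda c: "SCRAM-SHA-1"
        in (get(c, "setParameter.authenticationMechanisms") or "").split(","),
}

ADVICE = {
    "non_default_port": "set net.port to something other than 27017 (slows mass scans only)",
    "http_interface_disabled": "set net.http.enabled and net.http.RESTInterfaceEnabled to false",
    "tls_required": "set net.ssl.mode: requireSSL (or net.tls.mode: requireTLS) with a cert",
    "auth_enabled": "set security.authorization: enabled and create per-app users",
    "server_side_js_disabled": "set security.javascriptEnabled: false ($where, mapReduce)",
    "scram_sha1_listed": "pin setParameter.authenticationMechanisms to SCRAM-SHA-1",
}


def audit(conf_text):
    """Return {check_name: passed} for a mongod.conf text."""
    conf = parse_conf(conf_text)
    return {name: bool(check(conf)) for name, check in CHECKS.items()}


def report(conf_text):
    """Human-readable PASS/FAIL lines with advice for each failed check."""
    return "\n".join(
        f"[{'PASS' if ok else 'FAIL'}] {name}" + ("" if ok else f": {ADVICE[name]}")
        for name, ok in audit(conf_text).items()
    )


if __name__ == "__main__":
    print("weak config:\n" + report(WEAK_CONF))
    print("\nhardened config:\n" + report(HARDENED_CONF))
```

Run it against a real file with `report(open("/etc/mongod.conf").read())`; keep in mind that passing these config checks says nothing about user roles, which only a connection to the server can reveal.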

------
luisivan
I love the tool! Didn't know my MongoDB server had 3 vulnerabilities. PS: I
love that they implemented Material Design on command line LOL

