mongoaudit – a CLI tool for auditing MongoDB servers, detecting poor security settings and performing automated penetration testing.

Apr 12, 2021

mongoaudit is a CLI tool for auditing MongoDB servers, detecting poor security settings and performing automated penetration testing.

Installing

Clone this repository and run the setup:

> git clone https://github.com/stampery/mongoaudit.git
> cd mongoaudit
> python setup.py install
> mongoaudit

Introduction

It is widely known that there are quite a few holes in MongoDB's default configuration settings. This fact, combined with an abundance of lazy system administrators and developers, has led to what the press has called the MongoDB apocalypse.

mongoaudit not only detects misconfigurations, known vulnerabilities and bugs but also gives you advice on how to fix them, recommends best practices and teaches you how to DevOp like a pro!

This is what the actual app looks like:

Yep, that's material design on a console line interface. (Powered by urwid)

Supported tests

  • MongoDB listens on a port different from the default one
  • Server only accepts connections from whitelisted hosts / networks
  • MongoDB HTTP status interface is not accessible on port 28017
  • MongoDB is not exposing its version number
  • MongoDB version is newer than 2.4
  • TLS/SSL encryption is enabled
  • Authentication is enabled
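The checks in the list above can be reasoned about offline from a parsed mongod.conf. The following is an added example (it is not mongoaudit's own code) that scores an already-parsed configuration dictionary, using MongoDB's real option names (net.port, net.bindIp, net.http.enabled, net.tls.mode, security.authorization), together with the server version string. The sample WEAK_CONFIG and HARDENED_CONFIG dictionaries and the version strings are constructed for illustration; the "version not exposed" test is omitted here because it needs a live connection rather than a config file.

```python
"""Offline audit of a mongod configuration against the checks listed above.

Added example, not code from the mongoaudit project. Inputs are an
already-parsed mongod.conf (a dict with MongoDB's YAML option names) and the
server version string, so it runs without a MongoDB instance.
"""
from typing import Dict, List, Tuple

DEFAULT_PORT = 27017
HTTP_STATUS_PORT = 28017  # legacy HTTP status interface (net.http), removed in 3.6

# Constructed sample: every setting left at an insecure default.
WEAK_CONFIG = {
    "net": {"port": 27017, "bindIp": "0.0.0.0", "http": {"enabled": True}},
    "security": {},
}
WEAK_VERSION = "2.4.14"

# Constructed sample: the same server hardened.
HARDENED_CONFIG = {
    "net": {
        "port": 37017,
        "bindIp": "127.0.0.1,10.0.0.5",
        "http": {"enabled": False},
        "tls": {"mode": "requireTLS", "certificateKeyFile": "/etc/ssl/mongodb.pem"},
    },
    "security": {"authorization": "enabled"},
}
HARDENED_VERSION = "6.0.5"


def version_tuple(version: str) -> Tuple[int, ...]:
    """Turn '4.2.1' into (4, 2, 1) so versions compare numerically."""
    return tuple(int(part) for part in version.split(".")[:3])


def audit(config: Dict, version: str) -> List[Tuple[str, bool, str]]:
    """Return (check name, passed, remediation advice) for each check."""
    net = config.get("net", {})
    sec = config.get("security", {})
    tls = net.get("tls", net.get("ssl", {}))  # 'net.ssl' is the pre-4.2 key name
    major_minor = version_tuple(version)[:2]
    results = []

    port = net.get("port", DEFAULT_PORT)
    results.append(("non-default port", port != DEFAULT_PORT,
                    "set net.port to something other than 27017"))

    # Before 3.6 the binaries bound to all interfaces when bindIp was unset.
    default_bind = "127.0.0.1" if major_minor >= (3, 6) else "0.0.0.0"
    hosts = [h.strip() for h in str(net.get("bindIp", default_bind)).split(",")]
    wide_open = net.get("bindIpAll") is True or any(h in ("0.0.0.0", "::", "*") for h in hosts)
    results.append(("whitelisted hosts only", not wide_open,
                    "restrict net.bindIp to the hosts that need access; never 0.0.0.0"))

    http_enabled = bool(net.get("http", {}).get("enabled", False))
    results.append(("HTTP status interface disabled", not http_enabled,
                    "set net.http.enabled: false (it listens on port %d)" % HTTP_STATUS_PORT))

    results.append(("version newer than 2.4", major_minor > (2, 4),
                    "upgrade; 2.4 and older releases are end-of-life"))

    # preferTLS still accepts plaintext clients, so only require* counts as enabled.
    tls_required = tls.get("mode", "disabled") in ("requireTLS", "requireSSL")
    results.append(("TLS/SSL enabled", tls_required,
                    "set net.tls.mode: requireTLS with a certificateKeyFile"))

    auth_enabled = sec.get("authorization") == "enabled" or "keyFile" in sec
    results.append(("authentication enabled", auth_enabled,
                    "set security.authorization: enabled and create an admin user"))
    return results


def failed_checks(config: Dict, version: str) -> List[str]:
    """Names of the checks that did not pass, for a quick summary."""
    return [name for name, passed, _ in audit(config, version) if not passed]


if __name__ == "__main__":
    for label, cfg, ver in (("weak", WEAK_CONFIG, WEAK_VERSION),
                            ("hardened", HARDENED_CONFIG, HARDENED_VERSION)):
        print("== %s (%s) ==" % (label, ver))
        for name, passed, advice in audit(cfg, ver):
            print("%-32s %s%s" % (name, "PASS" if passed else "FAIL", "" if passed else "  -> " + advice))
```

Feeding the script a real mongod.conf only requires loading the YAML into a dict (for example with PyYAML) and reading the version from `db.version()`; the check logic itself stays the same.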

ana
3 years ago

Oh, awesome stuff! This kind of thing is necessary, as this suffered from a breach once, right? So this is a necessary measure to take.
Hope this is really good!

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023