Securing A MongoDB Server

Hey guys! Hope you are doing well. The depressing news is floating around that more than 10,000 MongoDB servers have been ransacked. The hackers wiped the databases clean and are asking for a ransom for the data. One of the main reasons behind the hacking is the lack of security on the MongoDB server: MongoDB does not come with a user and password out of the box. That means if the MongoDB port on your Linux server is publicly accessible, your database is publicly accessible without any user and password. MongoDB does bind to localhost (127.0.0.1) by default, but with developers all across the world working remotely from dynamic IPs, binding to an IP becomes a problem and fails at this point. So I have decided to write a blog post about ways to secure your MongoDB server. I am using MongoDB 3.4 and Ubuntu 16.04 at the time of writing.

Creating A User

First of all we need to set up users and their passwords for our MongoDB server. We will be creating three users in this tutorial.

  1. Super Admin (admin of the complete MongoDB instance and all the databases it contains)
  2. Database Admin (admin of one particular database)
  3. Application Developer (only readWrite access on one particular database)

Super Admin

The super admin must be created in the admin database, which is a special system database. Go into the mongo shell and run the following command to switch to the admin db:

Now create a user like this:

Tip: Avoid using a username like admin or root; come up with something unique and different. Make sure your password is strong, at least 15 characters long.

PS: Avoid using ‘@’ in a password as it doesn’t play well with the connection string.

Creating a user takes at minimum 3 keys:

user : The name of the user.
pwd : The password of the user.
roles : An array containing the roles assigned to that particular user.

Note: Prior to MongoDB 3.4 the role “root” did not include the backup roles. For a complete list of built-in roles please refer to the official docs.

Once the user has been created we need to enable authorization in the config file. The mongod config file is located at /etc/mongod.conf.

Open the config file and replace

with

Note: mongod.conf is written in YAML, so it doesn’t support tab characters. Use spaces instead.

Now restart the mongodb service and log into the mongo shell; when we try to see the list of dbs we get an error: user unauthorized.

So now we need to log into mongo with the correct username and password. Type the following command in the shell:

-u : username
-p : password
--authenticationDatabase : the database we created the user in, so in our case admin.

Now we have set up the MongoDB admin, or super admin. Next we will create a database admin, who is responsible only for their own database.

Database Admin

Let’s create a database called “AwesomeDb”. Log into the shell with your super admin and insert a document into AwesomeDb to create it.

Now let’s create a database admin for AwesomeDb. Make sure you are in AwesomeDb and run the following command.

Since this user is created in AwesomeDb, the role “dbOwner” makes it the owner of AwesomeDb.

Now that the user is created, we will log back into mongo as the AwesomeDbAdmin user and check out its privileges. Make sure to set --authenticationDatabase AwesomeDb.

We logged into mongo. When we try to list databases we receive an unauthorized error. Switching to AwesomeDb and listing its collections works. Then when we switch to admin and try to list its collections we receive the unauthorized error again. So the user AwesomeDbAdmin has full control of its own database, i.e. AwesomeDb, and nothing else.

Application Developer

Now let’s create a user for the application developer which will have only readWrite access to AwesomeDb. It cannot drop the database, create backups or do any other admin task.

Make sure you are logged into the mongo shell as either the super admin or AwesomeDbAdmin. Now switch to AwesomeDb and create a user.

Notice we have only assigned the readWrite role to this user. Once the user is created, let’s check its privileges.

We logged into the mongo shell keeping --authenticationDatabase AwesomeDb because that’s where this user was created. We inserted a document and fetched all the documents, which worked successfully. However, when we tried to drop the database it gave us an unauthorized error.
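As an added example (not code from the original post), the following JavaScript builds the db.createUser() documents for the three users above and enforces the tips from the Creating A User section before a user is created; the function and constant names are my own, and the login helper mirrors the -u, -p and --authenticationDatabase flags used earlier.

```javascript
// Added example, not code from the original post: builds the db.createUser()
// documents for the tutorial's three users after checking its tips (no admin or
// root username, 15+ character password, no '@'). Helper names are my own.
const RESERVED_NAMES = ["admin", "root"];   // too predictable as a username
const MIN_PASSWORD_LENGTH = 15;
const BAD_PASSWORD_CHARS = ["@"];           // breaks the connection string

// Returns a list of problems with the credentials; empty means acceptable.
function checkCredentials(user, pwd) {
  const problems = [];
  if (RESERVED_NAMES.includes(user.toLowerCase())) {
    problems.push(`username "${user}" is too predictable`);
  }
  if (pwd.length < MIN_PASSWORD_LENGTH) {
    problems.push(`password shorter than ${MIN_PASSWORD_LENGTH} characters`);
  }
  for (const ch of BAD_PASSWORD_CHARS) {
    if (pwd.includes(ch)) problems.push(`password contains "${ch}"`);
  }
  return problems;
}

// Built-in role and authentication database for each kind (null = target db).
const USER_KINDS = {
  superAdmin:    { role: "root",      authDb: "admin" },
  databaseAdmin: { role: "dbOwner",   authDb: null },
  appDeveloper:  { role: "readWrite", authDb: null },
};

// Build the document to pass to db.createUser() while `use <authDb>` is active.
// `targetDb` is the database the user should control (ignored for superAdmin).
function buildCreateUserDoc(kind, user, pwd, targetDb) {
  const spec = USER_KINDS[kind];
  if (!spec) throw new Error(`unknown user kind: ${kind}`);
  const problems = checkCredentials(user, pwd);
  if (problems.length) throw new Error(problems.join("; "));
  const authDb = spec.authDb || targetDb;
  if (!authDb) throw new Error("a target database is required");
  return { authDb, doc: { user, pwd, roles: [{ role: spec.role, db: authDb }] } };
}

// Mongo shell arguments to log in as that user afterwards. Leaving `pwd` out
// gives a bare -p, so the shell prompts instead of exposing the password in ps.
function mongoLoginArgs(user, authDb, port = 27017, pwd) {
  const args = ["mongo", "--port", String(port), "-u", user, "-p"];
  if (pwd !== undefined) args.push(pwd);
  return args.concat(["--authenticationDatabase", authDb]);
}
```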

Now that we have set up users and their roles on MongoDB, let’s move on to one more way of securing it.

Default Port?

Avoid using the MongoDB default port, i.e. 27017. It makes it harder for an attacker to guess or find the open port belonging to MongoDB (a port scan will still find it, so treat this as an extra layer on top of authentication, not a replacement). To change the default port, open your mongod.conf file and replace the port with the port you want to use for MongoDB.

Then restart the mongod service. Now we can access the mongo shell by giving the --port flag with the port you changed it to. In my case I replaced it with 27020.
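The two config changes from this section and the authorization step earlier, as an added example rather than the post's own code: this JavaScript applies security.authorization: enabled and the new net.port to the text of mongod.conf and refuses a file that contains tabs. It assumes the Ubuntu package's mongod.conf layout (two-space indentation, an existing net.port line, a security: line that may be commented out), and the helper names and sample config are my own.

```javascript
// Added example, not code from the original post: applies the two mongod.conf
// edits the tutorial makes (security.authorization: enabled and a new net.port)
// to the file's text and rejects tab characters, since the file is YAML. It
// works line by line and assumes the Ubuntu package's layout (2-space indented
// keys, a net.port line, security: possibly commented out). Names are my own.
function hardenMongodConf(text, newPort) {
  if (text.includes("\t")) {
    throw new Error("mongod.conf is YAML: use spaces, not tabs");
  }
  if (!Number.isInteger(newPort) || newPort < 1 || newPort > 65535) {
    throw new Error(`invalid port: ${newPort}`);
  }
  const out = [];
  let sawPort = false, sawAuthorization = false, securityIdx = -1;
  for (const raw of text.replace(/\s+$/, "").split("\n")) {
    let line = raw;
    if (/^#?security:\s*$/.test(line)) {          // uncomment if needed
      line = "security:";
      securityIdx = out.length;
    } else if (/^\s+port:\s*\d+/.test(line)) {    // net.port
      line = line.replace(/port:\s*\d+/, `port: ${newPort}`);
      sawPort = true;
    } else if (/^\s+authorization:/.test(line)) { // keep a single setting
      line = line.replace(/authorization:.*/, "authorization: enabled");
      sawAuthorization = true;
    }
    out.push(line);
  }
  if (!sawPort) throw new Error("no net.port line found");
  if (!sawAuthorization) {
    const setting = "  authorization: enabled";
    if (securityIdx >= 0) out.splice(securityIdx + 1, 0, setting);
    else out.push("security:", setting);
  }
  return out.join("\n") + "\n";
}

// Read back one indented key so the result can be checked.
function readSetting(text, key) {
  const m = text.match(new RegExp(`^\\s+${key}:\\s*(\\S+)`, "m"));
  return m ? m[1] : null;
}

// Constructed sample in the Ubuntu package's layout, not a real server's file.
const SAMPLE_CONF = [
  "storage:", "  dbPath: /var/lib/mongodb", "net:", "  port: 27017",
  "  bindIp: 127.0.0.1", "#security:",
].join("\n") + "\n";
```

Running it twice leaves a single authorization line, so it is safe to re-apply after a package upgrade rewrites the file.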

Conclusion

These are the minimum steps required for securing a mongo database. More in-depth security options and recommendations are available here. Please go through them to maximize your server’s security.

That’s it for this tutorial. Until Next Time !

Good Day 🙂
