Securing MongoDB

Given the huge number of MongoDB databases that have been hijacked, it would be wise for MongoDB administrators to secure their databases. These notes apply to MongoDB 3 and above, and cover the most basic form of authentication.

The full MongoDB security check-list contains further details on running a security audit on your Mongo instance.

Create admin user

The first step to securing your mongo instance is to create the database admin user. Be careful: a mistake here can leave you unable to access your data.

SSH into your server, and enter mongo cli:

$ ssh myserver.com
$ mongo

Next, create your admin user. Make sure you change the password to something more secure than “password”:

use admin
db.createUser(
  {
    user: "admin",
    pwd: "password",
    roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
  }
)

Granting root role to admin user

Now that you’ve created your admin user, grant it full rights on all databases:

db.grantRolesToUser(
  "admin",
  [
    { role: "root", db: "admin" }
  ]
)

The admin db can now act as the authentication database for your mongo instance. The admin user now has the role of root in the admin database.

Authenticating

Now that an admin user has explicitly been added to the admin database, a user trying to access data on the admin database can no longer do so without first authenticating:

use admin
db.auth("admin", "password")

Create regular users

It is now time to create regular users on your databases; you can create as many of them as you like. This is particularly useful, as you can share these credentials with others and revoke them if necessary.

use foo
db.createUser({
    user: "newUser",
    pwd: "password",
    roles: ["readWrite", "dbAdmin"]
})

Make sure you do this with all your databases on the instance.

Enable access control

The final step to secure your instance is to enable authorisation by adding the following to /etc/mongod.conf (the file is YAML, so the option is written as a nested key):

security:
  authorization: enabled

Restart mongo, e.g. with sudo service mongod restart.

The credentials can now be added to your mongo database URL, e.g.

mongodb://<username>:<password>@<FQDN>:27017
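As an added example (not code from the original post), a small Python helper that checks whether a mongod.conf has security.authorization set to enabled and builds the connection URL for a user created on a specific database, as newUser was on foo. The config text and credentials are constructed sample values, and the config reader handles only the two-level key layout mongod.conf uses.

```python
from urllib.parse import quote_plus

# Constructed sample of /etc/mongod.conf after the edit described above.
SAMPLE_CONF = """\
# mongod.conf
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
security:
  authorization: enabled
"""


def parse_conf(text):
    """Minimal reader for the two-level YAML layout mongod.conf uses
    (a section key followed by indented 'key: value' lines).
    Not a general YAML parser; returns {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if not line.startswith(" "):            # top-level section, e.g. "security:"
            current = line.rstrip(":").strip()
            sections.setdefault(current, {})
        elif current is not None and ":" in line:
            key, value = line.strip().split(":", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def authorization_enabled(conf_text):
    """True only when security.authorization is exactly 'enabled'."""
    return parse_conf(conf_text).get("security", {}).get("authorization") == "enabled"


def connection_url(user, password, host, db, port=27017):
    """URL for a user created on database `db`. Credentials are
    percent-encoded so characters such as '@' or ':' in a password are
    not misread as URL delimiters, and authSource names the database
    the user was created in, which is where mongod looks it up."""
    return (f"mongodb://{quote_plus(user)}:{quote_plus(password)}"
            f"@{host}:{port}/{db}?authSource={db}")


if __name__ == "__main__":
    print("access control enabled:", authorization_enabled(SAMPLE_CONF))
    print(connection_url("newUser", "p@ss:word", "db.example.com", "foo"))
```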

Your Mongo installation is now secure. Ample information can be found in the mongo documentation.