Securing MongoDB
Given the recent ransomware attacks on MongoDB, here is a short guide on how to secure access to MongoDB.
MongoDB has very good and detailed documentation on how to secure the database, which you should read.
Here I cover how to set up password authentication and how to set up firewall rules. For more details, please check the official documentation.
Enable Access Control and Enforce Authentication
Step 1. Start MongoDB with no access control.
$ mongod --port 27017
Step 2. Connect to MongoDB server through shell.
$ mongo --port 27017
Step 3. Create the admin user
use admin
db.createUser(
{
user: "myUserAdmin",
pwd: "USE-SOME-SECURE-PASSWORD",
roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
}
)
Step 4. Restart MongoDB, this time with access control.
$ mongod --auth --port 27017
Step 5. Now connect through the shell as the admin user
$ mongo --port 27017 -u "myUserAdmin" -p "USE-SOME-SECURE-PASSWORD" --authenticationDatabase "admin"
Alternatively, you can connect through the shell without authenticating and then authenticate from inside it.
$ mongo --port 27017
use admin
db.auth("myUserAdmin", "USE-SOME-SECURE-PASSWORD")
You're all set. Now let's configure the firewall to only allow access from certain IP addresses, i.e., the application servers that access the database. If you are running the DB and the application on the same server, you should only allow local access to the DB.
Setup Firewall
Here I only cover iptables on Linux, but the concept is the same with other firewalls (e.g., netsh on Windows).
By default the firewall implicitly allows access to any port from any IP. We want to change that to explicitly allow access to a specific port from specific IP addresses, and drop (deny) everything else.
Step 1. Explicitly allow access from outside to mongod and allow access from mongod to outside.
You need to change <ip-address> to the IP address(es) of your application server(s). Also change <port> to the port number that your MongoDB is listening on (default 27017). It might be a good idea to change the default port number to something else.
$ iptables -A INPUT -s <ip-address> -p tcp --destination-port <port> -m state --state NEW,ESTABLISHED -j ACCEPT
$ iptables -A OUTPUT -d <ip-address> -p tcp --source-port <port> -m state --state ESTABLISHED -j ACCEPT
Now you have explicitly allowed traffic to and from <ip-address> on <port>. Next we want to deny (drop) any other traffic. Note that once the default policies below are changed, everything not explicitly allowed (including loopback traffic and your own SSH session) is dropped, so add ACCEPT rules for those first if you need them.
Step 2. Explicitly drop any other traffic
$ iptables -P INPUT DROP
$ iptables -P OUTPUT DROP
Step 3. Save your new rules and load them in the future
Next, save your new rules. Depending on your distribution, you run either iptables-save > OUTPUT_FILE or service iptables save; check your distribution's documentation or the iptables documentation.
$ service iptables save
or
$ iptables-save > OUTPUT_FILE
To restore the rules you just defined:
$ iptables-restore < OUTPUT_FILE
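As an added example (not part of the original post or of the MongoDB/iptables documentation), here is a small audit script that parses an iptables-save dump and checks the two properties the firewall steps above establish: the INPUT default policy is DROP, and the mongod port is only accepted from the known application servers. The dump, the address 10.0.1.20 and all function names are constructed for this example.

```python
import re
from typing import Dict, List, Set, Tuple
# Constructed sample of what `iptables-save` prints after Steps 1 and 2 above, with
# 10.0.1.20 as the only application server (iptables-save writes --dport and /32).
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
-A INPUT -s 10.0.1.20/32 -p tcp -m tcp --dport 27017 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -d 10.0.1.20/32 -p tcp -m tcp --sport 27017 -m state --state ESTABLISHED -j ACCEPT
COMMIT
"""
POLICY_RE = re.compile(r"^:(\w+)\s+(\w+)")         # ":INPUT DROP [0:0]"
RULE_RE = re.compile(r"^-A (\w+)(.*)-j (\w+)\s*$")  # "-A INPUT ... -j ACCEPT"

def _options(tokens: List[str]) -> Dict[str, str]:
    """Map each option to the token after it (every option used here takes a value)."""
    return {t: tokens[i + 1] for i, t in enumerate(tokens[:-1]) if t.startswith("-")}

def parse_filter_table(dump: str) -> Tuple[Dict[str, str], List[dict]]:
    """Return (default chain policies, rules) of the *filter table only."""
    policies, rules, in_filter = {}, [], False
    for line in dump.splitlines():
        if line.startswith("*"):                   # table header: *filter, *nat, ...
            in_filter = line == "*filter"
        elif in_filter and (m := POLICY_RE.match(line)):
            policies[m.group(1)] = m.group(2)
        elif in_filter and (m := RULE_RE.match(line)):
            rules.append({"chain": m.group(1), "target": m.group(3),
                          "opts": _options(m.group(2).split())})
    return policies, rules

def audit_mongo_exposure(dump: str, allowed: Set[str], port: int = 27017) -> List[str]:
    """Findings about the mongod port; an empty list means the dump matches the guide."""
    policies, rules = parse_filter_table(dump)
    findings = []
    if policies.get("INPUT") != "DROP":
        findings.append("INPUT default policy is not DROP")
    for rule in rules:
        opts = rule["opts"]
        if (rule["chain"], rule["target"]) != ("INPUT", "ACCEPT") or \
                opts.get("--dport", opts.get("--destination-port")) != str(port):
            continue                               # not an ACCEPT rule for the mongod port
        src = opts.get("-s", opts.get("--source"))
        if src is None:
            findings.append(f"port {port} is accepted from any source")
        elif src.split("/")[0] not in allowed:
            findings.append(f"port {port} is accepted from unexpected source {src}")
    return findings
```

Run it against the real output of iptables-save on the database host (e.g. `audit_mongo_exposure(open("/etc/sysconfig/iptables").read(), {"10.0.1.20"})`) and treat any non-empty result as a misconfiguration to fix before exposing the host.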
Hope this helps. Please check the official MongoDB documentation for more details on MongoDB security. This was just a short and quick guide based on that documentation to help you get started.