How to Secure MongoDB on Ubuntu 16.04

In this article, we will learn how to secure MongoDB on Ubuntu 16.04. In previous versions, MongoDB was vulnerable to automated exploits because, by default, no authentication was required to interact with the database: any user could create, read, modify and destroy databases and their contents, and the MongoDB daemon listened on all interfaces by default.

Enabling Authentication and Adding Admin User

This issue has been mitigated in MongoDB versions 3.x and later; however, authentication is still disabled by default. To secure MongoDB, we will create an administrative user and enable authentication.

Step 1: Connect to MongoDB Shell

First, connect to the MongoDB shell:

$ mongo

The MongoDB shell will display warnings about disabled access control:

MongoDB shell version v3.4.4
connecting to: mongodb://127.0.0.1:27017
MongoDB server version: 3.4.4
Server has startup warnings:
2017-05-16T12:33:46.850+0530 I CONTROL [initandlisten] ** WARNING: Access control is not enabled for the database.
2017-05-16T12:33:46.850+0530 I CONTROL [initandlisten] ** Read and write access to data and configuration is unrestricted.
>

Step 2: Create Admin User

Switch to the admin database:

use admin
switched to db admin

Create an administrative user with the userAdminAnyDatabase role:

db.createUser({
    user: "DBAdmin",
    pwd: "DBAdmin'sSecurePassword",
    roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
})
Successfully added user: {
    "user" : "DBAdmin",
    "roles" : [
        {
            "role" : "userAdminAnyDatabase",
            "db" : "admin"
        }
    ]
}

Step 3: Enable Authentication in Configuration

Edit the MongoDB configuration file /etc/mongod.conf:

$ sudo vi /etc/mongod.conf

Uncomment and modify the security section:

#processManagement:

security:
  authorization: "enabled"

#operationProfiling:

Note: Ensure proper YAML indentation: the authorization line must be indented by two spaces under security, and YAML does not accept tabs.
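As an added check that is not part of this tutorial, the following Python function lints an /etc/mongod.conf fragment for the mistakes this step is prone to: the security block left commented out, authorization placed at top level instead of under security, tabs used for indentation, or a value other than enabled. The two sample configurations are constructed for the example.

```python
import re

# Constructed mongod.conf fragments (not taken from a real host): the stock file
# with the security block still commented out, and the corrected form from Step 3.
STOCK_CONF = """\
net:
  port: 27017
  bindIp: 127.0.0.1

#security:

#operationProfiling:
"""

SECURED_CONF = """\
net:
  port: 27017
  bindIp: 127.0.0.1

security:
  authorization: "enabled"

#operationProfiling:
"""

def check_mongod_conf(text):
    """Return a list of findings for a mongod.conf fragment; an empty list means OK."""
    findings = []
    in_security = False
    authorization = None
    for line in text.splitlines():
        stripped = line.strip()
        # Blank and commented lines enable nothing, so '#security:' is as good as absent.
        if not stripped or stripped.startswith("#"):
            continue
        leading = line[: len(line) - len(line.lstrip())]
        if "\t" in leading:
            findings.append("tab used for indentation; YAML requires spaces")
            continue
        if not leading:  # a top-level key ends any security block
            in_security = stripped.startswith("security:")
            if stripped.startswith("authorization:"):
                findings.append("authorization is a top-level key, not nested under security:")
            continue
        if in_security:
            m = re.match(r'authorization:\s*["\']?(\w+)["\']?\s*$', stripped)
            if m:
                authorization = m.group(1)
    if authorization is None:
        findings.append("security.authorization is not set; access control is disabled")
    elif authorization != "enabled":
        findings.append("security.authorization is %r, expected 'enabled'" % authorization)
    return findings

if __name__ == "__main__":
    for name, conf in (("stock", STOCK_CONF), ("secured", SECURED_CONF)):
        print(name, check_mongod_conf(conf) or ["OK"])
```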

Step 4: Restart MongoDB Service

Restart the MongoDB daemon to apply the changes:

$ sudo systemctl restart mongod

Check the service status:

$ sudo systemctl status mongod
mongod.service - High-performance, schema-free document-oriented database
   Loaded: loaded (/lib/systemd/system/mongod.service; disabled; vendor preset: enabled)
   Active: active (running) since Tue 2017-05-16 12:52:09 IST; 48s ago

Step 5: Verify Authentication

Test the connection without credentials:

$ mongo

Try to list databases without authentication:

show dbs
Error: listDatabases failed:{
    "ok" : 0,
    "errmsg" : "not authorized on admin to execute command { listDatabases: 1.0 }",
    "code" : 13,
    "codeName" : "Unauthorized"
}

Step 6: Connect with Admin Credentials

Connect using the admin user credentials:

$ mongo -u DBAdmin -p --authenticationDatabase admin

After entering the password, verify access:

show dbs
admin   0.000GB
local   0.000GB

Conclusion

We have successfully secured MongoDB by creating an admin user and enabling authentication. MongoDB now requires proper credentials to access databases, preventing unauthorized access and protecting your data from potential security threats.

Updated on: 2026-03-15T01:38:23+05:30
