Securing Mongo DB

Problem

Anyone can access mongo db if the port is exposed.

Solution

• Add an user authentication.

Steps:

• Use this mongodb cheat sheet

1. Connect the mongo shell

~# mongosh
Current Mongosh Log ID:	64657d9a0cae00f542c4e761
Connecting to:		mongodb://127.0.0.1:27017/?directConnection=true&serverSelectionTimeoutMS=2000&appName=mongosh+1.8.2
Using MongoDB:		6.0.5
Using Mongosh:		1.8.2

2. Switch to admin

test> use admin
switched to db admin
admin>

3. Create new user: in this case username is mongo, password is my_super_secretive_password.

admin> db.createUser({user:"mongo", pwd:"my_super_secretive_password",     roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]})
{ ok: 1 }

Then exit the mongo shell with exit command

4. Enable authentication by edititng mongod.conf

sudo nano /etc/mongod.conf

5. Uncomment the security block

security:
  authorization: enabled

6. Restart the service

sudo systemctl restart mongod

7. Now login to mongo shell with the new user name and password

root@acf2:~# mongosh -u mongo -p
Enter password: ************
Current Mongosh Log ID:	64657f7b98afe7736f95d84d
Connecting to:		mongodb://<credentials>@127.0.0.1:27017/?directConnection=true&serverSelectionTimeoutMS=2000&appName=mongosh+1.8.2
Using MongoDB:		6.0.5
Using Mongosh:		1.8.2

For mongosh info see: https://docs.mongodb.com/mongodb-shell/
test> use admin
switched to db admin
admin> show dbs
admin     180.00 KiB
config    108.00 KiB
local      72.00 KiB

Or you could log in with mongosh and auth later

root@acf2:~# mongosh
Current Mongosh Log ID:	6465823259eb6286af4e1afa
Connecting to:		mongodb://127.0.0.1:27017/?directConnection=true&serverSelectionTimeoutMS=2000&appName=mongosh+1.8.2
Using MongoDB:		6.0.5
Using Mongosh:		1.8.2

For mongosh info see: https://docs.mongodb.com/mongodb-shell/

test> use admin
switched to db admin
admin> show dbs
MongoServerError: command listDatabases requires authentication
admin> db.auth('mongo', 'my_super_secretive_password')
{ ok: 1 }
admin> show dbs
admin     180.00 KiB
config    108.00 KiB
local      72.00 KiB

User Management

1. To list the users

admin> db.getUsers()
{
  users: [
    {
      _id: 'admin.admin',
      userId: new UUID("5d370140-9b81-4831-971d-0c6bbeb73915"),
      user: 'admin',
      db: 'admin',
      roles: [ { role: 'root', db: 'admin' } ],
      mechanisms: [ 'SCRAM-SHA-1', 'SCRAM-SHA-256' ]
    },
    {
      _id: 'admin.mongo',
      userId: new UUID("06de247e-5195-4eac-92de-1cec3737a962"),
      user: 'mongo',
      db: 'admin',
      roles: [ { role: 'userAdminAnyDatabase', db: 'admin' } ],
      mechanisms: [ 'SCRAM-SHA-1', 'SCRAM-SHA-256' ]
    }
  ],
  ok: 1
}

2. Grant more roles

admin> db.grantRolesToUser("mongo", [{role: "readWrite", db: "products"} ])

3. Get/Add/Drop index to the documents for faster query

products> show collections
products_20210301
test1
products> db.products_20210301.find().count()
867024
products> db.products_20210301.findOne()
{
  _id: ObjectId("645b3a381613d08f9fea7a52"),
  namespace: 0,
  title: '!',
  text: '#redirect 느낌표\n',
  contributors: [ 'r:hoon12560', 'namubot' ]
}
products> db.products_20210301.createIndex({title: 'text'})
products> db.products_20210301.dropIndex('title_text')
{ nIndexesWas: 2, ok: 1 }
products> db.products_20210301.getIndexes()
[ { v: 2, key: { _id: 1 }, name: '_id_' } ]
products> db.products_20210301.createIndex({"title":1}, {"unique":true})