Posted on: January 2, 2023 at 08:00 AM

MongoDB Security Guide: Production Database Hardening Best Practices

📝 Note (Updated 2025)

This guide was written for MongoDB 6.0.5 (January 2023). The core security principles remain valid for current MongoDB versions. For the latest security features, consult the official MongoDB Security documentation.


Problem

A fresh mongod installation runs without access control: anyone who can reach port 27017 can read and write every database. The stock configuration only binds to 127.0.0.1, but as soon as the port is exposed (bindIp widened, a container port published, a tunnel opened) that is a complete compromise of the data.

Solution

  • Enable access control: create an administrative user, then turn on security.authorization in mongod.conf so that every client has to authenticate.

Steps:

  1. Connect with the mongo shell (no credentials are needed yet, which is exactly the problem):
~# mongosh
Current Mongosh Log ID:	64657d9a0cae00f542c4e761
Connecting to:		mongodb://127.0.0.1:27017/?directConnection=true&serverSelectionTimeoutMS=2000&appName=mongosh+1.8.2
Using MongoDB:		6.0.5
Using Mongosh:		1.8.2
  2. Switch to the admin database. A user is stored in the database it is created in, and the first administrative user belongs in admin:
test> use admin
switched to db admin
admin>
  3. Create the administrative user. Here the username is mongo and the password is my_super_secretive_password (use a long, randomly generated one in practice; in mongosh you can write pwd: passwordPrompt() instead of a literal so the password does not land in the shell history). The userAdminAnyDatabase role lets this account create and manage users and roles on every database, but it does not by itself grant read or write access to data, which is the right starting point for an admin account. Create this user before enabling authorization; otherwise you have to rely on the localhost exception, which only works from a local connection and only until the first user exists.
admin> db.createUser({user: "mongo", pwd: "my_super_secretive_password", roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]})
{ ok: 1 }

Then leave the shell with the exit command.

  4. Enable authentication by editing mongod.conf:
sudo nano /etc/mongod.conf
  5. Uncomment the security block (the stock file ships it as #security:) and add the authorization setting. The file is YAML, so authorization must be indented two spaces under security:
security:
  authorization: enabled
  6. Restart the service so the new setting takes effect:
sudo systemctl restart mongod
  7. Log in to the mongo shell with the new username and password. Passing -p without a value makes mongosh prompt for the password, so it does not end up in the process list or in the shell history:
root@acf2:~# mongosh -u mongo -p
Enter password: ************
Current Mongosh Log ID:	64657f7b98afe7736f95d84d
Connecting to:		mongodb://<credentials>@127.0.0.1:27017/?directConnection=true&serverSelectionTimeoutMS=2000&appName=mongosh+1.8.2
Using MongoDB:		6.0.5
Using Mongosh:		1.8.2

For mongosh info see: https://docs.mongodb.com/mongodb-shell/
test> use admin
switched to db admin
admin> show dbs
admin     180.00 KiB
config    108.00 KiB
local      72.00 KiB

Alternatively, connect without credentials and authenticate afterwards with db.auth(). Until you do, every command that needs privileges is refused:

root@acf2:~# mongosh
Current Mongosh Log ID:	6465823259eb6286af4e1afa
Connecting to:		mongodb://127.0.0.1:27017/?directConnection=true&serverSelectionTimeoutMS=2000&appName=mongosh+1.8.2
Using MongoDB:		6.0.5
Using Mongosh:		1.8.2

For mongosh info see: https://docs.mongodb.com/mongodb-shell/

test> use admin
switched to db admin
admin> show dbs
MongoServerError: command listDatabases requires authentication
admin> db.auth('mongo', 'my_super_secretive_password')
{ ok: 1 }
admin> show dbs
admin     180.00 KiB
config    108.00 KiB
local      72.00 KiB
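Steps 4 to 7 above are typed by hand. The following shell script is an added example (mine, not the post's and not MongoDB's tooling) that does the same thing unattended: it rewrites mongod.conf so that authorization is enabled exactly once, keeps any other keys already under security: (a replica-set keyFile, for instance), warns if mongod is bound to all interfaces, restarts the service, and then proves from the shell that an anonymous client is refused. It assumes the stock YAML layout (top-level keys at column 0, two-space indentation, block style rather than security: {authorization: enabled}, the #security: placeholder the package ships) and mongosh on PATH for the live probe; the --apply flag is this script's own convention.

```shell
#!/bin/sh
# Added example, not part of the original post. Automates steps 4-7: enable
# security.authorization in mongod.conf idempotently, verify the edit, and
# check that an anonymous client is now refused.
# Assumptions: stock YAML layout (top-level keys at column 0, two-space
# indentation, block style, the "#security:" placeholder the package ships)
# and mongosh on PATH for the live probe. Run with "--apply [path]" to act;
# otherwise only the functions are defined so the file can be sourced.

set -eu

# Rewrite CONF so it has exactly one top-level "security:" block whose
# authorization is enabled. Other keys already in that block (for example a
# replica-set keyFile) are kept; the commented "#security:" placeholder, an
# "authorization: disabled" line, or a previous run's block are replaced.
enable_authorization() {
  conf="$1"
  tmp="$conf.tmp.$$"
  awk '
    # Any line starting at column 0 (a key or a comment) ends the previous
    # block; remember whether the block just entered is "security:".
    /^[^ ]/ { in_sec = ($0 ~ /^security:/) }
    /^#security:/ { next }                     # drop the commented placeholder
    in_sec {
      # Drop the header, any old authorization line and blank lines; keep the
      # rest of the block to re-emit under the new header at the end.
      if ($0 ~ /^security:/ || $0 ~ /^[ ]+authorization:/ || $0 ~ /^[ ]*$/) next
      kept[n++] = $0
      next
    }
    { print }
    END {
      print "security:"
      for (i = 0; i < n; i++) print kept[i]
      print "  authorization: enabled"
    }
  ' "$conf" > "$tmp"
  cat "$tmp" > "$conf"    # write in place so ownership and mode are preserved
  rm -f "$tmp"
}

# Return 0 when CONF enforces authorization, 1 otherwise. Post-condition for
# enable_authorization and a one-line audit for any host.
authorization_enabled() {
  awk '
    /^[^ ]/ { in_sec = ($0 ~ /^security:/) }
    in_sec && /^[ ]+authorization:[ ]*"?enabled"?[ ]*(#.*)?$/ { found = 1 }
    END { exit(found ? 0 : 1) }
  ' "$1"
}

# Return 0 when CONF makes mongod listen on every interface. Authentication
# is then the only thing between the network and the data.
bound_to_all_interfaces() {
  grep -Eq '^[ ]*(bindIpAll:[ ]*true|bindIp:.*0\.0\.0\.0)' "$1"
}

# Live check: with no credentials, listDatabases must be refused with the
# "requires authentication" error. Any other failure (mongod down, wrong
# port) is reported separately so it is not mistaken for a pass.
probe_unauthenticated_access() {
  if ! command -v mongosh >/dev/null 2>&1; then
    echo "mongosh not installed, skipping live probe"
    return 0
  fi
  if out=$(mongosh --quiet --eval 'db.adminCommand({ listDatabases: 1 })' 2>&1); then
    echo "FAIL: an anonymous client could still list databases"
    return 1
  fi
  case "$out" in
    *"requires authentication"*) echo "OK: anonymous listDatabases was refused" ;;
    *) echo "probe could not reach mongod or got an unexpected error: $out" >&2; return 1 ;;
  esac
}

harden() {
  conf="$1"
  cp "$conf" "$conf.bak.$(date +%Y%m%d%H%M%S)"   # keep a rollback copy
  enable_authorization "$conf"
  authorization_enabled "$conf" || { echo "config edit failed, restore the .bak copy" >&2; return 1; }
  if bound_to_all_interfaces "$conf"; then
    echo "note: mongod listens on all interfaces; every client now has to authenticate"
  fi
  sudo systemctl restart mongod
  probe_unauthenticated_access
}

if [ "${1:-}" = "--apply" ]; then
  harden "${2:-/etc/mongod.conf}"
fi
```

Running it twice leaves a single security: block, so it is safe in a configuration-management loop, and the probe deliberately distinguishes "refused because authentication is required" from "could not connect", since a stopped mongod would otherwise look like a hardened one.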

User Management

  1. List the users of the current database. Users live in the database they were created in, so run this from admin; the root user shown here already existed on this host:
admin> db.getUsers()
{
  users: [
    {
      _id: 'admin.admin',
      userId: new UUID("5d370140-9b81-4831-971d-0c6bbeb73915"),
      user: 'admin',
      db: 'admin',
      roles: [ { role: 'root', db: 'admin' } ],
      mechanisms: [ 'SCRAM-SHA-1', 'SCRAM-SHA-256' ]
    },
    {
      _id: 'admin.mongo',
      userId: new UUID("06de247e-5195-4eac-92de-1cec3737a962"),
      user: 'mongo',
      db: 'admin',
      roles: [ { role: 'userAdminAnyDatabase', db: 'admin' } ],
      mechanisms: [ 'SCRAM-SHA-1', 'SCRAM-SHA-256' ]
    }
  ],
  ok: 1
}
  2. Grant additional roles to an existing user. This gives mongo readWrite on the products database. Note that widening the administrative account is the opposite of least privilege; an application should get its own user that holds only readWrite on its own database.
admin> db.grantRolesToUser("mongo", [{role: "readWrite", db: "products"} ])
  3. Get, add or drop indexes on a collection for faster queries (after use products):
products> show collections
products_20210301
test1
products> db.products_20210301.find().count()
867024
products> db.products_20210301.findOne()
{
  _id: ObjectId("645b3a381613d08f9fea7a52"),
  namespace: 0,
  title: '!',
  text: '#redirect 느낌표\n',
  contributors: [ 'r:hoon12560', 'namubot' ]
}
products> db.products_20210301.createIndex({title: 'text'})
products> db.products_20210301.dropIndex('title_text')
{ nIndexesWas: 2, ok: 1 }
products> db.products_20210301.getIndexes()
[ { v: 2, key: { _id: 1 }, name: '_id_' } ]
products> db.products_20210301.createIndex({"title":1}, {"unique":true})
