MongoDB Authentication

It is very important to understand MongoDB's security setup to ensure that your data is protected. One of the fundamental steps you are required to perform AFTER installing MongoDB is enabling authentication, because by default MongoDB DOES NOT enable authentication!

To illustrate:

I am starting a mongod instance with the command:

mongod --port 23516 --dbpath E:\mongo_data

Remark: I don't like using MongoDB's default port, 27017, because an intruder scanning for that port would immediately detect the database. Keep in mind that this only hides it from a lazy scan: a scan of all ports with service detection still identifies mongod wherever it listens, so a non-default port is no substitute for authentication and network restrictions.

In another session, I started the mongo shell and executed the command:

mongo --port 23516

[screenshot: mongo shell connected without authentication]

So I was able to access the database without authentication, and could perform any operation I wanted.

Note the WARNING messages displayed:

** WARNING: Access control is not enabled for the database.
** Read and write access to data and configuration is unrestricted.

How to enable authentication, then?

Inside your mongo shell, create a new account and grant it a role. For illustration I executed the commands below (the root role grants everything, so reserve it for administration and give application users only the roles they need):

> use admin
switched to db admin
> db.createUser({user:'db_admin',pwd:'clooney_880',roles:["root"]})
Successfully added user: { "user" : "db_admin", "roles" : [ "root" ] }
> db.system.users.find()
{ "_id" : "admin.db_admin", "user" : "db_admin", "db" : "admin", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "Cjgnv5aqM1Sc8Z/W0NsWPw==", "storedKey" : "SmELqIx4GpULcalO1YO+uBOR6K4=", "serverKey" : "rzhVDE388SHCGVkQ5UVnk+cjxy0=" } }, "roles" : [ { "role" : "root", "db" : "admin" } ] }

[screenshot: creating the user in the mongo shell]

Note that system.users holds no password: only the SCRAM-SHA-1 salt and the storedKey and serverKey derived from it.

Restart your mongod instance with the --auth parameter:

mongod --auth --port 23516 --dbpath E:\mongo_data

In another session, if I execute plain mongo, I only see the message below. This failure has nothing to do with authentication: the shell tried the default port 27017, where nothing is listening.

mongo

2017-07-08T20:00:15.713+0300 W NETWORK [thread1] Failed to connect to 127.0.0.1:27017 after 5000ms milliseconds, giving up.
2017-07-08T20:00:15.787+0300 E QUERY [thread1] Error: couldn’t connect to server 127.0.0.1:27017, connection attempt failed :
connect@src/mongo/shell/mongo.js:237:13

If I execute mongo --port 23516, I can connect but cannot do anything: a command such as show dbs fails with an error saying that I am not authorized on admin to execute the command.

[screenshot: mongo shell connected but not authorized]

The correct command is:

mongo --username db_admin --password clooney_880 --port 23516 --authenticationDatabase=admin

[screenshot: mongo shell connected successfully]

Be aware that a password given on the command line ends up in your shell history and in process listings; if you leave the value out (mongo --username db_admin --password --port 23516 --authenticationDatabase=admin), the shell prompts for it instead.

OR

mongo --port 23516

use admin

db.auth('db_admin','clooney_880')

 

Final word: most MongoDB database breaches have happened because basic security practices were not implemented, and specifically because authentication was not enabled. Enabling authentication is the first step, not the last: also bind mongod only to the interfaces that need it (bindIp), firewall the port, and use TLS for connections.

 
