It is very important to understand the MongoDB security setup to ensure that your data is protected. One of the fundamental security steps that you are required to perform AFTER installing MongoDB is enabling authentication. So, to be clear: by default MongoDB DOESN'T enable authentication!!!
To illustrate:
I am starting a mongod instance process using the command:
mongod --port 23516 --dbpath E:\mongo_data
Remark: I don't like using the default MongoDB port (27017); a non-default port makes it harder for an intruder running a port scan to detect the existence of the MongoDB database.
In another new session, I started a mongo shell and executed the command:
mongo --port 23516
So, I was able to access the database without authentication!!! and could perform any operation I wanted.
Note the WARNING messages displayed:
** WARNING: Access control is not enabled for the database.
** Read and write access to data and configuration is unrestricted.
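A small Node.js check, added here as an example and not part of the original post, that scans mongod startup output for exactly the warning quoted above so that an instance running without access control can be flagged from its logs. The sample log lines are constructed for the example from the warning text in the post and the 3.x log-line format shown further down; they were not captured from a real host.

```javascript
// Added example: flag mongod instances whose startup log carries the
// "Access control is not enabled" warning quoted in the post.
// The log lines below are constructed for this example.
const SAMPLE_LOG = [
  '2017-07-08T19:58:02.101+0300 I CONTROL  [initandlisten] MongoDB starting : pid=4120 port=23516 dbpath=E:\\mongo_data',
  '2017-07-08T19:58:02.102+0300 I CONTROL  [initandlisten] ',
  '2017-07-08T19:58:02.102+0300 I CONTROL  [initandlisten] ** WARNING: Access control is not enabled for the database.',
  '2017-07-08T19:58:02.102+0300 I CONTROL  [initandlisten] **          Read and write access to data and configuration is unrestricted.',
  '2017-07-08T19:58:02.103+0300 I NETWORK  [thread1] waiting for connections on port 23516',
].join('\n');

// Matches the plain-text log format seen in the post:
// <timestamp> <severity> <component> [<context>] <message>
const LOG_LINE = /^(\S+)\s+([IWEF])\s+(\S+)\s+\[([^\]]+)\]\s?(.*)$/;

function parseLogLine(line) {
  const m = LOG_LINE.exec(line);
  if (!m) return null;
  return { timestamp: m[1], severity: m[2], component: m[3], context: m[4], message: m[5] };
}

// Walks every line of a mongod log and returns a finding object:
//   accessControlDisabled - true when the warning from the post is present
//   port                  - the listening port, if the log states it
//   warnings              - the text of every "** WARNING:" line
function auditMongodLog(logText) {
  const finding = { accessControlDisabled: false, port: null, warnings: [] };
  for (const raw of logText.split(/\r?\n/)) {
    // Lines that do not fit the format (e.g. a bare startup banner) are still inspected as text.
    const entry = parseLogLine(raw) || { message: raw };
    const portMatch = /\bport[= ](\d+)/.exec(entry.message);
    if (portMatch && finding.port === null) finding.port = Number(portMatch[1]);
    if (/Access control is not enabled/i.test(entry.message)) {
      finding.accessControlDisabled = true;
    }
    if (/^\*\* WARNING:/.test(entry.message)) {
      finding.warnings.push(entry.message.replace(/^\*\* WARNING:\s*/, ''));
    }
  }
  return finding;
}

// Stand-alone run: audit the constructed sample and report the result.
console.log(JSON.stringify(auditMongodLog(SAMPLE_LOG), null, 2));
```

Run it with `node` against a saved mongod log (replace `SAMPLE_LOG` with the file contents); a result with `accessControlDisabled: true` means the instance is in the state the post describes and needs the `--auth` restart that follows.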
How do you enable authentication then?
Inside your mongo shell, create a new account and grant it a role. For illustration, I executed the commands below:
> use admin
switched to db admin
> db.createUser({user:'db_admin',pwd:'clooney_880',roles:["root"]})
Successfully added user: { "user" : "db_admin", "roles" : [ "root" ] }
> db.system.users.find()
{ "_id" : "admin.db_admin", "user" : "db_admin", "db" : "admin", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "Cjgnv5aqM1Sc8Z/W0NsWPw==", "storedKey" : "SmELqIx4GpULcalO1YO+uBOR6K4=", "serverKey" : "rzhVDE388SHCGVkQ5UVnk+cjxy0=" } }, "roles" : [ { "role" : "root", "db" : "admin" } ] }
Restart your mongod instance and add the authentication parameter:
mongod --auth --port 23516 --dbpath E:\mongo_data
In another session, if you execute the command mongo without specifying the port, you only see the message below:
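The same restart expressed as a mongod configuration file, added here as an example and not part of the original post: `security.authorization: enabled` is the config-file equivalent of the `--auth` flag, `net.port` and `storage.dbPath` carry the values used above, and the `bindIp` line and the config file path are my additions.

```yaml
# Added example: mongod.conf equivalent of
#   mongod --auth --port 23516 --dbpath E:\mongo_data
# Start with: mongod --config E:\mongo_conf\mongod.conf   (path is an assumed placeholder)
storage:
  dbPath: E:\mongo_data
net:
  port: 23516              # non-default port chosen in the post
  bindIp: 127.0.0.1        # added: accept local connections only until remote access is actually needed
security:
  authorization: enabled   # same effect as the --auth command-line flag
```

Because the post creates the db_admin user before enabling authorization, nothing else is needed after the restart; the weak state is simply the absence of the `security` section (or `authorization: disabled`), which is what every fresh install ships with.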
2017-07-08T20:00:15.713+0300 W NETWORK [thread1] Failed to connect to 127.0.0.1:27017 after 5000ms milliseconds, giving up.
2017-07-08T20:00:15.787+0300 E QUERY [thread1] Error: couldn't connect to server 127.0.0.1:27017, connection attempt failed :
connect@src/mongo/shell/mongo.js:237:13
If I execute mongo --port 23516, I can enter but can't perform anything, such as the
"show dbs" command; an error occurs saying I am not authorized on admin to execute the command.
The correct command is:
mongo --username db_admin --password clooney_880 --port 23516 --authenticationDatabase=admin
OR
mongo --port 23516
use admin
db.auth('db_admin','clooney_880')
Final word: most MongoDB database breaches happened due to a lack of best-practice security implementation, and specifically due to not enabling authentication.