Secure MongoDB on Ubuntu 16.04
In this article, we will learn how to secure MongoDB on Ubuntu 16.04. Older versions of MongoDB were vulnerable to automated exploits because, by default, no authentication was required to interact with the database: any user could create, read, modify and destroy databases and their contents, and the MongoDB daemon listened on all interfaces in its default settings.
Enabling Authentication and Adding Admin User
This issue has been mitigated in the latest MongoDB versions (3.x and later); however, authentication is still disabled by default, so any user can have complete access to the database. To secure it we will create an administrative user, enable authentication, and then test the authentication with the admin user.
Adding an Admin User
To add an admin user we will first connect to the MongoDB shell.
$ mongo
When we open the MongoDB shell, it shows several warnings: access control is not enabled for the database, and read and write access to data and configuration is unrestricted.
Output:
MongoDB shell version v3.4.4
connecting to: MongoDB://127.0.0.1:27017
MongoDB server version: 3.4.4
Welcome to the MongoDB shell.
For interactive help, type "help".
For more comprehensive documentation, see
        http://docs.mongodb.org/
Questions? Try the support group
        http://groups.google.com/group/mongodb-user
Server has startup warnings:
2017-05-16T12:33:46.819+0530 I STORAGE  [initandlisten]
2017-05-16T12:33:46.819+0530 I STORAGE  [initandlisten] ** WARNING: Using the XFS filesystem is strongly recommended with the WiredTiger storage engine
2017-05-16T12:33:46.819+0530 I STORAGE  [initandlisten] **          See http://dochub.mongodb.org/core/prodnotes-filesystem
2017-05-16T12:33:46.850+0530 I CONTROL  [initandlisten]
2017-05-16T12:33:46.850+0530 I CONTROL  [initandlisten] ** WARNING: Access control is not enabled for the database.
2017-05-16T12:33:46.850+0530 I CONTROL  [initandlisten] **          Read and write access to data and configuration is unrestricted.
2017-05-16T12:33:46.850+0530 I CONTROL  [initandlisten]
2017-05-16T12:33:46.850+0530 I CONTROL  [initandlisten]
2017-05-16T12:33:46.850+0530 I CONTROL  [initandlisten] ** WARNING: /sys/kernel/mm/transparent_hugepage/enabled is 'always'.
2017-05-16T12:33:46.850+0530 I CONTROL  [initandlisten] **        We suggest setting it to 'never'
2017-05-16T12:33:46.850+0530 I CONTROL  [initandlisten]
2017-05-16T12:33:46.850+0530 I CONTROL  [initandlisten] ** WARNING: /sys/kernel/mm/transparent_hugepage/defrag is 'always'.
2017-05-16T12:33:46.850+0530 I CONTROL  [initandlisten] **        We suggest setting it to 'never'
2017-05-16T12:33:46.850+0530 I CONTROL  [initandlisten]
>
There is no restriction on the username of the admin account, because the privilege level comes from the userAdminAnyDatabase role, not from the name. The credentials are stored in the admin database.
We will choose a user name of our choice and make sure to pick a strong password, using the commands below.
> use admin
switched to db admin
Once we have switched to the admin database, we create the admin user.
> db.createUser(
... {
... user: "DBAdmin",
... pwd: "DBAdmin'sSecurePassword",
... roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
... }
... )
Output:
Successfully added user: {
        "user" : "DBAdmin",
        "roles" : [
                {
                        "role" : "userAdminAnyDatabase",
                        "db" : "admin"
                }
        ]
}
>
We have now created an admin user called DBAdmin with a secure password. It will not be required, however, until we enable authentication in the MongoDB configuration.
Enabling Authentication for MongoDB
We need to enable authentication in the configuration file mongod.conf, which is located in /etc, and then restart the MongoDB daemon.
We will edit the mongod.conf file and make the change in the security section.
$ sudo vi /etc/mongod.conf
The configuration file looks like this:
# mongod.conf
# for documentation of all options, see:
#   http://docs.mongodb.org/manual/reference/configuration-options/

# Where and how to store data.
storage:
  dbPath: /var/lib/mongodb
  journal:
    enabled: true
#  engine:
#  mmapv1:
#  wiredTiger:

# where to write logging data.
systemLog:
  destination: file
  logAppend: true
  path: /var/log/mongodb/mongod.log

# network interfaces
net:
  port: 27017
  bindIp: 127.0.0.1

#processManagement:

#security:

#operationProfiling:

#replication:

#sharding:

## Enterprise-Only Options:
We need to remove the comment character (#) before security to enable the section, and add the authorization setting below it. The result is:
#processManagement:

security:
  authorization: "enabled"

#operationProfiling:

#replication:

#sharding:
Note that the security line has no leading space, while the authorization line must start with two spaces. Once we have added the lines to the configuration file, we need to restart the mongod daemon.
Below is the command to restart the MongoDB service:
$ sudo systemctl restart mongod
Once we have restarted the service, we can check its status with the command below:
$ sudo systemctl status mongod
Output:
mongod.service - High-performance, schema-free document-oriented database
   Loaded: loaded (/lib/systemd/system/mongod.service; disabled; vendor preset: enabled)
   Active: active (running) since Tue 2017-05-16 12:52:09 IST; 48s ago
     Docs: https://docs.mongodb.org/manual
 Main PID: 3281 (mongod)
    Tasks: 20
   Memory: 33.3M
      CPU: 734ms
   CGroup: /system.slice/mongod.service
           └─3281 /usr/bin/mongod --quiet --config /etc/mongod.conf

May 16 12:52:09 ubuntu-16 systemd[1]: Started High-performance, schema-free document-oriented database.
Verifying the Authentication on MongoDB
First, let us connect to MongoDB without any credentials.
$ mongo
Output:
MongoDB shell version v3.4.4
connecting to: mongodb://127.0.0.1:27017
MongoDB server version: 3.4.4
>
We can see that the warning messages displayed earlier are now gone. Next we will test the authentication by trying to list the databases.
> show dbs
2017-05-16T12:56:17.306+0530 E QUERY    [thread1] Error: listDatabases failed:{
        "ok" : 0,
        "errmsg" : "not authorized on admin to execute command { listDatabases: 1.0 }",
        "code" : 13,
        "codeName" : "Unauthorized"
} :
_getErrorWithCode@src/mongo/shell/utils.js:25:13
Mongo.prototype.getDBs@src/mongo/shell/mongo.js:62:1
shellHelper.show@src/mongo/shell/utils.js:769:19
shellHelper@src/mongo/shell/utils.js:659:15
@(shellhelp2):1:1
We can see that we are not able to create or use a database without authentication. Now exit the shell and try again with authentication.
Verifying the Admin User Access
Now, try to connect to the admin database using the admin user's credentials. Below is the command to connect to the database with user authentication:
$ mongo -u DBAdmin -p --authenticationDatabase admin
MongoDB shell version v3.4.4
Enter password:
connecting to: mongodb://127.0.0.1:27017
MongoDB server version: 3.4.4
> show dbs
admin  0.000GB
local  0.000GB
>
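As an added check (an example script written for this page, not part of the article), the POSIX shell script below audits a mongod.conf for the two settings the procedure relies on: an uncommented security section with authorization enabled, and a bindIp limited to loopback. It assumes the YAML layout shown above (unindented top-level keys, indented child keys) and builds two constructed sample files to demonstrate a stock and a hardened configuration.

```shell
#!/bin/sh
# Added audit helper, not part of the article. Assumes the YAML layout mongod
# ships with: top-level keys unindented, child keys indented, one key per line.

# Exit 0 when an uncommented "security:" section holds authorization: enabled.
auth_enabled() {
  awk '
    /^[^# \t]/ { section = $1 }                  # remember current top-level key
    section == "security:" && /^[ \t]+authorization:/ {
      val = $2; gsub(/"/, "", val)               # accept "enabled" or enabled
      if (val == "enabled") ok = 1
    }
    END { exit (ok ? 0 : 1) }
  ' "$1"
}

# Exit 0 when net.bindIp is present and lists only loopback addresses.
bind_loopback() {
  awk '
    /^[^# \t]/ { section = $1 }
    section == "net:" && /^[ \t]+bindIp:/ {
      seen = 1; val = $2; gsub(/"/, "", val)
      n = split(val, a, ",")
      for (i = 1; i <= n; i++)
        if (a[i] != "127.0.0.1" && a[i] != "::1" && a[i] != "localhost") bad = 1
    }
    END { exit (seen && !bad ? 0 : 1) }
  ' "$1"
}

# Print both findings; exit 0 only when both checks pass.
audit_mongod_conf() {
  rc=0
  if auth_enabled "$1"; then echo "OK   security.authorization is enabled"
  else echo "FAIL security.authorization not enabled: mongod accepts anyone"; rc=1; fi
  if bind_loopback "$1"; then echo "OK   net.bindIp is loopback only"
  else echo "FAIL net.bindIp exposes mongod beyond loopback"; rc=1; fi
  return $rc
}

# Constructed sample configs: the stock file with "security:" still commented
# out, and the hardened file from this article.
STOCK_CONF=$(mktemp); HARDENED_CONF=$(mktemp)
printf 'net:\n  port: 27017\n  bindIp: 127.0.0.1\n#security:\n' > "$STOCK_CONF"
printf 'net:\n  port: 27017\n  bindIp: 127.0.0.1\nsecurity:\n  authorization: "enabled"\n' > "$HARDENED_CONF"

audit_mongod_conf "$STOCK_CONF" || echo "stock config: authentication is off"
audit_mongod_conf "$HARDENED_CONF"
```

Run it against /etc/mongod.conf after editing; a forgotten comment character on the security line, or an authorization line left under the commented-out section, is reported as FAIL.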
In this article, we have learned how to secure MongoDB by adding an admin user and enabling authentication. In its default settings MongoDB does not enable user authentication, so any user can create, delete and modify databases.