- Learn how to install MongoDB on Ubuntu 22
- How To Secure MongoDB on Ubuntu 22.04
MongoDB is a document database that is often used in modern web applications. It is different from traditional relational databases because it does not use a table-based structure. Instead, it uses JSON-like documents with dynamic schemas.
By default, MongoDB does not have authentication enabled. This means that anyone with access to the server where the database is installed can add and delete data without restriction. This is a security vulnerability, so it is important to enable authentication.
This tutorial will show you how to secure your MongoDB database by creating an administrative user, enabling authentication, and testing that only the administrative user can access the database.
Prerequisites
To complete this tutorial, you will need the following:
- An Ubuntu 22.04 server with a root administrative user
- MongoDB version 7.0 installed. This tutorial can be adapted to older versions of MongoDB, but 7.0 is the recommended version. You can install MongoDB on your server by following our guide on How To Install MongoDB on Ubuntu 22.04.
Step 1: Create an Administrative User
To secure your MongoDB database, you need to create an administrative user. This user will have full access to the database, including the ability to create, modify, and delete data.
To create an administrative user, you need to connect to the MongoDB database using the mongo shell. You can do so with the mongo command, without any other options
mongo
When you first connect to the MongoDB database using the mongo shell, you will see a warning message that access control is not enabled. This means that anyone with access to the server can read and write to the database, including sensitive data.
The warnings will go away once you enable authentication, but for now, they mean that anyone who can access your server can also take control of your database.
To improve security, it is essential to create an administrative user. This starts by connecting to the admin database, which stores user data.
use admin
Then, use the db.createUser() method to define the administrative user’s attributes. This includes specifying a username, password, and assigned roles. An example follows:
db.createUser(
{
user: "AdminUser",
pwd: passwordPrompt(),
roles: [ { role: "userAdminAnyDatabase", db: "admin" }, "readWriteAnyDatabase" ]
}
)
Here, the passwordPrompt() method ensures that the password is entered securely. The user is granted the userAdminAnyDatabase role, which provides administrative capabilities, and the readWriteAnyDatabase role, which allows them to manipulate data across the cluster.
Successful execution of the following command will prompt you to enter a password and will then add the administrative user:
Enter password:
Successfully added user: {
"user" : "AdminUser",
"roles" : [
{
"role" : "userAdminAnyDatabase",
"db" : "admin"
},
"readWriteAnyDatabase"
]
}
To conclude this step, exit the MongoDB client by typing the following command and pressing Enter:
exit
This will disconnect you from the database and return you to the command prompt.
Step 2: Enabling Authentication
To enable authentication for your MongoDB database, you need to edit the configuration file, mongod.conf. Once you enable authentication and restart the MongoDB service, users will still be able to connect to the database, but they won’t be able to read or modify any data until they provide a valid username and password.
Here’s how to do it:
Open the configuration file with your preferred text editor. I like to use nano, so I’d run the following command:
sudo nano /etc/mongod.conf
Scroll down to the security section and uncomment the following line:
security:
Then, add the authorization parameter and set it to enabled:
security: authorization: enabled
Once you have made the necessary changes to the configuration file, you need to save and close it. To do this, press Ctrl+X and then press Y to confirm.
Then restart the daemon to put these new changes into effect:
sudo systemctl restart mongod
Next, you can verify that the MongoDB service restarted correctly by running the following command:
sudo systemctl status mongod
This will display the status of the MongoDB service. If the service is running correctly, you will see a message that says “active (running).”
Now, when you try to connect to the MongoDB shell, you’ll be prompted for a username and password. Enter the credentials for your administrative user and you’ll be logged in.
Once you’re logged in, you can test the authentication settings by running the show dbs command. This command will list all of the databases on the server. If you’re not authenticated, you won’t be able to see the list of databases.
By following the steps in this blog post, you have enabled authentication for your MongoDB database. This will help to protect your data from unauthorized access.
Here are some additional tips for securing your MongoDB database:
- Use strong passwords for all users, including the administrative user.
- Keep your passwords confidential.
- Grant users only the permissions they need.
- Monitor your database logs for suspicious activity.
- Back up your database regularly.
By following these tips, you can help to keep your MongoDB database secure.