Check that --auth and the localhost exception are NOT enabled yet,
ps aux | grep mongo
grep enableLocalhostAuthBypass /etc/mongod.conf
Create a mongo root user and a backup user,
db.createUser( { user: "root", pwd: "MONGO-ROOT-PASSWD", roles: [ { role: "userAdminAnyDatabase", db: "admin" } ] } )
db.createUser( { user: "backupuser", pwd: "YETANOTHERPASSWD", roles: [ { role: "backup", db: "admin" } ] } )
Without even restarting the mongo daemon, check that you can connect with those credentials,
mongo -u "root" -p "MONGO-ROOT-PASSWD" --authenticationDatabase "admin"
Then a user with access to the DBNAME db only,
use DBNAME
var user = { "user" : "DBNAMEuser", "pwd" : "MONGO-USER-PASSWD", roles : [ { "role" : "readWrite", "db" : "DBNAME" } ] }
db.createUser(user);
Without even restarting the mongo daemon, check that you can connect with those credentials,
mongo -u "DBNAMEuser" -p "MONGO-USER-PASSWD" --authenticationDatabase "DBNAME" DBNAME
Tune the config,
vi /etc/mongodb.conf
setParameter:
  enableLocalhostAuthBypass: false
Also in the init script,
cp -p /etc/init.d/mongod /etc/init.d/mongod.`date +%s`
vi /etc/init.d/mongod
OPTIONS=" -f $CONFIGFILE --auth"
Further tune the arguments when running the daemon,
vi /etc/init.d/mongod
OPTIONS=" -f $CONFIGFILE --auth --sslMode preferSSL --sslPEMKeyFile /etc/mongodb/private_and_cert.pem --sslPEMKeyPassword PASSPHRASE_HERE --sslCAFile /etc/mongodb/chain_and_root_concat.crt --sslAllowInvalidHostnames --sslAllowConnectionsWithoutCertificates"
systemctl daemon-reload
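As an added example (not from these notes, not a MongoDB tool), a small POSIX sh audit of the settings just tuned: it reads a mongod.conf and the OPTIONS string from the init script, fails when auth is off or the localhost bypass is not set to false, and reports the TLS options that still let plaintext or unvalidated peers in (preferSSL accepts non-TLS clients; the two --sslAllow* flags relax certificate checks). It assumes the YAML layout used above, that "security: authorization: enabled" in the config is the file equivalent of --auth, and runs against a constructed sample config, not the live /etc/mongod.conf.

```shell
#!/bin/sh
# Added example, not part of the original notes: audit mongod.conf plus the
# OPTIONS= string of the init script. Returns 0 only when auth is on and the
# localhost bypass is off; weak TLS settings are warnings, not failures.

audit_mongod() {
  conf=$1   # path to mongod.conf (YAML)
  opts=$2   # value of OPTIONS= from /etc/init.d/mongod or /etc/default/mongod
  rc=0

  # Auth is on with --auth on the command line, or with
  # "security: authorization: enabled" in the YAML config.
  auth=no
  case " $opts " in *" --auth "*) auth=yes ;; esac
  if grep -Eq '^[[:space:]]*authorization:[[:space:]]*enabled' "$conf"; then auth=yes; fi
  if [ "$auth" = yes ]; then echo "ok: authentication enabled"
  else echo "FAIL: authentication is not enabled"; rc=1; fi

  # The localhost exception must be off once the admin users exist.
  if grep -Eq '^[[:space:]]*enableLocalhostAuthBypass:[[:space:]]*false' "$conf"; then
    echo "ok: enableLocalhostAuthBypass is false"
  else
    echo "FAIL: enableLocalhostAuthBypass is not set to false"; rc=1
  fi

  # TLS mode: preferSSL still lets clients connect in plaintext.
  case " $opts " in
    *" --sslMode requireSSL "*) echo "ok: sslMode requireSSL" ;;
    *" --sslMode preferSSL "*)  echo "warn: sslMode preferSSL still accepts plaintext clients" ;;
    *)                          echo "warn: no --sslMode, all client traffic is plaintext" ;;
  esac
  # Options that relax certificate validation; handy to get going, worth revisiting.
  case " $opts " in *" --sslAllowInvalidHostnames "*)
    echo "warn: --sslAllowInvalidHostnames skips hostname checks on member certificates" ;; esac
  case " $opts " in *" --sslAllowConnectionsWithoutCertificates "*)
    echo "warn: --sslAllowConnectionsWithoutCertificates: clients need not present a certificate" ;; esac
  return $rc
}

# Constructed sample config standing in for /etc/mongod.conf; $2 is the bypass value.
write_sample_conf() {
  cat > "$1" <<EOF
systemLog:
  path: /var/log/mongodb/mongod.log
net:
  port: 27017
setParameter:
  enableLocalhostAuthBypass: $2
EOF
}

# Demo: the OPTIONS line from these notes against the sample config.
sample=$(mktemp)
write_sample_conf "$sample" false
audit_mongod "$sample" ' -f /etc/mongod.conf --auth --sslMode preferSSL --sslPEMKeyFile /etc/mongodb/private_and_cert.pem --sslCAFile /etc/mongodb/chain_and_root_concat.crt --sslAllowInvalidHostnames --sslAllowConnectionsWithoutCertificates'
rm -f "$sample"
```

Run it as `sh audit.sh`; the demo prints two "ok" lines and three warnings for the OPTIONS line above. Point it at the real config and the real OPTIONS= value once the daemon has been restarted.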
In case you played around starting the daemon as root (WRONG), fix the perms again,
chown -R mongod:mongod /data/logs/mongodb/ /data/databases/ /var/log/mongodb/ /var/lib/mongo/
and make sure the process and pidfile are gone,
ls -l /var/run/mongodb/mongod.pid
ps aux | grep mongo
Point your app to the right URL; if SSL is not enabled yet,
mongodb://[user]:[password]@[serveraddress]:[port]/[database]
with SSL enabled,
mongodb://[user]:[password]@[serveraddress]:[port]/[database]?ssl=true
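The URLs above break as soon as the user name or password contains characters such as @ : / ? # or %, which must be percent-encoded inside a mongodb:// URI. As an added example (not from these notes), a POSIX sh helper that encodes both fields and assembles the URL, with or without ?ssl=true; the host, port and password it is run with are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original notes: build the connection URI with the
# user name and password percent-encoded, so reserved characters in the password
# cannot be mistaken for URI separators.

# Percent-encode one string byte by byte (unreserved characters pass through).
# Runs in a subshell so LC_ALL=C does not leak out; ASCII input assumed.
urlencode() (
  LC_ALL=C
  s=$1
  while [ -n "$s" ]; do
    c=${s%"${s#?}"}     # first character of $s
    s=${s#?}            # rest of $s
    case "$c" in
      [a-zA-Z0-9._~-]) printf '%s' "$c" ;;
      *)               printf '%%%02X' "'$c" ;;
    esac
  done
)

# mongo_uri USER PASSWORD HOST PORT DATABASE [ssl]
# A 6th argument "ssl" appends ?ssl=true, as in the SSL-enabled URL above.
mongo_uri() {
  uri="mongodb://$(urlencode "$1"):$(urlencode "$2")@$3:$4/$5"
  if [ "${6:-}" = ssl ]; then
    uri="$uri?ssl=true"
  fi
  printf '%s\n' "$uri"
}

# Demo with a constructed password; host and database are placeholders.
# Prints mongodb://DBNAMEuser:p%40ss%3Aw%2Frd%251@db.example.internal:27017/DBNAME?ssl=true
mongo_uri DBNAMEuser 'p@ss:w/rd%1' db.example.internal 27017 DBNAME ssl
```

The driver decodes the fields again, so the user still authenticates with the original password; only the URI form changes.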
then restart the daemon and watch the logs,
service mongod restart
tail -n 100 -F /data/logs/mongodb/mongod.log
check that --auth and --ssl* are now enabled and that the right cert is provided by the mongodb service,
ps aux | grep mongo
openssl s_client -connect localhost:27017
and finally restart the application and check that it is able to access the data through the now better secured connection.
Now that auth is enabled onto MongoDB, make sure your backup scripts are up-to-date e.g.,
umask 0077
date=`date +%Y-%m-%d-%s`
backupdir=/data/backup/mongodb
mkdir -p $backupdir/
days=5
host=`hostname --short`
destdir=$backupdir/$date.$host.mongo
echo -n dumping all mongo databases to $destdir/...
# -p on the command line is visible to local users in ps output; keep this a root-only cron job
time mongodump --quiet -u "backupuser" -p "YETANOTHERPASSWD" --authenticationDatabase "admin" -o $destdir && echo done
unset destdir
echo -n removing older mongo backups \(+$days days\) from $backupdir/...
# -mindepth 1 keeps find from matching (and removing) $backupdir itself when it is older than $days
find $backupdir/ -mindepth 1 -maxdepth 1 -type d -mtime +$days -exec rm -rf {} \; && echo done
This did not work (editing the init script instead). And also tune the arguments when running the daemon!
grep SYSCONFIG /etc/init.d/mongod
vi /etc/default/mongod
# custom sysconfig for mongod to enable --auth
CONFIGFILE="/etc/mongod.conf"
OPTIONS=" -f $CONFIGFILE --auth"