Table of Contents
MongoDB Authentication is one of the security features that comes along with both Community and Enterprise edition. In this blog, we will see how to enable this feature on MongoDB Replication nodes and safeguard your data from BOT attacks.
Introduction
4000+ unsecured databases exposed on the public web recently are the target of an automated ‘meow’ attack that destroyed data with any explanation. More than 97% of them are Elastic and MongoDB databases.
One of the ways to secure your database is to ensure you have proper authentication mechanism in place.
By default, there is no authentication in MongoDB. It means that it comes with empty authentication. So, we should create users and roles manually.
2020-08-17T05:19:45.763+0000 I CONTROL [initandlisten] ** WARNING: Access control is not enabled for the database.
2020-08-17T05:19:45.763+0000 I CONTROL [initandlisten] ** Read and write access to data and configuration is unrestricted.
2020-08-17T05:19:45.763+0000 I CONTROL [initandlisten]
There are lots of ways to create MongoDB authentication. The most popular and easiest way is to enable authentication on mongodb config file and enable it.
But in this post, I will show you how you could enable authentication and create user account and authenticate that user to connect with Replication nodes.
Let us start…
Authentication enabling on MongoDB
Step: 1 – Create & copy keyfile:
First, we need to generate a key file for internal communication between the replication nodes. Replica sets and sharded clusters require internal authentication between members when access control is enabled.
2.
3. $mkdir /etc/mongodb/
4. cd /etc/mongodb/
5. $openssl rand -base64 756 > <path-to-keyfile>
6. $chmod 400 <path-to-keyfile>
7.
8. chown mongod:mongod <path-to-keyfile>
Copy this file to all the rest of the replica set members using ssh or scp to the same location. Ensure that the user running the ‘mongod’ instances is the owner of the file and can access the keyfile. Here I am suing ‘mongod’ as my owner.
Best practice is to avoid storing the keyfile on storage mediums that can be easily disconnected from the hardware hosting the mongod instances, such as a USB drive or a network attached storage device.
Step: 2 – Connect MongoDB and create admin user and authenticate
connect to mongodb instance locally if services are enabled, or connect with config file.
Create admin user with respective role. Here I am creating my user as “admin” and password as “password” with root role. The good practice is to generate user login with strong password combination of {character + numeric + special character}.
2. db.createUser(
3. {
4. user: “admin”,
5. pwd: “password”,
6. roles: [ { role: “root”, db: “admin” } ]
7. }
8. );
9. db.auth(“admin”, “password”)
Step 3 – Add keyfile, enable authorization, and restart each replication member
So, in the previous step we completed user and password creation and we have enabled authentication to the user account. Now we need to enable authorization in the config file.
Edit mongodb config file and enable security features with keyfile details which we created in Step 1.
2.
3. $sudo vi /etc/mongod.conf
4.
5. #Enable Security
6. .
7. .
8. .
9. security:
10. authorization: enabled
11. keyFile: /etc/mongodb/mongodb-keyfile
Save the config file and restart the mongodb Instance. Do this change in the rest of the secondary nodes as well. It will ensure internal communication between replica nodes enable authentication.
That’s it! Now authentication has been enabled successfully. Connect with your user credential to test it. Also, create additional user accounts as well.
Conclusion
I hope this guide was useful to you. In this article we have seen how to set up MongoDB Replication with basic security using keyfile method for internal authentication between instances. For production deployment, it is recommended to upgrade key to X.509 certificate authentication. Stay tuned for my next article for more details.