Wondering on how to enable authentication for MongoDB on Ubuntu?
MongoDB does not have authentication enabled by default. Any user with access to the MongoDB server can add and delete data without any restriction.
As a part of our Server Management Services, we help our Customers perform server hardening tasks regularly.
Let us today discuss the possible steps to enable authentication in MongoDB.
Why do we need to enable authentication for MongoDB on Ubuntu?
Any users that have access to the MongoDB server will have complete access to the databases as authentication is disabled by default.
For instance, if we connect to the Mongo shell prompt, it itself displays a security warning as shown below:
MongoDB shell version v4.4.0
. . .
2020-06-09T13:26:51.391+0000 I CONTROL [initandlisten] ** WARNING: Access control is not enabled for the database.
2020-06-09T13:26:51.391+0000 I CONTROL [initandlisten] ** Read and write access to data and configuration is unrestricted.
. . .
As users connected to the system can read and edit the data in all the databases, if we have any databases holding sensitive data on the system attackers can easily manipulate the data once they gain access. Thus, it is important to secure MongoDB by enabling authentication.
Adding an Administrative User for MongoDB in Ubuntu
Firstly, to secure this vulnerability, we will create an administrative user. Later, we will enable authentication and connect as this administrative user to access the database.
To add an administrative user, we must first connect to the Mongo Shell with the command below:
$ mongo
Now that we are in the Mongo shell, let us connect to the admin database. This is where information about users, like their usernames, passwords, and roles, are stored:
> use admin
MongoDB comes with a number of JavaScript-based shell methods that we can use to manage the database. One of these, the db.createUser method, helps to create new users on the database.
db.createUser(
{
user: "Admintest",
pwd: "Password",
roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
}
)
Here, to make it a bit more secure we can replace the password in clear text format with the passwordPrompt() method. Thus, it will ask to enter the password when we execute the db.createUser method. Make sure to enter a strong password here.
Finally, we will receive an output that it has successfully added a user. Now we can exit the MongoDB client with the exit command or CTRL+C option.
Enabling Authentication
To enable authentication, we must edit the MongoDB’s configuration file mongod.conf. Now, open the configuration file with a preferred text editor and scroll down to find the commented-out security section:
. . .
#security:
#operationProfiling:
. . .
Then, uncomment this line by removing the pound sign (#). Add the authorization parameter and set it to “enabled”.
. . .
security:
authorization: "enabled"
#operationProfiling:
. . .
Now, close the text editor and restart the daemon to put these new changes into effect:
$ sudo systemctl restart mongod
$ sudo systemctl status mongod
Here, the status command should now confirm that the daemon is back up and running. Now if we connect to the MongoDB client, it won’t show any warnings on authentication.
After enabling authentication, users will not be able to read or modify any data until they provide a correct username and password.
Finally, the Administrative user will be able to authenticate properly by running the following mongo command:
$ mongo -u Admintest -p --authenticationDatabase admin
[Need any further assistance secure MongoDB on Ubuntu? – We’re available 24*7]
Conclusion
In short, we can enable authentication for MongoDB with a few adjustments in its configuration file. Today, we saw how our Support Engineers secure MongoDB on Ubuntu
0 Comments