Here is a quick guide on setting up a MongoDB 3.4 server on Ubuntu 16.04, with practical advice on securing the installation.
Installation
Let’s spin up a node in your favorite cloud provider, with an Ubuntu 16.04 base image. Follow the steps below to install the v3.4.x community edition of MongoDB from MongoDB APT repository.
Private Network
Ideally, the MongoDB node, as well as the other nodes that need to talk to the MongoDB nodes should be placed on a secure, internal network. All communication with MongoDB should take place over this network, and never over public internet. Additionally, even this communication over the private network should be encrypted.
For example, Google Cloud provides a private network for all the VMs in a project, and each VM can get a public IP as well as a private IP. DigitalOcean provides a “shared private” network, which really is not a “private” network. Any port you expose over a “private” IP on DigitalOcean is accessible to all the droplets in that datacenter.
If your cloud provider does not provide a true private network, you should consider building an overlay VPN, for example using OpenVPN, Tinc VPN, or even Weave.
Configuration File
In the configuration file /etc/mongod.conf
, update the address to which the
mongod
process listens on to the private IP of the node:
If you don’t need the built-in HTTP interfaces of MongoDB, you should disable
them. (This is disabled by default in 3.4, but that was not the case earlier.)
If you’re going to interact with MongoDB only via client libraries or the
mongo
shell, you don’t need the HTTP interface.
You should also consider placing a stricter upper bound on the maximum number of connections to the database. The default value of 65536 might be too high for most installations. Monitor the total open connections during peak traffic, and set a value higher than that.
Restricting Access at IP Level
Access to the MongoDB mongod
port 27017 should be permitted:
- only over the internal network, and
- only from permitted nodes.
You should use your cloud providers’ access control features, like AWS Security Groups or Google Cloud Firewall to enforce these two rules.
If you’re using DigitalOcean or similar providers you should use iptables, ufw, firewalld etc. While these solutions are difficult to scale, it is essential that you use these for the sake of security. If your cloud provider does not provide a true private network, you must use this to restrict access to each node to your other nodes only.
Setup User Authentication
Let’s enable user authentication for this MongoDB server. With this,
you’ll be able to connect to MongoDB only with a valid username and password.
First, let’s start mongod
as is:
Next, we create a user with admin privileges:
Now you have a user called wheel
, who can create further users. However,
authentitcation is not yet enabled. For that, edit /etc/mongod.conf
yet again,
and add:
And restart mongod
again:
Now you should be able to connect to the mongodb by supplying the credentials:
You should create more users as needed, and with roles that are appropriate to
their need. The MongoDB docs
have more information. Also see the list of built-in roles
– the userAdminAnyDatabase
role that we used above is one of them.
Encrypted Communication
You should also ensure that you communicate with MongoDB over TLS. Ideally, you’ll configure your MongoDB so that it requires TLS for all connections.
These MongoDB docs explain how to configure your MongoDB server for TLS.
Once you’ve done that, you’ll also want to learn how clients can connect to such servers.
Monitoring
Every MongoDB in production needs to be monitored. Using OpsDash, you can quickly start monitoring your MongoDB instances without having to install plugins or agents. OpsDash provides a well-thought-out dashboard that displays metrics that are most relevant to the health and performance of the MongoDB instances being monitored.
You can find out more about monitoring MongoDB and MongoDB clusters here.
Got MongoDB setup? Ready to start monitoring? Check out the OpsDash SaaS Beta! It’s free and you can be up and running with MongoDB monitoring in a matter of mintues. Sign Up today!
New Here?
OpsDash is a server monitoring, service monitoring, and database monitoring solution for monitoring MySQL, PostgreSQL, MongoDB, memcache, Redis, Apache, Nginx, HTTP URLs, Elasticsearch and more. It provides intelligent, customizable dashboards and spam-free alerting via email, HipChat, Slack, PagerDuty and PushBullet.