Here is a quick guide on setting up a MongoDB 3.4 server on Ubuntu 16.04, with practical advice on securing the installation.
Let’s spin up a node in your favorite cloud provider, with an Ubuntu 16.04 base image. Follow the steps below to install the v3.4.x community edition of MongoDB from the MongoDB APT repository.
Ideally, the MongoDB node and every node that needs to talk to it should be placed on a secure, internal network. All communication with MongoDB should take place over this network, and never over the public internet. Even the traffic on the private network should be encrypted.
For example, Google Cloud provides a private network for all the VMs in a project, and each VM can get a public IP as well as a private IP. DigitalOcean provides a “shared private” network, which really is not a “private” network. Any port you expose over a “private” IP on DigitalOcean is accessible to all the droplets in that datacenter.
In the configuration file /etc/mongod.conf, set net.bindIp, the address the mongod process listens on, to the private IP of the node. A 3.4 mongod with no bindIp at all listens on every interface, which is exactly what you want to avoid.
If you don’t need the built-in HTTP interfaces of MongoDB (net.http.enabled and the REST interface under it), disable them. They are disabled by default in 3.4, but that was not the case in earlier releases. If you’re going to interact with MongoDB only via client libraries or the mongo shell, you don’t need the HTTP interface.
You should also consider placing a stricter upper bound on the maximum number of connections to the database (net.maxIncomingConnections). The default value of 65536 is too high for most installations: a runaway client or a leaked connection pool is better stopped by a limit you chose than by the server running out of threads and file descriptors. Monitor the total open connections (connections.current in db.serverStatus()) during peak traffic, and set a value comfortably higher than that.
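To make the three settings above concrete, here is an added example in POSIX shell (not code from the original post): it renders a hardened /etc/mongod.conf for a 3.4 node and audits an existing file for the weak settings. The private address 10.128.0.5 and the connection cap of 2000 used with it are constructed values, and the storage and log paths are the Ubuntu package defaults.

```shell
#!/bin/sh
# Added example, not part of the original post. Renders a hardened /etc/mongod.conf for
# MongoDB 3.4 (bind to loopback plus the private IP only, HTTP/REST interfaces off, a
# connection cap) and audits an existing file for the weak settings.
# Assumed/constructed: the private IP passed in (10.128.0.5 in the usage) and the cap of
# 2000; dbPath and the log path are the Ubuntu package defaults.

# Accept only RFC 1918 addresses, so a wildcard or public address can never be written.
is_private_ipv4() {
  case "$1" in
    10.[0-9]*.[0-9]*.[0-9]*) return 0 ;;
    192.168.[0-9]*.[0-9]*) return 0 ;;
    172.1[6-9].[0-9]*.[0-9]*|172.2[0-9].[0-9]*.[0-9]*|172.3[01].[0-9]*.[0-9]*) return 0 ;;
    *) return 1 ;;
  esac
}

# render_mongod_conf PRIVATE_IP [MAX_CONN]  -> prints the configuration on stdout
render_mongod_conf() {
  ip="$1"; maxconn="${2:-2000}"
  is_private_ipv4 "$ip" || { echo "refusing to bind to non-private address '$ip'" >&2; return 1; }
  cat <<EOF
storage:
  dbPath: /var/lib/mongodb
  journal:
    enabled: true
systemLog:
  destination: file
  logAppend: true
  path: /var/log/mongodb/mongod.log
net:
  port: 27017
  # loopback for local administration, the private IP for the application nodes
  bindIp: 127.0.0.1,$ip
  # keep this above the peak of connections.current in db.serverStatus()
  maxIncomingConnections: $maxconn
  http:
    enabled: false
    RESTInterfaceEnabled: false
    JSONPEnabled: false
EOF
}

# http_enabled FILE  -> 0 if "enabled: true" appears inside the net.http stanza
http_enabled() {
  awk '
    /^ *#/ || /^ *$/ { next }                      # skip comments and blank lines
    { match($0, /^ */); ind = RLENGTH }            # indentation of this line
    in_http && ind <= http_ind { in_http = 0 }     # back out of the stanza
    /^ *http:/ { in_http = 1; http_ind = ind; next }
    in_http && /^ *enabled: *true/ { found = 1 }
    END { exit found ? 0 : 1 }' "$1"
}

# check_mongod_conf FILE  -> 0 if none of the weak settings are present, 1 otherwise
check_mongod_conf() {
  f="$1"; rc=0
  # a 3.4 mongod with no bindIp at all listens on every interface
  grep -Eq '^[[:space:]]*bindIp:' "$f" || { echo "$f: bindIp not set" >&2; rc=1; }
  grep -Eq '^[[:space:]]*bindIp:.*0\.0\.0\.0' "$f" && { echo "$f: bindIp includes 0.0.0.0" >&2; rc=1; }
  http_enabled "$f" && { echo "$f: HTTP interface enabled" >&2; rc=1; }
  grep -Eq '^[[:space:]]*(RESTInterfaceEnabled|JSONPEnabled):[[:space:]]*true' "$f" \
    && { echo "$f: REST/JSONP interface enabled" >&2; rc=1; }
  grep -Eq '^[[:space:]]*maxIncomingConnections:' "$f" \
    || { echo "$f: maxIncomingConnections left at the default of 65536" >&2; rc=1; }
  return $rc
}
```

Usage: `render_mongod_conf 10.128.0.5 2000 | sudo tee /etc/mongod.conf` followed by `sudo service mongod restart`; `check_mongod_conf /etc/mongod.conf` can run from a cron job or a deploy pipeline to catch a config that drifted back to the wildcard bind. Loopback is kept in bindIp so that the later user-creation step can be done from the node itself.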
Restricting Access at IP Level
Access to the MongoDB mongod port 27017 should be permitted:
- only over the internal network, and
- only from permitted nodes.
If you’re using DigitalOcean or a similar provider, you should use a host firewall (iptables, ufw, firewalld, etc.). These are difficult to manage at scale, but they are essential: if your cloud provider does not give you a true private network, a host firewall is the only thing that restricts access to each node to your other nodes. Even on a provider with real private networking, use its firewall rules or a host firewall so that only the application nodes can reach port 27017.
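As an added example (not from the original post), here is a POSIX shell function that applies that policy with ufw: default-deny inbound, allow port 27017 only from a list of application nodes to the node’s private address, and explicitly deny it everywhere else. The addresses in the usage (10.128.0.5 for the database node, 10.128.0.6 and 10.128.0.7 for application nodes) are constructed, ufw is assumed to be installed, and setting UFW=echo prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not part of the original post. Restricts mongod's port 27017 with ufw so
# that only named application nodes can reach it, and only on the private address.
# Assumed/constructed: ufw is installed; the database node's private IP and the peer IPs
# are passed as arguments (10.128.0.5, 10.128.0.6, 10.128.0.7 in the usage).
# Set UFW=echo to print the rules instead of applying them.

valid_ipv4() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# restrict_mongod_port PRIVATE_IP PEER_IP...  -> allow the listed peers, deny everyone else
restrict_mongod_port() {
  ufw="${UFW:-ufw}"
  private_ip="$1"; shift
  [ $# -gt 0 ] || { echo "usage: restrict_mongod_port PRIVATE_IP PEER_IP..." >&2; return 1; }
  valid_ipv4 "$private_ip" || { echo "bad private IP: $private_ip" >&2; return 1; }
  for peer in "$@"; do
    valid_ipv4 "$peer" || { echo "bad peer IP: $peer" >&2; return 1; }
  done
  # Default-deny inbound, but keep SSH reachable (rate limited) so we do not lock ourselves out.
  $ufw default deny incoming
  $ufw default allow outgoing
  $ufw limit 22/tcp
  # ufw matches rules in the order they were added: the per-peer allows must precede the deny.
  for peer in "$@"; do
    $ufw allow proto tcp from "$peer" to "$private_ip" port 27017
  done
  # An explicit deny for 27017 on every interface, so the public IP never reaches mongod.
  $ufw deny 27017/tcp
  # --force skips the interactive "may disrupt existing ssh connections" prompt.
  $ufw --force enable
}
```

Usage: `sudo sh -c '. ./fw.sh; restrict_mongod_port 10.128.0.5 10.128.0.6 10.128.0.7'`. Run it with `UFW=echo` first and read the output; adding a new application node means re-running it with the extended list, which is the scaling cost the paragraph above refers to.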
Set Up User Authentication
Let’s enable user authentication for this MongoDB server. Once it is on, you will be able to connect to MongoDB only with a valid username and password.
First, start mongod as is (sudo service mongod start), with authorization still off, so that the first user can be created.
Next, create a user with admin privileges: a user on the admin database with the userAdminAnyDatabase role.
Now you have a user called wheel, who can create further users. However, authentication is not yet enforced. For that, edit /etc/mongod.conf once more, set security.authorization to enabled, and restart mongod.
Now you should be able to connect to MongoDB only by supplying the credentials (for the mongo shell: -u wheel -p --authenticationDatabase admin).
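The whole sequence, as an added example in POSIX shell (not code from the original post): generate the mongo-shell script that creates the admin user, feed it to mongo over stdin so that the password is never a command-line argument, and flip security.authorization in /etc/mongod.conf idempotently. The server address 10.128.0.5 is constructed, wheel is the user name from the post, and the password is assumed to arrive in the MONGO_ADMIN_PW environment variable.

```shell
#!/bin/sh
# Added example, not part of the original post. Creates the first admin user on a mongod
# that does not yet enforce authentication, then turns security.authorization on.
# Assumed/constructed: the server address 10.128.0.5, the user name wheel (from the post),
# and that the password is supplied in MONGO_ADMIN_PW rather than on a command line, where
# it would show up in ps output and in the shell history.

# Escape a value for use inside a double-quoted JavaScript string literal.
js_escape() {
  printf '%s' "$1" | sed 's/[\\"]/\\&/g'
}

# create_admin_user_js USER PASSWORD  -> mongo-shell script on stdout
create_admin_user_js() {
  user=$(js_escape "$1"); pw=$(js_escape "$2")
  cat <<EOF
db.getSiblingDB("admin").createUser({
  user: "$user",
  pwd: "$pw",
  roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
});
EOF
}

# create_admin_user HOST USER  -> runs the script against HOST; password from MONGO_ADMIN_PW
create_admin_user() {
  [ -n "$MONGO_ADMIN_PW" ] || { echo "set MONGO_ADMIN_PW first (e.g. read -s MONGO_ADMIN_PW in bash)" >&2; return 1; }
  # Fed over stdin, not --eval, so the password never becomes a process argument.
  create_admin_user_js "$2" "$MONGO_ADMIN_PW" | mongo --quiet --host "$1" admin
}

# authorization_enabled FILE  -> 0 if the file already has security.authorization: enabled
authorization_enabled() {
  grep -Eq '^[[:space:]]+authorization:[[:space:]]*enabled[[:space:]]*$' "$1"
}

# enable_authorization FILE  -> idempotently sets security.authorization: enabled
enable_authorization() {
  f="$1"; new="$f.tmp"
  if authorization_enabled "$f"; then
    return 0
  elif grep -Eq '^[[:space:]]+authorization:' "$f"; then
    # an existing (disabled) setting: flip it in place
    awk '/^[[:space:]]+authorization:/ { sub(/authorization:.*/, "authorization: enabled") } { print }' "$f" > "$new"
  elif grep -q '^security:' "$f"; then
    # a security stanza without the key: add it directly under the stanza
    awk '{ print } /^security:/ { print "  authorization: enabled" }' "$f" > "$new"
  else
    { cat "$f"; printf '\nsecurity:\n  authorization: enabled\n'; } > "$new"
  fi
  mv "$new" "$f"
}
```

Usage, in order: `read -s MONGO_ADMIN_PW; export MONGO_ADMIN_PW; create_admin_user 10.128.0.5 wheel`, then `sudo sh -c '. ./auth.sh; enable_authorization /etc/mongod.conf'` and `sudo service mongod restart`. From then on connect with `mongo --host 10.128.0.5 -u wheel -p --authenticationDatabase admin admin`, which prompts for the password rather than taking it on the command line.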
You should create more users as needed, with roles appropriate to their needs: an application account typically needs only readWrite (or read) on its own database, and nothing on admin. The MongoDB docs have more information; also see the list of built-in roles. The userAdminAnyDatabase role used above is one of them, and it is effectively a superuser role, since a user holding it can grant any role to any user, including itself, so keep that account for administration only.
You should also ensure that you communicate with MongoDB over TLS. Ideally, you’ll configure your MongoDB so that it requires TLS for all connections (in 3.4 that is net.ssl.mode: requireSSL, with the server’s certificate and private key in net.ssl.PEMKeyFile).
These MongoDB docs explain how to configure your MongoDB server for TLS.
Once you’ve done that, you’ll also want to learn how clients can connect to such servers.
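The server and client halves of that, as an added example in POSIX shell (not code from the original post or the MongoDB docs): check the certificate material, render the net.ssl stanza for /etc/mongod.conf, and build the mongo-shell command a client should use. The paths /etc/ssl/mongodb.pem (certificate and key concatenated, as 3.4 expects) and /etc/ssl/mongodb-ca.pem, and the server name db1.internal, are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post. Checks the certificate material for a
# MongoDB 3.4 server, renders the net.ssl stanza that makes it require TLS, and builds
# the matching mongo-shell command for a client.
# Assumed/constructed: the server's certificate and key concatenated in /etc/ssl/mongodb.pem
# (3.4 wants a single PEM file), the internal CA certificate in /etc/ssl/mongodb-ca.pem,
# and db1.internal as the name in the server certificate.

file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_pem_key_file FILE  -> 0 if FILE holds a certificate and a private key and is
# readable by its owner only; the key is the server's identity, so 0644 is a finding
check_pem_key_file() {
  f="$1"; rc=0
  [ -r "$f" ] || { echo "$f: not readable" >&2; return 1; }
  grep -q -- '-----BEGIN CERTIFICATE-----' "$f" || { echo "$f: no certificate" >&2; rc=1; }
  grep -Eq -- '-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$f" || { echo "$f: no private key" >&2; rc=1; }
  case "$(file_mode "$f")" in
    600|400) ;;
    *) echo "$f: mode $(file_mode "$f"), expected 600" >&2; rc=1 ;;
  esac
  return $rc
}

# render_ssl_stanza PEM_FILE  -> YAML to place under "net:" in /etc/mongod.conf
render_ssl_stanza() {
  pem="$1"
  check_pem_key_file "$pem" || return 1
  cat <<EOF
  ssl:
    mode: requireSSL
    PEMKeyFile: $pem
EOF
}

# mongo_tls_cmd HOST CA_FILE USER  -> the client command. With --sslCAFile the 3.4 shell
# verifies the server certificate against the CA and checks that HOST matches it, so
# HOST must be the name in the certificate, not the IP address.
mongo_tls_cmd() {
  [ -r "$2" ] || { echo "$2: CA file not readable" >&2; return 1; }
  printf 'mongo --ssl --sslCAFile %s --host %s -u %s -p --authenticationDatabase admin admin\n' "$2" "$1" "$3"
}
```

Usage: `render_ssl_stanza /etc/ssl/mongodb.pem` prints the lines to merge under the existing `net:` key (same indentation) in /etc/mongod.conf; restart mongod, then run the command printed by `mongo_tls_cmd db1.internal /etc/ssl/mongodb-ca.pem wheel`. Adding net.ssl.CAFile on the server side turns on validation of client certificates, so leave it out unless the application nodes are going to authenticate with certificates.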
Every MongoDB instance in production needs to be monitored. Using OpsDash, you can quickly start monitoring your MongoDB instances without having to install plugins or agents. OpsDash provides a well-thought-out dashboard that displays the metrics most relevant to the health and performance of the MongoDB instances being monitored.
You can find out more about monitoring MongoDB and MongoDB clusters here.
OpsDash is a server monitoring, service monitoring, and database monitoring solution for monitoring MySQL, PostgreSQL, MongoDB, memcache, Redis, Apache, Nginx, HTTP URLs, Elasticsearch and more. It provides intelligent, customizable dashboards and spam-free alerting via email, HipChat, Slack, PagerDuty and PushBullet.