Installing MongoDB in Ubuntu 12.04 and Securing

Installing MongoDB

What is MongoDB?

For the n00bs, you can get an introduction about MongoDB from this link.

Configure Package Management System (APT)

The Ubuntu package management tool (i.e. dpkg and apt) ensure package consistency and authenticity by requiring that distributors sign packages with GPG keys. Issue the following command to import the 10gen public GPG Key:

$ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv 7F0CEB10

Create a /etc/apt/sources.list.d/10gen.list file

$ sudo touch /etc/apt/sources.list.d/10gen.list

and include the following line for the 10gen repository.

echo "deb http://downloads-distro.mongodb.org/repo/ubuntu-upstart dist 10gen" >> /etc/apt/sources.list.d/10gen.list

Now reload your repository:

$ sudo apt-get update

Install Packages

$ sudo apt-get install mongodb-10gen

Configure MongoDB

Few very initial things to remember are:

  • Remove IP Binding from all to just the IP (private or localhost), you expect to get Connection Request
    # Only accept local connections
    bind_ip = 127.0.0.1
  • Change the default Port Bindings
    # Connecting port of mongodb
    port = 7171
  • Authentication for all users
    Creating MongoDB Users
    To adding a new user is fairly straight forward …
    Read/Write User

    $ mongo
    > use admin
    > db.addUser("admin", "@mm@123@m@+@rAn!")

    This creates a read/write user for the database admin (you can choose any username you wish.)
    Restart the mongo with --auth enabled.

    sudo mongod --auth --dbpath /var/lib/mongodb/ 

    User Authentication in MongoDB

    $ mongo localhost:7171/admin --username "admin" -password "@mm@123@m@+@rAn!"
  • Give only required permissions (like no update/delete permissions to select query users)

    Read Only User

    > db.addUser("monkey", "tinkerbelle", true)

    The “true” parameter there makes the user read only (great for parts of the application code that you want to make sure never accidentally preform a write operation.)

  • Removing all the default databases
    > show dbs
    admin 0.203125GB
    local (empty)
    test (empty)

    Databases test and local are defualt one’s. So we can drop all default databases.

    > use test;
    switched to db test
    > db.dropDatabase();
    { "dropped" : "test", "ok" : 1 }
    > use local;
    switched to db local
    > db.dropDatabase()
    { "dropped" : "local", "ok" : 1 }
  • Setup ssh keys for required master-slave connection, removing involvement of passwords
    In-order to tunnel a connection to a mongodb over ssh like so.

    $ ssh -L LOCAL_PORT_NO_TO_LISTEN:host_with_mongo_connection:MONGODB_REMOTE_PORT_NO user@IP_ADDRESS_OF_THE_BOX_WITH_MONGODB

    Thus, if the mongod is running on the server you have ssh access to, then the command would look like this:

    $ ssh -L LOCAL_PORT_NO_TO_LISTEN :localhost:MONGODB_REMOTE_PORT_NO user@ssh_and_mongo_box

     

  • You can even setup an encrypted tunnel (vpn) for connection between your application and mongodb

    Traffic to and from mongod Instances

    This pattern is applicable to all mongod instances running as standalone instances or as part of a replica set.

    The goal of this pattern is to explicitly allow traffic to the mongod instance from the application server. In the following examples, replace <ip-address> with the IP address of the application server:

    $ iptables -A INPUT -s <ip-address> -p tcp --destination-port MONGODB_PORT_NO -m state --state NEW,ESTABLISHED -j ACCEPT
    $ iptables -A OUTPUT -d <ip-address> -p tcp --source-port MONGODB_PORT_NO -m state --state ESTABLISHED -j ACCEPT

    The first rule allows all incoming traffic from <ip-address> on port 27017, which allows the application server to connect to the mongod instance. The second rule, allows outgoing traffic from the mongod to reach the application server.

    Optional: If you have only one application server, you can replace <ip-address> with either the IP address itself, such as: 10.23.33.3. You can also express this using CIDR notation as 10.23.33.3/32. If you want to permit a larger block of possible IP addresses (i.e while playing attack/defense type CTF as a team in a VPN) you can allow traffic from a /24 using one of the following specifications for the <ip-address>, as follows:

    10.23.33.3/24
    10.23.33.3/255.255.255.0

Sample secure config file of mongodb (/etc/mongodb.conf)

# mongodb.conf
# Where to store the data.
# Note: if you run mongodb as a non-root user (recommended) you may
# need to create and set permissions for this directory manually,
# e.g., if the parent directory isn't mutable by the mongodb user.
dbpath=/var/lib/mongodb
# Only accept local connections
bind_ip = 127.0.0.1
#where to log
logpath=/var/log/mongodb/mongodb.log
logappend=true
# Connecting port of mongodb
port = 7171
# Disables write-ahead journaling
# nojournal = true
# Enables periodic logging of CPU utilization and I/O wait
#cpu = true
# Turn on/off security. Off is currently the default
#noauth = true
auth = true
# Verbose logging output.
#verbose = true
# Inspect all client data for validity on receipt (useful for
# developing drivers)
#objcheck = true
# Enable db quota management
#quota = true
# Set oplogging level where n is
# 0=off (default)
# 1=W
# 2=R
# 3=both
# 7=W+some reads
#diaglog = 0
# Ignore query hints
#nohints = true
# Disable the HTTP interface (Defaults to localhost:28017).
nohttpinterface = true
# Turns off server-side scripting. This will result in greatly limited
# functionality
noscripting = true
# Turns off table scans. Any query that would do a table scan fails.
#notablescan = true
# Disable data file preallocation.
#noprealloc = true
# Specify .ns file size for new databases.
# nssize = <size>
# Accout token for Mongo monitoring server.
#mms-token = <token>
# Server name for Mongo monitoring server.
#mms-name = <server-name>
# Ping interval for Mongo monitoring server.
#mms-interval = <seconds>
# Replication Options
# in master/slave replicated mongo databases, specify here whether
# this is a slave or master
#slave = true
#source = master.example.com
# Slave only: specify a single database to replicate
#only = master.example.com
# or
#master = true
#source = slave.example.com
# in replica set configuration, specify the name of the replica set
# replSet = setname
Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s