MongoDB server can still be accessed without credentials


I have a fresh mongodb server (2.6.0) on my machine and I started the mongod instance with the following config file:

dbpath = c:\mongo\data\db
port = 27017
logpath = c:\mongo\data\logs\mongo.log
auth = true

Later, I connected to this mongod instance through mongo shell and created an admin user:

use admin
db.createUser(
  {
    user: "tugberk",
    pwd: "12345678",
    roles:
    [
      {
        role: "userAdminAnyDatabase",
        db: "admin"
      }
    ]
  }
)

Then, I logged out from the shell and reconnected with the following command:

mongo --host localhost --port 27017 -u tugberk -p 12345678 --authenticationDatabase admin

Then, I created a user with root access:

use admin
db.createUser(
    {
      user: "tugberkRoot",
      pwd: "12345678",
      roles: [ "root" ]
    }
)

The last step is not necessary here, but anonymous access should now have been fully disabled. However, I can still connect to it anonymously through the mongo shell (even if I don't have any access to do anything):

[screenshot: anonymous mongo shell session connecting to the server]

What should I do to prevent any anonymous connection?

asked Apr 30 '14 by tugberk

2 Answers

Authentication prevents you from performing actions on the database (as your screenshot shows, you can't even list databases); it doesn't prevent connections. After all, you have to be able to connect to be able to authenticate.

There is a feature request to add timeouts, but for now this is essentially how the server is meant to behave.

It's worth noting that up until you try to do something, this is really no different than just connecting to the port with telnet - the text displayed at the start "connecting to:" etc. is from the client, not the server. As soon as it tries to do anything unauthenticated, even list the server warnings, an error is thrown because it does not have sufficient permissions.

If you want to lock down things from a connection perspective, the only option from a MongoDB perspective is to restrict the IP addresses it listens on (default is all) using the bindIp option. Using 127.0.0.1 would lock it down to local usage for example (but you would then be unable to connect from a remote host), which makes replication an issue so be careful when choosing your bound address.

Outside MongoDB, you should look at locking things down from a firewall perspective. On Linux this would be IPTables, ufw, hosts.allow/deny or similar. Windows firewall is not my area of expertise, but I would imagine you can do similar there also.

answered Oct 30 '22 by Adam Comerford
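The point made in this answer can be verified without a driver. The following script is an added example (not part of the question or either answer): it opens a plain TCP connection, which succeeds on any reachable port regardless of the auth setting, sends an unauthenticated listDatabases command on the raw wire protocol, and classifies the reply. It assumes the server still accepts the legacy OP_QUERY opcode (MongoDB 2.6 through 5.0); a server that has dropped it answers differently, so the probe reports "unknown" or fails. Error code 13 is the server's "not authorized" code. The helper names (probe, classify, build_op_query and the BSON helpers) are mine, not MongoDB's.

```python
"""Probe whether a mongod enforces authentication using only socket and struct."""
import socket
import struct

OP_QUERY = 2004  # legacy opcode, assumed accepted (MongoDB 2.6 through 5.0)
OP_REPLY = 1
UNAUTHORIZED = 13  # server error code for "not authorized"

def bson_encode(doc):
    """Minimal BSON encoder for the types a command document or reply needs."""
    out = b""
    for key, value in doc.items():
        name = key.encode() + b"\x00"
        if isinstance(value, bool):  # checked before int: bool is an int subclass
            out += b"\x08" + name + (b"\x01" if value else b"\x00")
        elif isinstance(value, int):
            out += b"\x10" + name + struct.pack("<i", value)
        elif isinstance(value, float):
            out += b"\x01" + name + struct.pack("<d", value)
        elif isinstance(value, str):
            s = value.encode() + b"\x00"
            out += b"\x02" + name + struct.pack("<i", len(s)) + s
        elif isinstance(value, dict):
            out += b"\x03" + name + bson_encode(value)
        else:
            raise TypeError(f"unsupported type for {key!r}: {type(value).__name__}")
    return struct.pack("<i", len(out) + 5) + out + b"\x00"

def bson_decode(data, offset=0):
    """Minimal BSON decoder for the element types that appear in command replies."""
    end = offset + struct.unpack_from("<i", data, offset)[0] - 1  # the terminating 0x00
    pos, doc = offset + 4, {}
    while pos < end:
        etype, name_end = data[pos], data.index(b"\x00", pos + 1)
        key, pos = data[pos + 1:name_end].decode(), name_end + 1
        if etype == 0x01:  # double
            val, pos = struct.unpack_from("<d", data, pos)[0], pos + 8
        elif etype == 0x02:  # string; int32 length counts the trailing NUL
            slen = struct.unpack_from("<i", data, pos)[0]
            val, pos = data[pos + 4:pos + 3 + slen].decode(), pos + 4 + slen
        elif etype in (0x03, 0x04):  # embedded document / array
            sub = bson_decode(data, pos)
            val = list(sub.values()) if etype == 0x04 else sub
            pos += struct.unpack_from("<i", data, pos)[0]
        elif etype == 0x05:  # binary: int32 length, subtype byte, payload
            blen = struct.unpack_from("<i", data, pos)[0]
            val, pos = data[pos + 5:pos + 5 + blen], pos + 5 + blen
        elif etype == 0x08:  # boolean
            val, pos = bool(data[pos]), pos + 1
        elif etype == 0x10:  # int32
            val, pos = struct.unpack_from("<i", data, pos)[0], pos + 4
        elif etype in (0x11, 0x12):  # timestamp / int64, both 8 bytes
            val, pos = struct.unpack_from("<q", data, pos)[0], pos + 8
        else:
            raise ValueError(f"unsupported BSON type 0x{etype:02x} for {key!r}")
        doc[key] = val
    return doc

def build_op_query(request_id, collection, query):
    """OP_QUERY body: flags, full collection name, numberToSkip, numberToReturn, query."""
    body = (struct.pack("<i", 0) + collection.encode() + b"\x00"
            + struct.pack("<ii", 0, -1) + bson_encode(query))
    return struct.pack("<iiii", 16 + len(body), request_id, 0, OP_QUERY) + body

def build_op_reply(response_to, docs):
    """OP_REPLY as a server sends it; used here to construct sample replies offline."""
    body = struct.pack("<iqii", 0, 0, 0, len(docs)) + b"".join(bson_encode(d) for d in docs)
    return struct.pack("<iiii", 16 + len(body), 0, response_to, OP_REPLY) + body

def parse_op_reply(msg):
    # Header is 16 bytes, reply fields (flags, cursorID, startingFrom, numberReturned) 20
    if struct.unpack_from("<i", msg, 12)[0] != OP_REPLY:
        raise ValueError("not an OP_REPLY message")
    docs, pos = [], 36
    for _ in range(struct.unpack_from("<i", msg, 32)[0]):  # numberReturned
        docs.append(bson_decode(msg, pos))
        pos += struct.unpack_from("<i", msg, pos)[0]
    return docs

def classify(reply):
    """'open' if anonymous listDatabases succeeded, 'auth-enforced' if it was refused."""
    if reply.get("ok") == 1 and "databases" in reply:
        return "open"
    if reply.get("code") == UNAUTHORIZED or "not authorized" in str(reply.get("errmsg", "")):
        return "auth-enforced"
    return "unknown"

def probe(host="127.0.0.1", port=27017, timeout=3.0):
    """Connect with no credentials and send listDatabases to admin.$cmd."""
    with socket.create_connection((host, port), timeout=timeout) as sock, sock.makefile("rb") as rf:
        sock.sendall(build_op_query(1, "admin.$cmd", {"listDatabases": 1}))
        head = rf.read(4)  # messageLength is the first header field
        msg = head + rf.read(struct.unpack("<i", head)[0] - 4)
    docs = parse_op_reply(msg)
    return classify(docs[0]) if docs else "unknown"

if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"))
```

Run it as `python probe.py <host>`: against the question's setup it prints `auth-enforced`, which is the correct outcome; the connection itself is never refused, only the command. The `build_op_reply` helper exists so the parser and classifier can be exercised against a constructed reply without a live server.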


You can also protect your databases by enabling authentication in the security section of the mongo.conf file, like this:

security:
  authorization: enabled

answered Oct 30 '22 by viral gandhi
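For reference, here is an added example (not from the question or either answer) of the question's ini-style settings rewritten in the YAML configuration format introduced with 2.6, combining the two controls this page names: `security.authorization`, which is the equivalent of `auth = true` from the first answer's point of view (connections are still accepted, commands are refused), and `net.bindIp` from the first answer, which is the only server-side option that stops the TCP connection itself. The paths and port are the question's; the extra address in the bindIp comment is a hypothetical replica-set member address.

```yaml
# mongod.conf (YAML format, MongoDB 2.6+)
systemLog:
  destination: file
  path: c:\mongo\data\logs\mongo.log
storage:
  dbPath: c:\mongo\data\db
net:
  port: 27017
  # Listen only on loopback: a remote client cannot even open the connection.
  # Replica-set members must reach each other, so a member needs a routable
  # address as well, e.g. "bindIp: 127.0.0.1,10.0.0.5" (hypothetical address).
  bindIp: 127.0.0.1
security:
  # Same effect as "auth = true": anonymous connections still succeed, but every
  # command except the connection handshake fails with "not authorized".
  authorization: enabled
```

Anything beyond that (which hosts may reach the port at all) belongs to the host firewall, as the first answer says; bindIp only controls which local interfaces mongod listens on.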