MongoDB server can still be accessed without credentials

Question

I have a fresh mongodb server (2.6.0) in my machine and I started the mongod instance with the following config file:

dbpath = c:\mongo\data\db
port = 27017
logpath = c:\mongo\data\logs\mongo.log
auth = true

Later, I connected to this mongod instance through mongo shell and created an admin user:

use admin
db.createUser(
  {
    user: "tugberk",
    pwd: "12345678",
    roles:
    [
      {
        role: "userAdminAnyDatabase",
        db: "admin"
      }
    ]
  }
)

Then, I logged out from the shell and reconnect with the following command:

mongo --host localhost --port 27017 -u tugberk -p 12345678 --authenticationDatabase admin

Then, I created a user with root access:

use admin
db.createUser(
    {
      user: "tugberkRoot",
      pwd: "12345678",
      roles: [ "root" ]
    }
)

The last step is not necessary here but the anonymous access now should have been fully disabled. However, I can still connect to it anonymously through mongo shell (even if I don't have any access to do anything):

What should I do to prevent any anonymous connection?

Answer 1

Authentication prevents you from performing actions on the database (as your screenshot shows - you can't even list databases), it doesn't prevent connections - after all, you have to be able to connect to be able to authenticate.

There is a feature request to add timeouts, but for now this is essentially how the server is meant to behave.

It's worth noting that up until you try to do something, this is really no different than just connecting to the port with telnet - the text displayed at the start "connecting to:" etc. is from the client, not the server. As soon as it tries to do anything unauthenticated, even list the server warnings, an error is thrown because it does not have sufficient permissions.

If you want to lock down things from a connection perspective, the only option from a MongoDB perspective is to restrict the IP addresses it listens on (default is all) using the bindIp option. Using 127.0.0.1 would lock it down to local usage for example (but you would then be unable to connect from a remote host), which makes replication an issue so be careful when choosing your bound address.

Outside MongoDB, you should look at locking things down from a firewall perspective. On Linux this would be IPTables, ufw, hosts.allow/deny or similar. Windows firewall is not my area of expertise, but I would imagine you can do similar there also.

Answer 2

Although you can protect your databases by enabling authentication in security section of the mongo.conf file like this:

security:
  authorization: enabled