In recent times, there has been a lot of ransom hacks on unsecured mongodb servers. Many have been victims of this hack due to unsecure setup of mongodb or ignoring few details while setup.
Even after setting up with secure authenticated settings on server, few of them have been hacked while upgrading or re-installation in a matter of seconds due to the automated scripts setup by hackers.
More on mongodb ransom hack — https://nakedsecurity.sophos.com/2017/01/11/thousands-of-mongodb-databases-compromised-and-held-to-ransom/
Let’s get secured
To solve these issues, me and my friend Prady has come up with a easy and scalable setup of mongodb using Docker. We have done this setup on a Virtual Private Server(VPS) running Ubuntu 14.04 on Digital Ocean.
To start with, we need to create a directory on our server, where our database actually resides. i.e. the physical location for our database
Let’s assume that our application name is “Sample” and name our containers, database and spaces appropriately.
mkdir ~/sample_db
Creating mongodb container at a port of ur choice.
As we all know, 27017 is the default port for mongodb. Let’s make it less obvious by creating our mongodb container on a custom port.
sudo docker run -d -p YOUR_PORT:27017 -v ~/sample_db:/data/db mongo
List all docker containers
sudo docker ps
You can name your docker container to easily remember based on application_name or something of ur choice. When we don’t do that — docker assigns something random like “thirsty_roentgen”
Rename the docker container
sudo docker rename thirsty_roentgen sampledb
We created a docker container, but no authentication on it. Without authentication, mongodb container created can be accessed only thru local i.e. when you tunnel into your server using ssh credentials
To expose this to outside world, you need to create mongodb container with authentication enabled
Since you are already running a container, simply adding — auth
docker run — name sampledb -d mongo — auth
will result in an error as follows
The container name “/sampledb” is already in use by container a2ddcec52f17d95ba067ab4e4e52621b74f762a3a2e2024e1a7852d592192b5c. You have to remove (or rename) that container to be able to reuse that name..
We need to stop the current mongodb instance and remove it and recreate with authentication enabled
docker stop sampledbdocker rm sampledb
Creating mongodb container with name sampledb and authentication enabled ( — auth)
sudo docker run -d — name sampledb -p 29019:27017 -v ~/sample_db:/data/db mongo — auth
List the containers
sudo docker ps
Run the mongodb instance with admin database
docker exec -it sampledb mongo admin
Enters mongodb shell — now create admin user
creating admin user for mongodb server
db.createUser({ user: ‘sample_admin’, pwd: ‘p@ssword’, roles: [ { role: “userAdminAnyDatabase”, db: “admin” } ] });
Running mongodb with specified user and password
docker exec -it sampledb mongo -u sample_admin -p p@ssword — authenticationDatabase admin
enters mongodb shell
creating required database
use mydatabase
creating admin APP user for db security
db.createUser({ user: ‘mydb_admin’, pwd: ‘myp@ss’, roles: [“readWrite”, “dbAdmin”] });
and then create your required collections
In the next series, we’ll let you know how to connect to this secured setting of mongodb using robomongo.