
Remote Access Restrictions to Secure MongoDB


         
In this tutorial we explain how to restrict remote connections to a MongoDB server for security reasons. Which network interfaces mongod listens on is controlled by the bind address setting in the MongoDB configuration file "/etc/mongod.conf": "bind_ip" in the legacy key=value format, or "bindIp" under the "net:" section in the YAML format used from MongoDB 2.6 onward.

If no bind address is set, a MongoDB release before 3.6 listens on every interface of the host, so any MongoDB client that can reach the host on port 27017 can connect to the server. From 3.6 onward the compiled-in default is localhost only, but older installations and hand-written configuration files frequently still leave it open.

Note that the bind address only limits which local addresses mongod listens on; it cannot tell one remote client from another once it is bound to a reachable address. Restricting clients by source IP needs a host firewall, which is covered in the iptables section below.

It is highly recommended to restrict this connectivity, because an internet-reachable mongod accepts connection attempts from anyone who finds it.

How to Restrict:

We can restrict remote connections to MongoDB according to our requirements. We have divided this configuration into two types.

Type1:-
If you want to block all remote connections to MongoDB, bind the server to the loopback address only. Edit the configuration file and set the bind address to 127.0.0.1 (legacy format: `bind_ip = 127.0.0.1`; YAML format: `bindIp: 127.0.0.1` under `net:`), then restart the service and confirm the listening socket.

# vi /etc/mongod.conf

# service mongod restart

# netstat -tulpn|grep "mongo"
The netstat output should show a single mongod socket in state LISTEN with local address 127.0.0.1:27017, which means the server can only be reached from the local host.
 
Type2:-
If you want to allow only particular client IPs and block all others, first bind mongod to an address those clients can reach. Set the bind address to `0.0.0.0` to listen on every interface, or to a comma-separated list such as `127.0.0.1,10.0.0.2` naming the loopback and the server's own interface address. Then restart and check:

# vi /etc/mongod.conf
# service mongod restart
# netstat -tulpn|grep "mongo"
The netstat output now shows mongod listening on 0.0.0.0:27017 (or on the listed address), which means every client that can reach that address is accepted. The bind address cannot distinguish between clients, so the allow-list has to be enforced with firewall rules.
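The two types above differ only in what mongod ends up listening on, and the original screenshots are not available, so here is a small shell script, added as an example and not part of the original post, that classifies the bind state from the text of mongod.conf and from a netstat line. The configuration texts and the netstat lines inside it are constructed samples, the function names are my own, and it handles both the legacy `bind_ip =` form and the YAML `bindIp:` form.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): determine how mongod is bound
# from (a) the text of mongod.conf and (b) a `netstat -tulpn` line, so the
# Type1 (localhost only) and Type2 (all interfaces) states can be checked.
# All inputs below are constructed samples embedded in the script; nothing
# is read from a live host.

# mongo_bind_from_conf CONF_TEXT
# Prints the configured bind address list, handling both the legacy
# "bind_ip = ..." syntax and the YAML "bindIp: ..." syntax (commented-out
# lines are ignored). Prints "unset" when neither key is present.
mongo_bind_from_conf() {
    local conf="$1" value
    value=$(printf '%s\n' "$conf" | sed -n -E \
        -e 's/^[[:space:]]*bind_ip[[:space:]]*=[[:space:]]*//p' \
        -e 's/^[[:space:]]*bindIp:[[:space:]]*//p' \
        | head -n 1 | tr -d "[:space:]\"'")
    printf '%s\n' "${value:-unset}"
}

# classify_bind ADDR_LIST
# Maps a comma-separated bind list to one of:
#   localhost-only  every address is loopback (Type1)
#   all-interfaces  0.0.0.0 or :: is present (Type2, needs a firewall)
#   specific        only particular interface addresses are listed
#   unset           no bind address configured (all interfaces before 3.6)
classify_bind() {
    local list="$1" addr result="localhost-only"
    if [ "$list" = "unset" ]; then
        echo unset
        return
    fi
    local IFS=,
    for addr in $list; do
        case "$addr" in
            0.0.0.0|::|'*') echo all-interfaces; return ;;
            127.0.0.1|::1|localhost) ;;
            *) result=specific ;;
        esac
    done
    echo "$result"
}

# mongo_bind_from_netstat NETSTAT_TEXT
# Prints the local address:port of every LISTEN socket owned by mongod,
# i.e. what `netstat -tulpn | grep mongo` actually tells you.
mongo_bind_from_netstat() {
    printf '%s\n' "$1" | awk '/LISTEN/ && /mongod/ { print $4 }'
}

# --- constructed sample inputs ---------------------------------------------
CONF_LOCAL='# YAML mongod.conf, Type1: loopback only
storage:
  dbPath: /var/lib/mongo
net:
  port: 27017
  bindIp: 127.0.0.1'

CONF_OPEN='# legacy mongod.conf, Type2: every interface
dbpath=/var/lib/mongo
logpath=/var/log/mongodb/mongod.log
bind_ip = 0.0.0.0'

CONF_UNSET='# legacy mongod.conf with the bind line commented out
dbpath=/var/lib/mongo
# bind_ip = 127.0.0.1'

NETSTAT_LOCAL='tcp        0      0 127.0.0.1:27017         0.0.0.0:*               LISTEN      1234/mongod'
NETSTAT_OPEN='tcp        0      0 0.0.0.0:27017           0.0.0.0:*               LISTEN      1234/mongod'

for conf in "$CONF_LOCAL" "$CONF_OPEN" "$CONF_UNSET"; do
    bind=$(mongo_bind_from_conf "$conf")
    printf 'config bind=%-10s -> %s\n' "$bind" "$(classify_bind "$bind")"
done
printf 'netstat Type1 -> %s\n' "$(mongo_bind_from_netstat "$NETSTAT_LOCAL")"
printf 'netstat Type2 -> %s\n' "$(mongo_bind_from_netstat "$NETSTAT_OPEN")"
```

On a real host, feed it the live data instead of the samples: `classify_bind "$(mongo_bind_from_conf "$(cat /etc/mongod.conf)")"` and `mongo_bind_from_netstat "$(netstat -tulpn)"` (run as root so netstat can show the process name). A result of `all-interfaces`, `specific` or `unset` on a pre-3.6 server means the firewall rules in the next section are required.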

MongoDB Firewall Rules:

Now we need to block every source IP except the required client IPs. The bind address cannot do this, since it only selects local interfaces, so we use iptables rules on the database host.
 
1) Allow required ips for mongo connection:-
iptables -A INPUT -s X.X.X.X -p tcp --destination-port 27017 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -d X.X.X.X -p tcp --source-port 27017 -m state --state ESTABLISHED -j ACCEPT

Note: Replace X.X.X.X with a trusted host IP, repeating the pair of rules for each trusted host, and replace port number "27017" if your mongo is not running on the default port. Because -A appends to the end of the chain, these ACCEPT rules are never reached if the chain already ends in a catch-all REJECT or DROP (the stock CentOS 6 ruleset ends with `-j REJECT --reject-with icmp-host-prohibited`); in that case insert them above it with `iptables -I INPUT <position> ...` instead, using the positions from `iptables -L INPUT --line-numbers`. The OUTPUT rules only matter if your OUTPUT chain policy is DROP; with the default ACCEPT policy they are redundant but harmless.
 
2) Drop all other ips for mongo connection:-
iptables -A INPUT -p tcp --destination-port 27017 -m state --state NEW,ESTABLISHED -j DROP
iptables -A OUTPUT -p tcp --source-port 27017 -m state --state ESTABLISHED -j DROP
# service iptables save
# service iptables restart

These rules must come after the ACCEPT rules from step 1, because iptables evaluates a chain top to bottom and the first matching terminating rule wins. `service iptables save` writes the running rules to /etc/sysconfig/iptables (CentOS/RHEL 6) so they survive a reboot, and `iptables -S INPUT` shows the final order. Before closing your session, confirm that a trusted host can still connect with the mongo shell and that an untrusted host times out on port 27017.
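Added example, not from the original post: a shell script that prints the allow-list rules for a list of trusted IPs in the order they have to be appended, and checks from `iptables -S INPUT` output whether the port-27017 ACCEPT rules are actually reachable, which they are not when the chain already ends in a catch-all REJECT as the stock CentOS 6 ruleset does. The two `iptables -S` listings inside it are constructed samples, the function names are my own, and the script prints rules rather than applying them. It uses `--dport`/`--sport`, the short forms of `--destination-port`/`--source-port` shown above.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): generate the iptables allow-list
# for the mongod port in the order it must be appended, and check from
# `iptables -S INPUT` output that the ACCEPT rules are actually reachable.
# Rules are printed, not applied, and the `iptables -S` text below is a
# constructed sample, so this runs offline on any host.

# mongo_rules PORT TRUSTED_IP...
# Prints one INPUT/OUTPUT ACCEPT pair per trusted IP followed by the
# catch-all DROP for the port, i.e. steps 1 and 2 of the post in one list.
mongo_rules() {
    local port="$1" ip
    shift
    for ip in "$@"; do
        printf 'iptables -A INPUT -s %s -p tcp --dport %s -m state --state NEW,ESTABLISHED -j ACCEPT\n' "$ip" "$port"
        printf 'iptables -A OUTPUT -d %s -p tcp --sport %s -m state --state ESTABLISHED -j ACCEPT\n' "$ip" "$port"
    done
    # Appended last so it is evaluated only after every ACCEPT above.
    printf 'iptables -A INPUT -p tcp --dport %s -m state --state NEW,ESTABLISHED -j DROP\n' "$port"
}

# mongo_accept_reachable PORT RULES_TEXT
# RULES_TEXT is the output of `iptables -S INPUT`. Returns 0 when the
# allow-list works: at least one ACCEPT for PORT exists, and every such
# ACCEPT comes before both the port's own DROP rule and the first
# unconditional REJECT/DROP (a rule with no -s, -d, -i or --dport match),
# such as the stock CentOS 6 "-j REJECT --reject-with icmp-host-prohibited".
mongo_accept_reachable() {
    local port="$1" rules="$2"
    printf '%s\n' "$rules" | awk -v port="$port" '
        /^-A INPUT/ { n++ }
        /^-A INPUT/ && $0 ~ ("--dport " port "( |$)") && /-j ACCEPT/ { last_accept = n }
        /^-A INPUT/ && $0 ~ ("--dport " port "( |$)") && /-j DROP/ && !port_drop { port_drop = n }
        /^-A INPUT/ && /-j (REJECT|DROP)/ && !/--dport/ && !/ -s / && !/ -d / && !/ -i / && !catchall { catchall = n }
        END {
            if (!last_accept) exit 1
            if (port_drop && last_accept > port_drop) exit 1
            if (catchall && last_accept > catchall) exit 1
            exit 0
        }'
}

# --- constructed `iptables -S INPUT` samples --------------------------------
# Broken: the rules were appended (-A) on a host whose chain already ended in
# the stock catch-all REJECT, so the ACCEPT is never reached and the trusted
# client is refused along with everyone else.
IPTABLES_BROKEN='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -s 10.0.0.5/32 -p tcp -m tcp --dport 27017 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 27017 -m state --state NEW,ESTABLISHED -j DROP'

# Fixed: the same rules inserted (-I INPUT 5) above the catch-all REJECT.
IPTABLES_FIXED='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -s 10.0.0.5/32 -p tcp -m tcp --dport 27017 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 27017 -m state --state NEW,ESTABLISHED -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

report() {
    if mongo_accept_reachable 27017 "$2"; then
        echo "$1: allow-list for 27017 is reachable"
    else
        echo "$1: ACCEPT for 27017 is shadowed; insert with -I INPUT <pos> above the catch-all"
    fi
}

echo "rules to append for trusted clients 10.0.0.5 and 10.0.0.6:"
mongo_rules 27017 10.0.0.5 10.0.0.6
report BROKEN "$IPTABLES_BROKEN"
report FIXED "$IPTABLES_FIXED"
```

On the database host, run the check against the live chain as root with `mongo_accept_reachable 27017 "$(iptables -S INPUT)"` before `service iptables save`; if it fails, the ACCEPT rules are shadowed and should be re-added with `iptables -I INPUT <position>` above the catch-all rule rather than appended.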

Conclusion:

We can follow the described operations as information-security controls to protect our mongo databases against compromise of their confidentiality and integrity. It is highly recommended to restrict remote connectivity of MongoDB to avoid unwanted mongo connections; the network restriction complements, and does not replace, enabling authentication on the server itself.

I hope this post is helpful to you. I will surely come up with some more related posts.
