I have mongo db install on ec2 server and auth= true is turned on /etc/mongodb.conf but still any one can connect from remote using
mongo ipaddress. So how to revoke this access and permit user via authentication only.
You have to configure users specifically to handle authentication. There is no authentication as such like mysql. Access mongo console and configure users, add those credentials to your application which should connect to mongodb server. Follow the below steps in mongo console.
use admin
db.addUser("username", "Password")
use another_database_name
db.addUser("project1", "Password")
Restart mongodb instance with authentication enabled.
mongod --auth --config /etc/mongodb/mongodb.conf
Related
After initially installing mongodb and running mongod with security.authorization: enabled option, how do I authenticate myself?
I need to access Mongo Shell to create root account, but it requires authentication...
According to this guide you should
first create an admin account
enable authorization and restart mongo instance
When you run mongod with authorization: enabled it will ask for a password, unless you're connecting from the localhost, in which case you'll be able to connect and create users.
This is known as the localhost exception, and it's the way they allow you to create a root or better off a userAdmin on the database. It won't ask you for a pwd.
You can of course, launch mongod without autorization: enabled, create the user, and re-launch. I find the previous approach far more practical than this.
You can simply run the mongo shell and it will run on localhost port 27017 by default.
Connection URL: mongodb://localhost:27017/your-project
That will allow you to create root account without any password.
You can take help of this article,
and also the official MongoDB security options configuration.
I already setup mongod with authentication but forget to expose port 27017 to public but I don't understand why attacker can drop my database?
*** Updated, issued has been resolved, I forgot to re-enable auth after change something on config files and attacker random scripting execute drop database command on server which not enable auth.
Server Information:
MongoDB Server 4.0.3 on Ubuntu 16.04.5
You need to disable the remote access to your MongoDB.
In mongo conf file, setting bind_ip you can restrict.
Refer this link : http://wptrafficanalyzer.in/blog/enabling-and-disabling-remote-access-to-a-mongodb-server/
In your case, it might be accessible to remote users using mongoclient.
I'm looking for a way to configure MongoDB to use Linux PAM to manage user passwords. This way when a user changes their password, it doesn't have to be manually updated in Mongodb.
Searching for help for this online only returns one result which is a blog article that mentions this is possible but doesn't describe how this is done.
The official documentation skips over setting up PAM and talks about LDAP.
How can I configure Mongodb to authenticate db users via Linux PAM?
Unfortunately, MongoDB authentication using PAM Linux seems to be configurable only in MongoDB Enterprise Edition.
This is because PAM Authentication requires PLAIN Authentication Mechanism, available only in MongoDB Enterprise Edition as mentionned in the documentation:
PLAIN (LDAP SASL) External authentication using LDAP. You can also use PLAIN for authenticating in-database users. PLAIN transmits passwords in plain text. This mechanism is available only in MongoDB Enterprise.
BTW, in MongoDB Enterprise Edition, you can enable PAM Authentication using the following (tested on Debian Stretch):
Install saslauthd
apt-get install sasl2-bin
vi /etc/default/saslauthd
START=yes
/etc/init.d/saslauthd restart
At this step you may test your sasl configuration with ("myuser" is your unix user):
testsaslauthd -u <myuser> -p <SecretPassword>
This should output a success message:
0: OK "Success."
Create a MongoDB user "myuser"
Replace "myuser" with the user with whom you want to authenticate.
mongo admin
db.getSiblingDB("$external").createUser(
{
user : "myuser",
roles: [ { role: "read", db: "mydb" } ]
}
)
Configure MongoDB to enable PLAIN Authentication Mechanism
vi /etc/mongod.conf
security:
authorization: enabled
setParameter:
authenticationMechanisms: PLAIN,MONGODB-X509,SCRAM-SHA-1,SCRAM-SHA-256
You should add the (Linux) mongodb user to the sasl group (this makes sure that MongoDB has the permission to access saslauthd)
adduser mongodb sasl
Restart mongod
systemctl restart mongod.service
Connect to MongoDB
Now, on MongoDB Enterprise, you should be able to authenticate using your linux username/pwd:
mongo --authenticationMechanism=PLAIN --authenticationDatabase='$external' -u myuser mydb
MongoDB shell version v4.0.7
connecting to: mongodb://127.0.0.1:27017/mydb?authMechanism=PLAIN&authSource=%24external&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("********-****-****-****-************") }
MongoDB server version: 4.0.7
MongoDB Enterprise >
On MongoDB Community Edition, it sadly fails with an "Unsupported mechanism" error:
MongoDB shell version v4.0.7
connecting to: mongodb://127.0.0.1:27017/mydb?authMechanism=PLAIN&authSource=%24external&gssapiServiceName=mongodb
2019-03-25T18:26:51.307+0100 E QUERY [js] Error: Unsupported mechanism 'PLAIN' on authentication database '$external' :
connect#src/mongo/shell/mongo.js:343:13
#(connect):3:6
exception: connect failed
Just upgraded from Debian8 to Debian9. My MongoDB instance was upgraded as well (2.4 -> 3.2). Authentication is enabled.
In 2.4 when logging from localhost you could simply connect via mongo and was granted administrative privileges:
mongo
After doing some research it seems to me that in 3.2 you MUST login via some user/password combination even from localhost. But that seems awfully inconvenient.
mongo localhost/admin -u superAdminUser -p
So my question is whether that is really true and you do need to always use user/password combination? Or maybe I missed something and logging as superuser from localhost is still possible with no user/password?
if you start Mongodb by the following command , you will need to insert user name and password
mongod --dbpath /var/lib/mongo/ --auth &
also check /etc/mongod.conf file , you can enable/disable authentication .
security.authorization : enabled
As I know there is no way to disable authentication on local host only .
you can disable/enable authentication for all hosts which want to connect to Database
On the Server
I have the Mongod instance running on my server.
I created a User on admin, using which I created a user with readWrite role on the database that I wanted to access.
Updated the mongo /etc/mongod.conf file:
commented out the bind ip
uncommented auth=yes
Restarted Mongod using sudo service mongod restart
On the Client:
The db.auth(user,pass) command works fine on the remote server, but shows auth failure on the client (my home system).
I made sure that I was using the correct database with the use myDb command.
PS. I am able to connect to the mongo server using the mongo xx.xx.xx.xx:27017 command. But unable to Authenticate.
Please help. Mongo v3.0.3.