MongoDB server can still be accessed without credentials - mongodb

I have a fresh mongodb server (2.6.0) in my machine and I started the mongod instance with the following config file:
dbpath = c:\mongo\data\db
port = 27017
logpath = c:\mongo\data\logs\mongo.log
auth = true
Later, I connected to this mongod instance through mongo shell and created an admin user:
use admin
db.createUser(
{
user: "tugberk",
pwd: "12345678",
roles:
[
{
role: "userAdminAnyDatabase",
db: "admin"
}
]
}
)
Then, I logged out from the shell and reconnect with the following command:
mongo --host localhost --port 27017 -u tugberk -p 12345678 --authenticationDatabase admin
Then, I created a user with root access:
use admin
db.createUser(
{
user: "tugberkRoot",
pwd: "12345678",
roles: [ "root" ]
}
)
The last step is not necessary here but the anonymous access now should have been fully disabled. However, I can still connect to it anonymously through mongo shell (even if I don't have any access to do anything):
What should I do to prevent any anonymous connection?

Authentication prevents you from performing actions on the database (as your screenshot shows - you can't even list databases), it doesn't prevent connections - after all, you have to be able to connect to be able to authenticate.
There is a feature request to add timeouts, but for now this is essentially how the server is meant to behave.
It's worth noting that up until you try to do something, this is really no different than just connecting to the port with telnet - the text displayed at the start "connecting to:" etc. is from the client, not the server. As soon as it tries to do anything unauthenticated, even list the server warnings, an error is thrown because it does not have sufficient permissions.
If you want to lock down things from a connection perspective, the only option from a MongoDB perspective is to restrict the IP addresses it listens on (default is all) using the bindIp option. Using 127.0.0.1 would lock it down to local usage for example (but you would then be unable to connect from a remote host), which makes replication an issue so be careful when choosing your bound address.
Outside MongoDB, you should look at locking things down from a firewall perspective. On Linux this would be IPTables, ufw, hosts.allow/deny or similar. Windows firewall is not my area of expertise, but I would imagine you can do similar there also.

Although you can protect your databases by enabling authentication in security section of the mongo.conf file like this:
security:
authorization: enabled

Related

Reset mongodb root password

I have forgot my mongodb root user password for the shared cluster of 3 nodes. I have gone through stack overflow for the same issue but was unable to replicate due to different configuration. Below is my configuration
mongodb version 4.4.
replication on 3 servers(nodes) using keyfile authentication.
all nodes are running in docker containers.
In case useful, I have other credentials that were created through root user for backup and read write permission but they dont have access to admin database.
Please guide me if you have any solution. thanks
unable to find anything to try
The official way of doing this is:
Restart the MongoDB without authorization, i.e. mongod --noauth ... or via configuration file
security:
authorization: disabled
Then you can logon without password and change credentials of the root user.
Attention: while the MongoDB is running without authorization, every user connects with root privileges, so you better restart the MongoDB in maintenance mode, i.e.
net:
bindIp: localhost
port: 55555
#replication:
# replSetName: shardA
#sharding:
# clusterRole: shardsvr
setParameter:
skipShardingConfigurationChecks: true
disableLogicalSessionCacheRefresh: true
Then you can connect only from localhost using port 55555 (which is not configured by other cluster members nor known by other users)
You need to do this only on the configuration server, because user accounts are stored there, not on the shards or mongos members.
However, there is a much simpler way to achieve the same, use the keyfile for authentication:
mongosh --authenticationDatabase local -u __system -p "$(tr -d '\011-\015\040' < /path/to/keyfile)"

How to enable password authentication for remote connection and disable it for local for MongoDB?

How do I enable user:password authentication for remote connections and disable it for everything that comes from localhost? I have prod running locally and I really don't want to enable any user or password authentication but I want to be able to connect to my DB remotely to manage data on prod.
How do I enable user:password authentication for remote connections and disable it for everything that comes from localhost?
MongoDB does not support such an arrangement.
If you enable authentication in your deployment, all connections must authenticate.
You have two things to do
1- Allow remote connection to you server by setting a firewall rule.
For instance, if you are using Linux, this could be done with
sudo ufw allow from REMOTE_MACHINE_IP_HERE to any port 27017
Don't forget to reload firewall after that
2- Edit mongod.conf to set the IP of the interface you want to allow connection on.
This would mean you should not allow localhot or 127.0.0.1 on this configuration
Inside mongo.conf, do this
# network interfaces
net:
port: 27017
bindIp: mongodb_server_ip_here
Restart mongodb server and you're good to go
In version >= 3.6 you can add additional restrictions from inside the mongodb instance per user as follow:
use admin
db.createUser(
{
user: "restricted",
pwd: "password",
roles: [ { role: "readWrite", db: "reporting" } ],
authenticationRestrictions: [ {
clientSource: ["40.0.0.0","12.0.0.0"],
serverAddress: ["120.0.0.0"]
} ]
}
)
Additionally it is highly recommended beside the authentication , authorisation and layer 3 firewall restrictions to enable transport encryption to prevent possible attempts of traffic sniffing ...
But from what I see in your question , if you want to access remotely without user/passwords you may just create ssh tunnel and reditect the local server mongo port to be accessed remotely in the client machine and also define firewall rule so the local server port to not be accessed from the server. This link here seems to answer in details on how you can create ssh tunel to access your mongodb remote server:
Sync MongoDB Via ssh
You can create the tunnel simply with the command:
ssh -L27018:CLIENT1:27017 SERVER1
And access to the mongodb server locally from the CLIENT as follow:
mongo --port 27018

How to configure MongoDB to be able to connect using username and password?

I've a VMWare VM with Ubuntu 16.04.5 and just installed MongoDb 3.6 (not the latest, but it matches production environment)
Inside remote shell, I can run mongo and so my mongod service is working.
This is parts of /etc/mongod.conf file about auth
# network interfaces
net:
port: 27017
bindIp: 127.0.0.1, 192.168.1.50
security:
suthorization: enabled
I created this user into the db admin
> use admin
switched to db admin
> show users
{
"_id" : "admin.realtebo",
"user" : "realtebo",
"db" : "admin",
"roles" : [
{
"role" : "userAdminAnyDatabase",
"db" : "admin"
}
]
}
Then I restarted mongod service.
The problem
I cannot no more access using mongo shell client, it refuses my connection
mongo -u realtebo -p passsword_i_setup_for_user_realtebo
MongoDB shell version v3.6.9
connecting to: mongodb://127.0.0.1:27017
2019-01-16T09:06:51.416+0100 W NETWORK [thread1]
Failed to connect to 127.0.0.1:27017,
in(checking socket for error after poll), reason: Connection refused
2019-01-16T09:06:51.416+0100 E QUERY [thread1]
Error: couldn't connect to server 127.0.0.1:27017,
connection attempt failed :
connect#src/mongo/shell/mongo.js:257:13
#(connect):1:6
exception: connect failed
Important notes
Sure, removing authorization: true and restarting, I can access again, so the daeom in running well, but I'd like to learn the right way: using user and password is the minimum
I verified that this exact user/password combo is working developing a little nodejs app that works using these credentials, and fails without using them, so password is right
I tried to remove auth and verified that "Studio 3T" (a mongodb client) on Windows host can succesfully access MongoDb on the guest, so there are no port/firewalls/other problems with the VM
Othe tries
Failed specifying the auth db, admin as you can see some lines above here.
mongo -u realtebo -p passsword_i_setup_for_user_realtebo --authenticationDatabase admin
Simple questions, I hope
What's the right way to create something like a superuser with user and password in mongodb? And then which 'method' must I use from win client and from linux shell client to access it?
I know that I then must create another user, a readWrite I suppose, for a single and specific db, but this is not the actual question. For now I need to be able to login as a super user to manage it
It's not an authentication problem, actually the server does not start at all ("Connection refused") because of an error in the /etc/mongod.conf file, should be:
security:
authorization: enabled
Also it's mandatory to add the option --authenticationDatabase admin when starting a client.
It was a so simple stupid error.
I fixed the following typo, note the s instead of a in suthorization
security:
suthorization: enabled
Restarted service
From linux shell I can succesfully connect using
mongo -u realtebo -p passsword_i_setup_for_user_realtebo --authenticationDatabase admin
From windows client I setup auth method on legacy and entered username and password
Now all works

How to login with a user with role userAdmin in mongodb

I have mongod server up and running as a service on ubuntu 14.04, i started mongo shell and created a user.
db.createUser( {
user: "testAdmin",
pwd: "12345678",
roles: [ { role: "userAdmin", db: "students" } ]
} )
after that I changed edit the mongod.conf and set auth=true and restarted the mongod server as a service.
After all this, when I want to start the mongo shell with user testAdmin .
mongo -u testAdmin -p 12345678 --authenticationDatabase students
But I am not able to login and it is giving me error.
MongoDB shell version: 3.2.10
connecting to: 127.0.0.1:25018/test
2016-10-13T05:56:27.500+0000 W NETWORK [thread1] Failed to connect to 127.0.0.1:25018, reason: errno:111 Connection refused
2016-10-13T05:56:27.500+0000 E QUERY [thread1] Error: couldn't connect to server 127.0.0.1:25018, connection attempt failed :
First when I am specifying database students why it is trying to connect to test? Second I know that userAdmin role in mongodb is not for read/write in database with userAdmin I can only manage user roles. But to manage other users i still need to login in mongo shell.
It is working when I turn off the auth in mongod.conf, so other things are fine, only authentication is not working.
First when I am specifying database students why it is trying to connect to test?
You are not specifying the database (students) you want to connect to here.
The --authenticationDatabase is used to specify the database where the user had been created and which is used for the authentication process.
You should also specify students as the db option you want to connect to. If you omit it, the shell automatically tries to connect to test database:
mongo students -u testAdmin -p 12345678 --authenticationDatabase students
Note the addition of students just after mongo.
This is assuming the user has been created in the students database (and not admin or other). Note that in that case the db declaration within role is redundant:
roles: [ { role: "userAdmin", db: "students" } ]
could have also been specified as:
roles: [ "userAdmin" ]

authentication with mongo shard

I am setting up a Mongo test shard and would like to use Mongo user authentication with it. I have added the user on the config server(s). I am not certain if I need to add the same user on all the shards as well. I am assuming I do not need to add the user on the query router (mongos). However, when I simply add the user on the config server (via the Mongo shell), I can authenticate if I stay in the shell. However, as soon as I log out of the shell and log back in, I am unable to log back in with the same credentials. The shard servers do have a data directory associated with them as does the config server. Any ideas on how to troubleshoot this further?
Creating user
db.createUser( { user: "test",
pwd: "testPassword",
roles: [ { role: "clusterAdmin", db: "admin" },
{ role: "readAnyDatabase", db: "admin" },
"readWrite"] },
{ w: "majority" , wtimeout: 5000 } )
authenticating
db.auth("test", "testPassword")
I did specify a data directory for the config server (running on port 27019, not 27017 & the data directory has the correct permissions for the mongo process).
mongod --configsvr --dbpath /var/lib/mongodb3 --port 27019
Once the mongo cluster is properly setup (query router connected to config server and shards with replica sets & config serers/shards writing to disk), I was able to simply add the user via the query router and get authentication working with a Mongo Java driver