Secure mongodb setup using Docker

In recent times, there has been a lot of ransom hacks on unsecured mongodb servers. Many have been victims of this hack due to unsecure setup of mongodb or ignoring few details while setup.

Even after setting up with secure authenticated settings on server, few of them have been hacked while upgrading or re-installation in a matter of seconds due to the automated scripts setup by hackers.

More on mongodb ransom hack — https://nakedsecurity.sophos.com/2017/01/11/thousands-of-mongodb-databases-compromised-and-held-to-ransom/


Let’s get secured

To solve these issues, me and my friend Prady has come up with a easy and scalable setup of mongodb using Docker. We have done this setup on a Virtual Private Server(VPS) running Ubuntu 14.04 on Digital Ocean.

To start with, we need to create a directory on our server, where our database actually resides. i.e. the physical location for our database

Let’s assume that our application name is “Sample” and name our containers, database and spaces appropriately.

mkdir ~/sample_db

Creating mongodb container at a port of ur choice.

As we all know, 27017 is the default port for mongodb. Let’s make it less obvious by creating our mongodb container on a custom port.

sudo docker run -d -p YOUR_PORT:27017 -v ~/sample_db:/data/db mongo

List all docker containers

sudo docker ps

You can name your docker container to easily remember based on application_name or something of ur choice. When we don’t do that — docker assigns something random like “thirsty_roentgen”

Rename the docker container

sudo docker rename thirsty_roentgen sampledb

We created a docker container, but no authentication on it. Without authentication, mongodb container created can be accessed only thru local i.e. when you tunnel into your server using ssh credentials

To expose this to outside world, you need to create mongodb container with authentication enabled

Since you are already running a container, simply adding — auth

docker run — name sampledb -d mongo — auth

will result in an error as follows

The container name “/sampledb” is already in use by container a2ddcec52f17d95ba067ab4e4e52621b74f762a3a2e2024e1a7852d592192b5c. You have to remove (or rename) that container to be able to reuse that name..

We need to stop the current mongodb instance and remove it and recreate with authentication enabled

docker stop sampledb
docker rm sampledb

Creating mongodb container with name sampledb and authentication enabled ( — auth)

sudo docker run -d — name sampledb -p 29019:27017 -v ~/sample_db:/data/db mongo — auth

List the containers

sudo docker ps

Run the mongodb instance with admin database

docker exec -it sampledb mongo admin

Enters mongodb shell — now create admin user

creating admin user for mongodb server

db.createUser({ user: ‘sample_admin’, pwd: ‘p@ssword’, roles: [ { role: “userAdminAnyDatabase”, db: “admin” } ] });

Running mongodb with specified user and password

docker exec -it sampledb mongo -u sample_admin -p p@ssword — authenticationDatabase admin

enters mongodb shell

creating required database

use mydatabase

creating admin APP user for db security

db.createUser({ user: ‘mydb_admin’, pwd: ‘myp@ss’, roles: [“readWrite”, “dbAdmin”] });

and then create your required collections

In the next series, we’ll let you know how to connect to this secured setting of mongodb using robomongo.