Stampery Inc.
Jan 31, 2017 · 2 min read

Never run a production server without authentication on.

Really, never do so. No authentication means inviting everyone out there to enter your databases, seize everything and potentially ransom you for your data.

Running a testing server? Enable authentication either way, just in case you move it into production one day and you forget to enable it then!

Enabling authentication on MongoDB

Disclaimer: this how-to guide only applies to self-managed MongoDB servers. All “MongoDB as a Service” providers already enable authentication preemptively.

1. Start MongoDB without authentication

That’s easy, as this is the default behavior.

2. Connect to the server using the mongo shell

$ mongo mongodb://<host>:<port>

The port number will likely be 27017, but for additional security, you can always change it to a different one.

3. Create the user administrator

Change to the admin database:

> use admin

You need to create a user with the userAdminAnyDatabase role, which grants the privilege to create other users on any existing database. The following example will create the useradmin user with password “thepianohasbeendrinking”:

> db.createUser({
    user: "useradmin",
    pwd: "thepianohasbeendrinking",
    roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
  })

Then disconnect from the mongo shell (Ctrl+D).

4. Enable authentication in mongod configuration file

Open /etc/mongod.conf with your favorite code editor and search for the following lines:

authorization: "disabled"

If you can’t find mongod.conf, or it is named mongodb.conf instead, you are using a really old and broken version of MongoDB. Please read this guide on how to upgrade to a more recent version.

Change "disabled" to "enabled", save the file and restart mongod:

$ sudo service mongodb restart

From now on, all clients connecting to this server must authenticate themselves as valid users, and they will only be able to perform the actions allowed by their assigned roles.

5. Connect and authenticate as the user administrator

$ mongo mongodb://<host>:<port>
> db.auth("useradmin", "thepianohasbeendrinking")

You can also connect and authenticate in a single step with mongo mongodb://useradmin:thepianohasbeendrinking@<host>:<port>, but this option isn’t advised because it leaves your credentials visible in your terminal history, which any program running under your account can read.

6. Finally, create additional users as needed

The following operation adds a user myTester to the test database with the readWrite role in that database:

> use test
> db.createUser({
    user: "myTester",
    pwd: "xyz123",
    roles: [ { role: "readWrite", db: "test" } ]
  })

When creating new users and assigning them roles, you should always take into account the MongoDB user credentials best practices.
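As an added example that is not part of the original post, the Node.js script below checks a mongod.conf text for the security.authorization setting from step 4 (the option lives under the top-level security: key, and the stock file ships with that whole section commented out) and builds the createUser documents from steps 3 and 6 with a least-privilege sanity check. The sample configs are constructed here; the function names are my own.

```javascript
// Added example, not from the original post: audit a mongod.conf text for
// security.authorization (step 4) and build the createUser documents from
// steps 3 and 6 with a least-privilege check. Sample configs are constructed.

// Returns "enabled", "disabled" or "absent". The stock YAML file ships with the
// whole security section commented out, so "absent" means auth is NOT on.
// Handles block-style YAML only, which is what mongod.conf uses by default.
function authorizationSetting(confText) {
  let inSecurity = false;
  for (const raw of confText.split("\n")) {
    const line = raw.replace(/#.*$/, "").trimEnd();  // drop comments
    if (line.trim() === "") continue;
    const indent = line.length - line.trimStart().length;
    if (indent === 0) {                               // a top-level key
      inSecurity = /^security:\s*$/.test(line);
      continue;
    }
    if (!inSecurity) continue;
    const m = line.trim().match(/^authorization:\s*"?(enabled|disabled)"?$/);
    if (m) return m[1];
  }
  return "absent";
}

// The *AnyDatabase roles exist only in the admin database; granting one on
// another database is a mistake the server rejects, so catch it beforehand.
const ANY_DB_ROLES = new Set(["userAdminAnyDatabase", "readAnyDatabase",
  "readWriteAnyDatabase", "dbAdminAnyDatabase"]);

function createUserDoc(user, pwd, roles) {
  if (!user || !pwd) throw new Error("user and pwd are required");
  if (!Array.isArray(roles) || roles.length === 0)
    throw new Error("grant at least one role, scoped to one database");
  for (const r of roles) {
    if (!r.role || !r.db) throw new Error("each role needs role and db");
    if (ANY_DB_ROLES.has(r.role) && r.db !== "admin")
      throw new Error(r.role + " can only be granted in the admin database");
  }
  return { user, pwd, roles };   // pass this object to db.createUser()
}

// Constructed sample configs: stock (section commented out), weak, hardened.
const STOCK_CONF = "storage:\n  dbPath: /var/lib/mongodb\n#security:\n";
const WEAK_CONF = 'security:\n  authorization: "disabled"\n';
const HARDENED_CONF = "net:\n  port: 27017\nsecurity:\n  authorization: enabled\n";

console.log(authorizationSetting(STOCK_CONF), authorizationSetting(WEAK_CONF),
  authorizationSetting(HARDENED_CONF));
console.log(JSON.stringify(createUserDoc("myTester", "xyz123",
  [{ role: "readWrite", db: "test" }])));
```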

Mongoaudit — the mongoaudit guides

MongoDB security guides and best practices
