Tips for Managing MongoDB Remotely

Agus Syafaat

Working remotely due to the Covid-19 pandemic means an increase in the importance of isolated infrastructures; more specifically ones that can only be accessed through an internal network, but in a way that authorized people from the outside world can access the system anytime or anywhere. 

In this article, we will share some basic steps that you must implement with MongoDB to ensure secure access while administering the database.

Securing MongoDB

Before accessing the MongoDB database remotely, you must perform a “hardening” of the environment. Set the following on the infrastructure side:

Enable MongoDB Authentication 

This feature is mandatory to enable, regardless if we want to access the MongoDB database from the internal network or from an external network. Before enabling the authorization, you must first create an admin user in MongoDB. You can run below command to create admin user in your one of mongoDB server:

$ mongo

> use admin

> db.createUser(

      {

          user: "admin",

          pwd: "youdontknowmyp4ssw0rd",

          roles: [ "root" ]

      }

  );

Above command will create a new user called admin with root privileges. You can enabled the MongoDB Auth feature by opening the /etc/mongod.conf file and then adding the following line:

  security:

   authorization: 'enabled'

Do not forget to restart your mongoDB service to apply the changes. Above command will restrict access to the database, only the one who has access credentials who are eligible to log in.

Setup Roles and Privileges

To prevent the misuse of access to MongoDB, we can implement role-based access by creating several roles and its privileges.

Make sure you have a list of users who need to access the database and understand each individual’s needs and responsibilities. Create roles and assign the privileges to these created roles. After that, you can assign your user to a role based on the responsibilities.

This approach helps us to minimize the abuse of authority and identify the role and user immediately when something unwanted happened.

Configure an SSL / TLS Connection

MongoDB supports SSL / TLS connections for securing data in transit. To implement this, you have to generate your own SSL Key, you can generate it using openssl. To enable SSL / TLS support, you can edit the /etc/mongod.conf file and add the following parameter:

  net:

      tls:

         mode: requireTLS

         certificateKeyFile: /etc/mongo/ssl/mongodb.pem

After adding these parameters, you need to restart the MongoDB service.  If you have MongoDB replicaset architecture, you need to apply them on each node. SSL is also needed when the client will access  MongoDB, whether it is from the application side or from the client directly.

For production use, you should use valid certificates generated and signed by a single certificate authority. You or your organization can generate and maintain certificates as an independent certificate authority, or use certificates generated by third-party TLS/SSL vendors. Prevent using a self signed certificate, unless it is a trusted network.

Restrict the Database Port

You have to make sure that only the MongoDB port is opened on the firewall server or firewall appliance, make sure no other ports are open.

Securing the MongoDB Connection

Remote connection via public internet presents the risk of data being transmitted from local users to the database server and vice versa. Attackers can interrupt the interconnection, which in this case is known as MITM (Min-in-The-Middle) attack. Securing connection is very necessary when we manage / administer the database remotely, some things we can apply to protect our access to the database are as follows:

Private Network Access

VPN (Virtual Private Network) is one of the fundamental things when we want to access our infrastructure from outside securely. VPN is a private network that uses public networks to access the remote sites. VPN setup requires hardware that must be prepared on the private network side, beside that the client also needs VPN software that supports access to the private network.

Besides using VPN, another way to access MongoDB server is by port forwarding database port via SSH, or better known as SSH Tunneling. 

Use SSL / TLS from the Client to the Database Server

In addition to implementing secure access using VPN or SSH Tunneling, we can use SSL / TLS which was previously configured on the MongoDB side. You just need the SSL key that you have and try connecting to the database using the SSL Key.

Enable Database Monitoring

It is essential to enable the monitoring service to understand the current state of the databases. The monitoring server can be installed under the public domain that has SSL / TLS enabled, so automatically access to the browser can use HTTPs.

Conclusion

It is really fun to work from home, you can interact with your kids and at the same time monitor your database. You must follow the above guidelines to make sure you do not get attacked or have data stolen when accessing your database remotely.

ClusterControl
The only management system you’ll ever need to take control of your open source database infrastructure.