I am developing a Node.js app that will use MongoDB and I am trying to make it as secure as possible.
Authentication to the database
First, I wanted to restrict the access to the database, so I added an authentication. So now, in the terminal, I have to login like so :
~$ mongo -u <myusername> -p --authenticationDatabase admin
But then, in my javascript I had to add the password in plain text in the following line :
// Connect to the database
mongoose.connect('mongodb://localhost/<myDB>?authSource=admin', {user: <myusername>, pass: <mypassword>, useNewUrlParser: true, useUnifiedTopology: true});
This disturbs me. It brings me to my first question : How can I have a restricted access to my database without having plain text passwords in the code ?
Between Mongoose and MongoDB
I discovered that Mongoose communicates with MongoDB via TCP/IP. I ran a wireshark to see if I could detect data and in fact I could :
screen capture
The back-end and the MongoDB may likely be on 2 different machines. This brings me to my last question : I have seen on multiple posts here that, sometimes, a SSH connection was made, but is it the best way to secure the communication ?
MongoDB doesn’t enable access control by default. Running a MongoDB instance without access control means that anyone that can connect to the database can run commands and potentially see all data in the database.
After enabling access control to force all users to authenticate when connecting to the database, the next step is to configure role-based access control (RBAC).
Here's the checklist for MongoDB Security: https://docs.mongodb.com/manual/administration/security-checklist/
It's normal to supplied username and password even in other RDBMS
Please check the authentication part of MongoDB here: https://docs.mongodb.com/manual/core/authentication/
Also how you enable the authentication:
https://docs.mongodb.com/manual/tutorial/enable-authentication/
To answer you 2nd question regarding communications, you can check the link I sent https://docs.mongodb.com/manual/administration/security-checklist/ and goto Encrypt Communication, It uses TLS/SSL to encrypt communication between mongod and mongos.
Regards,
Related
I have created a database in Hostinger and make it remote. But, when I try to connect with my local using nodejs I am getting an error: "ER_ACCESS_DENIED_ERROR" even after using the right username and password.
This is my code below:
Have I done anything wrong? Please help me
This error usually occurs if the credentials are incorrect or the user can not access the database.
Also, In an express app, it is usually better to re-use the database connection instead of connecting to the database on every request.
From the terminal, the application launches and connects with MongoDB, but when I attempt to access it at the IP address of the droplet (with the correct port), I am getting an error:
MongoError: not authorized on cmf to execute command (cmf is the dbname).
I followed the install & setup instructions here, creating a user and afterward added the role of root described here. This was for the admin database.
When logged into the Mongo shell, I can access data thru db.status(), and when using admin db I can run show users and see the user.
I am confused whether I lack configuration for the cmf database. When using cmf db, when I run show users, nothing is returned.
For unknown reasons, the application cannot connect with mongodb. I am now thoroughly confused about where to go from here.
If anyone can point me in the right direction, I would appreciate it.
You need to create the database user with password (like in the tutorial included in your question), then upon connecting:
var dbHost = 'mongodb://username:password#localhost:port/cmf';
mongoose.connect(dbHost);
Where:
username is the username of created user,
password is the password,
port is the correct port of running mongodb (defaults to 27017).
I've connected to mLab using MongoClient.connect, but now I want to create a local database rather than use mLab. I've tried changing the URL to "mongodb://localhost:27017/mydb" to create a database locally as suggested, but I'm getting a failed to connect to server error. Is there anything I should install? Or am I just missing something?
First, install your mongoDB server:
https://docs.mongodb.com/manual/installation/
After that, you should be able to start your local mongodb server:
sudo service mongod start //in case of linux
Here the docs to start the mongodb server
Then, you will type mongo and the client command line will start.
And when typing use yourDatabase, mongo will create the database if
it does not exist.
Then, your server will be up, and the database created. Anyway, check the docs if you need the guides for windows or other systems.
First you need to understand how server works and mlab works. mLab is a company who provide database as a services. Means you no need to handle server hurdles, they take care server , backups , infrastructure etc. They provide mongodb server , You just need to create database on mongodb server's and use them.
Now comes to main points.
If you want use mongodb on your local system then you first need to install mongodb on your local system and then connect it.
With the recent attacks on Mongo databases, I've seen many guides on how to password-protect your database. I've gone through each guide and I've set up a 'superAdmin' with root role and another basicAdmin with read/write privileges. I reboot mongo using
mongo --auth
and authenticate using my superAdmin login, however this causes problems for my site which uses this db. When I boot my Node app, I can't access any pages as it cannot connect to the database because it has auth enabled. If in my config/database.js file I have:
module.exports = {
'database': 'mongodb://myWebsite.com/myDatabase'
};
How can I allow my site to access my MongoDB and read/write as users signup but also restrict any ransomware group from just walking in and dropping every collection over and over?
There are three main methods that you can use to protect your database.
Username and password
This is the simpler one. As you have mentioned that you have already secured the server using password, you can simply connect to database using mongoose as
mongoose.connect('mongodb://username:password#host:port/database');
I might recommend here that you change the default port of mongoDb to something else. Changing port can be found in file /etc/mongodb.conf.
Bind to private ip and use firewall
Again refering to file /etc/mongodb.conf change bind_ip to local ip of your network. Most of the services do provide that. Also better to setup firewall for the same. Simple firewall that you can use is UFW. Only allow traffic from servers that you are using. This method might not be effective if you are using shared vpn service.
SSH tunnel to access database
This is far most the most reliable method and i would recommend you to use this with the last method. Here is how this works. Set bind_ip to 127.0.0.1. Let us assume that you are running port on 5000. In order to set up a tunnel use
ssh \
-L 4000:localhost:5000 \
-i ~/.ssh/key \
<username>#mongo_db_ip
Remember to add your ssh key in instance running mongodb database. The above command should be issued on server that is running nodejs. 5000 as mentioned is the remove port and 4000 is the local port that you need to connect to on mongodb. So your command in mongoose to connect to database would be
mongoose.connect('mongodb://localhost:4000/<database>');
Summary
As you can see in almost all the steps i have focused on setting up a firewall which is very important.
Also username and passwords should be avoided and it is better to use ssh keys. From practical experience they also reduce a lot of burden while you are scaling up your service.
Hope this helps you out.
I have my premium openshift account
I have all types of access in openshift
I have ssh key & user's credentials
I have MongoVUE & Robomongo & others client tools to open mongodb database.
when I try to open any local mongodb database then its working fine
but I want to directly connect my mongodb database of openshift server to mongoVUE or any else
so I can see which data is in my server database.
I have tried so many times to connect locally but it can connect to openshift but can not connect with mongodb database so please provide some good & exact steps so I can connect it.
I use mongovue also. Just do a
'rhc port-forward '
Then run mongovue using the Mongodb credentials that OPENSHIFT gave you.
Steps.
rhc port-forward <app-name>
Wait a couple of seconds. You then should see something like this.
Then run Mongovue. Add a connection and enter in your Openshift Mongodb credentials like this:
Save, Select your connection, and press connect. It should work.
You should have been given you mongodb credentials when you added the mongodb cartridge. You can also ssh into your app and do a "env" and see your mongodb password and username.
Finally I got perfect tool for it to connect with mongodb with server database in which we can perform all kind of CRUD operations.
we can use Robomongo tool for it which doesn't require paid version to perform CRUD operation.
Robomongo is available here
http://robomongo.org/download.html
mongoVUE requires paid version.
I use Robomongo. Just do a 'rhc port-forward '
Then run Robomongo using the Mongodb credentials that OPENSHIFT gave you.
Steps.
rhc port-forward
Wait a couple of seconds. You then should see something like this.
port forward image
Then run Robomongo. Add a connection and enter in your Openshift Mongodb credentials: