MongoDB is an open source NoSQL database built around the concepts of Collections and Documents. It offers high performance, good availability and easy scaling. In a default installation, however, MongoDB's authorization setting is disabled, which means that any client that can reach MongoDB's port 27017 has full access to every database.
To mitigate this, we will create an admin user, enable authentication, and then connect as that admin user to access the database.
Step 1: Adding an Administrative User
```
# mongo
> show dbs
READ__ME_TO_RECOVER_YOUR_DATA  0.000GB
admin                          0.007GB
config                         0.000GB
> use admin
switched to db admin
> db.createUser({user: "AdminSammy", pwd: passwordPrompt(), roles: [ { role: "userAdminAnyDatabase", db: "admin" }, "readWriteAnyDatabase" ]})
Enter password:
> quit()
```
Step 2: Enabling Authentication
```
vim /etc/mongod.conf

security:
  #authorization: disabled
  authorization: enabled

systemctl restart mongodb
```
Step 3: Testing Authentication Setting
Access mongo without credentials:
```
# mongo
MongoDB shell version v4.4.6
connecting to: mongodb://127.0.0.1:27017/?compressors=disabled&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("f446eda6-1a52-4cb0-94a2-0a5014e446df") }
MongoDB server version: 4.4.6
> show dbs
```
Output: no database information is displayed.
Access mongo with the user created in Step 1:
```
# mongo -u AdminSammy -p --authenticationDatabase admin
MongoDB shell version v4.4.6
Enter password:
connecting to: mongodb://127.0.0.1:27017/?authSource=admin&compressors=disabled&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("7c1e7712-da03-4573-8edf-468592fd16e3") }
MongoDB server version: 4.4.6
> show dbs;
READ__ME_TO_RECOVER_YOUR_DATA  0.000GB
admin                          0.007GB
config                         0.000GB
local                          0.000GB
```
Output: the database information is displayed.
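As an added check that is not part of the original post: a small POSIX shell function that verifies a mongod.conf really has `authorization: enabled` under the `security:` section, rather than only the commented-out `#authorization: disabled` line from the default file. It assumes the indented YAML layout shown in Step 2 and a config path you pass in.

```shell
# Added example, not from the original post. Exit status 0 means authentication
# is enabled, 1 means it is disabled or missing (mongod's default is disabled).
# Only the indented YAML layout from Step 2 is understood, not "security: {...}".
mongo_auth_enabled() {
    awk '
        { sub(/#.*/, ""); sub(/[ \t]+$/, "") }   # drop comments and trailing spaces
        /^[ \t]*$/ { next }                      # skip now-empty lines
        /^[^ \t]/ { section = $1; next }         # column-0 key starts a new section
        section == "security:" && $1 == "authorization:" {
            found = ($2 == "enabled")            # last setting in the section wins
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Demo on a constructed config; in practice pass /etc/mongod.conf instead.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
security:
  #authorization: disabled
  authorization: enabled
EOF
if mongo_auth_enabled "$demo_conf"; then
    echo "authorization is enabled"
else
    echo "WARNING: mongod will accept unauthenticated clients on port 27017"
fi
rm -f "$demo_conf"
```

Run it after editing the file and again after `systemctl restart`, since a config edit only takes effect once mongod has been restarted.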
That completes the configuration of authentication on the MongoDB database; you can now connect with your administrative tools. I am using the NoSQLBooster tool to connect. You can create more databases, users and permissions through the NoSQLBooster tool.