MongoDB is a modern, lightweight, scalable NoSQL database. It stores data as JSON-like documents, and the data structure can be changed over time. These points make MongoDB a good choice for uses ranging from data science to mobile applications. A server with 512 MB of RAM is enough for basic testing purposes. Here is a step-by-step guide on how to install, configure and secure MongoDB over SSH. For this guide, we are using Ubuntu 16.04 LTS as the server operating system.
How to Install, Configure, Secure MongoDB
SSH to the intended server and become root. In case it is a public server for long-term use, you should definitely follow some steps like we described before in this article to secure the server.
First update and upgrade the instance:

```
apt update
apt upgrade
```
We have to add the key as the next step:

```
sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 0C49F3730359A14518585931BC711F9BA15703C6
```
You’ll get this kind of correct response:

```
Executing: /tmp/tmp.B8ey1ENeI1/gpg.1.sh --keyserver
hkp://keyserver.ubuntu.com:80
--recv
0C49F3730359A14518585931BC711F9BA15703C6
gpg: requesting key A15703C6 from hkp server keyserver.ubuntu.com
gpg: key A15703C6: public key "MongoDB 3.4 Release Signing Key <packaging@mongodb.com>" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
```
Next, we will add the repository at /etc/apt/sources.list.d/ with a one-line command:

```
echo "deb [ arch=amd64,arm64 ] http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.4 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-3.4.list
```
Run update:

```
apt update
```
Install MongoDB:

```
apt install mongodb-org
```
We are installing the community edition of MongoDB. The MongoDB repository contains the following packages:

mongodb-org: a metapackage that will automatically install the four component packages listed below.
mongodb-org-server: contains the mongod daemon and associated configuration and init scripts.
mongodb-org-mongos: contains the mongos daemon.
mongodb-org-shell: contains the mongo shell.
mongodb-org-tools: contains the following MongoDB tools: mongoimport, bsondump, mongodump, mongoexport, mongofiles, mongooplog, mongoperf, mongorestore, mongostat, and mongotop.
Run these commands to start MongoDB, check that it is running, and enable it on reboot:

```
sudo systemctl start mongod
sudo systemctl status mongod
# press q to quit
sudo systemctl enable mongod
```
If we run the command:

```
mongo
```

it starts the MongoDB shell. If we run:

```
use admin
```

in that shell, we switch to the admin database, with this output:

```
switched to db admin
```
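To create the user admin with the password admin123 and the root role on the admin database, run this (admin123 is only an example value; choose a strong password of your own):

```
db.createUser({user:"admin", pwd:"admin123", roles:[{role:"root", db:"admin"}]})
```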
Run:

```
exit
```

to exit. Now open the /lib/systemd/system/mongod.service file:

```
nano /lib/systemd/system/mongod.service
```
Find the keyword ExecStart=. You’ll get the default line as:

```
ExecStart=/usr/bin/mongod --config /etc/mongod.conf
```
Change it to:

```
ExecStart=/usr/bin/mongod --quiet --auth --config /etc/mongod.conf
```
Save the file. Now, open this file:

```
nano /etc/mongod.conf
```
Find the keyword #security. Add these lines at that place:

```
security:
  authorization: "enabled"
```
Run:

```
systemctl daemon-reload
# sudo service mongod restart
sudo systemctl restart mongod
```
Now, if we run the command:

```
mongo
```

the connection will not be refused. But if you run a command like show dbs, it will be refused with this kind of error:

```
2017-11-24T07:39:13.890+0000 E QUERY [thread1] Error: listDatabases failed:{
	"ok" : 0,
	"errmsg" : "not authorized on admin to execute command { listDatabases: 1.0 }",
	"code" : 13,
	"codeName" : "Unauthorized"
} :
```
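To log in correctly, we have to use this kind of command:

```
mongo -u admin -p admin123 --authenticationDatabase admin
```

A password given after -p ends up in the shell history and the process list; if -p is passed without a value, the mongo shell prompts for the password instead.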
Now if you run show dbs, you’ll get a valid response like:

```
admin 0.000GB
local 0.000GB
```
Run cat on the settings file:

```
cat /etc/mongod.conf
```
You’ll notice lines like:

```
# where to write logging data.
systemLog:
  destination: file
  logAppend: true
  path: /var/log/mongodb/mongod.log

# network interfaces
net:
  port: 27017
  bindIp: 127.0.0.1
```
You can add the IP of the current server beside 127.0.0.1 in bindIp, separated with a comma. As my test server’s IP is 96.126.101.36, the config will be:

```
# network interfaces
net:
  port: 27017
  bindIp: 127.0.0.1, 96.126.101.36
```
Run:

```
# sudo service mongod restart
sudo systemctl restart mongod
```
Now, we can log in with this kind of command:

```
mongo -u admin -p admin123 --authenticationDatabase admin --host 127.0.0.1
# mongo -u admin -p admin123 --authenticationDatabase admin --host 96.126.101.36
```
MongoDB supports TLS/SSL to encrypt all of MongoDB’s network traffic, ensuring that the traffic is only readable by the intended client. Normally we do not use TLS/SSL, to avoid complexity.
To configure TLS/SSL, go to:

```
cd /etc/ssl/
```
Generate a self-signed certificate with 365 days validity:

```
openssl req -newkey rsa:2048 -new -x509 -days 365 -nodes -out mongodb-cert.crt -keyout mongodb-cert.key
```
The above operation generates a new, self-signed certificate with no passphrase. Once you have the certificate, concatenate the certificate and private key into a .pem file:

```
cat mongodb-cert.key mongodb-cert.crt > mongodb.pem
```
Again, open the file we opened before:

```
nano /etc/mongod.conf
```
We only had:

```
# network interfaces
net:
  port: 27017
  bindIp: 127.0.0.1, 96.126.101.36
```
We can add more settings:

```
net:
  port: 27017
  bindIp: 127.0.0.1, 96.126.101.36
  ssl:
    mode: requireSSL
    PEMKeyFile: /etc/ssl/mongodb.pem
```
Save the file. Run:

```
# sudo service mongod restart
sudo systemctl restart mongod
```
You’ll find detailed information on SSL/TLS configuration, and also the commands to log in, here:

https://docs.mongodb.com/manual/tutorial/configure-ssl-clients/
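To check the end state of this guide on a server, the following added script (an example written for this page, not part of the original guide or of MongoDB) reads a mongod.conf and reports whether authorization is enabled, whether a non-loopback bindIp is paired with requireSSL, and whether the PEM key bundle is accessible to other users. The function names conf_get and audit_mongod_conf and the demo config are assumptions made for the example.

```bash
# Added example (not from the original guide): audit a mongod.conf for the
# settings configured above. The demo config at the bottom is constructed.

# conf_get FILE dotted.key -> value. Handles only the plain nested
# "key: value" block YAML that mongod.conf uses.
conf_get() {
  awk -v want="$2" '
    /^[ \t]*(#|$)/ { next }                    # skip comments and blank lines
    { ind = match($0, /[^ ]/) - 1              # indentation width
      line = substr($0, ind + 1); sep = index(line, ":"); if (!sep) next
      key = substr(line, 1, sep - 1); val = substr(line, sep + 1)
      sub(/[ \t]+#.*$/, "", val); gsub(/^[ \t]+|[ \t]+$|"/, "", val)
      while (depth > 0 && lvl[depth] >= ind) depth--   # leave deeper sections
      depth++; lvl[depth] = ind; name[depth] = key
      path = name[1]; for (i = 2; i <= depth; i++) path = path "." name[i]
      if (path == want) { print val; exit } }' "$1"
}

# audit_mongod_conf FILE -> prints findings, returns how many there were.
audit_mongod_conf() {
  n=0
  auth=$(conf_get "$1" security.authorization)
  bind=$(conf_get "$1" net.bindIp)
  bind=${bind:-0.0.0.0}   # mongod 3.4 listens on all interfaces if unset
  mode=$(conf_get "$1" net.ssl.mode)
  pem=$(conf_get "$1" net.ssl.PEMKeyFile)
  if [ "$auth" != enabled ]; then
    echo "FAIL security.authorization is '${auth:-unset}'"; n=$((n + 1))
  fi
  # Anything in bindIp besides loopback is reachable from the network.
  remote=$(printf '%s\n' "$bind" | tr ',' '\n' | tr -d ' ' |
           grep -Ev '^(127\.0\.0\.1|localhost|::1)?$' || true)
  if [ -n "$remote" ] && [ "$mode" != requireSSL ]; then
    echo "FAIL bindIp includes" $remote "but net.ssl.mode is '${mode:-unset}'"
    n=$((n + 1))
  fi
  # The PEM bundle holds the private key: no group/other permission bits.
  if [ -f "$pem" ] && [ "$(ls -ld "$pem" | cut -c5-10)" != "------" ]; then
    echo "FAIL $pem is accessible to group/other"; n=$((n + 1))
  fi
  return "$n"
}

# Demo on a constructed config: the guide's bindIp step, before TLS is added.
demo=$(mktemp)
printf '%s\n' 'net:' '  port: 27017' '  bindIp: 127.0.0.1, 96.126.101.36' \
  'security:' '  authorization: "enabled"' > "$demo"
audit_mongod_conf "$demo" || echo "findings: $?"
rm -f "$demo"
```

On a real server, call audit_mongod_conf /etc/mongod.conf. A bundle written by the cat command above under root's default umask is flagged until it is owned by the user mongod runs as and its mode is 600.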