Enable MongoDB IP Security on Ubuntu

Enable MongoDB IP Security on Ubuntu

By default, MongoDB3.6 rejects unauthorized links from accessing the public network to protect data from external threats. MongoDB only listens to local links, unless you add rules to allow listening to other addresses.

This tutorial will show you how to allow external IP addresses to connect to the MongoDB node and ensure that the Connected Server can connect to your database. Through this tutorial, you will find that it is easy to configure the specific network port for MongoDB listening.

Before reading this tutorial, You need:

• Install MongoDB3.6
• There are multiple network interfaces on the server (this session uses AWS EC2 instances)
• Understand the basic knowledge of IP networks and configure private IP addresses.

I started an AWS EC2 instance installed with Ubuntu 16.04 LTS and installed MongoDB3.6

I want to allow some of my VPC IP addresses to connect to our MongoDB database. In this way, we can ensure that only the specified IP address and the local machine can be connected to the database, and other unfamiliar addresses cannot access the database.

Start the Ubuntu instance in the public subnet of the VPC.

Install mongodb3.6 on the MongoDB official website. Run the following command to check the network port occupied by the process:

Ubuntu @ ip-172-16-0-211 :~ $ Sudo netstat-plant | egrep created d

Tcp 0 0 127.0.0.1: 27017 0.0.0.0: * LISTEN 2549/mongod

The command output shows that the user can only access the database through port 27017 of the Local Machine. If you want other systems to access the database, you need to bind the IP address. Run the ifconfig command

Ubuntu @ ip-172-16-0-211 :~ $ Ifconfig
Eth0 Link encap: Ethernet HWaddr 0e: 5e: 76: 83: 49: 3e
Inet addr: 172.16.0.211 Bcast: 172.16.0.255 Mask: 255.255.255.0
Inet6 addr: fe80: c5e: 76ff: fe83: 493e/64 Scope: Link
Up broadcast running multicast mtu: 9001 Metric: 1
RX packets: 65521 errors: 0 dropped: 0 overruns: 0 frame: 0
TX packets: 7358 errors: 0 dropped: 0 overruns: 0 carrier: 0
Collisions: 0 FIG: 1000
RX bytes: 94354063 (94.3 MB) TX bytes: 611646 (611.6 KB)

Now that we know the network address we want to listen to, open the/etc/mongodb. conf file and edit it. The file is modified as follows:

# Network interfaces
Net:
Port: 27017
BindIp: 127.0.0.1, 172.16.0.211

Now a IP address 172.16.0.211 is added to the file, and the mongod service is restarted.

Ubuntu @ ip-172-16-0-211 :~ $ Sudo service producer D stop
Ubuntu @ ip-172-16-0-211 :~ $ Sudo service producer D start
Ubuntu @ ip-172-16-0-211 :~ $ Sudo netstat-plnt | egrep created d
Tcp 0 0 172.16.0.211: 27017 0.0.0.0: * LISTEN 2892/mongod
Tcp 0 0 127.0.0.1: 27017 0.0.0.0: * LISTEN 2892/mongod

In addition to the local machine, the database can accept requests from the specified IP address.

Local Connection:

Ubuntu @ ip-172-16-0-211 :~ $ Mongo localhost
MongoDB shell version v3.6.0-rc2
Connecting to: mongodb: // 127.0.0.1: 27017/localhost

Connect through a specified IP Address

Ubuntu @ ip-172-16-0-211 :~ $ Mongo 172.16.0.211
MongoDB shell version v3.6.0-rc2
Connecting to: mongodb: // 172.16.0.211: 27017/test

The default local configuration has many advantages, but now you need to specify the networks that can connect to the database to prevent untrusted networks from connecting to the system. It is very important to ensure that the MongoDB system is not remotely attacked. Ensure that only the IP addresses on the security list can be connected to the system.

Now you know how to configure other IP addresses for the system to access the database. Now you can configure your replica set. Do not forget to perform backup and monitoring. If you don't want to spend too much energy on these jobs, you can take a look at our database as a service: MongoDB Atlas.

This article permanently updates link: https://www.bkjia.com/Linux/2018-02/151072.htm