This is a translation of a post from the MongoDB blog; the original is at: https://www.mongodb.com/blog/post/enabling-ip-security-for-mongodb-36-on-ubuntu
The default configuration of MongoDB 3.6 refuses unauthorised connections from the public network, which protects the data from external threats: mongod listens only on the local interface unless a rule is added that allows it to listen on other addresses.
This tutorial is a concise demonstration of how to allow external IP addresses to connect to MongoDB nodes while ensuring that only the intended networked servers can connect to your database. You will find that configuring MongoDB to listen on specific network addresses is very easy.
Before working through this tutorial, you need to:
- have MongoDB 3.6 installed
- have a server with more than one network interface (this session uses an AWS EC2 instance)
- understand the basics of IP networking and how to configure a private IP
I launched an AWS EC2 instance with Ubuntu 16.04 LTS and installed MongoDB 3.6 on it.
I want to allow some of the IP addresses in my VPC to connect to our MongoDB database. This guarantees that only the IPs we designate and the local machine can connect to the database, while all other addresses are refused.
First, start the Ubuntu instance in the VPC's public subnet.
After installing MongoDB 3.6 according to the official MongoDB documentation, you can see which address and port the process is listening on with the following command:
$ sudo netstat -plnt | egrep mongod
tcp 0 0 127.0.0.1:27017 0.0.0.0:* LISTEN 2549/mongod
The output shows that mongod accepts connections only on port 27017 of the local machine; to let other systems reach the database you must bind an additional IP address. Run the ifconfig command:
$ ifconfig
eth0      Link encap:Ethernet  HWaddr 0e:5e:76:83:49:3e
          inet addr:172.16.0.211  Bcast:172.16.0.255  Mask:255.255.255.0
          inet6 addr: fe80::c5e:76ff:fe83:493e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:9001  Metric:1
          RX packets:65521 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7358 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:94354063 (94.3 MB)  TX bytes:611646 (611.6 KB)
Now that we know the network address we want to listen on, open /etc/mongodb.conf and edit the network section so that it reads:
# Network Interfaces
net:
  port: 27017
  bindIp: 127.0.0.1,172.16.0.211
The file now also lists the IP address 172.16.0.211; restart the mongod service for the change to take effect:
$ sudo service mongod stop
$ sudo service mongod start
$ sudo netstat -plnt | egrep mongod
tcp 0 0 172.16.0.211:27017 0.0.0.0:* LISTEN 2892/mongod
tcp 0 0 127.0.0.1:27017 0.0.0.0:* LISTEN 2892/mongod
You can see that, in addition to the loopback address, the database now also accepts requests on the specified IP.
Connecting via the local address:
$ mongo localhost
MongoDB shell version v3.6.0-rc2
connecting to: mongodb://127.0.0.1:27017/localhost
Connecting by specifying the IP address:
$ mongo 172.16.0.211
MongoDB shell version v3.6.0-rc2
connecting to: mongodb://172.16.0.211:27017/test
The default local-only configuration has many benefits, but it is now necessary to specify explicitly which networks may connect to the database and to keep untrusted networks from reaching the system. It is important to make sure the MongoDB system is protected from remote attacks by ensuring that only the IPs on your security list can connect to it.
Now that you know how to configure additional IP addresses from which your system can reach the database, you can go on to configure your replica set. Don't forget backups and monitoring. If you would rather not spend much effort on these tasks, have a look at our database as a service, MongoDB Atlas.
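As an added example (not part of the original post), the following POSIX shell script audits the result of this procedure offline: it reads the bindIp list from a mongod config fragment and the listener addresses from netstat -plnt output, and reports any address that is a wildcard (0.0.0.0 or ::, which would expose mongod on every interface) or that is not on a comma-separated allow-list. The config fragment and the netstat lines are constructed samples that reuse the values shown above; the function names bind_ips, listen_addrs, check_addr and audit are my own.

```shell
#!/bin/sh
# Added example, not from the MongoDB blog post: audit which addresses mongod is
# bound to, using embedded samples so it runs without a live mongod.

# Constructed sample: the netstat -plnt lines shown after the restart above.
NETSTAT_SAMPLE='tcp 0 0 172.16.0.211:27017 0.0.0.0:* LISTEN 2892/mongod
tcp 0 0 127.0.0.1:27017 0.0.0.0:* LISTEN 2892/mongod'

# Constructed sample: the net section of the config file as edited above.
CONF_SAMPLE='# Network Interfaces
net:
  port: 27017
  bindIp: 127.0.0.1,172.16.0.211'

# Print every address in the bindIp line of a mongod config (read from stdin),
# one per line. Spaces around the commas are tolerated.
bind_ips() {
  awk '/^[[:space:]]*bindIp:/ {
         sub(/^[[:space:]]*bindIp:[[:space:]]*/, "")
         n = split($0, a, ",")
         for (i = 1; i <= n; i++) { gsub(/[[:space:]]/, "", a[i]); print a[i] }
       }'
}

# Print the local address of every TCP listener owned by mongod, taken from
# netstat -plnt output on stdin (the ":port" suffix is stripped).
listen_addrs() {
  awk '$1 == "tcp" && $NF ~ /\/mongod$/ { sub(/:[0-9]+$/, "", $4); print $4 }'
}

# Return 0 if an address is on the comma-separated allow-list, 1 if it is a
# wildcard or absent from the list.
check_addr() {
  addr=$1; allowed=$2
  case "$addr" in
    0.0.0.0|::|'*') return 1 ;;   # wildcard binding: reachable from every interface
  esac
  case ",$allowed," in
    *",$addr,"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Audit a config fragment and netstat output against an allow-list: every
# configured bindIp and every observed listener must be allowed. Prints each
# offending address and returns 1 if any is found, 0 when everything is clean.
audit() {
  conf=$1; netstat_out=$2; allowed=$3; rc=0
  for a in $(printf '%s\n' "$conf" | bind_ips) $(printf '%s\n' "$netstat_out" | listen_addrs); do
    check_addr "$a" "$allowed" || { echo "not allowed: $a"; rc=1; }
  done
  return $rc
}

# Usage: run the audit against the samples above with the page's two addresses allowed.
audit "$CONF_SAMPLE" "$NETSTAT_SAMPLE" "127.0.0.1,172.16.0.211" && echo "mongod bindings are all on the allow-list"
```

On a real host, feed the script the live data instead of the samples, for example `audit "$(cat /etc/mongodb.conf)" "$(sudo netstat -plnt)" "127.0.0.1,172.16.0.211"`, and run it after every config change or restart so that an accidental 0.0.0.0 binding is caught before the port is reachable from untrusted networks.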
Turn on MongoDB IP security on Ubuntu