MONGO DB
MONGO DB WALKTHROUGH FOR UBUNTU
cf : tuto Mongo DB / install cf : tuto Digital Ocean / install
INSTALL MONGO DB
install MongoDB package (-y == —yes == —assume-yes)
sudo apt update
sudo apt install -y mongodb
check service status
sudo systemctl status mongodb
mongo --eval 'db.runCommand({ connectionStatus: 1 })'
optionnel : stop/start/restart MongoDB service
sudo systemctl stop mongodb
sudo systemctl start mongodb
sudo systemctl restart mongodb
By default, MongoDB is configured to start automatically with the server. If you wish to disable/enable the automatic startup, type:
sudo systemctl disable mongodb
sudo systemctl enable mongodb
UNINSTALL
- cf : https://docs.mongodb.com/manual/tutorial/install-mongodb-on-ubuntu/
sudo systemctl stop mongodb
sudo apt-get purge mongodb-*
sudo rm -r /var/log/mongodb
sudo rm -r /var/lib/mongodb
optionnal : allow an external IP to connect to MongoDB’s ports
sudo ufw allow from YOUR.LOCAL.IP.ADDRESS/32 to any port 27017
add your server’s publicly-routable IP address to the mongod.conf file
sudo nano /etc/mongodb.conf
let this : restrict to local interface
remote connection to db are prohibited except via SSH tunnel
…
logappend=true
# bind_ip = 127.0.0.1
bind_ip = 127.0.0.1,YOUR.SERVER.IP.ADDRESS
# bind_ip = 0.0.0.0
#port = 27017
…
restart service
sudo systemctl restart mongodb
optional : enable automatically starting MongoDB when the system starts
sudo systemctl enable mongod
sudo systemctl stop mongod
sudo systemctl start mongod
sudo systemctl restart mongod
sudo systemctl status mongod
SECURE CONNEXION
cf : tuto Digital Ocean / secure connexion cf : tuto Mongo DB
run MongoDB
mongo
in mongo CLI
use admin
db.createUser({user:"AdminMongo",pwd:"A_MONGO_DB_ADMIN_PWD",roles:[{role:"userAdminAnyDatabase",db:"admin"}]})
db.createUser({user:"RootJpy",pwd:"A_MONGO_DB_ADMIN_PWD",roles:[{role:"root",db:"admin"}]})
Type ‘exit’ and press ENTER or use CTRL+C to leave the client.
add —auth to service
sudo nano /lib/systemd/system/mongodb.service
correct/add this line
ExecStart=/usr/bin/mongod --auth --unixSocketPrefix=${SOCKETPATH} --config ${CONF} $DAEMON_OPTS
systemctl daemon-reload
OR
cf : tuto Digital Ocean / secure
enable security
sudo nano /etc/mongodb.conf
Turn on/off security. Off is currently the default
#noauth = true
auth = true
restart service
sudo systemctl restart mongodb
sudo systemctl status mongod
test access
mongo
show dbs
—> must show error like :
2019-01-18T22:07:43.656+0000 E QUERY [thread1] Error: listDatabases failed:{
"ok" : 0,
"errmsg" : "not authorized on admin to execute command { listDatabases: 1.0, $db: \"admin\" }",
"code" : 13,
"codeName" : "Unauthorized"
} :
run mongo with admin user
mongo -u AdminMongo -p --authenticationDatabase admin
—> enter password : A_MONGO_DB_ADMIN_PWD
show dbs
test from local terminal
mongo -u AdminMongo -p --authenticationDatabase admin --host XXX.XXX.XXX.XX
create an user for solidata db —> this guy must be added in config_prod.py (secret) in solidata_backend
use solidata
db.createUser({user:"AdminDB",pwd:"A_MONGO_DB_USER_PWD",roles:[{role:"readWrite",db:"solidata"}]})
CONCLUSION
THAT WAY DB IS PROTECTED BY :
- AdminDB + MANDATORY PWD TO CONNECT AND CREATE USERS
- AdminDB USER + MANDATORY PWD TO CONNECT TO CB
- SSH TUNNEL MANDATORY + PASSPHRASE TO CONNECT TO SERVER OR DB
- UFW ONLY ALLOWS SERVER IP AND DEV IP TO ACCESS PORT 2017
- no other way to connect ?…