Recently there have been a lot of ransom hacks on unsecured MongoDB servers. Many people have fallen victim to them because of an insecure MongoDB setup or because a few details were overlooked during setup.
Even among servers set up with secure, authenticated settings, a few have been hacked within seconds during an upgrade or re-installation, because of the automated scripts set up by the hackers.
More on the MongoDB ransom hack: https://nakedsecurity.sophos.com/2017/01/11/thousands-of-mongodb-databases-compromised-and-held-to-ransom/
To solve these issues, my friend Prady and I have come up with an easy and scalable MongoDB setup using Docker. We did this setup on a Virtual Private Server (VPS) running Ubuntu 14.04 on DigitalOcean.
To start with, we need to create a directory on our server where the database will actually reside, i.e. the physical location of our database.
Let’s assume that our application name is “Sample” and name our containers, database and spaces appropriately.
mkdir ~/sample_db
Create the mongodb container on a port of your choice.
As we all know, 27017 is the default port for mongodb. Let’s make it less obvious by creating our mongodb container on a custom port.
sudo docker run -d -p YOUR_PORT:27017 -v ~/sample_db:/data/db mongo
List all docker containers
sudo docker ps
You can give your docker container a name that is easy to remember, based on the application name or something of your choice. If you don't, docker assigns something random like “thirsty_roentgen”.
Rename the docker container
sudo docker rename thirsty_roentgen sampledb
We have created a docker container, but there is no authentication on it. Without authentication, the mongodb container can be accessed only locally, i.e. when you tunnel into your server using your ssh credentials.
To expose it to the outside world, you need to create the mongodb container with authentication enabled.
Since you are already running a container, simply adding --auth
docker run --name sampledb -d mongo --auth
will result in an error as follows
The container name "/sampledb" is already in use by container a2ddcec52f17d95ba067ab4e4e52621b74f762a3a2e2024e1a7852d592192b5c. You have to remove (or rename) that container to be able to reuse that name.
We need to stop the current mongodb instance, remove it, and recreate it with authentication enabled
docker stop sampledb
docker rm sampledb
Creating mongodb container with name sampledb and authentication enabled (--auth)
sudo docker run -d --name sampledb -p 29019:27017 -v ~/sample_db:/data/db mongo --auth
List the containers
sudo docker ps
Run the mongodb instance with admin database
docker exec -it sampledb mongo admin
This enters the mongodb shell. Now create the admin user.
Creating the admin user for the mongodb server
db.createUser({ user: 'sample_admin', pwd: 'p@ssword', roles: [ { role: "userAdminAnyDatabase", db: "admin" } ] });
Running mongodb with specified user and password
docker exec -it sampledb mongo -u sample_admin -p p@ssword --authenticationDatabase admin
enters mongodb shell
creating required database
use mydatabase
creating admin APP user for db security
db.createUser({ user: 'mydb_admin', pwd: 'myp@ss', roles: ["readWrite", "dbAdmin"] });
and then create your required collections
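To confirm that the container that ends up running matches the steps above, the following added example (not part of the original post) audits `docker inspect` output for a mongod started without --auth, a published default port, and an unauthenticated port published on all host interfaces. The sample JSON, the container name olddb and the file name audit.py are constructed for illustration; it assumes Docker's default behaviour of binding a published port to all interfaces when -p is given no host IP.

```python
import json
import sys

# Constructed `docker inspect` output (sample data, not from a real host).
# "sampledb" mirrors the final command in the post; "olddb" is a hypothetical
# container started without --auth on the default port.
SAMPLE_INSPECT = json.loads("""
[
  {"Name": "/sampledb", "Args": ["--auth"],
   "Config": {"Image": "mongo", "Cmd": ["--auth"]},
   "HostConfig": {"PortBindings":
       {"27017/tcp": [{"HostIp": "", "HostPort": "29019"}]}}},
  {"Name": "/olddb", "Args": ["mongod"],
   "Config": {"Image": "mongo", "Cmd": ["mongod"]},
   "HostConfig": {"PortBindings":
       {"27017/tcp": [{"HostIp": "", "HostPort": "27017"}]}}}
]
""")

def audit_container(c):
    """Return a list of findings for one `docker inspect` entry."""
    findings = []
    # Only detects the --auth flag as used in the post; authorization enabled
    # through a mongod config file would not show up here.
    argv = (c.get("Config", {}).get("Cmd") or []) + (c.get("Args") or [])
    auth = "--auth" in argv
    if not auth:
        findings.append("mongod started without --auth")
    ports = c.get("HostConfig", {}).get("PortBindings") or {}
    for b in ports.get("27017/tcp") or []:
        host_ip = b.get("HostIp") or "0.0.0.0"  # empty HostIp = all interfaces
        if b.get("HostPort") == "27017":
            findings.append("published on default port 27017")
        if host_ip in ("0.0.0.0", "::") and not auth:
            findings.append("no authentication and published on all "
                            f"interfaces ({host_ip}:{b.get('HostPort')})")
    return findings

def audit(inspect_json):
    """Map container name -> findings for a parsed `docker inspect` list."""
    return {c["Name"].lstrip("/"): audit_container(c) for c in inspect_json}

if __name__ == "__main__":
    # `sudo docker inspect sampledb | python3 audit.py -` audits a live container.
    use_stdin = len(sys.argv) > 1 and sys.argv[1] == "-"
    data = json.load(sys.stdin) if use_stdin else SAMPLE_INSPECT
    for name, findings in audit(data).items():
        print(name, findings or "OK")
```

Run without arguments it audits the constructed sample; an empty findings list for sampledb means the container was started as in the final `docker run` command of the post.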
In the next part of this series, we'll show you how to connect to this secured mongodb setup using robomongo.