
HostForLIFE.eu MongoDB Hosting – How To Securely Configure a Production MongoDB Server

If MongoDB is your document store of choice, then this article should help you configure everything securely and properly for a production-ready environment.


Steps

There are two recommended ways to reach the database. The first is to connect securely through an SSH tunnel. The alternative is to allow connections to the database over the internet. Of the two, the SSH tunnel is recommended: it keeps the MongoDB port off the public network entirely.

Connect Over SSH Tunnel

By connecting to your Mongo Virtual Private Server through an SSH tunnel, you avoid a whole class of potential security issues, because mongod never has to listen on a public interface. The caveat is that the VPS must otherwise be locked down, with few or no other ports open. A recommended SSH configuration is key-only authentication, or key plus password; password-only logins should be disabled.

To setup an SSH tunnel, you’ll need to ensure that:

  • You can SSH into your Mongo Droplet
  • Your Mongo instance(s) are bound to localhost

Next, run the following command to initialize the connection:

# The \s are just to multiline the command and make it more readable
ssh \
-L 4321:localhost:27017 \
-i ~/.ssh/my_secure_key \
ssh_user@mongo_db_droplet_host_or_ip

Let’s run through this step-by-step:

  1. SSH tunneling only requires SSH itself – there are no other programs or binaries you need
  2. The `-L` option tells SSH to set up a tunnel: port 4321 on your current machine is forwarded to host `localhost`, port `27017`, as seen from the Mongo Droplet you are SSHing into (that is why the Mongo instance must be bound to localhost on that Droplet)
  3. The `-i` option applies the recommendation made above: authenticate with an SSH key, not a password
  4. `ssh_user@mongo_db_droplet_host_or_ip` is the standard user@host form for establishing an SSH connection

Number 2 is the meat of the instruction. It determines how you tell your applications or services to connect: they use `localhost:4321` on the machine running the tunnel, not the Droplet's address, and the traffic reaches mongod on the Droplet's loopback interface over the encrypted SSH session.
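The wrapper below, an added example that is not part of the original post, opens the same tunnel from Python by invoking the real `ssh` binary, with the hardening options a practitioner would add to the bare command: an explicit loopback bind for the local end, `-N` so no remote shell is started, `ExitOnForwardFailure` so a failed forward is an error rather than a silent login, and `BatchMode` so ssh never falls back to a password prompt. The host, user and key path are placeholders (assumptions), and `wait_for_port` gives the caller a readiness check instead of a guessed `sleep`.

```python
"""Open a local SSH port forward to a remote mongod and hand the local
endpoint to the application. Added example; it shells out to OpenSSH's
`ssh` binary. Host, user and key path below are placeholder assumptions."""
import os
import socket
import subprocess
import time
from contextlib import contextmanager


def build_ssh_args(host, user, key_path, local_port=4321, remote_port=27017):
    """argv for `ssh`, equivalent to the article's -L 4321:localhost:27017 but:
    - local end bound to 127.0.0.1 explicitly (guards against GatewayPorts=yes
      in ssh_config making the tunnel reachable from other hosts);
    - remote end is 127.0.0.1, not `localhost`, so a remote resolver that maps
      localhost to ::1 cannot miss a mongod bound to IPv4 loopback;
    - -N: forward only, no remote shell;
    - ExitOnForwardFailure: ssh exits if the forward cannot be set up;
    - BatchMode: key-only, never prompt for a password."""
    return [
        "ssh",
        "-N",
        "-o", "ExitOnForwardFailure=yes",
        "-o", "BatchMode=yes",
        "-i", os.path.expanduser(key_path),
        "-L", f"127.0.0.1:{local_port}:127.0.0.1:{remote_port}",
        f"{user}@{host}",
    ]


def free_loopback_port():
    """Ask the kernel for a currently unused loopback TCP port."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def wait_for_port(host, port, timeout=5.0, proc=None):
    """True once host:port accepts a TCP connection; False on timeout or if the
    ssh process (when given) has already exited."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        if proc is not None and proc.poll() is not None:
            return False
        try:
            with socket.create_connection((host, port), timeout=0.5):
                return True
        except OSError:
            time.sleep(0.1)
    return False


@contextmanager
def ssh_tunnel(host, user, key_path, local_port=4321, remote_port=27017):
    """Yield the local (host, port) of a live tunnel, then tear it down."""
    proc = subprocess.Popen(build_ssh_args(host, user, key_path, local_port, remote_port))
    try:
        if not wait_for_port("127.0.0.1", local_port, proc=proc):
            raise RuntimeError(f"tunnel on 127.0.0.1:{local_port} did not come up")
        yield ("127.0.0.1", local_port)
    finally:
        proc.terminate()
        proc.wait()


def mongo_uri(local_port=4321, database="admin"):
    """Connection string for the application: the local end of the tunnel."""
    return f"mongodb://127.0.0.1:{local_port}/{database}"


if __name__ == "__main__":
    # Placeholder values (assumptions); substitute your own host, user and key.
    with ssh_tunnel("mongo_db_droplet_host_or_ip", "ssh_user", "~/.ssh/my_secure_key") as (_, port):
        print("tunnel up; point your driver at", mongo_uri(port))
```

The context manager terminates `ssh` on exit, so the forwarded port disappears with the application instead of lingering as an unattended path into the database.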

Connect Over the Internet

If connecting over an SSH tunnel is not an option, you can connect over the internet. There are a few security strategies to consider here.

The first is to use a non-standard port. This is an obfuscation technique only: clients that assume the default port will not connect, and casual probes of port 27017 will find nothing, but a port scan still finds the service.

# In your MongoDB configuration file, change the following line to something other than 27017
port = 27017

Secondly, you’ll want to restrict the interfaces Mongo listens on. `bind_ip` names local addresses of the database server itself, so the value is the address of the interface your application server reaches (ideally a private-network interface), not the application server's own IP. Mongo will then only accept connections arriving on that interface; restricting which source addresses may connect is the job of firewall rules.

# In your MongoDB configuration file, keep loopback and add only the local interface
# your application server reaches (comma-separated); never use 0.0.0.0
bind_ip = 127.0.0.1

Lastly, use MongoDB’s authentication feature and set a username and password. To set this up, connect to the MongoDB shell as an admin with the `mongo` command and add a user, then turn authentication on by setting `auth = true` in the configuration file and restarting mongod; until `auth` is enabled, the users you created are not enforced. Once that’s done, make sure you add the new username/password to your MongoDB connection strings.

Conclusion


Please consider the above a starting point and not the be-all and end-all of MongoDB security. A key factor NOT covered here is server firewall rules, which are what actually limit the source addresses allowed to reach the MongoDB port. To see the 10gen firewall recommendations for MongoDB, head to their security documentation.