Disabling connections to mongodb server without a password

Aytek_Ustundag · 2023-06-01T16:57:29.375Z

Hello, I am a long time mongodb user. I recently found out that even I set a password to my mongodb and set security features from my mongod.cfg like

security:
authorization: enabled
setParameter:
enableLocalhostAuthBypass: false

If it is binded to 0.0.0.0, any user can connect to my database from remote.

When they connect to the database without a password, they cant see databases or collections but can run scripts. Even if they cant read or write to database, this is a security risk even if they can run simple scripts they can consum cpu etc…

Am I missing something? I tried a lot of parameters. I want only authenticated people to connect to the database.

kevinadi · 2023-06-02T02:23:34.866Z

Hi @Aytek_Ustundag welcome to the community!

Aytek_Ustundag:

I want only authenticated people to connect to the database.

I’d like to turn that question around. What if you deliberately restrict everyone from connecting to the database?

Of course this depends on your use case. However, if the goal is to provide data access to many people in a limited context (e.g. they’re not DBAs), then how about creating an e.g. REST API interface in front of the database? This way, you can put the database behind very secure firewall, and only allow connection from the REST API app. As a bonus, it can act as a shield since it’s not possible for people to accidentally call db.collection.drop() unless your API allows it.

Best regards
Kevin