a guest
Jan 17th, 2017
# MongoDB 3.2.x Security

## Network Ports
The standard ports used by mongo are:

<table>
<thead>
<tr><th>Process</th><th>Role</th><th>Default Port</th></tr>
</thead>
<tbody>
<tr><td>mongod</td><td>Stand-alone</td><td>27017</td></tr>
<tr><td></td><td>--shardsvr</td><td>27018</td></tr>
<tr><td></td><td>--configsvr</td><td>27019</td></tr>
<tr><td>mongos</td><td>n/a</td><td>27017</td></tr>
<tr><td>mongod</td><td>Status page (off)</td><td>+1000</td></tr>
</tbody>
</table>

You should limit access to the mongo servers using firewall rules that specify the IP addresses allowed to connect to the database. You can change the default ports, but this will not stop an automated script.

You can also limit which interfaces mongo listens on by setting ```bindIp: 10.23.22.11``` in the mongod.conf.

Remember that replica sets/shards listen on 27018 and the config server listens on 27019.
  24.  
## Mongo with SSL
You can enable SSL on your Mongo server by setting it in your mongod.conf.

```yaml
net:
  ssl:
    mode: requireSSL
    PEMKeyFile: /certs/example_cert.pem
    PEMKeyPassword: myPassword
    CAFile: /certs/cacert.pem
```

You can have four different modes:

* requireSSL - Clients must use SSL.
* allowSSL - Clients may or may not use SSL. Servers do not use SSL to talk to other servers.
* preferSSL - Clients may or may not use SSL. Servers will use SSL to talk to other servers.
* disabled - Do not use SSL. This is the default.

The PEMKeyFile is the certificate. Its subject should be the fully qualified server name, i.e. ```mongo0.example.com```. The location of your certificates should also be protected using file permissions.
  43.  
## Connecting to a Mongo using SSL
To connect to a mongo instance using the shell you need to do:

```shell
mongo --ssl --sslCAFile /certs/cacert.pem --host mongo0.example.com --sslPEMKeyFile /certs/example_cert.pem --sslPEMKeyPassword myPassword
```

## Check the Server Security Status

```javascript
db.serverStatus().security
{
  "SSLServerSubjectName": "emailAddress=demo@example.com,CN=mongo0.example.com,OU=HQ,O=Plus N,ST=CA,C=US",
  "SSLServerHasCertificateAuthority": true,
  "SSLServerCertificateExpirationDate": ISODate("2020-12-31T23:00:00Z")
}
```
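The fields above are the ones worth checking on a schedule: the certificate CN should be the server's fully qualified name, a CA should be configured, and the certificate should not be close to expiry. The following is an added example (not code from the original notes) that audits a `serverStatus().security` document against those three expectations; it runs under Node.js, and the `sampleStatus` document is constructed to mirror the output shown above rather than captured from a live server. The `expectedHost`, `now` and `warnDays` parameters are this example's own.

```javascript
// Added example: audit db.serverStatus().security for certificate hygiene.
// Plain ES5 JavaScript so the functions also paste into the mongo shell
// (there you would pass db.serverStatus().security instead of sampleStatus).

// Parse an OpenSSL-style subject ("emailAddress=a@b,CN=host,OU=HQ,...")
// into an object keyed by attribute type.
function parseSubject(subject) {
  var out = {};
  subject.split(',').forEach(function (part) {
    var idx = part.indexOf('=');
    if (idx > 0) {
      out[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
    }
  });
  return out;
}

// Return a list of findings; an empty list means the status looks healthy.
// `now` is injected rather than read from the clock so the check is
// deterministic; `warnDays` is the lead time before expiry that raises a warning.
function auditSecurityStatus(security, expectedHost, now, warnDays) {
  var findings = [];
  if (!security || !security.SSLServerSubjectName) {
    findings.push('SSL is not configured: serverStatus().security has no certificate');
    return findings;
  }
  var cn = parseSubject(security.SSLServerSubjectName).CN;
  if (cn !== expectedHost) {
    findings.push('certificate CN "' + cn + '" does not match expected host "' + expectedHost + '"');
  }
  if (security.SSLServerHasCertificateAuthority !== true) {
    findings.push('no CA file configured: peer certificates cannot be validated');
  }
  var expires = new Date(security.SSLServerCertificateExpirationDate);
  var msLeft = expires.getTime() - now.getTime();
  var daysLeft = Math.floor(msLeft / 86400000);
  if (msLeft <= 0) {
    findings.push('certificate expired on ' + expires.toISOString());
  } else if (daysLeft < warnDays) {
    findings.push('certificate expires in ' + daysLeft + ' days');
  }
  return findings;
}

// Constructed sample mirroring the output shown above (not from a live server).
var sampleStatus = {
  SSLServerSubjectName: 'emailAddress=demo@example.com,CN=mongo0.example.com,OU=HQ,O=Plus N,ST=CA,C=US',
  SSLServerHasCertificateAuthority: true,
  SSLServerCertificateExpirationDate: new Date('2020-12-31T23:00:00Z')
};

// Usage: warn 30 days ahead of expiry; an empty array means nothing to report.
console.log(auditSecurityStatus(sampleStatus, 'mongo0.example.com', new Date('2020-06-01T00:00:00Z'), 30));
```

Because the expiry date is compared against an injected `now`, the same function can be run against a stored copy of yesterday's status to confirm a renewal actually took effect.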
  57.  
## Users & Roles
There are a number of predefined roles:

* root - All powerful. Use with caution.
* userAdminAnyDatabase - Can create users and assign roles on any database. Use with caution.
* userAdmin - Can only create users and assign roles in a specific database.
* read - Read collections in a specific database.
* readWrite - Read and write to a specific database.

### Enabling Authentication
To enable authentication you need to ensure that the following lines are added to the ```mongod.conf```:

```yaml
security:
  authorization: enabled
```

Then restart mongo. You can connect to a local mongo with the shell while there are no users defined. This is called the localhost exception. It allows you to gain access so that you can start setting up the users. Once the first user is created the localhost exception no longer applies.

### First User
The first user should be an admin user that can manage the database.

```javascript
use admin

var adminUser = {
  "user": "adminUser",
  "pwd": "mypassword",
  "readOnly": false,
  "roles": [
    {
      "role": "userAdminAnyDatabase",
      "db": "admin"
    }
  ]
}

db.createUser(adminUser)
```

The ```readOnly: false``` option gives the adminUser readWrite access to all databases.

#### Reporting User
Change the database to the applicationDB unless you want to have central authentication using the admin database.

```javascript
use applicationDB
var rptUser = {user: 'rptUser', pwd: '1234', roles: [{role: 'read', db: 'mydatabase'}]}
db.createUser(rptUser)
```

#### Application

```javascript
use applicationDB
var appUser = {user: 'appUser', pwd: '1234', roles: [{role: 'readWrite', db: 'mydatabase'}]}
db.createUser(appUser)
```

### Deleting a user

```javascript
db.dropUser("fred")
```

### Add Roles to Users
If we want the adminUser to be able to read and write to the database, we can grant this role to the user. The admin user can manage users and roles.

```javascript
db.grantRolesToUser("adminUser", ["readWrite"])
```

When the role is expressed as a string, i.e. "readWrite", it is taken to mean the current database.

To give access to a specific database:

```javascript
db.grantRolesToUser("fred", [{role: "read", db: "mydatabase"}])
```

To remove a role from a user:

```javascript
db.revokeRolesFromUser("fred", ["read"])
```
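The string shorthand is where role grants drift from what was intended: `"readWrite"` typed while in `admin` is `readWrite` on `admin`, not on the application database. The following added example (not code from the original notes) expands role specs exactly as the shell does and then audits user documents against an expected-roles policy, so a user holding `root`, `userAdminAnyDatabase` or any role not in the policy is reported. It runs under Node.js; the user documents are constructed to resemble `system.users` entries for the users created above, and `SENSITIVE_ROLES`, `expandRoles`, `auditUser` and the policy format are this example's own.

```javascript
// Added example: expand shell role shorthand and audit users for least privilege.

// Roles that should only ever be held by a deliberately chosen admin account.
var SENSITIVE_ROLES = ['root', 'userAdminAnyDatabase'];

// Expand one role spec (bare string or {role, db}) to the explicit form.
// A bare string refers to the database the shell is currently using.
function normalizeRole(spec, currentDb) {
  if (typeof spec === 'string') {
    return { role: spec, db: currentDb };
  }
  if (spec && typeof spec.role === 'string' && typeof spec.db === 'string') {
    return { role: spec.role, db: spec.db };
  }
  throw new Error('invalid role spec: ' + JSON.stringify(spec));
}

// The explicit role list a grantRolesToUser call would apply from `currentDb`.
function expandRoles(specs, currentDb) {
  return specs.map(function (s) { return normalizeRole(s, currentDb); });
}

// Audit one user document. `policy` maps a user name to the roles it is
// expected to hold, written as "role@db" strings; anything else is a finding,
// and sensitive roles are called out explicitly.
function auditUser(user, policy) {
  var findings = [];
  var expected = policy[user.user] || [];
  user.roles.forEach(function (r) {
    var key = r.role + '@' + r.db;
    if (expected.indexOf(key) !== -1) {
      return;
    }
    var label = SENSITIVE_ROLES.indexOf(r.role) !== -1 ? 'sensitive role ' : 'unexpected role ';
    findings.push(user.user + ': ' + label + key);
  });
  return findings;
}

// Audit every user document and return the combined findings.
function auditUsers(users, policy) {
  return users.reduce(function (acc, u) { return acc.concat(auditUser(u, policy)); }, []);
}

// Constructed policy: what the users set up above are supposed to hold.
var samplePolicy = {
  adminUser: ['userAdminAnyDatabase@admin', 'readWrite@admin'],
  rptUser: ['read@mydatabase'],
  appUser: ['readWrite@mydatabase']
};

// Constructed user documents in the shape of system.users entries; rptUser has
// picked up an extra dbOwner role and fred holds root, both of which should be reported.
var sampleUsers = [
  { user: 'adminUser', db: 'admin', roles: expandRoles(['userAdminAnyDatabase', 'readWrite'], 'admin') },
  { user: 'rptUser', db: 'applicationDB', roles: [{ role: 'read', db: 'mydatabase' }, { role: 'dbOwner', db: 'mydatabase' }] },
  { user: 'appUser', db: 'applicationDB', roles: [{ role: 'readWrite', db: 'mydatabase' }] },
  { user: 'fred', db: 'admin', roles: [{ role: 'root', db: 'admin' }] }
];

// Usage: in the shell, feed db.getSiblingDB('admin').system.users.find().toArray() instead.
console.log(auditUsers(sampleUsers, samplePolicy));
```

Keeping the policy in version control beside the deployment makes a role added by hand during an incident show up at the next audit instead of silently persisting.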
  127.  
  128.  
### Viewing user Details
There are two ways to view the user details:

```javascript
show users
```

or, if you can read the ```system.users``` collection, you can just query it.

## Authentication Database
It is quite possible to authenticate against a different database from the one you are using. For example you may have a number of databases but only one central user database. The user will still only have the rights on the databases that have been assigned to it, regardless of the authentication rights on the user database. To log on using a specific authentication database:

```shell
mongo --username fred --password mypassword --authenticationDatabase userdatabase
```

## Logging in and out from the mongo Shell

```javascript
db.logout()
db.auth("fred", "mypassword")
```

## Intra Cluster Authentication
To ensure that all members of a cluster (replica set, shards, or both) are genuine you can give each one a key file containing a shared secret. The key file has the following properties:

* Arbitrary content
* 6-1024 characters
* Base64 characters only
* User-only file read permissions

You need to specify the key file in the mongod.conf.
  155.  
### Server1

```yaml
storage:
  dbPath: /data

replication:
  replSetName: rs1

security:
  keyFile: /certs/clusterKeyFile.txt
  clusterAuthMode: sendKeyFile

net:
  port: 27017
  ssl:
    mode: requireSSL
    PEMKeyFile: /certs/clusterHost1_complete.pem
    PEMKeyPassword: mypassword
    CAFile: /certs/cacert.pem
```

### Server2

```yaml
storage:
  dbPath: /data

replication:
  replSetName: rs1

security:
  keyFile: /certs/clusterKeyFile.txt
  clusterAuthMode: sendKeyFile

net:
  port: 27017
  ssl:
    mode: requireSSL
    PEMKeyFile: /certs/clusterHost2_complete.pem
    PEMKeyPassword: mypassword
    CAFile: /certs/cacert.pem
```

### Initiating a replica set using SSL Certs
When you initialize a set whose members are using certs, you need to specify the exact host names as they appear in the certs:

```javascript
var cfg = { _id: "rs1", members: [{_id: 0, host: "host1.example.com:27017"}, {_id: 1, host: "host2.example.com:27017"}] }
rs.initiate(cfg)
```

You then need to create the ```superUser``` so that you can view the ```rs.status()``` or ```rs.config()```.

```javascript
use admin
db.createUser({ "user": "root", "pwd": "mypassword", "roles": ["root"]})
```

Then log in as this user:

```javascript
db.auth("root", "mypassword")
rs.config()
```

That means the replica set is running with SSL, authentication is enabled, and it is using a key file to authenticate the members of the cluster.