Launch mongodb with high security on the server

Hello to all friends.
I have been running mongodb on my server for some time.
But I cannot enable its security. As a result, my database was hacked and all my information was lost.

My problem is that my Meteor software does not run without replication. Without replication, I can enable security and access the database by creating a user, but then the Meteor software cannot connect to the database, even though I am sure I entered the username and password correctly.
I get this error:

Error: $MONGO_OPLOG_URL must be set to the 'local' database of a Mongo replica set

Here are my settings:

{
  "apps": [
    {
      "name": "ghadr",
      "cwd": "/home/Ghadr/Ghadr",
      "script": "main.js",
      "instances": 1,
      "env": {
        "NODE_ENV": "staging",
        "WORKER_ID": "0",
        "PORT": "3000",
        "ROOT_URL": "http://ghadr.org",
        "MONGO_URL": "mongodb://username:password@127.0.0.1:27017/meteor?authSource=admin",
        "MONGO_OPLOG_URL": "mongodb://username:password@127.0.0.1:27017/local?authSource=admin",
        "HTTP_FORWARDED_COUNT": "1"
      }
    }
  ]
}

I also created the database user with the following command:

use admin
db.createUser(
  {
    user: "username",
    pwd: "password",
    roles: [
      { role: "userAdminAnyDatabase", db: "admin" },
      { role: "readWrite", db: "meteor" },
      { role: "readWrite", db: "local" },
      "readWriteAnyDatabase",
      "dbAdminAnyDatabase"
    ]
  }
)

In short, with what I said, Meteor does not connect to the database. I even deleted “MONGO_OPLOG_URL” but still got the same error, even though I thought defining this variable was not mandatory.

I also did not understand the correct way to enable security with replication.
Note: my Meteor software and my database are on the same server.

Please Help Me … :woozy_face: :woozy_face: :woozy_face: :woozy_face: :woozy_face:

I do not like at all that no one has experience running this on a VPS server.

Please help me, I just want to run MongoDB securely on my server,
so that Meteor can connect to it.
Only this.
Tip: I run both MongoDB and Meteor on one server.

Typically you always enable a firewall or private network so that by default there are NO open ports … disable all incoming port traffic on all your boxes, then launch a reverse proxy ( nginx or haproxy ) on the box(es) to which you map your domain's DNS ( the box which is exposed to the internet ), then ONLY on this exposed box you open up ports 22, 80 and 443 … then in the reverse proxy config redirect traffic from 80 to 443 and terminate TLS in your reverse proxy … then the reverse proxy will forward internet traffic on those ports to your internal servers, which listen on say 3000 or anything other than 80 and 443 … a simple setup could be

internet <–> nginx <–> your server <–> your database

This way ONLY the reverse proxy is exposed to the internet and NONE of your own servers ever directly listen to the internet ( ports 80 and 443 ) … I have set up my system this way and all runs just fine, including mongo with or without replication … it goes without saying that you MUST set up TLS as part of your reverse proxy to enable encrypted traffic from your internet clients ( https and not http ) … use the free letsencrypt to create and refresh your TLS certs

Also in your sshd config you disable the username and password login technique on all of your machines … this forces all logins to use ssh key pairs … never ever allow login to a box using a username and password, that is so 20th century … this is very important and will block all the various script kiddie hacks … keep in mind every internet exposed box is under attack at all times; every few seconds in my reverse proxy logs I can see yet another hack connection attempt, which is thwarted because I have disabled the password login technique … this is life so get prepared

Did I know how to do any of this before becoming the first employee of a software startup? No … it took me months of struggle with hard core battles to discover even what the questions are, say nothing about actually implementing what I needed to do to set up the above … will it take you 4 days to learn this? … more like 4 months if you're lucky, assuming you previously have really learned how to learn … good luck

6 Likes
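The post above states the sshd point as a principle. The script below is an added example, not part of this thread or of any participant's setup: it checks whether an sshd_config actually disables password logins. sshd uses the first value it sees for a keyword, so a "PasswordAuthentication no" appended at the end of the file is ignored when an earlier line already says "yes", and keyboard-interactive (PAM) authentication can still prompt for the account password when only PasswordAuthentication is turned off. It assumes a stock OpenSSH sshd_config layout; the two sample files are constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: check whether an sshd_config really
# disables password logins. Run it against /etc/ssh/sshd_config; the sample
# files below are constructed.

# Print the effective (first) value of a keyword, lowercased, or nothing if it
# is never set. Comments are stripped; parsing stops at the first Match block,
# whose settings are conditional. Simplifications: the "Keyword=value" form
# and Include directives are not expanded (see the note on sshd -T).
sshd_effective() {
  awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
    { sub(/#.*/, "") }
    NF == 0 { next }
    tolower($1) == "match" { exit }
    tolower($1) == key { print tolower($2); exit }
  ' "$2"
}

# Exit 0 only if both password paths are closed. sshd defaults both keywords
# to yes, so an unset keyword counts as enabled. ChallengeResponseAuthentication
# is the older name of KbdInteractiveAuthentication.
password_login_disabled() {
  pw=$(sshd_effective PasswordAuthentication "$1")
  kbd=$(sshd_effective KbdInteractiveAuthentication "$1")
  if [ -z "$kbd" ]; then
    kbd=$(sshd_effective ChallengeResponseAuthentication "$1")
  fi
  [ "${pw:-yes}" = "no" ] && [ "${kbd:-yes}" = "no" ]
}

# Constructed samples. The weak one shows the first-match trap: the final
# "no" never takes effect.
SAMPLE_WEAK=$(mktemp)
SAMPLE_HARDENED=$(mktemp)
trap 'rm -f "$SAMPLE_WEAK" "$SAMPLE_HARDENED"' EXIT
cat >"$SAMPLE_WEAK" <<'EOF'
# constructed: a typical image with password logins left on
PasswordAuthentication yes
PermitRootLogin yes
KbdInteractiveAuthentication yes
# appended later by an admin; sshd ignores it because of the earlier "yes"
PasswordAuthentication no
EOF
cat >"$SAMPLE_HARDENED" <<'EOF'
# constructed: key-only logins, as the post recommends
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin prohibit-password
EOF

# Human-readable verdict for one config file.
audit() {
  if password_login_disabled "$1"; then
    printf '%s: OK, password logins disabled\n' "$1"
  else
    printf '%s: WEAK, PasswordAuthentication=%s KbdInteractiveAuthentication=%s\n' \
      "$1" "$(sshd_effective PasswordAuthentication "$1")" \
      "$(sshd_effective KbdInteractiveAuthentication "$1")"
  fi
}

audit "$SAMPLE_WEAK"
audit "$SAMPLE_HARDENED"
```

On a real host, run `audit /etc/ssh/sshd_config` as root, and cross-check with `sshd -T`, which prints the configuration sshd actually loaded, including anything pulled in through Include directives (Ubuntu's default sshd_config includes /etc/ssh/sshd_config.d/*.conf, which this simple parser does not follow).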

I think this is a long and difficult process.
The way is very simple, I just have to define my username and password for my mongodb.
And I can connect to the database in meteor with that username and password.
But I do not understand how to do this.

@planckdensity Perhaps an example makes the issue more understandable

I installed MongoDB on my Ubuntu server. Here is part of the /etc/mongod.conf file:

# network interfaces
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled

and these are some Meteor settings:

Environment=MONGO_URL=mongodb://user:passwd@127.0.0.1:27017/database_name?authSource=admin
#Environment=MONGO_OPLOG_URL=mongodb://user:passwd@127.0.0.1:27017/local?authSource=admin
1 Like

@minhna Is the line related to MONGO_OPLOG_URL commented out?
That means MONGO_OPLOG_URL should not be defined?

@minhna Which version of MongoDB did it work with?
Is there a need for replication?

MongoDB 4.2.14.
No replication setup.

It works without MONGO_OPLOG_URL.
At first I tried with the oplog URL, but with the recent Meteor version it doesn't need that one.

You cannot have an oplog URL without a replica set. The easiest way is to use the free tier of MongoDB Atlas or any other hosted MongoDB provider.

The other cheap way is to create a replica set on the same instance. It is not recommended because it mars the purpose of improving availability and backups, but I had been using it till very recently. There are lots of tutorials on the web, e.g.: Setup MongoDB Replica Set - Example

Additionally, since you run your db and app on the same instance, simply firewall the MongoDB port via your VPS provider and you will be secure. If it is firewalled, there can be only 2 options:

  1. Your instance itself is hacked - which is a real possibility if you use password logins
  2. Your app itself is insecure - kindly check and address your allow/deny rules

As a side note, even if you are running a small MVP app, you should think of moving your db to a separate instance. Simple reason being that your db instance, once finalized, will rarely need reconfiguration, while your app instance will probably keep on changing/getting modified. Plus, separate performance metrics will help you figure out if you need to fix your queries or your code.

1 Like
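Putting the last two answers together (minhna's loopback-only mongod.conf with authorization enabled, and the suggestion above to run a replica set on the same instance behind a firewall), the script below is an added example that is not from the thread or from any participant's server. It renders a one-member replica-set configuration with authentication, a least-privilege application user instead of the *AnyDatabase roles used in the question, and the two Meteor URIs, and it can apply them on a fresh install. Assumptions: Ubuntu with mongod from the official MongoDB packages (config /etc/mongod.conf, service "mongod", running as user mongodb), mongosh installed, ufw as the host firewall; RS_NAME, APP_DB, the key file path and the "read on local" role for the oplog reader are the example's own choices.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: single-server mongod as a one-member
# replica set with authentication, so Meteor gets its oplog while 27017 stays
# closed to the internet. Assumptions: Ubuntu, official MongoDB packages
# (/etc/mongod.conf, service "mongod", user mongodb), mongosh, ufw.
# RS_NAME, APP_DB and KEYFILE are placeholders; change them as needed.
set -u

RS_NAME=rs0
APP_DB=meteor
KEYFILE=/etc/mongod.keyfile

# Full /etc/mongod.conf for one loopback-only member. On a replica-set member
# mongod requires security.keyFile when authorization is enabled (and keyFile
# implies authorization: enabled), so the key file is needed even with a
# single member. Paths are the Ubuntu package defaults.
render_mongod_conf() {
  cat <<EOF
storage:
  dbPath: /var/lib/mongodb
systemLog:
  destination: file
  path: /var/log/mongodb/mongod.log
  logAppend: true
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
  keyFile: $KEYFILE
replication:
  replSetName: $RS_NAME
EOF
}

# Least-privilege application user: readWrite on the app database plus read on
# "local" for oplog tailing (assumption: that is all the Meteor oplog reader
# needs; check the Meteor guide for your version). No *AnyDatabase roles.
render_create_user() {
  cat <<EOF
db.getSiblingDB("admin").createUser({
  user: "$1",
  pwd: "$2",
  roles: [
    { role: "readWrite", db: "$APP_DB" },
    { role: "read", db: "local" }
  ]
})
EOF
}

# Meteor environment: both URIs carry replicaSet so the driver discovers the
# set, and the oplog URI points at "local". Percent-encode the password first
# if it contains characters such as @ : / ? & or %.
render_meteor_env() {
  printf 'MONGO_URL=mongodb://%s:%s@127.0.0.1:27017/%s?authSource=admin&replicaSet=%s\n' \
    "$1" "$2" "$APP_DB" "$RS_NAME"
  printf 'MONGO_OPLOG_URL=mongodb://%s:%s@127.0.0.1:27017/local?authSource=admin&replicaSet=%s\n' \
    "$1" "$2" "$RS_NAME"
}

# Apply on a FRESH mongod as root: write key file and config, initiate the set,
# create the app user through the localhost exception (no users exist yet), and
# close every port except the reverse proxy's. If users already exist, add
# "-u <admin> -p --authenticationDatabase admin" to each mongosh call.
apply() {
  openssl rand -base64 756 > "$KEYFILE"
  chown mongodb:mongodb "$KEYFILE"
  chmod 400 "$KEYFILE"
  render_mongod_conf > /etc/mongod.conf
  systemctl restart mongod
  mongosh --quiet --eval "rs.initiate({ _id: '$RS_NAME', members: [{ _id: 0, host: '127.0.0.1:27017' }] })"
  # wait until this member is PRIMARY before creating users
  mongosh --quiet --eval 'while (rs.status().myState !== 1) sleep(500)'
  render_create_user "$1" "$2" | mongosh --quiet
  ufw default deny incoming
  ufw allow 22/tcp
  ufw allow 80/tcp
  ufw allow 443/tcp
  ufw --force enable
  render_meteor_env "$1" "$2"
}

# "show" (default) only prints what would be written; "apply USER PASSWORD"
# changes the system.
case "${1:-show}" in
  apply)
    apply "${2:?app user}" "${3:?app password}" ;;
  show)
    render_mongod_conf
    echo
    render_create_user appuser CHANGE_ME
    echo
    render_meteor_env appuser CHANGE_ME ;;
esac
```

Run it without arguments to review the rendered configuration, then `sudo ./setup-mongo-rs.sh apply <user> <password>` on the database host (the file name is an example). Because mongod binds to 127.0.0.1 and ufw denies incoming traffic by default, the database is reachable only by processes on the same box, which is exactly the situation in the question; the replica set exists purely so that Meteor can tail the oplog.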