Secure Your MongoDB: A Guide to SCRAM Authentication & Best Practices

Mydbops
Jun 19, 2024
15 Mins to Read


Enable SSL/TLS encryption to ensure that all data transmitted between the client and server is encrypted. This protects against eavesdropping and other types of network attacks.

Use Role-Based Access Control

Use role-based access control (RBAC) to restrict access to the database. With RBAC, you can define roles that determine the actions that users can perform on the database.

Regularly Update MongoDB

Regularly update MongoDB to the latest version to ensure that you have the latest security updates and bug fixes.

Enable Auditing

Enable auditing to track all database activities. Auditing allows you to identify and respond to security threats quickly.

Use a Firewall

Use a firewall to restrict network access to the MongoDB server, so that only authorized IP addresses can reach the database.

Securing MongoDB authentication is critical to protecting your database from unauthorized access. By following the best practices discussed in this blog, you can ensure that your MongoDB database is secure and protected from cyber threats.

Deep Dive SCRAM

We will dive into SCRAM and understand how it works, its benefits and best practices for using it.

What is SCRAM

The Salted Challenge Response Authentication Mechanism (SCRAM) is an authentication mechanism used to secure connections between clients and MongoDB. It's based on a cryptographic hash function that uses a secret key, known only to the client and the server, to generate a message authentication code (MAC). The mechanism is specified in the IETF standard RFC 5802.

SCRAM is a challenge-response mechanism that consists of the following steps:

[Figure: MongoDB SCRAM Authentication]
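To make the challenge-response concrete, here is an added Python sketch (not from the original post or from MongoDB's own code) of the SCRAM-SHA-256 flow from RFC 5802, with the client and server computations side by side. The user, password, salt, nonces and iteration count are constructed demo values, and SASLprep is skipped because the password is plain ASCII.

```python
import base64
import hashlib
import hmac

# Constructed demo values; a real deployment uses a random per-user salt and random nonces.
USERNAME = "Root_User"
PASSWORD = "My_Root_123"
ITERATIONS = 15000               # MongoDB's default iteration count for SCRAM-SHA-256
SALT = b"0123456789abcdef"


def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def derive_stored_credentials(password, salt, iterations):
    """What the server keeps: StoredKey and ServerKey (RFC 5802 section 3), never the password."""
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = hmac_sha256(salted, b"Client Key")
    return hashlib.sha256(client_key).digest(), hmac_sha256(salted, b"Server Key")


def scram_exchange(username, password, salt, iterations, stored_key, server_key,
                   client_nonce="cnonce1", server_nonce="snonce1"):
    """Run the SCRAM-SHA-256 message flow; return (server_accepted_client, client_accepted_server)."""
    client_first_bare = f"n={username},r={client_nonce}"
    combined_nonce = client_nonce + server_nonce
    server_first = f"r={combined_nonce},s={base64.b64encode(salt).decode()},i={iterations}"
    client_final_bare = f"c=biws,r={combined_nonce}"          # c=biws is base64("n,,")
    auth_message = f"{client_first_bare},{server_first},{client_final_bare}".encode()

    # Client: rebuild the keys from the password and prove knowledge of ClientKey.
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = hmac_sha256(salted, b"Client Key")
    client_sig = hmac_sha256(hashlib.sha256(client_key).digest(), auth_message)
    client_proof = xor_bytes(client_key, client_sig)

    # Server: recover ClientKey from the proof and check H(ClientKey) == StoredKey.
    recovered_key = xor_bytes(client_proof, hmac_sha256(stored_key, auth_message))
    if not hmac.compare_digest(hashlib.sha256(recovered_key).digest(), stored_key):
        return False, False

    # Server proves it holds ServerKey; the client verifies it (mutual authentication).
    server_sig = hmac_sha256(server_key, auth_message)
    expected = hmac_sha256(hmac_sha256(salted, b"Server Key"), auth_message)
    return True, hmac.compare_digest(server_sig, expected)
```

Only the proof (ClientKey XOR ClientSignature) crosses the wire, so a passive observer never sees the password or a reusable key.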

Benefits of SCRAM

There are several benefits of using SCRAM for authentication in MongoDB:

  • Strong security: SCRAM provides a strong security mechanism by using a hash function to generate the client key and MAC. This ensures that the password is never sent over the network and provides a secure way to authenticate the user.
  • Support for multiple iterations: SCRAM supports multiple iterations for the hash function, making it more resistant to brute-force attacks.
  • Compatibility with many drivers: SCRAM is compatible with many MongoDB drivers, making it easy to use with different programming languages.
  • Scalability: SCRAM can scale to support large numbers of users and connections, making it a good choice for large-scale applications.

Best Practices for Using SCRAM

Use Strong Passwords

SCRAM relies on strong passwords to ensure that user accounts are secure. Make sure to enforce password policies that require users to choose complex passwords. This includes requiring passwords to be a certain length, contain uppercase and lowercase letters, and include numbers and special characters.

Rotate Passwords Regularly

Periodically rotating passwords is a best practice for any system. With SCRAM, it is recommended to rotate passwords every few months. This ensures that even if a password is compromised, it will not be valid for long.

Limit Access to Administrative Accounts

Administrative accounts have elevated privileges that allow users to manage the MongoDB deployment. It is important to limit access to administrative accounts to only those who need it. This includes limiting access to the MongoDB server and administrative accounts to specific IP addresses or IP address ranges.

Monitor Activity and Logins

Monitoring activity and logins can help detect any suspicious activity or potential security breaches. This includes monitoring failed login attempts, successful logins, and user activity. This information can be used to detect and respond to security incidents.
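As an added example (not part of the original post), the following Python scans MongoDB structured JSON log lines for repeated authentication failures from one client address and user inside a short window. The log lines are constructed samples modelled on the server's ACCESS component messages, not real server output.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of MongoDB structured (JSON) log lines; not real server output.
SAMPLE_LOG = """
{"t":{"$date":"2024-06-19T10:00:01.000+00:00"},"s":"I","c":"ACCESS","ctx":"conn12","msg":"Authentication failed","attr":{"mechanism":"SCRAM-SHA-256","principalName":"Root_User","authenticationDatabase":"admin","client":"203.0.113.7:51000","result":"AuthenticationFailed"}}
{"t":{"$date":"2024-06-19T10:00:02.000+00:00"},"s":"I","c":"ACCESS","ctx":"conn13","msg":"Authentication failed","attr":{"mechanism":"SCRAM-SHA-256","principalName":"Root_User","authenticationDatabase":"admin","client":"203.0.113.7:51001","result":"AuthenticationFailed"}}
{"t":{"$date":"2024-06-19T10:00:03.000+00:00"},"s":"I","c":"ACCESS","ctx":"conn14","msg":"Authentication failed","attr":{"mechanism":"SCRAM-SHA-256","principalName":"Root_User","authenticationDatabase":"admin","client":"203.0.113.7:51002","result":"AuthenticationFailed"}}
{"t":{"$date":"2024-06-19T10:00:04.000+00:00"},"s":"I","c":"ACCESS","ctx":"conn15","msg":"Authentication succeeded","attr":{"mechanism":"SCRAM-SHA-256","principalName":"app_user","authenticationDatabase":"admin","client":"10.0.0.5:40000"}}
{"t":{"$date":"2024-06-19T10:30:00.000+00:00"},"s":"I","c":"ACCESS","ctx":"conn16","msg":"Authentication failed","attr":{"mechanism":"SCRAM-SHA-256","principalName":"app_user","authenticationDatabase":"admin","client":"10.0.0.5:40001","result":"AuthenticationFailed"}}
"""


def failed_logins_by_source(log_text, window=timedelta(minutes=5), threshold=3):
    """Return {(client_ip, principal): peak_count} for sources that reach `threshold`
    failed authentications within any `window`-long span."""
    failures = defaultdict(list)
    for line in log_text.strip().splitlines():
        entry = json.loads(line)
        if entry.get("c") != "ACCESS" or entry.get("msg") != "Authentication failed":
            continue
        attr = entry["attr"]
        ip = attr["client"].rsplit(":", 1)[0]        # drop the ephemeral source port
        ts = datetime.fromisoformat(entry["t"]["$date"])
        failures[(ip, attr["principalName"])].append(ts)

    alerts = {}
    for key, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # slide the window start forward until all events fit inside `window`
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[key] = max(alerts.get(key, 0), count)
    return alerts
```

The single failure for app_user half an hour later stays below the threshold, so only the burst against Root_User is reported.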

Regularly Update MongoDB

MongoDB regularly releases security patches and updates that address known vulnerabilities. It is important to regularly update MongoDB to ensure that the deployment is running the latest version with the latest security features and patches.

By following these best practices, you can significantly increase the security of your MongoDB deployment when using SCRAM authentication.

Steps to Enable SCRAM Authentication in MongoDB

To enable SCRAM (Salted Challenge Response Authentication Mechanism) on an existing standalone MongoDB deployment, we followed the steps below:

Validate MongoDB Deployment Without Access Control

FYI: Access control is disabled by default, but cross-verify this in the config file.

# less /etc/mongod.conf

Connect to the MongoDB Server Using the Mongo Shell

Connect to the DB server using the Mongo shell from the server itself, cross-verify the DB configuration, and check whether any users have already been created, as below.

# mongo --port 27017

> db.adminCommand({getCmdLineOpts: 1})

> db.getSiblingDB("admin").getUsers()

We have confirmed that there are no users in the admin DB.

Create a User in the Admin Database with a Root Role

Create a user with administrative privileges.

> db.getSiblingDB("admin").createUser({
    user: "Root_User",
    pwd: "My_Root_123",
    roles: [ "root" ]
})

Note: Don’t expose the root credentials to all the users.

FYI: If no users have been created on the deployment, MongoDB still allows the first user to be created after it has been restarted with authentication enabled (the localhost exception).

Enable the Authentication Option in the MongoDB Configuration File

Edit the configuration file to enable authentication:


Add or update the following lines:

security:
    authorization: enabled

Restart the mongod process.

# systemctl restart mongod

# systemctl status mongod

Checklist for Creating First Users

If you are creating the first user in MongoDB, you need to understand the localhost exception, which allows you to create the first user or role in any DB when connected from the server itself.

Check List

  • Is there any user that exists in your database?
  • Are you creating a user that can create other users with any privileges?
  • Are you creating a user in the admin database or not?
  • Is enableLocalhostAuthBypass: false set in the config file?

Note:

  • By default, enableLocalhostAuthBypass is enabled.
  • There is no run-time option to alter the localhost exception in MongoDB.
  • We can set the parameter in the config file only:
setParameter:
  enableLocalhostAuthBypass: 1

Authenticating Users in MongoDB

Using the Mongo Shell

db.getSiblingDB("admin").auth("User", "Password")

Using a Connection String

mongo "mongodb://User:Password@:/admin?authSource=admin"

Using Command-Line Options

Credentials can also be passed as mongo shell command-line options, but we suggest authenticating with db.auth() inside the shell instead: that way the credentials are never exposed to other users on the same host through the command history.

What if Authentication Failed

  • Validate the credentials (username, password, authentication database).
  • Verify the authentication mechanism being used.
  • Check the port on which mongod is listening.

SCRAM is an excellent authentication mechanism for securing MongoDB connections. Its robust security, support for multiple iterations and compatibility with many drivers make it a popular choice for developers. By following the best practices outlined in this blog, you can ensure that your MongoDB deployment is secure and protected against unauthorized access.

Secure your MongoDB deployment with Mydbops' expert managed services, consulting, and remote DBA support. Contact us today to ensure your database is protected against unauthorized access and cyber threats.


About the Author

Mydbops
