Cloud Firewall: MongoDB: Best practices for preventing unauthorized access

Last Updated: Apr 01, 2026

An unauthorized access vulnerability in MongoDB can lead to data breaches, data deletion, or extortion.

Background

To help secure your services and applications, Cloud Firewall provides the following guidance to remediate this vulnerability.

After you install MongoDB, an admin database is created by default. This database is initially empty and contains no permissions.

By default, MongoDB has no access restrictions. If you start the MongoDB service without any parameters, authentication is not required. This allows any user to connect to the default port without a password, perform high-risk operations (such as inserting, deleting, modifying, and querying data), and access the database remotely.

Therefore, the core hardening operation is to add a user to admin.system.users so that MongoDB's user authentication and authorization services can take effect.

Remediation

  1. Configure an access control policy in Cloud Firewall.

    1. Restrict the MongoDB service to internal network servers.

      Log on to the Cloud Firewall console. In the left-side navigation pane, choose Analysis > Internet Exposure. On the Exposure Details > Exposed Applications tab, view the public IP address of your MongoDB service. If the service is for internal use only, do not expose it to the internet.

      Run the following command to bind the service to a specific IP address. This configures the MongoDB service to accept requests only from an internal network server. In this example, the MongoDB instance listens only for requests from the internal IP address 192.168.XX.XX.

      mongod --bind_ip 192.168.XX.XX
    2. Configure an access control policy to allow traffic only from trusted sources.

      1. Log on to the Cloud Firewall console. In the left-side navigation pane, choose Protect > Access Control > Policy Configuration > Internet Border, and then click the Inbound tab. Configure an access control policy to allow access only from servers that depend on the MongoDB service.

        1. On the Inbound tab, click Manage Address Books. On the IP Address Book > Custom IP Address Book tab, add all trusted source IP addresses for your MongoDB service to an address book.

        2. On the Inbound tab, click Create Policy. In the Create Inbound Policy > Create Policy panel, create a policy to allow traffic from the trusted source. Configure the following key parameters:

          • Source: Select the address book that contains the trusted MongoDB sources.

          • Destination: The public IP address of the MongoDB service.

          • Protocol Type: Select TCP, which indicates Internet access traffic.

          • Port: Set to 0/0 to include all destination ports.

      2. Deny access from all other untrusted sources.

        In the left-side navigation pane, choose Protect > Access Control > Policy Configuration > Internet Border, and then click the Inbound tab. Configure an access control policy to deny access from other untrusted sources.

        On the Inbound tab, click Create Policy. In the Create Inbound Policy > Create Policy panel, create a policy to deny traffic from untrusted sources. Configure the following key parameters:

          • Source: Set to 0.0.0.0/0 to include all sources.

          • Destination: The public IP address of the MongoDB service.

          • Protocol Type: Select TCP, which indicates Internet access traffic.

          • Port: Set to 0/0 to include all destination ports.

  2. Enable role-based user authentication.

    1. Run the following command to log on to the database in an environment where authentication is not enabled.

      ./mongo 127.0.0.1:27028 # The default port has been changed.
    2. Run the following command to switch to the admin database.

      use admin
      switched to db admin

      Note

      You can only create an administrator account after you switch to the admin database.

    3. Run the following command to create an administrator account for the admin database. In this example, the username is su**** and the password is supWDx****.

      Note

      Starting from MongoDB v3.0, the addUser() method is deprecated. Use the db.createUser() command instead.

      db.createUser({user: "su****", pwd: "supWDx****", roles: ["root"]})
      // The administrator account is stored in system.users (the mongo shell is JavaScript, so comments use //).
      db.getCollectionNames()
      [ "system.indexes", "system.users", "system.version" ]

      The user account is saved in the system.users collection.

      Note

      Do not use common usernames for administrator accounts. Passwords must meet complexity requirements: be at least eight characters long and include a combination of uppercase letters, lowercase letters, digits, and special characters. Do not use common passwords such as birthdates, names, or ID numbers.

    4. Verify that the user was created successfully.

      A return value of 1 indicates success.

      db.auth("su****","supWDx****")
      1
    5. Stop the MongoDB process and then restart the MongoDB service.

      db.auth("su****","supWDx****")
      exit
      bye
    6. Run the following command to start the MongoDB service with authentication enabled.

      After you enable user authentication, unauthenticated clients cannot perform any operations.

      mongod --dbpath=/path/mongodb --bind_ip=10.0.0.1 --port=27028 --fork --logpath=/path/mongod.log --auth

      The --fork option detaches the process itself, so no trailing & is needed, and --logpath must be given as a full option (--logpath=..., not logpath=...).

    Note

    • The admin.system.users collection stores users with higher privileges than users created in other databases. These are superusers. A user created in the admin database can perform operations on data in any other database within the MongoDB system.

    • In a MongoDB system, databases are created by superusers. A database can contain multiple users, but a user can belong to only one database. Users in different databases can have the same name.

    • A user in a specific database, for example, User1 in DB1, cannot access another database, such as DB2. However, the user can access data created by other users in the same database (DB1).

    • Users with the same name in different databases cannot log on to other databases. For example, if both DB1 and DB2 have user1, after logging on to DB1 as user1, you cannot log on to DB2 to perform database operations.

    • You can use the db.auth() method to authenticate a user in a database. If authentication is successful, the method returns 1. Otherwise, it returns 0. The db.auth() method authenticates users only within the current database.

Check for intrusion risks

As a MongoDB administrator, you can use the following methods to check for signs of an intrusion:

  • Check if the MongoDB logs are complete. Look for the source IP address, time, and specific actions related to any database deletion operations.

  • Run the db.system.users.find() command to check for any accounts that do not have a password.

  • Run the db.fs.files.find() command to check if any unexpected files have been stored in GridFS by other users.

  • Run the show log global command to review log files and identify any unauthorized access to MongoDB.
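The checks above can be run offline against exported material. The following is an added example, not code from the original page: it triages MongoDB structured JSON log lines (the 4.4+ layout with t, s, c, ctx, msg and attr fields) for connections from outside a trusted address range and for database deletion commands attributed to their source IP, and it lists admin.system.users entries that carry no password credentials. The log lines, user documents and the TRUSTED_CIDRS address book are constructed samples; the example assumes that command logging (slow-query threshold or profiling) recorded the drop, so it appears as a COMMAND entry.

```javascript
// Added example, not from the original page: offline triage of MongoDB structured JSON
// logs (4.4+ layout: t, s, c, ctx, msg, attr) and admin.system.users documents for the
// intrusion signs listed above. Sample data is constructed; it assumes command logging
// (slow-query threshold or profiling) recorded the drop, so it appears as a COMMAND entry.
const TRUSTED_CIDRS = ["10.0.0.0/8", "192.168.0.0/16"]; // assumed internal address book
const DESTRUCTIVE_OPS = ["drop", "dropDatabase"];     // database deletion commands

function ipInCidr(ip, cidr) {
  const toInt = (a) => a.split(".").reduce((n, o) => (n << 8) + Number(o), 0) >>> 0;
  const [net, bits] = cidr.split("/");
  const mask = Number(bits) === 0 ? 0 : (0xffffffff << (32 - Number(bits))) >>> 0;
  return (toInt(ip) & mask) === (toInt(net) & mask);
}

// Flags connections from outside the trusted ranges, and destructive commands attributed
// to the source IP of their connection through the "connN" context id.
function triageLog(lines, trustedCidrs = TRUSTED_CIDRS) {
  const ipByConn = new Map(), findings = [];
  for (const line of lines) {
    let e;
    try { e = JSON.parse(line); } catch { continue; } // skip non-JSON (pre-4.4 text) lines
    const attr = e.attr || {}, when = e.t && e.t.$date;
    if (e.c === "NETWORK" && e.msg === "Connection accepted" && attr.remote) {
      const ip = attr.remote.split(":")[0];
      ipByConn.set(`conn${attr.connectionId}`, ip);
      if (!trustedCidrs.some((c) => ipInCidr(ip, c))) findings.push({ when, ip, kind: "untrusted-source" });
    } else if (e.c === "COMMAND" && attr.command) {
      const op = Object.keys(attr.command)[0];
      if (DESTRUCTIVE_OPS.includes(op)) // "unknown" when the connection predates the exported log window
        findings.push({ when, ip: ipByConn.get(e.ctx) || "unknown", kind: "destructive-command", op, db: attr.command.$db });
    }
  }
  return findings;
}

// Password users carry SCRAM entries under "credentials"; a missing or empty
// credentials object means the account cannot be password-authenticated.
function usersWithoutPassword(userDocs) {
  return userDocs.filter((u) => !u.credentials || Object.keys(u.credentials).length === 0).map((u) => `${u.user}@${u.db}`);
}

const SAMPLE_LOG = [ // constructed, trimmed entries
  '{"t":{"$date":"2026-03-30T01:12:03.101+00:00"},"s":"I","c":"NETWORK","ctx":"listener","msg":"Connection accepted","attr":{"remote":"10.0.0.7:51010","connectionId":12}}',
  '{"t":{"$date":"2026-03-30T01:12:09.550+00:00"},"s":"I","c":"NETWORK","ctx":"listener","msg":"Connection accepted","attr":{"remote":"203.0.113.9:40022","connectionId":13}}',
  '{"t":{"$date":"2026-03-30T01:12:15.002+00:00"},"s":"I","c":"COMMAND","ctx":"conn13","msg":"Slow query","attr":{"type":"command","ns":"orders.$cmd","command":{"dropDatabase":1,"$db":"orders"},"durationMillis":4}}',
  '{"t":{"$date":"2026-03-30T01:12:16.300+00:00"},"s":"I","c":"COMMAND","ctx":"conn12","msg":"Slow query","attr":{"type":"command","ns":"orders.customers","command":{"find":"customers","$db":"orders"},"durationMillis":120}}',
];
const SAMPLE_USERS = [ // constructed admin.system.users documents
  { user: "su****", db: "admin", credentials: { "SCRAM-SHA-256": { iterationCount: 15000 } }, roles: [{ role: "root", db: "admin" }] },
  { user: "svc_legacy", db: "admin", roles: [{ role: "readWriteAnyDatabase", db: "admin" }] },
];
console.log(triageLog(SAMPLE_LOG));              // untrusted-source 203.0.113.9, then dropDatabase on "orders" from 203.0.113.9
console.log(usersWithoutPassword(SAMPLE_USERS));  // [ 'svc_legacy@admin' ]
```

Feed it the exported mongod.log and the output of db.system.users.find() to get the source IP, time and operation for each deletion, which is the evidence the first check above asks for.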