Mongodb --authentication

Question

I used mongodb on my local without authentication by running mongod as server and connecting it by just mongo as a user. Now after creating users and running the server as mongod --auth i can connect using user id and pwd assigned by me.

The problem is while connecting back mongo with mongod it again gets connected to the database and whole database is visible again,this should not happen as I have enabled the authentication.

Using mongod as a server should block the users from getting access. Same is the problem for my personal server.

Is there any solution to enable the security permanently that is enable mongod --auth and not just mongod.

Answer 1

If I understand correctly, your concern is that restarting a mongod process without access control enabled allows you to access data without authentication. This is the expected outcome: a user with direct access to restart services or copy MongoDB data files has greater permissions than the mongod process.

Authentication only verifies remote client access to the mongod service: it does not encrypt or protect data files if a user has direct local read access. If you have an environment allowing remote and/or multi-user access, you should take steps to appropropriately limit access to your data files and service management.

If you want to secure data files from direct access, it sounds like you may be looking for Encryption at Rest or Disk Encryption. These security measures prevent direct read access to your data files or filesystem without appropriate credentials, but you still have to limit access appropriately and protect those credentials.

For general measures see the MongoDB Security Checklist.