Installing MongoDB on Debian Server
MongoDB is a free, open source NoSQL document database commonly used in modern web applications. This article shows how to set up MongoDB on your server for use in a production application environment. You will install MongoDB and configure firewall rules to limit access to it.
1) Installing MongoDB
MongoDB is included in Debian's package repositories; however, the official MongoDB repository offers the most up-to-date version and is the recommended method of installing the software. In this article, we will add the official repository to the server.
Debian ensures the authenticity of software packages by verifying that they are signed with GPG keys, so you first need to import the key for the official MongoDB repository.
sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 0C49F3730359A14518585931BC711F9BA15703C6
Once you have successfully imported the key, you will see:
gpg: Total number processed: 2
gpg: imported: 2 (RSA: 2)
Next, add the MongoDB repository details so that apt knows where to download the packages from.
Issue the following command to create a list file for MongoDB.
echo "deb http://repo.mongodb.org/apt/debian jessie/mongodb-org/3.4 main" | sudo tee /etc/apt/sources.list.d/mongodb-org-3.4.list
After adding the repository details, update the list of packages:
sudo apt-get update
Now install the MongoDB package itself with the command below:
sudo apt-get install -y mongodb-org
Then use systemctl to check that the service has started properly:
sudo systemctl status mongod
You should see the following output, which indicates that the service is running:
● mongod.service - High-performance, schema-free document-oriented database
Loaded: loaded (/lib/systemd/system/mongod.service; enabled)
Active: active (running) since Wed 2016-10-29 15:42:10 UTC; 10s ago
Main PID: 8958 (mongod)
└─8958 /usr/bin/mongod --quiet --config /etc/mongod.conf
Wed 2016-10-29 15:42:10 cart-61037 systemd: Started High-performance, schema-free document-oriented database.
2) Securing MongoDB with the Firewall
In most cases, MongoDB should be accessed only from a few trusted locations, such as another server hosting an application. To accomplish this, you'll allow access on MongoDB's default port while specifying the IP address of the other server that is explicitly permitted to connect. You can use the iptables firewall to set up this rule, along with a few other rules to secure the system.
Before writing any rules, install the iptables-persistent package so that you can save the rules you create. This way, the rules will be applied every time you restart the server. Execute the command below:
sudo apt-get install iptables-persistent
Next, remove any existing rules that may be in place, just in case:
sudo iptables -F
Then add a rule that permits established connections to continue talking. This way your existing SSH connection will not be interrupted:
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
Next, ensure that SSH access is permitted:
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
If you plan to connect to MongoDB from a remote server, add these rules, which permit access to MongoDB's default port from the application server:
sudo iptables -A INPUT -s your_other_server_ip -p tcp --destination-port 27017 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -d your_other_server_ip -p tcp --source-port 27017 -m state --state ESTABLISHED -j ACCEPT
Next, add these rules, which permit traffic on the local loopback device:
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A OUTPUT -o lo -j ACCEPT
Finally, change the firewall policy to drop all other traffic:
sudo iptables -P INPUT DROP
Verify that the rules are correct:
sudo iptables -S
You should see output similar to the following:
-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s your_other_server_ip/32 -p tcp -m tcp --dport 27017 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -d your_other_server_ip/32 -p tcp -m tcp --sport 27017 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
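The verification step above can be scripted. The following is an added example, not part of the original article: it reads `iptables -S` output and fails if port 27017 is accepted from any source other than the application server or if the INPUT policy is not DROP. The function name, the sample rule sets and the address 203.0.113.10 are constructed for illustration, and only rules that name port 27017 explicitly are inspected.

```bash
#!/usr/bin/env bash
# Added example: audit `iptables -S` output for the MongoDB rules above.
# Live use: sudo iptables -S | audit_mongo_rules <application_server_ip>

audit_mongo_rules() {
  # $1 = the one IPv4 address allowed to reach 27017 (assumption: single host)
  awk -v allowed="$1" '
    $1 == "-P" && $2 == "INPUT" { policy = $3 }
    $1 == "-A" && $2 == "INPUT" && /--dport 27017( |$)/ && /-j ACCEPT/ {
      src = ""
      for (i = 3; i < NF; i++)   # keep a leading "!" so negated sources never match
        if ($i == "-s") src = ($(i - 1) == "!" ? "!" : "") $(i + 1)
      if (src != allowed && src != (allowed "/32")) {
        print "FAIL: 27017 accepted from " (src == "" ? "any source" : src)
        bad = 1
      }
    }
    END {
      if (policy != "DROP") { print "FAIL: INPUT policy is " policy; bad = 1 }
      if (!bad) print "OK: 27017 limited to " allowed ", default policy DROP"
      exit (bad ? 1 : 0)
    }'
}

sample_good() {  # constructed sample: this article's rules with a documentation IP
  cat <<'EOF'
-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 203.0.113.10/32 -p tcp -m tcp --dport 27017 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
EOF
}

sample_bad() {   # constructed sample: policy left at ACCEPT plus an open 27017 rule
  cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 27017 -j ACCEPT
EOF
}

sample_good | audit_mongo_rules 203.0.113.10
sample_bad | audit_mongo_rules 203.0.113.10 || echo "audit failed as expected"
```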
Finally, save the rules:
3) Enabling access for external servers
You need to edit the MongoDB configuration file:
sudo nano /etc/mongod.conf
Locate this section:
# network interfaces
Mongo is listening on the local loopback address, so it accepts only local connections. Change the bindIp value so that it includes the IP address of your MongoDB server:
# network interfaces
net:
  port: 27017
  bindIp: 127.0.0.1,your_server_ip
Save the file and exit the editor.
Then restart MongoDB to apply the changes:
sudo systemctl restart mongod
Your remote machine will now be able to connect. You may also want to enable authentication to secure the database even further.
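Because the bindIp edit decides which interfaces mongod listens on, it is worth linting before the restart. The following is an added example, not part of the original article: it reads a mongod.conf and fails when bindIp under net: is a wildcard address or is absent. The function name and sample files are constructed, and it assumes the 3.4 series installed above, where a missing bindIp means mongod listens on all interfaces.

```bash
#!/usr/bin/env bash
# Added example: lint the bindIp setting of a mongod.conf read from stdin.
# Live use: check_bindip < /etc/mongod.conf

check_bindip() {
  awk '
    /^[^ #]/ { in_net = ($1 == "net:") }      # a top-level key opens a section
    in_net && $1 == "bindIp:" {
      seen = 1
      sub(/^ *bindIp: */, ""); sub(/ *#.*$/, ""); gsub(/"/, "")
      n = split($0, addr, / *, */)
      for (i = 1; i <= n; i++) {
        if (addr[i] ~ /^0+\.0+\.0+\.0+$/ || addr[i] == "::") wild = addr[i]
        if (addr[i] == "127.0.0.1" || addr[i] == "localhost") loop = 1
      }
    }
    END {
      if (!seen)      { print "FAIL: no bindIp under net:"; exit 1 }
      if (wild != "") { print "FAIL: bindIp " wild " listens on every interface"; exit 1 }
      if (!loop) print "NOTE: loopback not listed; local clients must use the server IP"
      print "OK: bindIp lists specific addresses only"
    }'
}

conf_good() {   # constructed sample: loopback plus one documentation address
  cat <<'EOF'
# network interfaces
net:
  port: 27017
  bindIp: 127.0.0.1,198.51.100.7
EOF
}

conf_open() {   # constructed sample: wildcard bind
  cat <<'EOF'
net:
  port: 27017
  bindIp: 0.0.0.0
EOF
}

conf_good | check_bindip
conf_open | check_bindip || echo "lint failed as expected"
```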