
I have an issue with establishing a remote connection to MongoDB running on a VPS. I have followed instructions on editing the mongod.conf to bind my IP.

The network section looks like this:

# network interfaces
net:
  port: 27017
  bindIp: 127.0.0.1,xx.xx.xxx.xxx 

The latter IP is my local machine which I am trying to access MongoDB on using Compass.

I have also tried surrounding the list in [], but it does not work. I am restarting the mongo service after each change like so:

sudo systemctl restart mongod

When I try to run mongo after adding the new comma-separated IP to the bindIp I receive the following error.

MongoDB shell version v4.4.9
connecting to: mongodb://127.0.0.1:27017/?compressors=disabled&gssapiServiceName=mongodb
Error: couldn't connect to server 127.0.0.1:27017, connection attempt failed: SocketException: Error connecting to 127.0.0.1:27017 :: caused by :: Connection refused :
connect@src/mongo/shell/mongo.js:374:17
@(connect):2:6
exception: connect failed
exiting with code 1

When I edit the mongo.conf to remove the second IP, mongo works and I can use the shell.

I have also created a new user in the MongoDB admin to use as credentials in Compass which I am using to try to connect in Compass.

This is what the user looks like in the admin system.users collection.

{
    "_id" : "admin.newAdmin",
    "userId" : UUID("9b5c9a51-de6b-4e55-a2bc-3ae92d89993c"),
    "user" : "newAdmin",
    "db" : "admin",
    "credentials" : { ... },
    "roles" : [
        {
            "role" : "userAdminAnyDatabase",
            "db" : "admin"
        },
        {
            "role" : "readWriteAnyDatabase",
            "db" : "admin"
        }
    ]
}

The connection string in Compass:

mongodb://username:password@<vps-ip>:27017/?authSource=admin&readPreference=primary&ssl=false 

I have seen that replacing bindIp with 0.0.0.0 works, but I am not comfortable with that from a security point of view.

If anyone can help with a solution to securely and easily establishing a remote connection I would much appreciate it.

mikeym

1 Answer


bindIp is a list of network interfaces on the mongodb server to listen on, not a list of client IPs.

Assuming mongodb is running on a *nix system, list the available interfaces in a terminal:

ifconfig

or

ip -c a

depending on the distribution.

There is at least 1 virtual interface "lo" inet 127.0.0.1 - the local loop, and at least 1 physical interface associated with the network card - something like "eth0", "wifi0", etc. Numbers may differ, as well as the number of interfaces. Get the IP from the inet property and add it to the mongodb config.

Let me stress, bindIp does not limit who can connect to mongo, only what networks mongo listens on, so if there are only 2 interfaces - lo and eth0 - there is no difference between listing both of them in the config and using 0.0.0.0.

If you want to limit traffic from a specific client IP - use the system firewall.

Alex Blex
  • Thanks for the answer. I am still not sure how to implement it though. If I leave the `mongo.conf` as it is with `bindIp: 127.0.0.1` and set my `ufw` firewall to allow a specific ip, should I be able to connect to my MongoDB securely? – mikeym Aug 21 '22 at 16:23
  • I figured it out thanks! It's working now. I just need to ensure that the `ufw` is only allowing connections from specific IPs and blocking all others now. – mikeym Aug 21 '22 at 18:31
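
Added example, not part of the original answer or comments: a shell check for the answer's point that every bindIp entry must be an address of one of the server's own interfaces. The function names, the IPv4-only scope, and the ufw rule in the comment with its `<client-ip>` placeholder are assumptions of this example.

```shell
#!/bin/sh
# Added example. mongod can only listen on addresses the host itself owns, so a
# client IP in bindIp makes the bind fail, and the local shell then gets
# "Connection refused". Client filtering belongs in the firewall, e.g. with ufw:
#   sudo ufw allow from <client-ip> to any port 27017 proto tcp
# (<client-ip> is a placeholder, not a value from the page.)

# Print the bindIp entries of a mongod.conf, one per line.
bind_ips() {
    sed -n 's/^[[:space:]]*bindIp:[[:space:]]*//p' "$1" |
        sed 's/[[:space:]]*#.*$//' | tr -d '[]" ' | tr ',' '\n' | sed '/^$/d'
}

# Print the IPv4 addresses assigned to local interfaces, one per line.
local_ips() {
    ip -o -4 addr show | awk '{ split($4, a, "/"); print a[1] }'
}

# check_bind_ips CONF [LOCAL_ADDRS]
# LOCAL_ADDRS is a newline-separated list; defaults to the output of local_ips.
# Prints one verdict per entry and returns 1 if any entry cannot be bound.
check_bind_ips() {
    _conf=$1
    _locals=${2-}
    _rc=0
    [ -n "$_locals" ] || _locals=$(local_ips)
    for _ip in $(bind_ips "$_conf"); do
        case $_ip in
            0.0.0.0)
                echo "WARN $_ip listens on every interface; restrict clients in the firewall" ;;
            *[!0-9.]*)
                echo "SKIP $_ip is not an IPv4 literal (hostname, IPv6 or socket path)" ;;
            *)
                if printf '%s\n' "$_locals" | grep -qxF -- "$_ip"; then
                    echo "OK   $_ip"
                else
                    echo "FAIL $_ip is not assigned to any local interface"
                    _rc=1
                fi ;;
        esac
    done
    return $_rc
}
```

On the server, `check_bind_ips /etc/mongod.conf` compares the file against the live interface list; the path is the usual package default and may differ on your system.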