How to install MongoDB on Debian 8

Introduction

MongoDB is a free and open source NoSQL database commonly used in modern web applications. This tutorial will show you how to configure MongoDB on a server for use in production applications. You will install MongoDB and configure firewall rules to restrict access to it.

Prerequisites

To follow this tutorial, you will need:

  • One Debian 8 server with a non-root user that has sudo privileges. You can set up a user with these privileges in our Debian 8 initial server setup guide.

Step 1 – Installing MongoDB

MongoDB is already included in the Debian repository, but the official MongoDB repository provides the most recent version and is the recommended way to install the software. In this step, we will add this official repository to our server.

Debian guarantees the authenticity of software packages by verifying that they are signed with GPG keys, so we must first import the key for the official MongoDB repository.

sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 0C49F3730359A14518585931BC711F9BA15703C6

After successfully importing the key, you will see:

Output

gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

Next, we need to add the MongoDB repository details to apt so that it knows where to download the packages.

Run the following command to create a list file for MongoDB.

echo "deb http://repo.mongodb.org/apt/debian jessie/mongodb-org/3.4 main" | sudo tee /etc/apt/sources.list.d/mongodb-org-3.4.list

After adding the repository details, update the package list:

sudo apt-get update

Now install the MongoDB package using the following command:

sudo apt-get install -y mongodb-org

This installs the latest stable version of MongoDB, along with some useful management tools for the MongoDB server.

After MongoDB is installed, start the service, and make sure it starts when you reboot your server:

sudo systemctl enable mongod.service
sudo systemctl start mongod

Then use systemctl to check that the service has started correctly:

sudo systemctl status mongod

You should see the following output, which indicates that the service is running:

Output

● mongod.service - High-performance, schema-free document-oriented database
   Loaded: loaded (/lib/systemd/system/mongod.service; enabled)
   Active: active (running) since Tue 2017-02-28 19:51:51 UTC; 7s ago
     Docs: https://docs.mongodb.org/manual
 Main PID: 8958 (mongod)
   CGroup: /system.slice/mongod.service
           └─8958 /usr/bin/mongod --quiet --config /etc/mongod.conf

Feb 28 19:51:51 cart-61037 systemd[1]: Started High-performance, schema-free document-oriented database.

Now that MongoDB is successfully installed, let’s secure it with a software firewall.

Step 2 – Protecting MongoDB with a Firewall

In most cases, MongoDB should only be accessible from certain trusted locations, such as another server hosting the application. To accomplish this, you can allow access to MongoDB's default port while specifying the IP address of another server, which will be explicitly allowed to connect. We'll be using the iptables firewall to configure this rule, along with a few other system security rules.

Before writing any rules, install the iptables-persistent package so that you can save the rules that you create. This way, the rules will be applied every time you restart the server. Run the following command:

sudo apt-get install iptables-persistent

Note: During installation, you may be asked whether to save any existing rules. You can choose not to save them.

Then remove any existing rules you might have, just in case:

sudo iptables -F

Then add a rule that allows established connections to continue to communicate. This way our existing SSH connection won’t be interrupted:

sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

Then make sure SSH access is allowed:

sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

If you plan to connect to MongoDB from a remote server, add these rules to allow access to the default MongoDB port from the application server:

sudo iptables -A INPUT -s your_other_server_ip -p tcp --destination-port 27017 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -d your_other_server_ip -p tcp --source-port 27017 -m state --state ESTABLISHED -j ACCEPT

Then add these rules to allow traffic on the local device:

sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A OUTPUT -o lo -j ACCEPT

Finally, change your firewall policy to drop all other types of traffic:

sudo iptables -P INPUT DROP

Warning: Changing the default policy to drop traffic that is not explicitly allowed by your rules means that everything else will be blocked. If you want to allow additional traffic in the future, you need to add new rules.

Also, if you accidentally delete your rules, you will be locked out of your server. It's a good idea to use sudo iptables -P INPUT ACCEPT to allow traffic if you need to adjust your rules in the future. Then you can use sudo iptables -P INPUT DROP to lock things down again as soon as you are sure everything is set up correctly.

Make sure the rules look correct:

sudo iptables -S

You should see output similar to this:

Output

-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s your_other_server_ip/32 -p tcp -m tcp --dport 27017 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -d your_other_server_ip/32 -p tcp -m tcp --sport 27017 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

And finally, save the rules:

sudo netfilter-persistent save
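
The following check is an added example, not part of the original tutorial: it reads iptables -S output and flags an INPUT policy other than DROP, an unconditional ACCEPT, or an ACCEPT for port 27017 that has no source address. The function names and both sample rulesets are constructed for illustration, with 203.0.113.10 standing in for your_other_server_ip.

```shell
# Added example: audit `iptables -S` output (stdin) for MongoDB exposure.
# Prints one FINDING per problem and returns 1 if there were any.
audit_mongo_rules() {
    awk -v port="${1:-27017}" '
        BEGIN { policy = "unknown"; bad = 0 }
        $1 == "-P" && $2 == "INPUT" { policy = $3 }
        $1 == "-A" && $2 == "INPUT" {
            src = ""; dport = ""; target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-s") src = $(i + 1)
                if ($i == "--dport" || $i == "--destination-port") dport = $(i + 1)
                if ($i == "-j") target = $(i + 1)
            }
            if (target != "ACCEPT") next
            if (NF == 4) {                     # "-A INPUT -j ACCEPT"
                print "FINDING: unconditional ACCEPT: " $0; bad = 1
            } else if (dport == port && (src == "" || src == "0.0.0.0/0")) {
                print "FINDING: port " port " open to any source: " $0; bad = 1
            }
        }
        END {
            if (policy != "DROP") { print "FINDING: INPUT policy is " policy ", expected DROP"; bad = 1 }
            exit bad
        }'
}

# Constructed sample: the Step 2 ruleset, 203.0.113.10 as your_other_server_ip.
restricted_rules() { cat <<'EOF'
-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 203.0.113.10/32 -p tcp -m tcp --dport 27017 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -d 203.0.113.10/32 -p tcp -m tcp --sport 27017 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
EOF
}

# Constructed sample: policy left at ACCEPT and 27017 allowed without -s.
weak_rules() { cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 27017 -j ACCEPT
EOF
}
restricted_rules | audit_mongo_rules && echo "restricted ruleset: no findings"
weak_rules | audit_mongo_rules || echo "weak ruleset: see findings above"
```

On the server itself, pipe the live rules in with sudo iptables -S | audit_mongo_rules; a non-zero exit status means at least one finding.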

To learn more about firewall rules, take a look at How to Use Iptables on Linux.

Step 3 – Activating Access to External Servers (Optional)

Current versions of MongoDB do not accept external connections by default. If you have restricted access to specific IPs with a firewall, you can modify MongoDB’s configuration to enable remote connections.

Edit the MongoDB config file:

sudo nano /etc/mongod.conf

Find this section:

mongod.conf

# network interfaces
net:
  port: 27017
  bindIp: 127.0.0.1

MongoDB is listening on the local loopback address, so it will only accept local connections. Change the bindIp value so that it includes the IP address of the MongoDB server:

mongod.conf

# network interfaces
net:
  port: 27017
  bindIp: 127.0.0.1,your_server_ip

Save the file and exit the editor.

Then restart MongoDB to apply the changes:

sudo systemctl restart mongod

Your remote computer should now be able to connect. However, you can also enable authentication to make your database even more secure.
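
The following check is an added example, not part of the original tutorial: it reads a mongod.conf and warns when bindIp covers every interface, or when mongod listens beyond loopback while security.authorization is not enabled. The function names and sample configurations are constructed for illustration, with 203.0.113.5 standing in for your_server_ip.

```shell
# Added example: audit a mongod.conf (YAML on stdin) for network exposure.
# Prints one WARN per problem and returns 1 if there were any.
audit_mongod_conf() {
    awk '
        BEGIN { bad = 0 }
        /^[^ \t#]/ { section = $1 }            # top-level key, e.g. "net:"
        section == "net:" && $1 == "bindIp:" {
            list = $0; sub(/^[^:]*:/, "", list); sub(/#.*/, "", list)
            n = split(list, ips, ",")
            for (i = 1; i <= n; i++) {
                ip = ips[i]; gsub(/[ \t"]/, "", ip)
                if (ip == "0.0.0.0" || ip == "::") wildcard = 1
                else if (ip != "" && ip != "127.0.0.1" && ip != "::1" && ip != "localhost") remote = 1
            }
        }
        section == "security:" && $1 == "authorization:" && $2 == "enabled" { auth = 1 }
        END {
            if (wildcard) { print "WARN: bindIp covers every interface"; bad = 1 }
            if ((wildcard || remote) && !auth) {
                print "WARN: listens beyond loopback without security.authorization; only the firewall limits access"
                bad = 1
            }
            exit bad
        }'
}

# Constructed samples: the section as shipped, the Step 3 edit, and the
# Step 3 edit with authorization turned on.
default_conf() { printf 'net:\n  port: 27017\n  bindIp: 127.0.0.1\n'; }
step3_conf() { printf 'net:\n  port: 27017\n  bindIp: 127.0.0.1,203.0.113.5\n'; }
step3_auth_conf() { step3_conf; printf 'security:\n  authorization: enabled\n'; }

default_conf | audit_mongod_conf && echo "default: loopback only"
step3_conf | audit_mongod_conf || echo "step 3 edit: see warning above"
step3_auth_conf | audit_mongod_conf && echo "step 3 edit with authorization: no warnings"
```

On the server itself, run it against the real file with audit_mongod_conf < /etc/mongod.conf.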


Remember to back up your data and read about how to encrypt data in transit.
