
How to Secure Redis, MongoDB, and Elasticsearch from Unauthorized Access

By Admin · Mar 15, 2026 · Updated Apr 23, 2026

Redis, MongoDB, and Elasticsearch are frequently exposed to the internet without authentication, making them prime targets for data theft and ransomware. This guide covers essential security configurations for each service.

The Problem

By default, many NoSQL databases and search engines bind to all interfaces (0.0.0.0) without authentication. Automated scanners find these exposed services within minutes and either steal data or deploy ransomware.

Securing Redis

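# /etc/redis/redis.conf

# 1. Bind to localhost only
bind 127.0.0.1 ::1

# 2. Set a strong password (replace this placeholder with a long random value)
requirepass YourStrongPasswordHere123!

# 3. Disable dangerous commands
#    Renaming a command to "" removes it entirely. Disabling EVAL also breaks
#    any client or library that relies on Lua scripts.
rename-command FLUSHALL ""
rename-command FLUSHDB ""
rename-command CONFIG ""
rename-command DEBUG ""
rename-command EVAL ""

# 4. Enable TLS (Redis 6+)
#    tls-port adds a TLS listener. The plaintext listener on 6379 stays enabled
#    unless the "port" directive is set to 0.
tls-port 6380
tls-cert-file /etc/redis/tls/redis.crt
tls-key-file /etc/redis/tls/redis.key
tls-ca-cert-file /etc/redis/tls/ca.crt

# 5. Set memory limits
maxmemory 256mb
maxmemory-policy allkeys-lru

# Restart Redis (shell command, not part of redis.conf)
sudo systemctl restart redis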

Securing MongoDB

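# /etc/mongod.conf

# 1. Bind to localhost
net:
  bindIp: 127.0.0.1
  port: 27017

# 2. Enable authentication
security:
  authorization: enabled

# 3. Create admin user (connect first without auth)
#    Steps 3 and 4 are typed into the mongosh shell, not into mongod.conf.
#    Replace the placeholder passwords with long random values.
mongosh
use admin
db.createUser({
  user: "admin",
  pwd: "YourStrongPassword",
  roles: ["root"]
})

# 4. Create application-specific users
use myappdb
db.createUser({
  user: "myapp",
  pwd: "AppPassword123",
  roles: ["readWrite"]
})

# 5. Enable TLS (back in /etc/mongod.conf)
#    Add the tls: block under the existing net: section from step 1.
#    Do not add a second top-level net: key to the file.
net:
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem
    CAFile: /etc/ssl/ca.pem

# Restart MongoDB (shell command)
sudo systemctl restart mongod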

Securing Elasticsearch

# /etc/elasticsearch/elasticsearch.yml

# 1. Bind to localhost
network.host: 127.0.0.1
http.port: 9200

# 2. Enable security (Elasticsearch 8+ has it on by default)
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true

# 3. Set passwords for built-in users
#    (shell command, not part of elasticsearch.yml)
/usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic

# 4. Disable unnecessary features
#    (this setting requires explicit index names for destructive operations
#    such as index deletion, so wildcards and _all are rejected)
action.destructive_requires_name: true

# 5. Configure HTTPS
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: http.p12

# Restart Elasticsearch (shell command)
sudo systemctl restart elasticsearch

Firewall Rules

# Block external access to database ports
sudo ufw deny 6379/tcp   # Redis
sudo ufw deny 27017/tcp  # MongoDB
sudo ufw deny 9200/tcp   # Elasticsearch
sudo ufw deny 9300/tcp   # Elasticsearch transport

# These should NEVER be accessible from the internet.
# If the Redis TLS listener (tls-port 6380) is enabled, the same applies to 6380/tcp.

Verification

# Check that services are NOT externally accessible
ss -tlnp | grep -E "6379|27017|9200"
# All should show 127.0.0.1 (or [::1]), NOT 0.0.0.0, [::] or *

# Test from an external host (the ports should not show as open)
nmap -p 6379,27017,9200 YOUR_SERVER_IP
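
The loopback check above can be scripted so that any non-loopback bind is listed explicitly instead of being read off by eye. This is an added example, not part of the original article: the function names and the sample ss lines are constructed for illustration, and the port list is taken from this guide (including 6380, the Redis TLS port configured earlier).

```shell
#!/bin/sh
# Added example (not from the original article): list database listeners that
# are bound to anything other than loopback. Input is `ss -tlnH` output, where
# column 4 is "Local Address:Port".

PORTS="6379 6380 27017 9200 9300"   # ports used in this guide

exposed_listeners() {
    awk -v ports="$PORTS" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    {
        port = $4; sub(/.*:/, "", port)               # text after the last colon
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (!(port in want)) next                     # not a port we care about
        sub(/^\[/, "", addr); sub(/\]$/, "", addr)    # [::1] -> ::1
        sub(/%.*/, "", addr)                          # drop %iface zone suffix
        if (addr ~ /^127\./ || addr == "::1" || addr ~ /^::ffff:127\./) next
        print port " " addr                           # one line per exposed bind
    }'
}

# Constructed sample input, not captured from a real host.
sample_ss_output() {
    cat <<'EOF'
LISTEN 0 511  127.0.0.1:6379          0.0.0.0:*
LISTEN 0 511  [::1]:6379              [::]:*
LISTEN 0 4096 0.0.0.0:27017           0.0.0.0:*
LISTEN 0 4096 *:9200                  *:*
LISTEN 0 4096 [::ffff:127.0.0.1]:9300 *:*
LISTEN 0 128  0.0.0.0:22              0.0.0.0:*
EOF
}

# Demo on the sample. On a server, run: ss -tlnH | exposed_listeners
sample_ss_output | exposed_listeners
```

Empty output means every listed port is bound to loopback only; each printed line is a port and the non-loopback address it is listening on.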
