1- Secure the host with ssh and make sure it’s not reachable from outside without going through a “gateway”.
2- Use IPTables to lock down any access from unknown servers.
3- Create an admin user and set authentication to admin

Create an administrator user for the entire db server process. This user is stored under the special «admin" database.

If there aren’t  admin users, one might access the database from the localhost interface without authenticating. Thus, from the server running the database (and thus on localhost), run the database shell and configure an administrative user:

$ ./mongo
> use admin
> db.addUser("adminuser", "somepassword")

We now have a user created for database "admin". Note that if we have not previously authenticated, we now must if we wish to perform further operations, as there is now an admin user.

> db.auth("adminuser", "somepassword")

Now, let’s configure a «normal» user for another database.

> use prueba1
> db.addUser("john", "passwordJohn")

Finally, let’s add a readonly user

> use prueba1 > db.addUser("guest", "passwordGuest", true)

Viewing Users

User information is stored in each database’s system.users collection. For example, on a database prueba1, prueba1.system.users will contain user information.

We can view existing users for the current database with the query:

> db.system.users.find()

Changing Passwords

The shell addUser command may also be used to update a password: if the user already exists, the password simply updates.

Deleting Users

To delete a user:

db.removeUser( username )

or

db.system.users.remove( { user: username } ) 4.- Change the port to something other than default 27017. I know, security through obsecurity.