Ackee is a self-hosted Node.js web analytics service with a MongoDB backend. Only the tracker script and the endpoint it posts events to need to be reachable by visitors' browsers; the dashboard login and MongoDB do not. The most important controls are therefore admin/API access protection, MongoDB hardening, and careful handling of which origins are allowed to send tracking data.
¶ 1) Lock admin and API authentication
- Set a strong ACKEE_USERNAME and ACKEE_PASSWORD. Ackee has a single admin account defined by these two variables, so generate the password randomly (32 or more characters) and do not reuse it anywhere. If you front the dashboard with SSO at a reverse proxy, keep the local credentials strong as well: the proxy protects the UI, not the login that the API itself accepts.
- Do not expose the dashboard or the API without HTTPS. Terminate TLS at the reverse proxy and keep Ackee's own port (3000 by default) bound to localhost or a private interface.
- Domains are created and deleted with the admin credentials, so keep the set of people holding them small, and revoke permanent tokens (created in the Ackee settings) that are no longer needed, since they grant API access without the password.
- Rotate ACKEE_PASSWORD and any permanent tokens after staff changes; Ackee reads the env file at start-up, so restart the service after changing it.
¶ 2) Harden MongoDB and data paths
- Bind MongoDB to localhost or a private network only (net.bindIp in mongod.conf; 0.0.0.0 or bindIpAll exposes it on every interface).
- Enable MongoDB authentication (security.authorization: enabled) and, whenever Ackee and MongoDB are on different hosts, TLS (net.tls.mode: requireTLS) with tls=true in the connection string.
- Keep the connection string with its credentials (ACKEE_MONGODB) out of git; store it in the service env file only, owned by the service user with mode 0600.
- Back up the database with mongodump and encrypt the archives before they leave the host; an unencrypted dump contains every visitor record.
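The checks in sections 1 and 2 can be scripted against the two files they concern. The following is an added example, not code from the Ackee project: it reads an ackee.env and a mongod.conf (constructed samples below, one weak and one hardened) and reports which of the controls above are missing. The 16-character password minimum is an assumed local policy, and the tiny YAML reader only handles the indented key: value subset that mongod.conf uses.

```python
"""Audit an Ackee env file and a mongod.conf against sections 1 and 2.

Added example, not code from the Ackee project. The file contents below
are constructed samples; the 16-character password minimum is an assumed
local policy, and /etc/ackee/ackee.env is the path this page uses.
"""
from urllib.parse import urlparse

MIN_PASSWORD_LEN = 16                            # assumed local policy
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed: a weak /etc/ackee/ackee.env and /etc/mongod.conf.
ACKEE_ENV_WEAK = """\
ACKEE_USERNAME=admin
ACKEE_PASSWORD=changeme
ACKEE_MONGODB=mongodb://db.internal:27017/ackee
ACKEE_PORT=3000
"""
MONGOD_CONF_WEAK = """\
net:
  port: 27017
  bindIp: 0.0.0.0
security:
  authorization: disabled
"""

# Constructed: the same two files after applying sections 1 and 2.
ACKEE_ENV_HARDENED = """\
ACKEE_USERNAME=ackee-admin
ACKEE_PASSWORD=PLACEHOLDER-use-a-32-byte-random-secret
ACKEE_MONGODB=mongodb://ackee:PLACEHOLDER@127.0.0.1:27017/ackee?authSource=ackee
"""
MONGOD_CONF_HARDENED = """\
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""


def parse_env(text):
    """KEY=value lines into a dict; comments and blank lines are ignored."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip().strip("'\"")
    return env


def parse_mongod_conf(text):
    """Minimal reader for the indented 'key: value' YAML subset mongod.conf
    uses (no lists, no quoting). Returns nested dicts of strings."""
    root = {}
    stack = [(-1, root)]                         # (indent, container)
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        while stack[-1][0] >= indent:            # leave deeper sections
            stack.pop()
        parent = stack[-1][1]
        if value.strip():
            parent[key.strip()] = value.strip()
        else:                                    # section header
            parent[key.strip()] = child = {}
            stack.append((indent, child))
    return root


def lookup(conf, dotted, default=None):
    """Dotted-path lookup, e.g. lookup(conf, 'net.tls.mode')."""
    node = conf
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def audit(env, conf):
    """Return a list of findings; an empty list means every audited control passes."""
    findings = []
    password = env.get("ACKEE_PASSWORD", "")
    if not env.get("ACKEE_USERNAME") or not password:
        findings.append("ACKEE_USERNAME/ACKEE_PASSWORD not set: the dashboard has no login")
    elif len(password) < MIN_PASSWORD_LEN:
        findings.append(f"ACKEE_PASSWORD shorter than {MIN_PASSWORD_LEN} characters")

    uri = urlparse(env.get("ACKEE_MONGODB", ""))
    auth_enabled = lookup(conf, "security.authorization") == "enabled"
    if uri.scheme not in ("mongodb", "mongodb+srv"):
        findings.append("ACKEE_MONGODB is not a mongodb:// connection string")
    else:
        if uri.hostname not in LOOPBACK:         # crosses the network: need creds + TLS
            if not uri.username:
                findings.append("ACKEE_MONGODB reaches a non-local host without credentials")
            if "tls=true" not in uri.query and "ssl=true" not in uri.query:
                findings.append("ACKEE_MONGODB reaches a non-local host without tls=true")
        if auth_enabled and not uri.username:
            findings.append("mongod requires auth but ACKEE_MONGODB carries no credentials")

    bind = lookup(conf, "net.bindIp", "127.0.0.1")          # mongod's own default
    exposed = lookup(conf, "net.bindIpAll") == "true" or any(
        a.strip() not in LOOPBACK for a in bind.split(","))
    if exposed:
        findings.append(f"mongod bindIp={bind} is reachable beyond loopback")
        if lookup(conf, "net.tls.mode") != "requireTLS":
            findings.append("mongod net.tls.mode is not requireTLS although it listens beyond loopback")
    if not auth_enabled:
        findings.append("mongod security.authorization is not 'enabled'")
    return findings


def audit_files(env_text, conf_text):
    return audit(parse_env(env_text), parse_mongod_conf(conf_text))


if __name__ == "__main__":
    for label, env_text, conf_text in (("weak", ACKEE_ENV_WEAK, MONGOD_CONF_WEAK),
                                       ("hardened", ACKEE_ENV_HARDENED, MONGOD_CONF_HARDENED)):
        findings = audit_files(env_text, conf_text)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

To run it against a live host, replace the sample strings with open("/etc/ackee/ackee.env").read() and open("/etc/mongod.conf").read() under the service user; the script never prints the secret values, only the findings.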
¶ 3) Reduce tracker abuse and data leakage
- Enforce an allow-list of tracked origins with ACKEE_ALLOW_ORIGIN (comma-separated origins such as https://example.com,https://www.example.org); do not set it to *, which lets any site write events into your database.
- Keep internal hostnames (staging, intranet, localhost) out of that list and out of the domains configured in Ackee, so that internal paths and referrers are not recorded by accident and then shown to everyone with dashboard access.
- Rate-limit the tracker endpoint at the reverse proxy (for nginx, limit_req keyed by client address) so that one client cannot flood the database.
- Monitor for unusual event spikes per source IP and User-Agent; a single client posting hundreds of events a minute is either a bot or someone polluting your statistics.
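Two of the controls in section 3 lend themselves to a small script: validating the ACKEE_ALLOW_ORIGIN value (rejecting * and internal hosts) and spotting event bursts per client in the reverse-proxy access log. The following is an added example, not Ackee's own code; the access-log lines are constructed, and the /api tracker path, the 60-second window and the 120-requests threshold are assumptions to tune for your own traffic.

```python
"""Tracker-side checks for section 3: validate an ACKEE_ALLOW_ORIGIN value
(refusing '*' and internal hosts) and flag event bursts per client in
reverse-proxy access logs.

Added example, not Ackee's own code. The log lines are constructed; the
/api tracker path, the 60 s window and the 120-requests threshold are
assumptions to tune for your traffic.
"""
import ipaddress
import re
from collections import Counter
from datetime import datetime
from urllib.parse import urlparse

INTERNAL_SUFFIXES = (".local", ".localhost", ".internal", ".lan", ".corp")
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')


def is_internal_host(host):
    """True for hosts that must never be tracked: loopback, private and
    link-local addresses, intranet suffixes, and bare single-label names."""
    host = host.lower().rstrip(".")
    if host == "localhost" or host.endswith(INTERNAL_SUFFIXES):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "." not in host                   # e.g. "wiki"
    return ip.is_private or ip.is_loopback or ip.is_link_local


def validate_allow_origin(value):
    """Return (origins, problems) for an ACKEE_ALLOW_ORIGIN value, which Ackee
    takes as comma-separated origins or '*'. '*' and internal hosts are
    reported because either lets unwanted data into the database."""
    origins, problems = set(), []
    if value.strip() == "*":
        problems.append("'*' accepts tracking requests from any site")
        return origins, problems
    for raw in (p.strip() for p in value.split(",") if p.strip()):
        u = urlparse(raw)
        if u.scheme not in ("http", "https") or not u.hostname or u.path not in ("", "/"):
            problems.append(f"not an origin: {raw}")
        elif is_internal_host(u.hostname):
            problems.append(f"internal host would be tracked: {raw}")
        else:
            origins.add(f"{u.scheme}://{u.netloc.lower()}")
    return origins, problems


def origin_allowed(origin_header, origins):
    """Exact match of a request's Origin header against the validated list."""
    return origin_header.strip().lower() in origins


def parse_log_line(line):
    """Parse one nginx 'combined' access-log line; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_bursts(lines, tracker_path="/api", window=60, threshold=120):
    """Count tracker POSTs per (client IP, User-Agent) in fixed windows and
    return sorted (ip, ua, window_start_epoch, count) tuples at or above
    the threshold; these are the clients to rate-limit or block."""
    counts = Counter()
    for line in lines:
        rec = parse_log_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == tracker_path:
            bucket = int(rec["ts"].timestamp()) // window * window
            counts[(rec["ip"], rec["ua"], bucket)] += 1
    return sorted((ip, ua, b, n) for (ip, ua, b), n in counts.items() if n >= threshold)


def _line(ip, second, ua, method="POST", path="/api"):
    """Constructed access-log line; addresses are from documentation ranges."""
    return (f'{ip} - - [10/Mar/2024:12:00:{second:02d} +0000] "{method} {path} HTTP/1.1" '
            f'200 57 "https://example.com/page" "{ua}"')


BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:124.0) Gecko/20100101 Firefox/124.0"
SCRIPT_UA = "python-requests/2.31.0"
SAMPLE_LOG = (
    [_line("203.0.113.5", s, BROWSER_UA) for s in (1, 9, 33)]            # ordinary visitor
    + [_line("198.51.100.7", 2, BROWSER_UA, "GET", "/tracker.js")]       # script fetch, not an event
    + [_line("198.51.100.23", s % 60, SCRIPT_UA) for s in range(150)]    # 150 events in one minute
)

if __name__ == "__main__":
    origins, problems = validate_allow_origin("https://example.com, https://wiki, *")
    print("allowed:", sorted(origins), "problems:", problems)
    for ip, ua, start, n in find_bursts(SAMPLE_LOG):
        print(f"burst: {n} POST {ip} {ua!r} window starting {start}")
```

Feed find_bursts the real proxy log (for example the lines of /var/log/nginx/access.log) and use its output to pick the limit_req rate and to decide which clients to block; the origin check mirrors the exact-match semantics you want from the allow-list, so a subdomain or a different scheme is not accepted unless it is listed.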
¶ Verification commands
# Confirm the credentials and connection string are set without printing the secret values
sudo grep -oE '^ACKEE_(USERNAME|PASSWORD|MONGODB)=' /etc/ackee/ackee.env
# Ackee (3000) should be bound to localhost or a private address, MongoDB (27017) to 127.0.0.1 only, and 443 is the reverse proxy
sudo ss -tulpn | grep -E ':(3000|443|27017)\b'
# With authorization enabled and no credentials supplied, authInfo.authenticatedUsers is empty and other commands are refused
sudo mongosh --quiet --eval 'db.runCommand({connectionStatus:1})' 2>/dev/null | head
- Ackee documentation: https://github.com/electerious/Ackee
- Ackee Docker reference: https://github.com/electerious/Ackee/blob/master/Dockerfile
- Ackee security advisories: https://github.com/electerious/Ackee/security