Shulou(Shulou.com)05/31 Report--

How to implement security management in MongoDB? in view of this problem, this article introduces the corresponding analysis and solution in detail, hoping to help more partners who want to solve this problem to find a more simple and feasible method.

Mode 1 iptables setting

Linux Firewall settings only the server where the application resides, ip, can access the server where MongoDB resides.

It is actually very simple for Linux to disable access to a certain IP address, and the most common way is to use iptalbes. This method has nothing to do with MongoDB itself, but borrows the iptalbes feature of Linux to restrict the ip address allowed to access the MongoDB port. The specific method (ip and port need to correspond to the reader) is as follows:

# deny all requests for access to port 27017

Sudo iptables-I INPUT-p tcp-- dport 27017-j DROP

# allow 192.168.1.1 server access to mongo port

Sudo iptables-I INPUT-s 192.168.1.1-p tcp-- dport 27017-j ACCEPT

Sudo iptables-save

Or

Vi / etc/sysconfig/iptables

Put

Iptables-I INPUT-p tcp-- dport 27017-j DROP

Iptables-I INPUT-s 192.168.1.1-p tcp-- dport 27017-j ACCEPT

These two sentences are added to

-An INPUT-j REJECT-- reject-with icmp-host-prohibited

-A FORWARD-j REJECT-- reject-with icmp-host-prohibited

In front of.

Then restart the firewall

Service iptables restart

View firewall status

Service iptables status

This only allows the 192.168.1.1 server to access the MongoDB service.

Note that the order of orders cannot be reversed. If you restrict not only one port but all ports, you can remove dport 27017.

Mode two: hosts.allow and hosts.deny

The configuration file / etc/hosts.allow control in Linux allows access to the local IP address, and the / etc/hosts.deny control prohibits access to the native IP. The order of execution is deny and then allow, so if the configuration of the two files conflicts, / etc/hosts.allow shall prevail.

The / etc/hosts.allow and / etc/hosts.deny files control remote access settings and allow or deny customers of a certain ip or ip segment access to a service of linux. The service is identified by the process name, for example, the service process name of MongoDB is mongod, and we restrict all ip access unless ip is 192.168.1.1.

Edit hosts.deny:

Vi / etc/hosts.deny

Deny all ip access to MongoDB service inputs:

# no mongod

Mongod:all:deny

Esc input: wq save away.

Mongod:all:deny denies all ip access to the mongod service. Deny can be omitted and written as mongod:all.

Edit hosts.allow:

Vi / etc/hosts.allow

Allow 192.168.1.1 access to MongoDB service inputs:

Mongod:192.168.1.1

Esc input: wq save away.

Restart the interceptor after modification to make the previous change take effect:

Service xinetd restart

After setting up, you need to verify whether the restrictions are in effect. If it is more important data that is not satisfied with restricting ip access, add user authentication, which needs to be weighed by the reader.

For databases with high security requirements, SSL can also be enabled.

If you don't use SSL, the data you transfer between the MongoDB client and the MongoDB server is plaintext and is vulnerable to eavesdropping, tampering, and man-in-the-middle attacks. If you are connecting to the MongoDB server through a non-secure network such as a public network, it is important to enable SSL.

Detailed SSL configuration can be found on the official website:

Https://docs.mongodb.com/manual/tutorial/configure-ssl/ .

Method 3 do not deploy MongoDB to the same machine as other services

Turn off the NUMA function when starting MongoDB, and follow the prompts to add the numactl-- interleave option before starting the command. Use the following command when starting:

Numactl-interleave=all mongod-dbpath=/data/db/-fork-logpath=/data/logs/db.log

If there is no numactl command on the system, use yum to install

Yum install-y numactl

Use the command again

Echo 0 > / proc/sys/vm/zone_reclaim_mode

Vi / proc/sys/vm/zone_reclaim_mode

Sysctl-w vm.zone_reclaim_mode=0

This is the answer to the question about how to achieve security management in MongoDB. I hope the above content can be of some help to you. If you still have a lot of doubts to be solved, you can follow the industry information channel for more related knowledge.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.