2025-01-16 Update. From: SLTechnology News&Howtos > Network Security
Shulou (Shulou.com) 06/01 Report
This article explains in detail how to address the common security problems of MongoDB. The content is shared for reference, and after reading it you should have a working understanding of the relevant settings.
A default MongoDB installation frequently leads to security problems, such as the unauthorized access to a Phoenix New Media system and its MongoDB.
Today we are going to talk about the security configuration of MongoDB.
1. A MongoDB installation started without any parameters performs no authentication by default: any client that connects can operate on the database, and the database is reachable remotely. Start mongod with the --auth parameter to require authentication.
2. After installation an admin database exists by default, but it is empty and holds no permission information. While admin.system.users contains no user, anything can be done without authentication, whether or not mongod was started with --auth, until a user is added to admin.system.users. (In current versions this window is narrowed to the "localhost exception": with --auth set, only a connection from localhost may act unauthenticated, and only until the first user or role has been created.)
3. Access to MongoDB is split into connection and permission checking. Even when mongod is started with --auth, a client can connect without a user name, but such a connection has no permission to do anything.
4. Before 2.4, any user in the admin database can manage all databases, while users in other databases can only manage their own database. From 2.4 onward the scope of an admin user is determined by the roles granted to it (see 0x01).
5. Before 2.4, a user's permissions are either read-only or full. Version 2.4 introduces role-based permission management, grouped into database operation rights, database user management rights, and cluster management rights; it is recommended that a super user in the admin database manages these users. The pre-2.4 user management methods remain compatible.
0x01 Description of user roles in MongoDB
1. read role
Read-only permissions on a database, including:
aggregate, checkShardingIndex, cloneCollectionAsCapped, collStats, count, dataSize, dbHash, dbStats, distinct, filemd5, mapReduce (inline output only), text (beta feature), geoNear, geoSearch, geoWalk, group
2. readWrite role
Read and write permissions on a database, including:
all permissions of the read role, plus
cloneCollection (as the target database), convertToCapped, create (and implicit collection creation), renameCollection (within the same database), findAndModify, mapReduce (output to a collection), drop(), dropIndexes, emptycapped, ensureIndex()
3. dbAdmin role
Administrative permissions on a database, including:
clean, collMod, collStats, compact, convertToCapped, create, db.createCollection(), dbStats, drop(), dropIndexes, ensureIndex(), indexStats, profile, reIndex, renameCollection (within a single database), validate
4. userAdmin role
User management rights on a database
5. clusterAdmin role
Cluster management permissions (replica set, sharding, master-slave, etc.), including:
addShard, closeAllDatabases, connPoolStats, connPoolSync, _cpuProfilerStart, _cpuProfilerStop, cursorInfo, diagLogging, dropDatabase, shardingState, shutdown, splitChunk, splitVector, split, top, touch, resync, serverStatus, setParameter, setShardVersion, shardCollection, replSetMaintenance, replSetReconfig, replSetStepDown, replSetSyncFrom, repairDatabase, replSetFreeze, replSetGetStatus, replSetInitiate, logRotate, moveChunk, movePrimary, netstat, removeShard, unsetSharding, hostInfo, db.currentOp(), db.killOp(), listDatabases, listShards, getCmdLineOpts, getLog, getParameter, getShardMap, getShardVersion, enableSharding, flushRouterConfig, fsync, db.fsyncUnlock()
6. readAnyDatabase role
Read-only access to any database (like read, but cluster-wide)
7. readWriteAnyDatabase role
Read and write permissions on any database (like readWrite, but cluster-wide)
8. userAdminAnyDatabase role
User management rights on any database (like userAdmin, but cluster-wide)
9. dbAdminAnyDatabase role
Administrative permissions on any database (like dbAdmin, but cluster-wide)
0x02 MongoDB installation considerations
1. Add --auth when installing
MongoDB only verifies credentials when mongod is started with --auth.
2. Add --nohttpinterface
Without it, mongod also listens on port 28017 (the main port plus 1000) and exposes a web interface with status information about the server. If you do not need it, turn it off. (The HTTP interface was deprecated in 3.2 and removed in 3.6.)
3. You can add --bind_ip.
This restricts the addresses on which mongod accepts connections. (Before 3.6 mongod listens on all interfaces unless --bind_ip is given; from 3.6 it binds to localhost by default.)
4. You can add --port.
This changes the listening port; the default is 27017.
5. Add a user to the admin database immediately after installation.
Authentication only takes effect once a user exists in the admin database.
Note: on Windows, installation means registering mongod as a service and specifying these parameters at startup.
0x03 User authorization
1. User management prior to 2.4
1.1. Switch to admin and create an administrative account:
use admin
db.addUser("test", "test")
1.2. Switch to the database the application will use and create the user the program connects with:
use test
db.addUser("test", "test")
This user has read and write permissions by default; db.addUser("test", "test", true) creates a read-only user.
2. User management in 2.4 (the pre-2.4 method still works)
2.1. Switch to admin and create an administrative account:
use admin
db.addUser("test", "test")
2.2. In admin, create an account that logs in against admin and has read and write access to the databases test and test_log:
use admin
db.addUser({"user": "test", "pwd": "test", "roles": [], "otherDBRoles": {"test": ["readWrite"], "test_log": ["readWrite"]}})
Note: db.addUser() was deprecated in 2.6 and later removed; from 2.6 onward users are created with db.createUser(), where every role is given as a {role, db} pair.
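The roles in 0x01 and the 2.4-style user document above map onto the db.createUser() format used from 2.6 onward, where each role is a {role, db} pair. The following is an added example written for this page, not code from the original article or from MongoDB: it converts a 2.4 addUser() document (roles plus otherDBRoles) into the 2.6+ createUser command document and summarises which databases the resulting user can reach. The sample user document is constructed from the article's own example; the set of cluster-wide role names is taken from 0x01 plus the later "root" role.

```javascript
// Added example, not from the original article. Translates the 2.4-style
// addUser() document (roles + otherDBRoles, created in the admin database)
// into the db.createUser() command document of MongoDB 2.6+, and reports
// which databases each granted role reaches so a spec can be reviewed
// before it is applied.

// Roles that reach every database or the cluster itself (from 0x01, plus
// the "root" role that later versions added).
const CLUSTER_WIDE_ROLES = new Set([
  "readAnyDatabase", "readWriteAnyDatabase",
  "userAdminAnyDatabase", "dbAdminAnyDatabase",
  "clusterAdmin", "root",
]);

// {user, pwd, roles, otherDBRoles} (2.4 format, homeDb is the database the
// user was created in) -> {createUser, pwd, roles: [{role, db}]} (2.6+).
function toCreateUserCommand(legacySpec, homeDb = "admin") {
  const roles = [];
  for (const role of legacySpec.roles || []) {
    roles.push({ role, db: homeDb });
  }
  for (const [db, dbRoles] of Object.entries(legacySpec.otherDBRoles || {})) {
    for (const role of dbRoles) roles.push({ role, db });
  }
  return { createUser: legacySpec.user, pwd: legacySpec.pwd, roles };
}

// Map each database to the roles the user holds there. The key "*" collects
// roles that are not limited to one database.
function databaseScope(createUserCmd) {
  const scope = {};
  for (const { role, db } of createUserCmd.roles) {
    const key = CLUSTER_WIDE_ROLES.has(role) ? "*" : db;
    (scope[key] = scope[key] || []).push(role);
  }
  return scope;
}

// Constructed sample: the application user from section 2.2 above, living in
// admin with no admin roles and readWrite on "test" and "test_log".
const legacyAppUser = {
  user: "test", pwd: "test", roles: [],
  otherDBRoles: { test: ["readWrite"], test_log: ["readWrite"] },
};

const appUserCmd = toCreateUserCommand(legacyAppUser);
// In a 2.6+ shell the result would be applied with:
//   use admin
//   db.runCommand(appUserCmd)
console.log(JSON.stringify(appUserCmd));
console.log(JSON.stringify(databaseScope(appUserCmd)));
```

The scope summary makes the review question from 0x04 explicit: an application user should only ever show database-specific keys, and any "*" entry means the account can reach data it was not meant to.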
0x04 Security configuration scheme
1. Add --auth during installation and immediately create a user in the admin database
By default MongoDB performs no authentication, so this is the crucial step. (In the YAML configuration file used from 2.6 onward the equivalent setting is security.authorization: enabled.)
2. Consider changing the port and restricting the listening address during installation
Set --port and --bind_ip (net.port and net.bindIp in the configuration file) according to the actual situation, or enforce the same restriction on the server firewall.
3. Add --nohttpinterface during installation to disable the default web interface
The web interface is rarely used and many people do not even know it exists, so it is best to turn it off.
4. Handling of the administrative user
Because an administrative account in admin is required for management, it is best to give it a strong password and never use it for applications.
5. Account under which the MongoDB service runs
On Windows, use Network Service or create a dedicated user in the default Users group, grant it write permission on the database files and the log directory, and preferably remove its execute permission on programs such as cmd.
On Linux, create a dedicated account, give it execute permission on the mongod binary and read/write permission on the database files and log directory, and preferably remove its execute permission on sh and similar programs.
6. Restrict the rights of the users that websites and other programs connect with
Give application users permissions only on their own databases, and never let applications connect with the administrative account from the admin database.
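The checks in 0x02 and 0x04 can be verified on a running server instead of trusted from the service definition: db.adminCommand({getCmdLineOpts: 1}) (listed under clusterAdmin in 0x01) returns the effective startup options, and db.system.users.find() in admin returns every user with its roles. The following is an added example written for this page, not code from the original article or from MongoDB. It assumes the document shapes of MongoDB 2.6 and later (a parsed section with net.bindIp, net.port, net.http.enabled and security.authorization; user documents with user, db and a roles array of {role, db}); the input documents below are constructed for the example, and the set of names treated as administrators is a parameter the operator supplies.

```javascript
// Added example, not from the original article. Audits the output of
// db.adminCommand({getCmdLineOpts: 1}).parsed and db.system.users.find()
// against the recommendations in 0x02 and 0x04. Document shapes follow
// MongoDB 2.6+ (assumption of this example).

// Roles that reach every database or the cluster itself.
const ADMIN_ROLES = new Set([
  "root", "clusterAdmin", "userAdminAnyDatabase", "dbAdminAnyDatabase",
  "readWriteAnyDatabase", "readAnyDatabase",
]);

// Returns a list of findings (empty when the startup options look hardened).
function auditServerOptions(parsed) {
  const findings = [];
  const sec = parsed.security || {};
  if (sec.authorization !== "enabled")
    findings.push("authentication is disabled (no --auth / security.authorization)");

  const net = parsed.net || {};
  const port = net.port || 27017;
  if (net.bindIp === undefined) {
    findings.push("no net.bindIp set (before 3.6 this means all interfaces)");
  } else {
    const ips = String(net.bindIp).split(",").map((s) => s.trim());
    if (ips.some((ip) => ip === "0.0.0.0" || ip === "::"))
      findings.push("mongod listens on all interfaces (net.bindIp)");
  }
  if (port === 27017) findings.push("default port 27017 in use");
  if (net.http && net.http.enabled === true)
    findings.push(`HTTP interface enabled on port ${port + 1000}`);
  return findings;
}

// Flags any user that is not a designated administrator but still holds a
// cluster-wide role: that is exactly the "application connects as admin"
// misuse that 0x04 item 6 warns about.
function auditUsers(users, adminUserNames) {
  const findings = [];
  for (const u of users) {
    const wide = (u.roles || [])
      .filter((r) => ADMIN_ROLES.has(r.role))
      .map((r) => r.role);
    if (wide.length > 0 && !adminUserNames.has(u.user))
      findings.push(`${u.db}.${u.user} holds cluster-wide roles: ${wide.join(", ")}`);
  }
  return findings;
}

// Constructed samples: a default-style start and a hardened start.
const weakOptions = { net: { port: 27017 } };
const hardenedOptions = {
  security: { authorization: "enabled" },
  net: { bindIp: "127.0.0.1,10.0.0.5", port: 27018 },
};

// Constructed sample of admin.system.users: a DBA, the application user from
// 0x03, and a "web" account that was wrongly given readWriteAnyDatabase.
const sampleUsers = [
  { _id: "admin.dba", user: "dba", db: "admin",
    roles: [{ role: "userAdminAnyDatabase", db: "admin" }] },
  { _id: "admin.test", user: "test", db: "admin",
    roles: [{ role: "readWrite", db: "test" }, { role: "readWrite", db: "test_log" }] },
  { _id: "admin.web", user: "web", db: "admin",
    roles: [{ role: "readWriteAnyDatabase", db: "admin" }] },
];

console.log("weak:", auditServerOptions(weakOptions));
console.log("hardened:", auditServerOptions(hardenedOptions));
console.log("users:", auditUsers(sampleUsers, new Set(["dba"])));
```

Run the same two functions in the mongo shell (pasting them in and feeding db.adminCommand({getCmdLineOpts: 1}).parsed and db.getSiblingDB("admin").system.users.find().toArray()) to check a real instance; the functions only inspect documents, so they need nothing beyond the administrative user's own read permissions.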
0x05 Common commands
1. Installation (Windows service)
mongod --dbpath d:\mongodb\data --logpath d:\mongodb\log\mongodb.log --nohttpinterface --auth --install
2. Add a user
use admin
db.addUser("test", "test")
3. Show all databases
show dbs
4. Switch to a database
use test
5. Connect to a database with credentials
mongo test -u root -p 123456
6. Authenticate on an existing connection
db.auth("username", "password")
7. View users
db.system.users.find()
These are just a few basics; many more are documented online, or you can use a tool to connect and operate.
0x06 Management tools
1. MongoVUE
A desktop client management tool
2. RockMongo
A PHP-based web management tool
That concludes this overview of how to address the various security problems of MongoDB. I hope the content above is of some help to you; if you found the article useful, share it so that more people can see it.