2025-01-18 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 05/31 Report--
Many inexperienced users have no idea what MongoDB's default security settings are, or how authentication in MongoDB is implemented and how to protect it. This article summarizes the causes of the problem and its solutions; I hope it helps you solve it. The following sections explain MongoDB's default security settings and how its authentication is implemented and protected.
MongoDB default security settings
By default, mongod listens on 0.0.0.0, so any client can connect directly to port 27017 without authentication. The advantage is that developers or DBAs can get started instantly without being distracted by a pile of configuration. The downside is obvious: if you run MongoDB directly on a server on the public network, everyone can access and modify your database data.
By default, mongod also has no administrator account. Unless you add one with the db.addUser() command in the admin database and start mongod with the --auth parameter, anyone connecting to the database can execute every command without authentication, including deleting data and shutting the server down.
In addition, mongod listens on port 28017 by default, also bound to all IPs. This is the web monitoring interface that ships with mongod; from it you can read the current connections to the database, the log, the status, the running system and other information. If the --rest parameter is enabled, you can even query data directly through the web interface and execute mongod commands.
I spent a night scanning one B-class range at home and one abroad. As a result, 78 MongoDB instances were open abroad and 60 at home. I randomly picked 10 of them to try to connect; only one machine was protected with an administrator account, and the others were all wide open. It can be seen that the problem is quite serious.
In fact, MongoDB itself has very detailed security configuration guidelines, so its developers clearly thought of this, but they pushed the security task onto the user. Their strategy is biased towards ease of use; security has to stand aside.
User information storage and the authentication process
Just as MySQL stores system user information in the mysql.user table, MongoDB stores the username and pwd of system users in the admin.system.users collection, where pwd = md5(username + ":mongo:" + real_password). There is nothing wrong with this in itself: the username and ":mongo:" amount to adding a salt to the original password, so even if an attacker obtains the MD5 hash stored in the database, he cannot simply look up the original password in a rainbow table.
Let's look at how MongoDB's authentication interaction with the client is implemented. All interaction between the mongo client and the server is in plaintext, so it can easily be captured by network sniffing and similar means. Here, we use the mongosniff tool that ships with the database to dump all packets exchanged between the client and the server:
[root@localhost bin]# ./mongosniff --source NET lo
sniffing... 27017
... // omit the packets at the beginning and look directly at the authentication process. Here is the interaction that occurs when the user enters db.auth(username, real_passwd).
127.0.0.1:34142 -->> 127.0.0.1:27017 admin.$cmd 62 bytes id:88
  query: { getnonce: 1.0 } ntoreturn: -1 ntoskip: 0
127.0.0.1:34142 -->> 127.0.0.1:27017 admin.$cmd 152 bytes id:99
  query: { authenticate: 1.0, user: "admin", nonce: "df97182fb47bd6d0", key: "3d839522b547931057284b6e1cd3a567" } ntoreturn: -1 ntoskip: 0
127.0.0.1:27017
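The scheme behind the capture above, as an added example (not code from the article): it reproduces the stored pwd digest the article describes and the legacy MONGODB-CR response key, md5(nonce + username + pwd), which the capture stops before explaining. The nonce is the one from the dump; the username, password and the second nonce are constructed. MONGODB-CR was removed in MongoDB 4.0 in favour of SCRAM.

```python
import hashlib
import hmac

# Fixed marker from the article; together with the username it is the only "salt".
SALT_MARKER = ":mongo:"


def stored_pwd_digest(username: str, password: str) -> str:
    """pwd as kept in admin.system.users: md5(username + ":mongo:" + password).
    No random salt: the same user/password pair yields the same digest on every server."""
    return hashlib.md5(f"{username}{SALT_MARKER}{password}".encode("utf-8")).hexdigest()


def challenge_response_key(nonce: str, username: str, pwd_digest: str) -> str:
    """The 'key' field of the authenticate command: md5(nonce + username + pwd).
    This is the MONGODB-CR specification; the article's capture stops before it."""
    return hashlib.md5(f"{nonce}{username}{pwd_digest}".encode("utf-8")).hexdigest()


def server_verify(nonce: str, username: str, pwd_digest: str, key: str) -> bool:
    """What mongod does on receipt: recompute the key from the stored digest and compare.
    The server never needs the cleartext password, so the stored digest is
    password-equivalent and admin.system.users (and its backups) need the same protection."""
    return hmac.compare_digest(challenge_response_key(nonce, username, pwd_digest), key)


if __name__ == "__main__":
    # Constructed credentials; the nonce is the one the mongosniff dump above shows.
    user, password, nonce = "admin", "example-password", "df97182fb47bd6d0"
    pwd = stored_pwd_digest(user, password)
    key = challenge_response_key(nonce, user, pwd)
    print(f"stored pwd : {pwd}")
    print(f"authenticate {{ user: {user!r}, nonce: {nonce!r}, key: {key!r} }}")
    print(f"server accepts      : {server_verify(nonce, user, pwd, key)}")
    # The key is bound to the nonce, so a captured key is useless against a fresh nonce...
    print(f"replay on new nonce : {server_verify('0123456789abcdef', user, pwd, key)}")
    # ...but nothing in the protocol protects the digest itself if system.users leaks.
    print(f"digest alone logs in: {server_verify(nonce, user, pwd, challenge_response_key(nonce, user, pwd))}")
```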