MongoDB security configuration details

MongoDB security configuration details

This article mainly introduces MongoDB security configuration details. This article is from the wooyun platform, a domestic security vendor, and provides a comprehensive explanation. For more information, see.

0x00 MongoDB Permissions

1. No parameters are added during MongoDB installation. No permission verification is performed by default. login users can perform any operations on the database and remotely access the database. The -- auth parameter must be used to start the operation.

2. MongoDB has an admin database by default when the installation is complete. At this time, the admin database is empty and no permission-related information is recorded. When admin. system. users is not a user sometimes, even if the -- auth parameter is added when mongod is started, if the user is not added to the admin database, at this time, no authentication is required or any operation can be performed (whether or not the -- auth parameter is enabled) until. system. A user is added to users.

3. MongoDB access is divided into connection and permission verification. Even if you start with the -- auth parameter, you can still connect to the database without using the user name, but you do not have any permissions to perform any operations.

4. the user name in the admin database can manage all databases. Users in other databases can only manage their databases.

5. in versions earlier than 2.4, user permissions are divided into read-only and all permissions. In version 2.4, permission management is divided into database operation permissions, database user management permissions, and cluster management permissions, it is recommended that super users manage these users in the admin database. However, it is still compatible with user management methods earlier than 2.4.

0x01 roles of users in MongoDB

1. read role

The read-only permission of the database, including:

The Code is as follows:

Aggregate, checkShardingIndex, cloneCollectionAsCapped, collStats, count, dataSize, dbHash, dbStats, distinct, filemd5, mapReduce (inline output only .), text (beta feature .) geoNear, geoSearch, geoWalk, group

2. readWrite role

The read and write permissions of the database, including:

All read role Permissions

The Code is as follows:

CloneCollection (as the target database.), convertToCapped, create (and to create collections implicitly.), renameCollection (within the same database.) findAndModify, mapReduce (output to a collection .)

Drop (), dropIndexes, emptycapped, ensureIndex ()

3. dbAdmin role

Database Management permissions, including:

The Code is as follows:

Clean, collMod, collStats, compact, convertToCappe

Create, db. createCollection (), dbStats, drop (), dropIndexes

EnsureIndex (), indexStats, profile, reIndex

RenameCollection (within a single database.), validate

4. userAdmin role

Database User Management Permissions

5. clusterAdmin role

Cluster Management permissions (replica set, Shard, master-slave, and other related management), including:

The Code is as follows:

AddShard, closeAllDatabases, connPoolStats, connPoolSync, _ cpuProfilerStart_cpuProfilerStop, cursorInfo, diagLogging,

DropDatabase

ShardingState, shutdown, splitChunk, splitVector, split, top, touchresync

ServerStatus, setParameter, setShardVersion, shardCollection

ReplSetMaintenance, replSetReconfig, replSetStepDown, replSetSyncFrom

RepairDatabase, replSetFreeze, replSetGetStatus, replSetInitiate

LogRotate, moveChunk, movePrimary, netstat, removeShard, unsetSharding

HostInfo, db. currentOp (), db. killOp (), listDatabases, listshardsget1_lineopts, getLog, getParameter, getShardMap, getSha

RdVersion

EnableSharding, flushRouterConfig, fsync, db. fsyncUnlock ()

6. readAnyDatabase role

Read-Only permission for any database (similar to read)

7. readWriteAnyDatabase role

Read and Write Permissions Of any database (similar to readWrite)

8. userAdminAnyDatabase role

Management permissions of any database user (similar to userAdmin)

9. dbAdminAnyDatabase role

Management permissions of any database (similar to dbAdmin)

0x02 considerations for MongoDB Installation

1. Add -- auth during installation

MongoDB needs verification only after -- auth is added

2. -- nohttpinterface needs to be added

If you do not add a port 28017 listener, you can manage mongodb through the web page. Remove it if you do not need it.

3. You can add -- bind_ip

Added ip addresses that can be restricted

4. You can add -- port

After the port is added, You can reset the port. The default value is 27017.

5. After installation, add a user to the admin database immediately.

Authentication takes effect only when a user is added to the admin database.

Note: the installation process is to add a service and specify the parameters at startup.

0x03 user authorization

1. User management methods for versions earlier than 2.4

1.1 go to admin to create a management account

The Code is as follows:

Use admin

Db. addUser ("test", "test ")

1.2. Create a program to use the user in the database to be used.

The Code is as follows:

Use test

Db. addUser ("test", "test") has the read and write permissions by default.

Db. addUser ("test", "test", True) has read permission

2. You can also use the previous version to manage users of version 2.4.

2.1 go to admin to create a management account

The Code is as follows:

Use admin

Db. addUser ("test", "test ")

2.2 enter admin to create an account with read and write permissions on the database and logs for the database test you are using.

The Code is as follows:

Use admin

Db. addUser ({

"User": "test ",

"Pwd": "test ",

"Roles": [],

"OtherDBRoles ":{

"Test ":[

"ReadWrite"

],

"Test_log ":[

"ReadWrite"

]

}

})

0x04 security configuration Scheme

1. Add -- auth during installation and create a user in the admin database immediately.

By default, MongoDB does not require verification, so this is a crucial step.

2. You can consider modifying the port and specifying the access ip address during installation.

Specific settings can be set based on the actual situation, or directly on the server firewall

3. We recommend that you add -- nohttpinterface to cancel the default webpage management mode during installation.

Default web management is generally not used, and many people do not know, it is best to disable

4. manage user Processing

Because you need to create a management account in admin for management, it is best to set a strong password, but do not use it for other programs

5. MongoDB Service Running Account

In windows, you can use network service or create a user, use the default USERS Group, and add write permissions to database files and log storage directories, we recommend that you cancel the execution permission on programs such as cmd.

Create an account in linux and grant the program execution permission and read and write permissions on database files and log directories. We recommend that you cancel the execution permission on the sh and other programs.

6. Control the permissions for connecting users used by websites or other programs.

Users who use websites or other programs only grant permissions to the corresponding database. Do not use the admin account in the admin database.

0x05 Common commands

1. Install

The Code is as follows:

Mongod -- dbpath d: \ mongodb \ data -- logpath d: \ mongodb \ log \ mongodb. log ---- nohttpinterface -- auth -- install

2. Add a user

The Code is as follows:

Use admin

Db. addUser ("test", "test ")

3. display all databases

The Code is as follows:

Show dbs

4. Use a database

The Code is as follows:

Use test

5. Connect to the database

The Code is as follows:

Mongo test-uroot-p123456

6. Add User Authentication

The Code is as follows:

Db. auth ("username", "password ")

7. View users

The Code is as follows:

Db. system. users. find ()

Just write a few basics. There are a lot of other websites, or use tools to connect them.

0x06 management tools

1. Upgrade vue

Management tools in client form

2. rockmongo

Php-based web Management

Please correct me!