10 Ways to Improve MongoDB Security

Source: Internet
Author: User

MongoDB provides a set of features for improving data security. Data security is a priority in MongoDB, so it uses these features to reduce the exposed attack surface. The following are 10 tips for improving the security of your self-hosted or cloud MongoDB server.

1. Enable auth. Enable auth even when you deploy a MongoDB server in a trusted network: if that network is compromised, authentication provides "defense in depth". Edit the configuration file to enable auth:

auth = true

2. Do not expose a production database to the Internet. Limiting physical access to the database is a very important security measure. Do not expose a production database to the Internet unless it is necessary: if attackers cannot connect to the MongoDB server at all, the data is much safer. If you deploy on Amazon Web Services (AWS), you should place the database in a private subnet of a Virtual Private Cloud (VPC). For more information, see the blog article "Deploying MongoDB in a private cloud (VPC)".

3. Use a firewall to restrict which hosts may connect to the MongoDB server. The best approach is to allow only your own application servers to reach the database. If you deploy on Amazon Web Services (AWS), you can use the "Security Group" feature to restrict access. If you deploy with a hosting provider that does not offer a firewall feature, you can configure "iptables" on the server itself. See the MongoDB documentation for iptables configurations suited to your environment.

4. Use a key file for a replica set. Specifying a shared key file enables authenticated communication between the MongoDB instances in a replica set. Add the keyFile parameter to the configuration file as follows. The contents of this file must be identical on every member of the replica set.

keyFile = /srv/mongodb/keyfile

5. Disable the HTTP status interface. By default, MongoDB serves an HTTP interface on port 28017 that provides a "master" status page. We recommend that you do not use this interface in production; it is best to disable it. Use the "nohttpinterface" configuration option to disable it:

nohttpinterface = true

6. Disable the REST interface. We recommend that you do not enable the MongoDB REST interface in production, because it does not support any authentication. It is disabled by default; if it has been enabled with the "rest" configuration option, disable it on production systems:

rest = false

7. Configure bind_ip. If your system has multiple network interfaces, use the "bind_ip" option to restrict the MongoDB server to listening only on the listed addresses. By default, MongoDB binds to all interfaces.

bind_ip = 10.10.0.25,10.10.0.26
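To make items 1 and 4 to 7 checkable rather than something to eyeball, here is an added example (not code from the original article): a small audit script that parses a legacy "key = value" mongod.conf and reports every item that is not satisfied. The option names auth, keyFile, nohttpinterface, rest and bind_ip come from the article; sslOnNormalPorts, used to cover item 8, is assumed from the same legacy configuration format. The sample configuration is constructed and is not a real deployment.

```python
"""Audit a legacy (key = value) mongod.conf against the hardening items above.

Added example, not from the original article. Option names auth, keyFile,
nohttpinterface, rest and bind_ip come from the article; sslOnNormalPorts is
assumed from the same legacy configuration format.
"""
import re
from typing import Dict, List

# Constructed sample: auth is on, but the other items are left insecure.
SAMPLE_CONF = """\
# mongod.conf (constructed sample, not a real deployment)
dbpath = /var/lib/mongodb
logpath = /var/log/mongodb/mongod.log
auth = true
rest = true
bind_ip = 0.0.0.0
"""

_LINE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")


def parse_conf(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines, ignoring blanks and '#' comments.

    Keys are lower-cased so that 'Auth = true' and 'auth = true' agree.
    """
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]
        m = _LINE.match(line)
        if m:
            conf[m.group(1).lower()] = m.group(2)
    return conf


def _truthy(value: str) -> bool:
    return value.strip().lower() in ("true", "1", "yes", "on")


def audit_conf(conf: Dict[str, str]) -> List[str]:
    """Return one finding per hardening item that the config does not satisfy."""
    findings: List[str] = []

    # Item 1: authentication must be on (it is off by default in this format).
    if not _truthy(conf.get("auth", "false")):
        findings.append("auth is not enabled")

    # Item 4: replica set members authenticate each other with a shared key file.
    if not conf.get("keyfile"):
        findings.append("keyFile is not set (required for a replica set)")

    # Item 5: the HTTP status interface on port 28017 should be off.
    if not _truthy(conf.get("nohttpinterface", "false")):
        findings.append("HTTP status interface is enabled (set nohttpinterface = true)")

    # Item 6: the REST interface has no authentication and must stay off.
    if _truthy(conf.get("rest", "false")):
        findings.append("REST interface is enabled (set rest = false)")

    # Item 7: listen only on specific addresses, never on all interfaces.
    addrs = [a.strip() for a in conf.get("bind_ip", "").split(",") if a.strip()]
    if not addrs or "0.0.0.0" in addrs:
        findings.append("bind_ip is unset or 0.0.0.0 (mongod listens on all interfaces)")

    # Item 8: TLS/SSL on the normal port (option name assumed from the legacy format).
    if not _truthy(conf.get("sslonnormalports", "false")):
        findings.append("SSL is not enabled (client traffic is plaintext)")

    return findings


if __name__ == "__main__":
    for finding in audit_conf(parse_conf(SAMPLE_CONF)):
        print("FINDING:", finding)
```

Run it against your own file with `audit_conf(parse_conf(open("/etc/mongodb.conf").read()))`; an empty list means every item covered here is satisfied. The keyFile check is only meaningful for replica set members, so drop it when auditing a standalone server.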

8. Enable SSL. Without SSL, the data transmitted between a MongoDB client and the MongoDB server travels in plaintext and is vulnerable to eavesdropping, tampering, and man-in-the-middle attacks. If you connect to the MongoDB server over an untrusted network such as the Internet, enabling SSL is essential.

9. Role-based access control. MongoDB supports role-based authorization, which gives you fine-grained control over the actions each user may perform. Use roles to restrict each user's access to the database instead of making every user an administrator. For more information, see the role documentation.

10. MongoDB Enterprise and Kerberos. MongoDB Enterprise supports Kerberos authentication; see the MongoDB documentation for details. Username/password-based systems are inherently less secure, so use Kerberos-based authentication where possible.
