Objective
as MongoDB uses a growing group of businesses, hackers ' attention has shifted to it. For example, last year's very hot MongoDB hijacking incident, many people to MongoDB security also more and more attention. Today, we will briefly summarize some of MongoDB's security protections. First of all, regarding this aspect, the official also has the explanation, refer to the following link:https://docs.mongodb.com/manual/administration/security-checklist/;
1. Enable access control and mandatory authentication
Turn on authentication and create authenticated Users:
- In the admin database, create a
admin
user
Use Admindb.createuser ( { User: "Myuseradmin", pwd: "abc123", roles: [{role: " Useradminanydatabase ", DB:" Admin "}] })
- Authorizing a specific library
Use Reportingdb.createuser ( { User: "Reportsuser", pwd: "12345678", roles: [ {role: "read", DB: " Reporting "}, {role:" read ", DB:" Products "}, {role:" read ", DB:" Sales "}, {role:" ReadWrite ", DB:" Accou NTS "} ] })
Tip: Add--auth to the startup item or add it to the configuration filesecurity.authorization: enabled。并且,MongoDB还可以使用外部系统进行认证,比如LADP等;
2. Configuring role-based access control
It needs to be clear here that the basic security of MongoDB is divided into two types, one is authentication, and the other is authorization. In fact, English will be more clear point: authorization, authentication.
Authentication is an account password check that is logged in as a user, similar to MySQL Root/password, in most applications, once a connection is created (for connection pooling), the connection will only be done once, so there is no need to worry about the overhead associated with authentication.
Authentication is the authorization of the account in the database, similar to the privilege in MySQL.
3. Two-way authentication based on TSL
Open MongoDB's TLS/SSL configuration, the Community edition needs to download an SSL version, or you can upgrade from the Community edition to the SSL version of the upgrade step, the Enterprise version comes with SSL.
SSL ensures that all connections to MongoDB (input and output connections) are encrypted.
4. Restricting Network exposure
By specifying Bindip, and by restricting access to IP addresses by Linux through Iptables, and by turning off MongoDB's HTTP interface and REST API on the production line to circumvent network import security issues.
Iptables-a input-s <ip-address>-P TCP--destination-port 27017-m state--state new,established-j Acceptiptables -A output-d <ip-address>-p TCP--source-port 27017-m state--state established-j ACCEPT
5. Create MongoDB dedicated running user
Use a MongoDB user to start MongoDB instead of using the root user;
Useradd-m mongodb-s/bin/nologinsudo-u mongodb-s
6. Running MongoDB with security configuration items
MongoDB Security Configuration