MongoDB safe operation and maintenance

0x00 MongoDB Permissions Introduction

1.MongoDB installation does not add any parameters, by default, there is no permission authentication, the logged on user can be arbitrary operation of the database and can access the database remotely, need to start with the –auth parameter.

2. When the installation is complete, MongoDB has an admin database by default, at this time the admin database is empty, there is no record permission related information. When a user does not have a admin.system.users, even if Mongod is started with the –auth parameter added, if the user is not added to the admin database, no authentication can be done at this time, regardless of whether it is started with the –auth parameter, Until a user has been added to the admin.system.users.

3.MongoDB access is divided into connections and permissions validation, even if you start with the –auth parameter or you can connect to the database without a user name, but there is no permission to do anything

A user name in a 4.admin database can manage all databases, and users in other databases can only manage the database in which they reside.

5. In the previous version of 2.4, the user's permissions are divided into read-only and have all permissions, 2.4 version of the rights management is mainly divided into: database operation permissions, database user management permissions, cluster management permissions, recommended by the Superuser in the admin database to manage these users. However, it is still compatible with user management methods prior to version 2.4.

The role description of the user in 0x01 MongoDB 1. Read role

Read-only permissions for the database, including:

2. ReadWrite role

Read and Write permissions for the database, including:

All permissions for the read role

3. Dbadmin role

Administrative permissions for the database, including:

4. Useradmin role

User administration permissions for the database

5. Clusteradmin role

Cluster Management permissions (replica set, Shard, Master-slave and other related management), including:

6. Readanydatabase role

Read-only permission for any database (similar to read)

7. Readwriteanydatabase role

Read and write access to any database (similar to ReadWrite)

8. Useradminanydatabase role

Administrative privileges for any database user (similar to useradmin)

9. Dbadminanydatabase role

Administrative permissions for any database (Dbadmin similar)

0x02 MongoDB Installation Considerations 1. Need to add –auth when installing

MongoDB needs verification after adding –auth.

2. Need to add –nohttpinterface

No, there will be a 28017 port monitoring, you can manage MongoDB via web page, do not need to remove

3. Can add –bind_ip

In addition, you can restrict the IP access

4. Can add –port

Once added, you can re-establish the port, which defaults to 27017.

5. Add a user to the Admin database immediately after installation

The authentication will only take effect if a user is added to the admin database

Note: The installation process is actually to add 1 services, specify the parameters at the start time.

0X03 User Authorization 1.2.4 Previous version of user management mode 1.1, enter admin to create a management account

1.2. Create a program to use the user in the database you need to use

2.2.4 Version of user management, you can also use the previous version of Mode 2.1, enter the admin to create a management account

2.2. Enter admin to use database test create an account that has read and write access to the database and log

0X04 Security Configuration Scheme 1. Add –auth when installing, and immediately create a user in the admin database

MongoDB is not validated by default, so this is a critical step

2. You can consider the installation of the time to modify the port and the specified access IP

Depending on the actual situation, you can also do it directly on the server firewall.

3. When installing, we suggest adding –nohttpinterface to cancel the default one page management mode

The default Web management is generally not used, and many people do not know, it is best to close

4. Manage User Processing

Because you need to set up an admin account in admin for administration, it's best to set strong passwords, but don't use them for other programs.

5. MongoDB Service running Account

Under Windows, you can use the Network service or create a new user, use the default Users group, add write permissions to the database files and log store directories, and recommend that you remove Execute permissions for programs such as CMD.

Create a new account under Linux, give the program execution permissions and database files and log directory read and write permissions, and recommend canceling the SH and other programs to execute permissions.

6. Control the connection user rights used by the website or other programs

Users who use the site or other programs only give permissions to the corresponding library, and do not use the Admin account in the administrator database.

0x05 Common Commands 1. Installation

mongod --dbpath d:\mongodb\data --logpath d:\mongodb\log\mongodb.log ----nohttpinterface --auth --install

2. Add Users

3. Show all databases

4. Use a database

5. Connect to the database

6. Add user authentication

7. View the user

Just write a few basic, other online a lot, or use tools to connect to the operation.

0X06 Management Tools 1. Mongovue

Management tools in the form of clients

2. Rockmongo

PHP-based web Management

----------------------------------------------

From Zhangsan ' s blog/wooyundrops

MongoDB safe operation and maintenance