MongoDB Security Configuration Detailed

Source: Internet
Author: User
Tags: auth, mongodb

This article introduces MongoDB security configuration in detail. The material comes from a domestic security vendor's cloud platform and the explanation is fairly comprehensive; readers who need it can refer to it.

0x00 MongoDB Permissions Introduction

1. MongoDB installed without any parameters does not perform permission authentication by default: any user can log in to the database, perform any operation and access it remotely. To enable authentication, start mongod with the --auth parameter.

2. A freshly installed MongoDB already has a default admin database, but at this point it is empty and holds no permission-related records. While admin.system.users contains no user, no authentication takes place, whether or not mongod was started with --auth; authentication only begins once a user has been added to admin.system.users.

3. MongoDB access is divided into connecting and permission validation. Even when started with --auth you can still connect to the database without a user name, but you then have no permission to do anything.

4. A user in the admin database can manage all databases, whereas users in other databases can manage only the database in which they reside.

5. Before version 2.4, a user's permissions were either read-only or full rights. From version 2.4, rights management is divided into database operation permissions, database user management rights and cluster management rights, and it is recommended that these users are managed by a super user in the admin database. The pre-2.4 user management approach is still supported.

0x01 MongoDB User Role Description

1. Read role

Read-only permissions for the database, including:

The code is as follows:

aggregate, checkShardingIndex, cloneCollectionAsCapped, collStats, count, dataSize, dbHash, dbStats, distinct, filemd5, mapReduce (inline output only), text (beta feature), geoNear, geoSearch, geoWalk, group

2. ReadWrite role

Read and Write permissions for the database, including:

All permissions for the read role

The code is as follows:

cloneCollection (as the target database), convertToCapped, create (and creating collections implicitly), renameCollection (within the same database), findAndModify, mapReduce (output to a collection)

drop(), dropIndexes, emptycapped, ensureIndex()

3. dbAdmin role

Administrative permissions for the database, including:

The code is as follows:

clean, collMod, collStats, compact, convertToCapped

create, db.createCollection(), dbStats, drop(), dropIndexes

ensureIndex(), indexStats, profile, reIndex

renameCollection (within a single database), validate

4. userAdmin role

User management permissions for the database

5. clusterAdmin role

Cluster management rights (replica sets, sharding, master-slave and other related administration), including:

The code is as follows:

addShard, closeAllDatabases, connPoolStats, connPoolSync, _cpuProfilerStart, _cpuProfilerStop, cursorInfo, diagLogging

dropDatabase

shardingState, shutdown, splitChunk, splitVector, split, top, touch, resync

serverStatus, setParameter, setShardVersion, shardCollection

replSetMaintenance, replSetReconfig, replSetStepDown, replSetSyncFrom

repairDatabase, replSetFreeze, replSetGetStatus, replSetInitiate

logRotate, moveChunk, movePrimary, netstat, removeShard, unsetSharding

hostInfo, db.currentOp(), db.killOp(), listDatabases, listShards, getCmdLineOpts, getLog, getParameter, getShardMap, getShardVersion

enableSharding, flushRouterConfig, fsync, db.fsyncUnlock()

6. readAnyDatabase role

Read-only permission on any database (similar to read)

7. readWriteAnyDatabase role

Read and write permissions on any database (similar to readWrite)

8. userAdminAnyDatabase role

User administration rights on any database (similar to userAdmin)

9. dbAdminAnyDatabase role

Administrative permissions on any database (similar to dbAdmin)

0x02 MongoDB Installation Considerations

1. Add --auth when installing

MongoDB only performs authentication after --auth has been added.

2. Add --nohttpinterface

Without it, mongod also listens on port 28017 and MongoDB can be managed through a web page; if you do not need this, disable it.

3. You can add --bind_ip

With it, you can restrict access by IP address.

4. You can add --port

With it, you can change the port; the default is 27017.

5. Add a user to the admin database immediately after installation

Authentication only takes effect once a user has been added to the admin database.

Note: the installation process actually just adds a service, with the parameters specified at startup.

0x03 User Authorization

1. User management before version 2.4

1.1 Enter admin and create a management account

The code is as follows:

use admin
db.addUser("test", "test")

1.2 Enter the database the program will use and create the user the program will use

The code is as follows:

use test
db.addUser("test", "test")          // read and write permissions by default
db.addUser("test", "test", true)    // read-only permission

2. User management in version 2.4 (the previous version's approach can also be used)

2.1 Enter admin and create a management account

The code is as follows:

use admin
db.addUser("test", "test")

2.2 In admin, create an account with read and write access to the test and test_log databases

The code is as follows:

use admin
db.addUser({
    "user": "test",
    "pwd": "test",
    "roles": [],
    "otherDBRoles": {
        "test": ["readWrite"],
        "test_log": ["readWrite"]
    }
})
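As an added example that is not code from the original article, the Python below audits documents shaped like the 2.4 admin.system.users entries created above against the article's rules: program accounts hold roles only on their own databases and nothing on admin, administrative accounts are not reused for programs, and no account carries one of the article's sample passwords. The document layout, the md5("<user>:mongo:<password>") digest used for the stored pwd field, the role set and the sample users are this example's own assumptions.

```python
import hashlib

# Roles named in the article that reach beyond a single application database.
ADMIN_ROLES = {
    "userAdmin", "dbAdmin", "clusterAdmin", "readAnyDatabase",
    "readWriteAnyDatabase", "userAdminAnyDatabase", "dbAdminAnyDatabase",
}
# Constructed screening list: the sample passwords the article itself uses.
WEAK_PASSWORDS = ("test", "123456")

def mongodb_cr_hash(user, password):
    """Digest 2.x servers store in pwd (assumed format): md5("<user>:mongo:<password>")."""
    return hashlib.md5(f"{user}:mongo:{password}".encode()).hexdigest()

def audit_user(doc, app_dbs):
    """Return findings for one admin.system.users document in the 2.4 layout."""
    user, findings = doc["user"], []
    admin_roles = set(doc.get("roles", []))      # roles held on the admin database itself
    other = doc.get("otherDBRoles", {})          # {database: [roles]} on other databases
    is_admin = bool(admin_roles & ADMIN_ROLES)
    if is_admin and other:
        # 0x04 item 4: an administrative account must not double as a program account
        findings.append(f"{user}: admin account also holds roles on {sorted(other)}")
    if not is_admin:
        # 0x04 item 6: program accounts get their own databases only, nothing on admin
        if admin_roles:
            findings.append(f"{user}: application account has roles on admin: {sorted(admin_roles)}")
        for db, roles in other.items():
            if db not in app_dbs or set(roles) & ADMIN_ROLES:
                findings.append(f"{user}: unexpected roles {roles} on database {db}")
    if doc.get("pwd") in {mongodb_cr_hash(user, p) for p in WEAK_PASSWORDS}:
        findings.append(f"{user}: password is on the weak list")
    return findings

def audit_users(docs, app_dbs):
    """Audit every document; app_dbs are the databases the application may use."""
    return [f for d in docs for f in audit_user(d, set(app_dbs))]

# Constructed sample documents shaped like 2.4 admin.system.users entries.
SAMPLE_USERS = [
    {"user": "root", "pwd": mongodb_cr_hash("root", "123456"),
     "roles": ["userAdminAnyDatabase", "clusterAdmin"]},
    {"user": "webapp", "pwd": mongodb_cr_hash("webapp", "k7#Qp9!vL2mZ"), "roles": [],
     "otherDBRoles": {"test": ["readWrite"], "test_log": ["readWrite"]}},
    {"user": "legacy", "pwd": mongodb_cr_hash("legacy", "Xw4$nT8rB1"),
     "roles": ["readWrite"], "otherDBRoles": {"backup": ["read"]}},
]
```

Running audit_users(SAMPLE_USERS, ["test", "test_log"]) flags the root password, and flags the legacy account twice: it holds a role on admin and a role on a database the application does not own.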

0x04 Security Configuration Scheme

1. Add --auth when installing, and immediately create a user in the admin database

MongoDB does not authenticate by default, so this is a critical step.

2. Consider changing the port and restricting the access IP at installation time

Set these according to the actual situation; you can also do this directly on the server firewall.

3. It is recommended to add --nohttpinterface at installation to disable the default web page management interface

The default web management interface is generally not used, and many people do not know it exists, so it is best to close it.

4. Handling of the management user

Because a management account must be created in admin for administration, set a strong password for it, and do not use it for other programs.

5. MongoDB service operation account

On Windows, use the Network Service account or create a new user in the default Users group, grant it write permission on the database file and log directories, and preferably remove its execute permission on programs such as cmd.

On Linux, create a new account, grant it execute permission on the program and read/write permission on the database file and log directories, and preferably remove its execute permission on sh and similar programs.

6. Restrict the rights of the connection user used by the website or other programs

Grant the users used by the website or other programs only the permissions of the corresponding database, and do not use the administrative accounts in the admin database.
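As an added example that is not part of the original article, the Python below parses a mongod command line like the install line the article uses and reports which items of the checklist in 0x02 and 0x04 (--auth, --nohttpinterface, --bind_ip, --port) are missing. The command-line layout it accepts and the two sample lines are constructed for the example.

```python
import shlex

DEFAULT_PORT = 27017   # port mongod uses unless --port is given (0x02 item 4)
HTTP_PORT = 28017      # web console port opened unless --nohttpinterface is given (0x02 item 2)


def parse_mongod_args(cmdline):
    """Turn a mongod command line into {option: value}; bare flags map to True."""
    # posix=False keeps Windows paths such as d:\mongodb\data intact (no escape handling)
    tokens = shlex.split(cmdline, posix=False)[1:]   # drop the "mongod" program name
    opts, i = {}, 0
    while i < len(tokens):
        tok = tokens[i]
        i += 1
        if not tok.startswith("--"):
            continue                                  # stray positional token, ignore
        name = tok[2:]
        if "=" in name:                               # --port=27018
            name, value = name.split("=", 1)
            opts[name] = value
        elif i < len(tokens) and not tokens[i].startswith("--"):
            opts[name] = tokens[i]                    # --port 27018
            i += 1
        else:
            opts[name] = True                         # --auth, --nohttpinterface, --install
    return opts


def audit_options(opts):
    """Apply the article's checklist (0x02 items 1-4, 0x04 items 1-3) and return findings."""
    findings = []
    if opts.get("auth") is not True:
        findings.append("auth is off: every connection has full access to every database")
    if opts.get("nohttpinterface") is not True:
        findings.append(f"HTTP interface on: web console listening on port {HTTP_PORT}")
    if opts.get("bind_ip") in (None, "0.0.0.0"):
        findings.append("bind_ip unset or 0.0.0.0: mongod listens on every interface")
    if int(opts.get("port", DEFAULT_PORT)) == DEFAULT_PORT:
        findings.append(f"default port {DEFAULT_PORT} in use (informational)")
    return findings


# Constructed inputs: the article's install line without its hardening flags, then with them.
WEAK_CMDLINE = r"mongod --dbpath d:\mongodb\data --logpath d:\mongodb\log\mongodb.log --install"
HARDENED_CMDLINE = WEAK_CMDLINE + " --nohttpinterface --auth --bind_ip 127.0.0.1 --port 27018"
```

audit_options(parse_mongod_args(WEAK_CMDLINE)) returns four findings; the hardened line returns none.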

0x05 Common Commands

1. Installation

The code is as follows:

mongod --dbpath d:\mongodb\data --logpath d:\mongodb\log\mongodb.log --nohttpinterface --auth --install

2. Add User

The code is as follows:

use admin
db.addUser("test", "test")

3. Show all databases

The code is as follows:

show dbs

4. Use a database

The code is as follows:

use test

5. Connecting to the database

The code is as follows:

mongo test -u root -p 123456

6. Add user authentication

The code is as follows:

db.auth("username", "password")

7. View User

The code is as follows:

db.system.users.find()

I have written down a few basic ones here; there are many more online, or you can connect with a management tool and operate from there.

0x06 Management Tools

1. MongoVUE

A management tool in the form of a desktop client

2. RockMongo

A PHP-based web management tool

Please correct me wherever anything is inadequate!
