This article introduces MongoDB security configuration. It originates from a domestic security vendor's cloud platform and is fairly comprehensive; readers who need it can refer to it.
0x00 Introduction to MongoDB Permissions
1. A MongoDB installation started without any parameters does not authenticate by default: any user can log in to the database, perform any operation, and access it remotely. To enable authentication you must start mongod with the --auth parameter.
2. A fresh installation has a default admin database, but it is empty and contains no permission records. While admin.system.users holds no user, no authentication is performed, regardless of whether mongod was started with --auth, until a user is added to admin.system.users.
3. MongoDB access is split into connecting and permission validation. Even when mongod is started with --auth you can connect to the database without a user name, but you then have no permission to do anything.
4. A user in the admin database can manage all databases; a user in any other database can manage only the database in which it was created.
5. Before version 2.4, user privileges were divided into read-only and full rights. Version 2.4 divides privilege management into database operation privileges, database user management privileges, and cluster management privileges, and recommends managing these users with a superuser in the admin database. The pre-2.4 user management approach is still supported.
0x01 Description of MongoDB user roles
1. read role
Read-only permissions on the database, including the following commands:
aggregate, checkShardingIndex, cloneCollectionAsCapped, collStats, count, dataSize, dbHash, dbStats, distinct, filemd5, mapReduce (inline output only), text (beta feature), geoNear, geoSearch, geoWalk, group
2. readWrite role
Read and write permissions on the database, including:
All permissions of the read role
plus the following commands:
cloneCollection (as the target database), convertToCapped, create (and creating collections implicitly), renameCollection (within the same database), findAndModify, mapReduce (output to a collection),
drop(), dropIndexes, emptycapped, ensureIndex()
3. dbAdmin role
Administrative permissions on the database, including the following commands:
clean, collMod, collStats, compact, convertToCapped,
create, db.createCollection(), dbStats, drop(), dropIndexes,
ensureIndex(), indexStats, profile, reIndex,
renameCollection (within a single database), validate
4. userAdmin role
User management permissions on the database
5. clusterAdmin role
Cluster management rights (replica sets, sharding, master-slave and related administration), including the following commands:
addShard, closeAllDatabases, connPoolStats, connPoolSync, _cpuProfilerStart, _cpuProfilerStop, cursorInfo, diagLogging,
dropDatabase,
shardingState, shutdown, splitChunk, splitVector, split, top, touch, resync,
serverStatus, setParameter, setShardVersion, shardCollection,
replSetMaintenance, replSetReconfig, replSetStepDown, replSetSyncFrom,
repairDatabase, replSetFreeze, replSetGetStatus, replSetInitiate,
logRotate, moveChunk, movePrimary, netstat, removeShard, unsetSharding,
hostInfo, db.currentOp(), db.killOp(), listDatabases, listShards, getCmdLineOpts, getLog, getParameter, getShardMap, getShardVersion,
enableSharding, flushRouterConfig, fsync, db.fsyncUnlock()
6. readAnyDatabase role
Read-only permission on any database (like read, but for all databases)
7. readWriteAnyDatabase role
Read and write permissions on any database (like readWrite, but for all databases)
8. userAdminAnyDatabase role
User management rights on any database (like userAdmin, but for all databases)
9. dbAdminAnyDatabase role
Administrative permissions on any database (like dbAdmin, but for all databases)
0x02 MongoDB Installation Considerations
1. Add --auth at installation
MongoDB performs authentication only after --auth has been added.
2. Add --nohttpinterface
Without it, mongod also listens on port 28017 and exposes a web interface for managing MongoDB; if you do not need it, disable it.
3. Optionally add --bind_ip
With it you can restrict the IP addresses mongod listens on.
4. Optionally add --port
With it you can change the listening port; the default is 27017.
5. Add a user to the admin database immediately after installation
Authentication only takes effect once a user exists in the admin database.
Note: the installation simply registers a service; the parameters are specified at startup.
0x03 User Authorization
1. User management before version 2.4
1.1 Enter admin and create a management account
The code is as follows:
use admin
db.addUser("test", "test")
1.2 Enter the database the program will use and create the user for the program
The code is as follows:
use test
db.addUser("test", "test")        // read and write permission by default
db.addUser("test", "test", true)  // read-only permission (third argument readOnly = true)
2. User management in version 2.4 (the pre-2.4 approach can still be used)
2.1 Enter admin and create a management account
The code is as follows:
use admin
db.addUser("test", "test")
2.2 In admin, create an account with read and write access to the application database test and the log database test_log
The code is as follows:
use admin
db.addUser({
    "user": "test",
    "pwd": "test",
    "roles": [],
    "otherDBRoles": {
        "test": [
            "readWrite"
        ],
        "test_log": [
            "readWrite"
        ]
    }
})
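As an added example (not code from the original article or from MongoDB), the following JavaScript builds the 2.4-style user documents described above and enforces the separation the article recommends: a management account kept in admin with a strong password, and an application account whose only privileges are read or readWrite on its own databases through otherDBRoles. The helper names buildAdminUser, buildAppUser and checkPassword are hypothetical; the objects they return are what you would pass to db.addUser() from the mongo shell after use admin.

```javascript
// Added example (not from the original article or MongoDB): builds and
// validates 2.4-style db.addUser() documents. Helper names are hypothetical.

// Roles that must never be handed to an application account.
const ADMIN_ROLES = new Set([
  "userAdmin", "dbAdmin", "clusterAdmin",
  "readAnyDatabase", "readWriteAnyDatabase",
  "userAdminAnyDatabase", "dbAdminAnyDatabase",
]);

// Per-database roles an application account may hold.
const APP_ROLES = new Set(["read", "readWrite"]);

// Credential hygiene: the article's own sample ("test"/"test") fails both checks.
function checkPassword(user, pwd) {
  if (typeof pwd !== "string" || pwd.length < 12) {
    throw new Error(`password for ${user} must be at least 12 characters`);
  }
  if (pwd.toLowerCase() === user.toLowerCase()) {
    throw new Error(`password for ${user} must not equal the user name`);
  }
}

// Management account kept in admin, used only for administration.
function buildAdminUser(user, pwd) {
  checkPassword(user, pwd);
  return {
    user,
    pwd,
    roles: ["userAdminAnyDatabase", "dbAdminAnyDatabase",
            "readWriteAnyDatabase", "clusterAdmin"],
  };
}

// Application account: created in admin so one login covers several
// databases, but with an empty roles array (nothing on admin itself) and
// only read/readWrite on the named databases through otherDBRoles.
function buildAppUser(user, pwd, dbRoles) {
  checkPassword(user, pwd);
  const otherDBRoles = {};
  for (const [dbName, roles] of Object.entries(dbRoles)) {
    if (dbName === "admin") {
      throw new Error(`application user ${user} must not hold roles on admin`);
    }
    for (const role of roles) {
      if (ADMIN_ROLES.has(role) || !APP_ROLES.has(role)) {
        throw new Error(`role ${role} on ${dbName} is not allowed for application user ${user}`);
      }
    }
    otherDBRoles[dbName] = [...roles];
  }
  return { user, pwd, roles: [], otherDBRoles };
}

// In the mongo shell, after `use admin`:
//   db.addUser(buildAdminUser("dba", "<strong password>"))
//   db.addUser(buildAppUser("webapp", "<strong password>",
//                           { test: ["readWrite"], test_log: ["readWrite"] }))
```

The application document deliberately has an empty roles array: a user created in admin with any role listed there gets that role on admin itself, which is exactly what section 0x04 below tells you to avoid for program accounts.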
0x04 Security Configuration Scheme
1. Add --auth at installation and immediately create a user in the admin database
MongoDB does not authenticate by default, so this is the critical step.
2. Consider changing the port and restricting the allowed IP addresses at installation
Set these according to your situation; you can also do it directly in the server firewall.
3. Add --nohttpinterface at installation to disable the default web management page
The default web interface is rarely used and many people do not know it exists, so it is best to close it.
4. Handling management users
Because a management account must be created in admin for administration, give it a strong password and do not use it for other programs.
5. Account used to run the MongoDB service
On Windows, use the Network Service account or create a new user in the default Users group, grant it write permission on the database file and log directories, and remove its execute permission for programs such as cmd.
On Linux, create a new account, grant it execute permission on the program and read/write permission on the database file and log directories, and remove its execute permission for programs such as sh.
6. Restrict the privileges of the connection user that the website or other program uses
Give the user that the website or other program uses only the privileges on its own database, and never use an administrative account from the admin database.
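As an added example covering both the installation considerations in 0x02 and the scheme above (not code from the original article or from MongoDB), the following JavaScript audits a mongod command line or a 2.4-era key = value configuration file for the settings discussed: --auth, --nohttpinterface, --bind_ip and a non-default --port. The helper names parseMongodArgs, parseConfigFile, auditSettings, auditCmdline and auditConfigFile are hypothetical, and the sample command lines and config file are constructed.

```javascript
// Added example (not from the original article or MongoDB): audits mongod
// startup settings for the hardening points discussed. Helper names are
// hypothetical; sample inputs are constructed.

// mongod options that take no value.
const BOOLEAN_FLAGS = new Set([
  "auth", "noauth", "nohttpinterface", "install", "fork", "journal", "nojournal", "quiet",
]);

// Parse a command line such as "mongod --dbpath /data/db --auth --port 27018"
// into { dbpath: "/data/db", auth: true, port: "27018" }.
function parseMongodArgs(cmdline) {
  const tokens = cmdline.trim().split(/\s+/);
  const settings = {};
  for (let i = 0; i < tokens.length; i++) {
    const tok = tokens[i];
    if (!tok.startsWith("--")) continue;
    const eq = tok.indexOf("=");
    const name = eq === -1 ? tok.slice(2) : tok.slice(2, eq);
    if (BOOLEAN_FLAGS.has(name)) {
      settings[name] = true;
    } else if (eq !== -1) {
      settings[name] = tok.slice(eq + 1);
    } else if (i + 1 < tokens.length && !tokens[i + 1].startsWith("--")) {
      settings[name] = tokens[++i];
    } else {
      settings[name] = true;
    }
  }
  return settings;
}

// Parse the pre-2.6 "key = value" configuration file format.
function parseConfigFile(text) {
  const settings = {};
  for (const rawLine of text.split("\n")) {
    const line = rawLine.replace(/#.*$/, "").trim();
    const eq = line.indexOf("=");
    if (!line || eq === -1) continue;
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim();
    settings[key] = value === "true" ? true : value === "false" ? false : value;
  }
  return settings;
}

// Report each recommendation from the article that the settings do not meet.
function auditSettings(s) {
  const findings = [];
  if (s.auth !== true || s.noauth === true) {
    findings.push({ setting: "auth", message: "authentication is off; start with --auth and add an admin user" });
  }
  if (s.nohttpinterface !== true) {
    findings.push({ setting: "nohttpinterface", message: "web interface on port 28017 is enabled; add --nohttpinterface" });
  }
  if (!s.bind_ip) {
    findings.push({ setting: "bind_ip", message: "listening on all interfaces; set --bind_ip or restrict with the firewall" });
  }
  if (s.port === undefined || String(s.port) === "27017") {
    findings.push({ setting: "port", message: "default port 27017 in use; consider changing it" });
  }
  return findings;
}

function auditCmdline(cmdline) { return auditSettings(parseMongodArgs(cmdline)); }
function auditConfigFile(text) { return auditSettings(parseConfigFile(text)); }

// Constructed samples: an unhardened start and the article's recommended start.
const WEAK_CMDLINE = "mongod --dbpath /data/db --logpath /var/log/mongodb.log";
const HARDENED_CMDLINE =
  "mongod --dbpath /data/db --logpath /var/log/mongodb.log --nohttpinterface --auth --bind_ip 127.0.0.1 --port 27018";
const SAMPLE_CONFIG = `# constructed 2.4-style config file
dbpath = /data/db
logpath = /var/log/mongodb.log
auth = true
nohttpinterface = true
bind_ip = 127.0.0.1
port = 27018
`;

for (const f of auditCmdline(WEAK_CMDLINE)) console.log(`${f.setting}: ${f.message}`);
```

Run against the unhardened sample it reports all four points; against the hardened command line or the sample config file it reports nothing. Note that --noauth after --auth is treated as a finding, since the last flag wins on a real mongod and the audit should not be fooled by an --auth that appears earlier in the line.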
0x05 Common Commands
1. Installation
The code is as follows:
mongod --dbpath d:\mongodb\data --logpath d:\mongodb\log\mongodb.log --nohttpinterface --auth --install
2. Add a user
The code is as follows:
use admin
db.addUser("test", "test")
3. Show all databases
The code is as follows:
show dbs
4. Use a database
The code is as follows:
use test
5. Connect to a database
The code is as follows:
mongo test -u root -p 123456
6. Authenticate as a user
The code is as follows:
db.auth("username", "password")
7. View users
The code is as follows:
db.system.users.find()
Only a few basics are listed here; there are many more online, or you can connect with a tool and operate from there.
0x06 Management Tools
1. MongoVUE
A desktop client management tool
2. RockMongo
Web-based management written in PHP
Corrections for any shortcomings are welcome!