The official manual starts the MongoDB service without any parameters. Once a client connects, it can perform any operation on the database, and it can access the database remotely. We therefore recommend running without parameters only in the development phase; in a production environment you need to consider security carefully. There are several ways to improve MongoDB database security: bind an intranet IP address for access to the MongoDB service, set the listening port, and log on with a user name and password.
Bind an IP address to access the MongoDB service
MongoDB can be restricted so that it is reachable only through a specific IP address. You only need to add the bind_ip parameter at startup. In the example below, the MongoDB service can be accessed only through the IP address 192.168.1.103 on the server.
[root@localhost bin]# ./mongod --bind_ip 192.168.1.103
Set listening port
The official default listening port is 27017. For security reasons, this listening port is generally changed to avoid malicious connection attempts. The example below changes the listening port of the server to 28018.
[root@localhost bin]# ./mongod --bind_ip 192.168.1.103 --port 28018
Log on with the user name and password
By default, MongoDB does not verify a user name and password. After MongoDB is started, a client can connect to it directly and has root permissions on all databases. You can therefore specify parameters at startup to restrict client access and connections.
To enable the system login verification module, you only need to specify the auth parameter at startup, as shown below:
[root@localhost bin]# ./mongod --auth
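The three startup options described above can be checked mechanically before a mongod command line goes to production. The following is an added example, not code from the original page or from the MongoDB project; the function names are hypothetical, and the wildcard-address check and the --option=value spelling go beyond the cases shown on the page.

```python
import shlex

DEFAULT_PORT = 27017              # default listening port named on this page
WILDCARDS = {"0.0.0.0", "::"}     # addresses meaning "every interface"
VALUE_OPTS = {"bind_ip", "port"}  # audited options that take a value


def parse_mongod_args(cmdline):
    """Map option name -> value (True for bare flags such as --auth)."""
    opts, tokens = {}, shlex.split(cmdline)[1:]  # [1:] drops the mongod binary
    i = 0
    while i < len(tokens):
        name, eq, value = tokens[i].lstrip("-").partition("=")
        if tokens[i].startswith("--"):
            if eq:                                   # --port=28018
                opts[name] = value
            elif name in VALUE_OPTS and i + 1 < len(tokens):
                i += 1                               # --port 28018
                opts[name] = tokens[i]
            else:                                    # --auth
                opts[name] = True
        i += 1
    return opts


def audit(cmdline):
    """List the hardening steps described above that a command line omits."""
    opts, findings = parse_mongod_args(cmdline), []
    bind = opts.get("bind_ip")
    if not isinstance(bind, str):
        findings.append("bind_ip not set")
    elif WILDCARDS & {addr.strip() for addr in bind.split(",")}:
        findings.append("bind_ip includes a wildcard address")
    try:
        port = int(str(opts.get("port", DEFAULT_PORT)))
    except ValueError:
        port = None
        findings.append("port is not a number")
    if port == DEFAULT_PORT:
        findings.append("port is the default 27017")
    if "auth" not in opts:
        findings.append("auth not enabled")
    return findings


if __name__ == "__main__":
    # Constructed sample: the page's three options combined on one command line.
    print(audit("./mongod --bind_ip 192.168.1.103 --port 28018 --auth") or "ok")
    print(audit("./mongod --bind_ip 192.168.1.103"))  # first command on the page
```

An empty list means all three measures from this page are present on the command line; it says nothing about settings supplied through other means.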
Create a system root account
Add a new user root in the admin database:
[root@localhost bin]# ./mongo
MongoDB shell version: 1.8.1
connecting to: test
> db.addUser("root", "111")
{ "user" : "root", "readOnly" : false, "pwd" : "e54950178e2fa777b1d174e9b450b6ab" }
> db.auth("root", "111")
Connect from the local client and specify the user. The result is as follows:
[root@localhost bin]# ./mongo -u root -p
MongoDB shell version: 1.8.1
Enter password:
connecting to: test
> show collections;
system.indexes
system.users
Create a user with the specified permission
MongoDB also supports setting users for a specific database. For example, we set a read-only user user_reader for the test database:
[root@localhost bin]# ./mongo -u root -p
MongoDB shell version: 1.8.1
Enter password:
connecting to: test
> show collections;
system.indexes
system.users
> use test
switched to db test
> db.addUser("user_reader", "user_pwd", true)
{ "user" : "user_reader", "readOnly" : true, "pwd" : "0809760bb61ee027199e513c5ecdedc6" }