0x00 MongoDB permissions
1. When MongoDB is installed without any parameters, no permission check is performed by default: any user who connects can perform any operation on the database, including remotely. The --auth parameter must be enabled.
2. After installation MongoDB has an admin database by default. At that point admin is empty and records no permission information. As long as admin.system.users contains no user, no authentication is required and any operation can be performed, whether or not mongod was started with --auth, until a user is added to admin.system.users.
3. MongoDB access is divided into connecting and permission verification. Even when mongod is started with --auth, you can still connect to the database without a user name, but you have no permission to perform any operation.
4. Users in the admin database can manage all databases. Users in other databases can only manage their own database.
5. In versions earlier than 2.4, user permissions are divided into read-only and full permissions. In 2.4, permission management is divided into database operation permissions, database user management permissions, and cluster management permissions; it is recommended that a super user in the admin database manage these users. The pre-2.4 user management method is still supported.
0x01 roles of users in MongoDB
1. read role
Read-only permission on the database, including:
aggregate, checkShardingIndex, cloneCollectionAsCapped, collStats, count, dataSize, dbHash, dbStats, distinct, filemd5, mapReduce (inline output only), text (beta feature), geoNear, geoSearch, geoWalk, group
2. readWrite role
Read and write permissions on the database, including:
All read role permissions
cloneCollection (as the target database), convertToCapped, create (including creating collections implicitly), renameCollection (within the same database), findAndModify, mapReduce (output to a collection)
drop(), dropIndexes, emptycapped, ensureIndex()
3. dbAdmin role
Database management permissions, including:
clean, collMod, collStats, compact, convertToCapped
create, db.createCollection(), dbStats, drop(), dropIndexes
ensureIndex(), indexStats, profile, reIndex
renameCollection (within a single database), validate
4. userAdmin role
Database user management permissions
5. clusterAdmin role
Cluster management permissions (replica set, sharding, master-slave and other related management), including:
addShard, closeAllDatabases, connPoolStats, connPoolSync, _cpuProfilerStart, _cpuProfilerStop, cursorInfo, diagLogging, dropDatabase
shardingState, shutdown, splitChunk, splitVector, split, top, touch, resync
serverStatus, setParameter, setShardVersion, shardCollection
replSetMaintenance, replSetReconfig, replSetStepDown, replSetSyncFrom
repairDatabase, replSetFreeze, replSetGetStatus, replSetInitiate
logRotate, moveChunk, movePrimary, netstat, removeShard, unsetSharding
hostInfo, db.currentOp(), db.killOp(), listDatabases, listShards, getCmdLineOpts, getLog, getParameter, getShardMap, getShardVersion
enableSharding, flushRouterConfig, fsync, db.fsyncUnlock()
6. readAnyDatabase role
Read-only permission on any database (read, applied to every database)
7. readWriteAnyDatabase role
Read and write permissions on any database (readWrite, applied to every database)
8. userAdminAnyDatabase role
User management permissions on any database (userAdmin, applied to every database)
9. dbAdminAnyDatabase role
Database management permissions on any database (dbAdmin, applied to every database)
0x02 considerations for MongoDB installation
1. Add --auth during installation
MongoDB requires authentication only after --auth is added.
2. Add --nohttpinterface
Without it, mongod also listens on port 28017 and MongoDB can be managed through a web page. Disable this if you do not need it.
3. bind_ip can be added
Restricts the IP addresses on which mongod listens.
4. --port can be added
Sets the listening port; the default is 27017.
5. Immediately after installation, add a user to the admin database.
Authentication takes effect only after a user has been added to the admin database.
Note: the installation process adds a service with the parameters specified at startup.
0x03 user authorization
1. User management for versions earlier than 2.4
1.1 Go to admin and create a management account
use admin
db.addUser("test", "test")
1.2 Create the user the program will use, in the database it will use
use test
db.addUser("test", "test") grants read and write permissions by default
db.addUser("test", "test", true) grants read-only permission (the third argument is readOnly)
2. The pre-2.4 method can also be used to manage users in version 2.4
2.1 Go to admin and create a management account
use admin
db.addUser("test", "test")
2.2 In admin, create an account with read and write permissions on the database test that the program uses and on its log database test_log.
use admin
db.addUser({
    "user": "test",
    "pwd": "test",
    "roles": [],
    "otherDBRoles": {
        "test": [
            "readWrite"
        ],
        "test_log": [
            "readWrite"
        ]
    }
})
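The following is an added example and not code from the original post. It models the 2.4 roles listed in 0x01 and resolves a user document in the admin addUser({...}) form shown above into the commands it may run per database: roles inherit (readWrite includes every read command), otherDBRoles are scoped to the named databases, and the AnyDatabase roles only take effect for a user created in admin. The command lists are abbreviated from the page; the addUser/removeUser names stand in for the userAdmin commands the page does not enumerate, and the sample user document is the one from section 2.2.

```javascript
'use strict';

// Abbreviated from the role contents listed in 0x01.
const ROLE_COMMANDS = {
  read: ['aggregate', 'count', 'distinct', 'collStats', 'dbStats', 'mapReduce', 'group', 'geoNear'],
  readWrite: ['findAndModify', 'create', 'drop', 'dropIndexes', 'ensureIndex', 'renameCollection', 'convertToCapped'],
  dbAdmin: ['collMod', 'compact', 'profile', 'reIndex', 'validate', 'indexStats', 'collStats', 'dbStats',
            'create', 'drop', 'dropIndexes', 'ensureIndex', 'renameCollection', 'convertToCapped'],
  userAdmin: ['addUser', 'removeUser'], // stand-ins; the page does not list userAdmin commands
  clusterAdmin: ['addShard', 'removeShard', 'shutdown', 'dropDatabase', 'replSetReconfig',
                 'serverStatus', 'listDatabases', 'fsync', 'setParameter'],
};

// The page states that readWrite includes all read role permissions.
const ROLE_INHERITS = { readWrite: ['read'] };

// The AnyDatabase roles grant the corresponding role on every database.
const ANY_DB_ROLES = {
  readAnyDatabase: 'read',
  readWriteAnyDatabase: 'readWrite',
  userAdminAnyDatabase: 'userAdmin',
  dbAdminAnyDatabase: 'dbAdmin',
};

// Expand one role name into the full set of commands it permits, following inheritance.
function expandRole(role) {
  const out = new Set(ROLE_COMMANDS[role] || []);
  for (const parent of ROLE_INHERITS[role] || []) {
    for (const cmd of expandRole(parent)) out.add(cmd);
  }
  return out;
}

// Resolve a user document into { dbName: Set(commands) }; the key '*' means every database.
// userDb is the database the user was created in (the `use` before addUser).
function effectivePrivileges(userDoc, userDb) {
  const grants = {};
  const add = (dbName, role) => {
    const target = grants[dbName] || (grants[dbName] = new Set());
    for (const cmd of expandRole(role)) target.add(cmd);
  };
  for (const role of userDoc.roles || []) {
    // AnyDatabase roles only mean something for a user defined in admin.
    if (ANY_DB_ROLES[role] && userDb === 'admin') add('*', ANY_DB_ROLES[role]);
    else add(userDb, role);
  }
  for (const [dbName, roles] of Object.entries(userDoc.otherDBRoles || {})) {
    for (const role of roles) add(dbName, role);
  }
  return grants;
}

// May this user run `command` against `targetDb`?
function isAllowed(userDoc, userDb, targetDb, command) {
  const grants = effectivePrivileges(userDoc, userDb);
  const inDb = grants[targetDb] && grants[targetDb].has(command);
  const inAny = grants['*'] && grants['*'].has(command);
  return Boolean(inDb || inAny);
}

// Rule 6 of 0x04: an application user holds rights only on its own database(s).
// Returns the grants that break that rule (empty array means the user is in scope).
function auditAppUser(userDoc, userDb, allowedDbs) {
  const findings = [];
  for (const role of userDoc.roles || []) {
    if (ANY_DB_ROLES[role] || role === 'clusterAdmin') {
      findings.push(`role ${role} on ${userDb} exceeds application scope`);
    } else if (!allowedDbs.includes(userDb)) {
      findings.push(`role ${role} on ${userDb} is outside the allowed databases`);
    }
  }
  for (const [dbName, roles] of Object.entries(userDoc.otherDBRoles || {})) {
    if (!allowedDbs.includes(dbName)) {
      findings.push(`otherDBRoles grants ${roles.join(',')} on ${dbName}, outside the allowed databases`);
    }
  }
  return findings;
}

// Constructed sample: the user document from section 2.2 above.
const APP_USER = {
  user: 'test', pwd: 'test', roles: [],
  otherDBRoles: { test: ['readWrite'], test_log: ['readWrite'] },
};

console.log(isAllowed(APP_USER, 'admin', 'test', 'count'));        // true: readWrite inherits read
console.log(isAllowed(APP_USER, 'admin', 'admin', 'count'));       // false: roles in admin are empty
console.log(auditAppUser(APP_USER, 'admin', ['test', 'test_log'])); // []
```

Because the sample user's `roles` array is empty, it has no rights in admin itself even though it was created there; its access comes entirely from otherDBRoles, which is what keeps it inside the two application databases.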
0x04 security configuration scheme
1. Add --auth during installation and immediately create a user in the admin database.
By default MongoDB requires no authentication, so this is the crucial step.
2. Consider changing the port and specifying the listening IP address during installation.
Set these according to the actual situation, or enforce them directly on the server firewall.
3. Add --nohttpinterface during installation to disable the default web management interface.
The web interface is generally unused and many people do not know it exists; it is best disabled.
4. Handling the management user
Because a management account must be created in admin, give it a strong password and do not use it for other programs.
5. Account running the MongoDB service
On Windows, use Network Service or create a dedicated user in the default Users group, grant it write permission on the database files and the log directory, and remove its execute permission on programs such as cmd.
On Linux, create an account with execute permission on the mongod program and read and write permissions on the database files and the log directory; remove its execute permission on sh and other programs.
6. Restrict the permissions of the connecting user used by websites or other programs.
Grant such users permissions only on their own database. Do not use the admin account from the admin database.
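The following is an added example and not code from the original post. It checks a mongod startup line against the items from 0x02 and points 1 to 3 of the scheme above: --auth present, --nohttpinterface present, bind_ip restricted, and the port changed from the default 27017. The option parser assumes the GNU-style `--flag`, `--key value` and `--key=value` forms; the sample command lines are constructed, and the admin-user step (point 1, second half) cannot be checked from startup arguments, so it is not covered.

```javascript
'use strict';

// Parse mongod command-line tokens into an object: bare flags become `true`,
// "--key value" and "--key=value" become strings.
function parseMongodArgs(line) {
  const tokens = line.trim().split(/\s+/).filter(Boolean);
  const opts = {};
  for (let i = 0; i < tokens.length; i++) {
    const tok = tokens[i];
    if (!tok.startsWith('--')) continue;
    let key = tok.slice(2);
    let value = true;
    const eq = key.indexOf('=');
    if (eq !== -1) {
      value = key.slice(eq + 1);
      key = key.slice(0, eq);
    } else if (i + 1 < tokens.length && !tokens[i + 1].startsWith('--')) {
      value = tokens[++i];
    }
    opts[key] = value;
  }
  return opts;
}

// Apply the hardening checklist and return the items that are not satisfied.
function auditMongodArgs(line) {
  const opts = parseMongodArgs(line);
  const findings = [];

  if (opts.auth !== true) {
    findings.push('auth: --auth missing; any client can run any operation');
  }
  if (opts.nohttpinterface !== true) {
    findings.push('http: --nohttpinterface missing; the web interface listens on 28017');
  }
  // bind_ip may carry a comma-separated list; 0.0.0.0 is no restriction at all.
  const bind = typeof opts.bind_ip === 'string' ? opts.bind_ip.split(',') : [];
  if (bind.length === 0 || bind.includes('0.0.0.0')) {
    findings.push('bind_ip: not restricted; mongod listens on every interface');
  }
  const port = typeof opts.port === 'string' ? Number(opts.port) : 27017;
  if (port === 27017) {
    findings.push('port: default 27017 in use; consider a non-default port');
  }
  return { opts, findings };
}

// Constructed samples: a bare install line and a hardened one.
const BARE = 'mongod --dbpath d:\\mongodb\\data --logpath d:\\mongodb\\log\\mongodb.log --install';
const HARDENED = 'mongod --dbpath d:\\mongodb\\data --logpath d:\\mongodb\\log\\mongodb.log '
  + '--nohttpinterface --auth --bind_ip 127.0.0.1 --port 28000 --install';

console.log(auditMongodArgs(BARE).findings);     // four findings
console.log(auditMongodArgs(HARDENED).findings); // []
```

The audit deliberately treats `--bind_ip 0.0.0.0` the same as no bind_ip at all, since binding to every interface gives no restriction; the firewall alternative from point 2 is outside what the arguments can show.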
0x05 Common commands
1. Install
mongod --dbpath d:\mongodb\data --logpath d:\mongodb\log\mongodb.log --nohttpinterface --auth --install
2. Add a user
use admin
db.addUser("test", "test")
3. Show all databases
show dbs
4. Use a database
use test
5. Connect to the database
mongo test -u root -p 123456
6. Authenticate the user
db.auth("username", "password")
7. View users
db.system.users.find()
These are just a few basics; many other websites cover more, or you can use a tool to connect.
0x06 management tools
1. MongoVUE
Management tool in client form
2. RockMongo
PHP-based web management
Please correct me!