MongoDB security configuration details

  • 2020-05-17 06:52:12
  • OfStack

0x00 MongoDB permission introduction

1. When MongoDB is installed with no extra parameters, it performs no permission checks by default.

2. Right after installation MongoDB has a single admin database. At this point admin is empty and holds no permission information. As long as there is no user in admin.system.users, you can do anything without authenticating, even if mongod was started with the --auth parameter; authentication only starts to apply (with or without --auth) once a user has been added to admin.system.users.

3. Access to MongoDB is divided into connecting and permission verification. Even when started with --auth, you can still connect to the database without a user name, but you will not have permission to perform any operation.

4. Users in the admin database can manage all databases; users in other databases can only manage their own database.

5. In versions before 2.4, user permissions were divided into read-only and full access. In version 2.4, permission management is divided mainly into database operation permissions, database user management permissions and cluster management permissions; it is recommended that a super user in the admin database manages these users. The pre-2.4 user management method is still supported.

0x01 MongoDB user role description

1. read role

Read-only permissions on the database, including:

aggregate, checkShardingIndex, cloneCollectionAsCapped, collStats, count, dataSize, dbHash, dbStats, distinct, filemd5, mapReduce (inline output only), text (beta feature), geoNear, geoSearch, geoWalk, group

2. readWrite role

Read and write permissions on the database, including:

All permissions of the read role, plus:

cloneCollection (as the target database), convertToCapped, create (including creating collections implicitly), renameCollection (within the same database), findAndModify, mapReduce (output to a collection), drop(), dropIndexes, emptycapped, ensureIndex()

3. dbAdmin role

Database administration permissions, including:

clean, collMod, collStats, compact, convertToCapped, create, db.createCollection(), dbStats, drop(), dropIndexes, ensureIndex(), indexStats, profile, reIndex, renameCollection (within a single database), validate

4. userAdmin role

User administration permissions for the database

5. clusterAdmin role

Cluster administration permissions (replica sets, sharding, master/slave management), including:

addShard, closeAllDatabases, connPoolStats, connPoolSync, _cpuProfilerStart, _cpuProfilerStop, cursorInfo, diagLogging, dropDatabase, shardingState, shutdown, splitChunk, splitVector, split, top, touch, resync, serverStatus, setParameter, setShardVersion, shardCollection, replSetMaintenance, replSetReconfig, replSetStepDown, replSetSyncFrom, repairDatabase, replSetFreeze, replSetGetStatus, replSetInitiate, logRotate, moveChunk, movePrimary, netstat, removeShard, unsetSharding, hostInfo, db.currentOp(), db.killOp(), listDatabases, listShards, getCmdLineOpts, getLog, getParameter, getShardMap, getShardVersion, enableSharding, flushRouterConfig, fsync, db.fsyncUnlock()

6. readAnyDatabase role

Read-only permissions on any database (similar to read)

7. readWriteAnyDatabase role

Read and write permissions on any database (similar to readWrite)

8. userAdminAnyDatabase role

User administration permissions for any database (similar to userAdmin)

9. dbAdminAnyDatabase role

Database administration permissions for any database (similar to dbAdmin)

0x02 MongoDB installation notes

1. Install with --auth

MongoDB performs no authentication until --auth is added.

2. Add --nohttpinterface

Without it, mongod also listens on port 28017 and can be managed through a web page; remove this interface.

3. You can add --bind_ip

Binding to an IP address restricts which addresses can connect.

4. You can add --port

This changes the listening port, which defaults to 27017.

5. Add a user to the admin database immediately after installation
Authentication only takes effect once a user exists in the admin database.

Note: installation simply registers a service and specifies the parameters to use at startup.

0x03 user authorization

1. User management in versions before 2.4

1.1. Switch to admin and create an administrative account

use admin
db.addUser("test","test")

1.2. Switch to the database the program will use and create a program user

use test
db.addUser("test","test")        // the default is read and write access
db.addUser("test","test", true)  // the third argument is the readOnly flag: true gives read-only access

2. User management in version 2.4 (the earlier method can still be used)
2.1. Switch to admin and create an administrative account

use admin
db.addUser("test","test")

2.2. Create an account with read and write access to the test database and its log database (test_log); with otherDBRoles the user is created in admin

use admin
db.addUser({
    "user": "test",
    "pwd": "test",
    "roles": [ ],
    "otherDBRoles": {
        "test": [
            "readWrite"
        ],
        "test_log": [
            "readWrite"
        ]
    }
})

0x04 security configuration scheme

1. Add --auth at installation and immediately create a user in the admin database

By default MongoDB requires no authentication, so this is the crucial step.

2. Consider changing the port and restricting the IP addresses allowed to connect at installation time

Set these according to the actual situation; the same restriction can also be applied directly in the server firewall.

3. It is recommended to add --nohttpinterface at installation to disable the default web page management

The default web admin page is generally not used, and many people do not know it exists, so it is best to turn it off.

4. Administrative account handling

Since an administrative account must be created in admin for administration, give it a strong password and do not use that account for other programs.

5. The account the MongoDB service runs as

Under Windows, use the network service account or create a new user in the default Users group, then grant it write permission on the database files and the log directory; it is also recommended to remove its execute permission on cmd and other programs.

Under Linux, create a new account, grant it execute permission on the program and read/write permission on the database files and log directory, and likewise remove its execute permission on sh and other programs.

6. Restrict the access of website or other program users
Users for websites or other programs are granted access only to the databases they need; never give them the administrative account from the admin database.
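As an added example (not from the original article), a small Python audit of a mongod command line against the checklist in sections 0x02 and 0x04; the function names and sample command lines are my own. It only inspects startup flags, so it cannot tell whether a user has actually been added to admin (point 5 in 0x02), which needs a live connection.

```python
# Added example: audit a mongod startup command line against the hardening checklist
# (--auth, --nohttpinterface, --bind_ip, non-default --port). Names are my own.
DEFAULT_PORT = 27017   # mongod default; the HTTP admin page listens 1000 ports higher (28017)


def parse_mongod_args(cmdline):
    """Turn 'mongod --auth --port 27018 --bind_ip=127.0.0.1' into {'auth': True, 'port': '27018', ...}.

    Assumes option values contain no spaces (true for the command lines shown in this article)."""
    tokens = cmdline.split()
    opts = {}
    i = 0 if tokens and tokens[0].startswith("--") else 1   # skip the program name if present
    while i < len(tokens):
        tok = tokens[i]
        if not tok.startswith("--"):
            i += 1
            continue
        name, has_eq, value = tok[2:].partition("=")
        if not has_eq and i + 1 < len(tokens) and not tokens[i + 1].startswith("--"):
            value = tokens[i + 1]   # '--port 27018' style value
            i += 1
        opts[name] = value if value else True   # bare flags such as --auth become True
        i += 1
    return opts


def audit_mongod_args(cmdline):
    """Return a list of findings; an empty list means the checklist is satisfied."""
    opts = parse_mongod_args(cmdline)
    findings = []
    if "auth" not in opts:
        findings.append("missing --auth: any client can connect and perform any operation")
    port = opts.get("port", DEFAULT_PORT)
    port = int(port) if str(port).isdigit() else DEFAULT_PORT
    if "nohttpinterface" not in opts:
        findings.append(f"missing --nohttpinterface: web admin page exposed on port {port + 1000}")
    if "bind_ip" not in opts:
        findings.append("missing --bind_ip: mongod listens on every network interface")
    if port == DEFAULT_PORT:
        findings.append(f"default port {DEFAULT_PORT} in use: consider changing it")
    for name in opts:
        if name.startswith("-"):   # e.g. '----nohttpinterface', which mongod would reject at startup
            findings.append(f"malformed option '--{name}'")
    return findings


if __name__ == "__main__":
    # Constructed sample command lines: the install line from section 0x05 and a weaker one.
    samples = ("mongod --dbpath d:\\mongodb\\data --logpath d:\\mongodb\\log\\mongodb.log "
               "--nohttpinterface --auth --install",
               "mongod --dbpath /var/lib/mongo --logpath /var/log/mongodb.log")
    for line in samples:
        print(line, "->", audit_mongod_args(line) or ["OK"])
```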

0x05 common commands

1. Install

mongod --dbpath d:\mongodb\data --logpath d:\mongodb\log\mongodb.log --nohttpinterface --auth --install

2. Add users

use admin
db.addUser("test","test")

3. Display all databases

show dbs

4. Use a database

use test

5. Connect to the database

mongo test -uroot -p123456

6. Add user authentication

db.auth("username","password")

7. View users

db.system.users.find()

Only a few basic commands are listed here; many others can be found online, or you can connect with a management tool.

0x06 management tools

1. MongoVUE

Management tools in the form of clients

2. rockmongo

Web-based management tool written in PHP

Experts, please point out any mistakes!
