MongoDB study note (2): security configurations - Setup username and password, Bind interface and Iptables (on Ubuntu 16.04/mongoDB 3.4)


Setting up username and password

First, check your /etc/mongod.conf to confirm that authentication is not yet enabled: the following lines must be commented out with '#' (add the '#' if they are not), then restart the mongod service:

#security:
  #authorization: enabled

sudo service mongod restart

Then connect to the local mongod:

mongo --port 27017

Switch to admin database:

use admin

Create admin user:

db.createUser({ user: "admin", pwd: "<your password>", roles: [{ role: "userAdminAnyDatabase", db: "admin" }] })

Grant the root role to the admin user:

db.grantRolesToUser('admin',[{ role: "root", db: "admin" }])

Check if successfully added (should return 1):

db.auth("admin", "<your password>")

Exit mongo client:

exit

Enable auth mode in /etc/mongod.conf by uncommenting the following lines, then restart the service:

security:
  authorization: enabled

sudo service mongod restart

Go back to the mongo shell, switch to admin and authenticate:

use admin
db.auth("admin", "<your password>")

Switch to your database and create a user:

use <yourdatabase>
db.createUser({ user: "<youruser>", pwd: "<yourpassword>", roles: [{ role: "dbOwner", db: "<yourdatabase>" }] })

You may need other roles; see the MongoDB documentation page Built-In Roles.

Finally, check the result:

db.auth("<youruser>", "<yourpassword>")
show collections

Your application can then connect to the database with the following connection string:

mongodb://<youruser>:<yourpassword>@localhost/<yourdatabase>
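
The steps above enable authentication by editing /etc/mongod.conf by hand and restarting. As an added example (not part of the original note), the bash script below does that edit in one place: it switches security.authorization between enabled and disabled whatever state the block is in (commented out as in the Ubuntu package file, already active, or absent), leaves exactly one block behind on repeated runs, and reports the effective setting so it can be confirmed before the restart. The two-space YAML indentation and the function names are assumptions of this example; the restart command is the one from the note.

```shell
#!/usr/bin/env bash
# Added example (not from the original note): toggle security.authorization
# in a mongod.conf and report its effective value.
# Assumptions: YAML indented with two spaces as in the Ubuntu package file;
# the function names below are this example's own.
set -u

# auth_mode_of <conf-file>
# Prints "enabled" or "disabled" when a live security block sets it, or
# "unset" when the block is missing or commented out (mongod then accepts
# unauthenticated connections).
auth_mode_of() {
    awk '
        /^[ \t]*security:[ \t]*$/ { in_sec = 1; next }
        in_sec && /^[ \t]+authorization:/ { print $2; found = 1; exit }
        /^[^ \t#]/ { in_sec = 0 }   # a new top-level key ends the block
        END { if (!found) print "unset" }
    ' "$1"
}

# set_mongod_auth <conf-file> <enabled|disabled>
# Removes any existing security/authorization lines (live or commented) and
# appends one clean block, so repeated runs leave exactly one block behind.
# Writes through "cat >" rather than mv to keep the file's owner and mode.
set_mongod_auth() {
    local conf="$1" mode="$2" tmp
    case "$mode" in
        enabled|disabled) ;;
        *) echo "mode must be enabled or disabled, got: $mode" >&2; return 2 ;;
    esac
    tmp="$(mktemp)"
    awk -v mode="$mode" '
        /^[ \t]*#?[ \t]*security:[ \t]*$/ { next }
        /^[ \t]*#?[ \t]*authorization:[ \t]*(enabled|disabled)[ \t]*$/ { next }
        { print }
        END { printf "security:\n  authorization: %s\n", mode }
    ' "$conf" > "$tmp"
    cat "$tmp" > "$conf"
    rm -f "$tmp"
}

# Demo on a scratch file shaped like the commented-out block in the note
# (constructed). For the real file run:
#   set_mongod_auth /etc/mongod.conf enabled && sudo service mongod restart
demo() {
    local scratch
    scratch="$(mktemp)"
    printf 'net:\n  port: 27017\n  bindIp: 127.0.0.1\n#security:\n  #authorization: enabled\n' > "$scratch"
    printf 'before: %s\n' "$(auth_mode_of "$scratch")"   # unset
    set_mongod_auth "$scratch" enabled
    printf 'after:  %s\n' "$(auth_mode_of "$scratch")"   # enabled
    rm -f "$scratch"
}
demo
```

After the restart, repeat the note's check: an unauthenticated mongo shell session must be refused until db.auth succeeds.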

Interface binding

To set up the interface and port for mongod, use the 'net' section of /etc/mongod.conf and its sub-fields 'port' (MongoDB's default port is 27017) and 'bindIp'. For example, suppose our server's intranet IP (private IP) is 192.168.1.100 and its internet IP (public IP) is 34.177.10.33. The following settings serve different purposes.

Only allow access from local machine

net:
  port: 27017
  bindIp: 127.0.0.1

Allow access from local and intranet

net:
  port: 27017
  bindIp: 127.0.0.1,192.168.1.100

Allow access from local, intranet and internet, and change the port to 27016

net:
  port: 27016
  bindIp: 127.0.0.1,192.168.1.100,34.177.10.33

All access allowed

net:
  port: 27017
  bindIp: 0.0.0.0

Remember to restart the service (sudo service mongod restart) after modifying mongod.conf.
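
The four configurations above differ only in who can reach the listener. As an added example (not part of the original note), the bash functions below print a correctly spaced net: stanza for a port and address list and classify each address as loopback, private, public or wildcard, returning non-zero when the listener is reachable from the internet, which is when the iptables rules of the next section are required rather than optional. The addresses in the demo are the note's own; the function names are this example's.

```shell
#!/usr/bin/env bash
# Added example (not from the original note): render the "net:" stanza for a
# port and bindIp list, and classify each address by who can reach it.
# The demo addresses are the ones used in the note; function names are this
# example's own.
set -u

# bind_exposure <ip>[,<ip>...]
# Prints "<address> <class>" per entry: loopback (this host only), private
# (RFC 1918, intranet), public (routable from the internet) or wildcard
# (every interface, present and future).
bind_exposure() {
    local ip
    for ip in $(printf '%s' "$1" | tr ',' ' '); do
        case "$ip" in
            0.0.0.0|::)                             printf '%s wildcard\n' "$ip" ;;
            127.*|::1|localhost)                    printf '%s loopback\n' "$ip" ;;
            10.*|192.168.*)                         printf '%s private\n'  "$ip" ;;
            172.1[6-9].*|172.2[0-9].*|172.3[01].*)  printf '%s private\n'  "$ip" ;;
            *)                                      printf '%s public\n'   "$ip" ;;
        esac
    done
}

# render_net_block <port> <ip-list>
# Prints the stanza with the space after each colon that YAML needs to
# separate key from value. Returns 1 when any address is public or a
# wildcard, i.e. the listener is reachable from the internet and a packet
# filter has to carry the access control.
render_net_block() {
    local port="$1" ips="$2"
    printf 'net:\n  port: %s\n  bindIp: %s\n' "$port" "$ips"
    if bind_exposure "$ips" | grep -Eq ' (public|wildcard)$'; then
        return 1
    fi
    return 0
}

# Demo with the note's addresses: intranet-only, then intranet plus internet.
render_net_block 27017 "127.0.0.1,192.168.1.100" && echo "# reachable from this host and the intranet only"
render_net_block 27016 "127.0.0.1,192.168.1.100,34.177.10.33" || echo "# reachable from the internet: firewall rules required"
```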

Iptables settings

We can use iptables to allow requests only from specific IPs. The following examples assume MongoDB listens on port 27017.

Allow any source to connect to 27017

iptables -A INPUT -p tcp --dport 27017 -j ACCEPT

Allow only certain IPs to connect to 27017 (repeat the pair for each trusted address; an ACCEPT rule on its own restricts nothing, so the INPUT chain also needs a DROP rule for the port, or a DROP default policy, before other sources are refused)

iptables -A INPUT -s <trusted-ip> -p tcp --destination-port 27017 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -d <trusted-ip> -p tcp --source-port 27017 -m state --state ESTABLISHED -j ACCEPT
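
As an added example (not part of the original note), the bash script below generates the complete rule set for the "only certain IPs" case: one ACCEPT per trusted address, the OUTPUT rule for mongod's replies, and the final DROP for every other source that the two lines above rely on but do not include. It validates the address list before printing anything, prints the rules by default, and executes them only with --apply. It uses -m conntrack --ctstate, the current spelling of the note's -m state --state. The function names, the MONGO_PORT and TRUSTED_IPS variables and the --apply flag are this example's own; 192.168.1.100 is the intranet address used in the note.

```shell
#!/usr/bin/env bash
# Added example (not from the original note): generate the iptables rules that
# let only trusted client addresses reach mongod's port and drop everyone else.
# Rules are printed by default; pass --apply to execute them (needs root).
# Function names, MONGO_PORT, TRUSTED_IPS and the --apply flag are this
# example's own; 192.168.1.100 is the intranet address used in the note.
set -u

# valid_ipv4 <addr>   accepts a.b.c.d with an optional /prefix
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# mongo_port_rules <port> <ip>[,<ip>...]
# One ACCEPT per trusted source for new and established connections, an
# OUTPUT rule for mongod's replies (as in the note), and a final DROP for any
# other source. ACCEPT rules alone restrict nothing: without the DROP (or a
# DROP default policy on INPUT) every other host is still let through.
# All addresses are checked before any rule is printed, so --apply never
# installs a partial set.
mongo_port_rules() {
    local port="$1" ips="$2" ip
    for ip in $(printf '%s' "$ips" | tr ',' ' '); do
        valid_ipv4 "$ip" || { echo "not an IPv4 address: $ip" >&2; return 1; }
    done
    for ip in $(printf '%s' "$ips" | tr ',' ' '); do
        printf 'iptables -A INPUT -p tcp -s %s --dport %s -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT\n' "$ip" "$port"
    done
    printf 'iptables -A OUTPUT -p tcp --sport %s -m conntrack --ctstate ESTABLISHED -j ACCEPT\n' "$port"
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
}

# apply_rules <port> <ip-list>: run each generated rule in order; stop on the
# first failure so the chain is never left half-built silently.
apply_rules() {
    mongo_port_rules "$@" | while IFS= read -r cmd; do
        sh -c "$cmd" || exit 1
    done
}

if [ "${1:-}" = "--apply" ]; then
    apply_rules "${MONGO_PORT:-27017}" "${TRUSTED_IPS:-192.168.1.100}"
else
    mongo_port_rules "${MONGO_PORT:-27017}" "${TRUSTED_IPS:-192.168.1.100}"
fi
```

Review the printed rules first (the default), then run with --apply as root; the script appends to the existing chains and does not flush them, so existing rules are kept.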
