MongoDB study note (2): security configurations - Setup username and password, Bind interface and Iptables (on Ubuntu 16.04/mongoDB 3.4)

-

Setting up username and password

First, check your /etc/mongod.conf to confirm it is not in the auth mode. Add comment symbol '#' of the following code and restart mongod service:

#security:
  #authorization: enabled
 sudo service mongod restart

Then, Connect to local mongodb:

mongo --port 27017

Switch to admin database:

use admin

Create admin user:

db.createUser({ user: "admin", pwd: "<your password>", roles: [{ role: "userAdminAnyDatabase", db: "admin" }] })

Grant Roles:

db.grantRolesToUser('admin',[{ role: "root", db: "admin" }])

Check if successfully added (should return 1):

db.auth("admin", "<your password>")

Exit mongo client:

exit

Enable the auth mode in your /etc/mongod.conf by activating the following lines and then restart the service:

security:
  authorization: enabled
 sudo service mongod restart

Go back to mongo shell, and switch to admin and authenticate:

use admin db.auth("admin", "<your password>")

Switch to your database and create an user:

use <yourdatabase> db.createUser({ user: "<youruser>", pwd: "<yourpassword>", roles: [{ role: "dbOwner", db: "<yourdatabase>" }] })
You may need other types of role. Please check this page: Built-In Roles

Final step, now check the results:

db.auth("<youruser>", "<yourpassword>") show collections

You may connect to your database by using the following connection string from your application:

mongodb://<youruser>:<yourpassword>@localhost/<yourdatabase>

Interface binding

To setup the interface and port for mongodb, we need to use the 'net' field and subfield - 'port' (mongodb's default port is 27017) and 'bindIp' in /etc/mongod.conf . For example, our server intranet ip (private ip) is 192.168.1.100 and internet ip (public ip) is 34.177.10.33 . We can do the following settings for different purposes.

Only allow access from local machine

net:
  port:27017
  bingIp:127.0.0.1

Allow access from local and intranet

net:
  port:27017
  bingIp:127.0.0.1,192.168.1.100

Allow access from local, intranet, and internet. And set port to 27016

net:
  port:27016
  bingIp:127.0.0.1,192.168.1.100,34.177.10.33

All access allowed

net:
  port:27017
  bingIp:0.0.0.0
Please remember to restart the service after these modifications on mongod.conf

Iptables settings

We can use iptables to allow the request from some specific IPs. Please refer to the following examples: (mongodb port is 27017)

Any connections can connect to 27017

iptables -A INPUT -p tcp --dport 27017 -j ACCEPT

Only certain IPs can connect to 27017

iptables -A INPUT -s -p tcp --destination-port 27017 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -d -p tcp --source-port 27017 -m state --state ESTABLISHED -j ACCEPT

评论

发表评论

此博客中的热门博文

Openwrt路由器上配置shadowsocks透明代理+gfwlist(PAC)

-
Shadowsocks 服务推荐: Just My Socks 推荐理由:价格便宜,支持月付,安全灵活。 本文配置的前提是已经有shadowsocks服务。你可以通过购买或者自行搭建的方式获得。以下是链接: 直接购买网上的服务,此处推荐 Just My Socks 快速Just My Socks配置Shadowsocks,请点 这里 。 自行搭建,请参考 KVM VPS上配置V2Ray(Shadowsocks mode) + 加速:普通BBR/魔改BBR(测试于Ubuntu 16.04) 本文所使用的环境,仅作参考: OpenWrt 18.06.1/LuCI openwrt-18.06 整体思路: DNS部分: if 访问地址在gfwlist中     DNS请求转发到127.0.0.1:5353的dns-forwarder的监听端口     dns-forwarder转发到8.8.8.8进行解析     8.8.8.8在gfwlist中,通过匹配iptables规则转发到1080端口     ss-redir监听1080端口,通过shadowsocks代理服务器转发请求 else     正常使用公共DNS或者ISP提供的DNS服务器 其他数据: if 访问地址在gfwlist中     通过匹配iptables规则转发到1080端口     ss-redir监听1080端口,通过shadowsocks代理服务器转发请求 else     正常访问 步骤1:依赖包安装( 非常重要 ) 本文所有的操作都基于SSH和Web管理界面操作。 首先通过SSH添加GPG Key,这样之后添加的源才能通过签名验证: wget http://openwrt-dist.sourceforge.net/packages/openwrt-dist.pub -O /tmp/openwrt-dist.pub opkg-key add /tmp/openwrt-dist.pub 然后在OpenWRT Web管理界面,“系统”>“软件包”>“配置”中,“自定义feeds”最后添加两行源: src/gz openwrt_dist http://openwrt-
阅读全文

Configure shadowsocks transparent proxy + gfwlist(PAC) on OpenWRT Router

-
You must have Shadowsocks services which can be gained in the following way before actually starting to configure. Purchase Shadowsocks Service directly online. Recommendation:  Just My Socks Quick Shadowsocks configuration using Just My Socks, please click here . Build the service yourself. Please refer to  Configure V2Ray(Shadowsocks mode) + 加速:普通BBR/魔改BBR on KVM VPS (Tested on Ubuntu 16.04) . The environment this article used, FYI: OpenWrt 18.06.1/LuCI openwrt-18.06 The Overall Idea: DNS part: if the requested address is in gfwlist     forward DNS request to 127.0.0.1:5353 which is listened by dns-forwarder     dns-forwarder forwards the request to 8.8.8.8 for translating     8.8.8.8 is in gfwlist, so match iptables rules and is fowared to 1080     ss-redir listen on port 1080, foward request to shadowsocks server else     use public DNS servers or the DNS servers provided by the ISP other data: if the requested address is in gfwlist     match ipt
阅读全文

Configure V2Ray(Shadowsocks mode) + 加速:普通BBR/魔改BBR on KVM VPS (Tested on Ubuntu 16.04)

-
First of all, you will need to deploy a VPS with KVM technology as BBR does not support OpenVZ but KVM. I recommend Bandwagonhost and Vultr because of the price. Here is the link to register and deploy: Bandwagonhost Vultr (Or click here to get a big discount, only available for a LIMITED TIME ) Here I suggest you choose Ubuntu 16.04 or later versions as your OS. After everything is ready and you can successfully ping your server from your local environment, connect to your VPS via SSH. Now let's start. Step 1: V2RAY V2RAY is a new generation of software for data proxy. It supports almost all protocols. Here let's choose Shadowsocks as our protocol with which most of us are familiar. Type in the following command in your SSH terminal to install: bash <(curl -L -s https://install.direct/go.sh) Then use your favorite text editor to edit the configuration file located at '/etc/v2ray/config.json'. Here I use vim as my editor and you can use whatever you a
阅读全文