mongodb安全

Posted Qiao_Zhi

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了mongodb安全相关的知识,希望对你有一定的参考价值。

 1.流程:

  (1)创建超级管理员

  (2)修改配置文件,验证身份登录

  (3)重启服务

  (4)使用超级管理员登录

  (5)创建普通用户

  (6)使用普通用户登录对应的数据库

 

 

 

 

mongodb数据库角色:

 

 

1创建用户:(只要指明角色和授予的数据库)

 

创建用户:(注意切换到admin数据库:)

> use admin
switched to db admin
> db.createUser({"user":"root",pwd:"123456",roles:[{role:"root",db:"admin"}]})
Successfully added user: {
        "user" : "root",
        "roles" : [
                {
                        "role" : "root",
                        "db" : "admin"
                }
        ]
}

 

 

 

 2.修改配置文件,启动验证身份:

  •  linux下面修改/etc/mongod.conf (注意后面有空格)

 

重启服务即可

 

 

  • windows下面:  在启动mongod的时候后面携带--auth 参数,其中参数有很多,在最后会附上启动参数。
mongod --auth

 

  如果需要制定数据路径:

mongod --auth --dbpath c:\\data\\db

 

 

  因此可以将上面命令写入一bat脚本。(前提是将mongod的目录配置到环境变量path)

 

例如我的一个bat脚本:(我的安装目录是E:\\mongodb\\mongodb-win32-x86_64-enterprise-windows-64-3.6.3\\bin)

e:
cd E:\\mongodb\\mongodb-win32-x86_64-enterprise-windows-64-3.6.3\\bin
mongod.exe --auth --dbpath c:\\data\\db
pause

 

 

 3.登录数据库:(需要制定数据库和密码)

 直接登录:

mongo -u root -p 123456 --authenticationDatabase admin

 

  这是以管理员身份登录,登录之后可以对任何数据库进行操作

 

因此将上面命令也可以写成一个脚本:

e:
cd E:\\mongodb\\mongodb-win32-x86_64-enterprise-windows-64-3.6.3\\bin
mongod.exe --auth --dbpath c:\\data\\db
pause

 

 

 

4.实际开发中是超级管理员创建一普通账户并给其分配对应的数据库,因此此用户只能操作其对应的数据库

  •  创建普通用户(对mydb数据库具有读写权限,账号密码都是user)
db.createUser({
    "user":"user",
    "pwd":"user",
    roles:[{
        "role":"readWrite",
        "db":"mydb"
        }]
    })

 

 

 

 

  •  重启服务之后测试:
C:\\Users\\liqiang>mongo -u user -p user --authenticationDatabase admin  #普通用户登录admin数据库报错
MongoDB shell version v3.6.3
connecting to: mongodb://127.0.0.1:27017
MongoDB server version: 3.6.3
2018-03-26T22:32:07.191+0800 E QUERY    [thread1] Error: Authentication failed.
:
DB.prototype._authOrThrow@src/mongo/shell/db.js:1608:20
@(auth):6:1
@(auth):1:2
exception: login failed

C:\\Users\\liqiang>mongo -u user -p user --authenticationDatabase mydb  #普通用户登录分配给他的mydb数据库正常
MongoDB shell version v3.6.3
connecting to: mongodb://127.0.0.1:27017
MongoDB server version: 3.6.3

 

 

 

MongoDB Enterprise > db
admin
MongoDB Enterprise > use mydb  #访问admin数据库报错
switched to db mydb
MongoDB Enterprise > show tables   #访问mydb正常
mydb
MongoDB Enterprise >

 

 

 

 

 

 

附一些mongod启动参数:

C:\\Users\\liqiang>mongod/?
Invalid command: /?
Options:

General options:
  -h [ --help ]                         show this usage information
  --version                             show version information
  -f [ --config ] arg                   configuration file specifying
                                        additional options
  -v [ --verbose ] [=arg(=v)]           be more verbose (include multiple times
                                        for more verbosity e.g. -vvvvv)
  --quiet                               quieter output
  --port arg                            specify port number - 27017 by default
  --bind_ip arg                         comma separated list of ip addresses to
                                        listen on - localhost by default
  --bind_ip_all                         bind to all ip addresses
  --ipv6                                enable IPv6 support (disabled by
                                        default)
  --listenBacklog arg (=2147483647)     set socket listen backlog size
  --maxConns arg                        max number of simultaneous connections
                                        - 1000000 by default
  --logpath arg                         log file to send write to instead of
                                        stdout - has to be a file, not
                                        directory
  --logappend                           append to logpath instead of
                                        over-writing
  --logRotate arg                       set the log rotation behavior
                                        (rename|reopen)
  --timeStampFormat arg                 Desired format for timestamps in log
                                        messages. One of ctime, iso8601-utc or
                                        iso8601-local
  --redactClientLogData                 Redact client data written to the
                                        diagnostics log
  --pidfilepath arg                     full path to pidfile (if not set, no
                                        pidfile is created)
  --timeZoneInfo arg                    full path to time zone info directory,
                                        e.g. /usr/share/zoneinfo
  --keyFile arg                         private key for cluster authentication
  --noauth                              run without security
  --setParameter arg                    Set a configurable parameter
  --transitionToAuth                    For rolling access control upgrade.
                                        Attempt to authenticate over outgoing
                                        connections and proceed regardless of
                                        success. Accept incoming connections
                                        with or without authentication.
  --clusterAuthMode arg                 Authentication mode used for cluster
                                        authentication. Alternatives are
                                        (keyFile|sendKeyFile|sendX509|x509)
  --networkMessageCompressors [=arg(=disabled)] (=snappy)
                                        Comma-separated list of compressors to
                                        use for network messages
  --auth                                run with security
  --clusterIpSourceWhitelist arg        Network CIDR specification of permitted
                                        origin for `__system` access.
  --slowms arg (=100)                   value of slow for profile and console
                                        log
  --slowOpSampleRate arg (=1)           fraction of slow ops to include in the
                                        profile and console log
  --profile arg                         0=off 1=slow, 2=all
  --cpu                                 periodically show cpu and iowait
                                        utilization
  --sysinfo                             print some diagnostic system
                                        information
  --noIndexBuildRetry                   don\'t retry any index builds that were
                                        interrupted by shutdown
  --noscripting                         disable scripting engine
  --notablescan                         do not allow table scans

Windows Service Control Manager options:
  --install                             install Windows service
  --remove                              remove Windows service
  --reinstall                           reinstall Windows service (equivalent
                                        to --remove followed by --install)
  --serviceName arg                     Windows service name
  --serviceDisplayName arg              Windows service display name
  --serviceDescription arg              Windows service description
  --serviceUser arg                     account for service execution
  --servicePassword arg                 password used to authenticate
                                        serviceUser

Replication options:
  --oplogSize arg                       size to use (in MB) for replication op
                                        log. default is 5% of disk space (i.e.
                                        large is good)

Master/slave options (old; use replica sets instead):
  --master                              master mode
  --slave                               slave mode
  --source arg                          when slave: specify master as
                                        <server:port>
  --only arg                            when slave: specify a single database
                                        to replicate
  --slavedelay arg                      specify delay (in seconds) to be used
                                        when applying master ops to slave
  --autoresync                          automatically resync if slave data is
                                        stale

Replica set options:
  --replSet arg                         arg is <setname>[/<optionalseedhostlist
                                        >]
  --replIndexPrefetch arg               specify index prefetching behavior (if
                                        secondary) [none|_id_only|all]
  --enableMajorityReadConcern [=arg(=1)] (=1)
                                        enables majority readConcern

Sharding options:
  --configsvr                           declare this is a config db of a
                                        cluster; default port 27019; default
                                        dir /data/configdb
  --shardsvr                            declare this is a shard db of a
                                        cluster; default port 27018

SSL options:
  --sslOnNormalPorts                    use ssl on configured ports
  --sslMode arg                         set the SSL operation mode
                                        (disabled|allowSSL|preferSSL|requireSSL
                                        )
  --sslPEMKeyFile arg                   PEM file for ssl
  --sslPEMKeyPassword arg               PEM file password
  --sslClusterFile arg                  Key file for internal SSL
                                        authentication
  --sslClusterPassword arg              Internal authentication key file
                                        password
  --sslCAFile arg                       Certificate Authority file for SSL
  --sslCRLFile arg                      Certificate Revocation List file for
                                        SSL
  --sslDisabledProtocols arg            Comma separated list of TLS protocols
                                        to disable [TLS1_0,TLS1_1,TLS1_2]
  --sslWeakCertificateValidation        allow client to connect without
                                        presenting a certificate
  --sslAllowConnectionsWithoutCertificates
                                        allow client to connect without
                                        presenting a certificate
  --sslAllowInvalidHostnames            Allow server certificates to provide
                                        non-matching hostnames
  --sslAllowInvalidCertificates         allow connections to servers with
                                        invalid certificates
  --sslFIPSMode                         activate FIPS 140-2 mode at startup

Storage options:
  --storageEngine arg                   what storage engine to use - defaults
                                        to wiredTiger if no data files present
  --dbpath arg                          directory for datafiles - defaults to
                                        \\data\\db\\ which is C:\\data\\db\\ based on
                                        the current working drive
  --directoryperdb                      each database will be stored in a
                                        separate directory
  --noprealloc                          disable data file preallocation - will
                                        often hurt performance
  --nssize arg (=16)                    .ns file size (in MB) for new databases
  --quota                               limits each database to a certain
                                        number of files (8 default)
  --quotaFiles arg                      number of files allowed per db, implies
                                        --quota
  --smallfiles                          use a smaller default file size
  --syncdelay arg (=60)                 seconds between disk syncs (0=never,
                                        but not recommended)
  --upgrade                             upgrade db if needed
  --repair                              run repair on all dbs
  --repairpath arg                      root directory for repair files -
                                        defaults to dbpath
  --journal                             enable journaling
  --nojournal                           disable journaling (journaling is on by
                                        default for 64 bit)
  --journalOptions arg                  journal diagnostic options
  --journalCommitInterval arg           how often to group/batch commit (ms)

Auditing Options:
  --auditDestination arg                Destination of audit log output.
                                        (console/syslog/file)
  --auditFormat arg                     Format of the audit log, if logging to
                                        a file.  (BSON/JSON)
  --auditPath arg                       full filespec for audit log file
  --auditFilter arg                     filter spec to screen audit records

Kerberos Options:
  --sspiHostnameCanonicalization arg (=none)
                                        DNS resolution strategy to use for
                                        hostname canonicalization. May be one
                                        of: {none, forward, forwardAndReverse}

SNMP Module Options:
  --snmp-subagent                       run snmp subagent
  --snmp-master                         run snmp as master

Encryption at rest options:
  --enableEncryption                    Enable encryption at rest
  --encryptionKeyFile arg               File path for encryption key file
  --encryptionCipherMode arg            Cipher mode to use for encryption at
                                        rest
  --kmipRotateMasterKey                 Rotate master encryption key
  --kmipKeyIdentifier arg               KMIP unique identifier for existing key
                                        to use
  --kmipServerName arg                  KMIP server host name
  --kmipPort arg                        KMIP server port (defaults to 5696)
  --kmipClientCertificateFile arg       Client certificate for authenticating
                                        to KMIP server
  --kmipClientCertificatePassword arg   Client certificate for authenticating
                                        Mongo to KMIP server
  --kmipServerCAFile arg                CA File for validating connection to
                                        KMIP server

LDAP Module Options:
  --ldapServers arg                     Comma separated list of LDAP servers on
                                        format  host:port
  --ldapTransportSecurity arg (=tls)    Transport security used between MongoDB
                                        and remote LDAP server(none|tls)
  --ldapBindWithOSDefaults              Peform queries with the service
                                        account\'s username and password
  --ldapBindMethod arg (=simple)        Authentication scheme to use while
                                        connecting to LDAP. This may either be
                                        \'sasl\' or \'simple\'
  --ldapBindSaslMechanisms arg (=DIGEST-MD5)
                                        Comma separated list of SASL mechanisms
                                        to use while binding to the LDAP server
  --ldapTimeoutMS arg (=10000)          Timeout for LDAP queries (ms)
  --ldapQueryUser arg                   LDAP entity to bind with to perform
                                        queries
  --ldapQueryPassword arg               Password to use while binding to the
                                        LDAP server to perform queries
  --ldapUserToDNMapping arg (=[{match: "(.+)", substitution: "{0}"}])
                                        Tranformation from MongoDB users to
                                        LDAP user DNs
  --ldapAuthzQueryTemplate arg          Relative LDAP query URL which will be
                                        queried against the host to acquire
                                        LDAP groups. The token {USER} will be
                                        replaced with the mapped username

WiredTiger options:
  --wiredTigerCacheSizeGB arg           maximum amount of memory to allocate
                                        for cache; defaults to 1/2 of physical
                                        RAM
  --wiredTigerJournalCompressor arg (=snappy)
                                        use a compressor for log records
                                        [none|snappy|zlib]
  --wiredTigerDirectoryForIndexes       Put indexes and data in different
                                        directories
  --wiredTigerCollectionBlockCompressor arg (=snappy)
                                        block compression algorithm for
                                        collection data [none|snappy|zlib]
  --wiredTigerIndexPrefixCompression arg (=1)
                                        use prefix compression on row-store
                                        leaf pages

InMemory options:
  --inMemorySizeGB arg                  maximum amount of memory to allocate
                                        for InMemory data; defaults to 50% of
                                        physical RAM less 1GB

 

 

附一些mongo的参数:

C:\\Users\\liqiang>mongo -help
MongoDB shell version v3.6.3
usage: mongo [options] [db address] [file names (ending in .js)]
db address can be:
  foo                   foo database on local machine
  192.168.0.5/foo       foo database on 192.168.0.5 machine
  192.168.0.5:9999/foo  foo database on 192.168.0.5 machine on port 9999
Options:
  --shell                               run the shell after executing files
  --nodb                                don\'t connect to mongod on startup - no
                                        \'db address\' arg expected
  --norc                                will not run the ".mongorc.js" file on
                                        start up
  --quiet                               be less chatty
  --port arg                            port to connect to
  --host arg                            server to connect to
  --eval arg                            evaluate javascript
  -h [ --help ]                         show this usage information
  --version                             show version information
  --verbose                             increase verbosity
  --ipv6                                enable IPv6 support (disabled by
                                        default)
  --disableJavaScriptJIT                disable the Javascript Just In Time
                                        compiler
  --disableJavaScriptProtection         allow automatic JavaScript function
                                        marshalling
  --ssl                                 use SSL for all connections
  --sslCAFile arg                       Certificate Authority file for SSL
  --sslPEMKeyFile arg                   PEM certificate/key file for SSL
  --sslPEMKeyPassword arg               password for key in PEM file for SSL
  --sslCRLFile arg                      Certificate Revocation List file for
                                        SSL
  --sslAllowInvalidHostnames            allow connections to servers with
                                        non-matching hostnames
  --sslAllowInvalidCertificates         allow connections to servers with
                                        invalid certificates
  --sslFIPSMode                         activate FIPS 140-2 mode at startup
  --retryWrites                         automatically retry write operations
                                        upon transient network errors
  --jsHeapLimitMB arg                   set the js scope\'s heap size limit

Authentication Options:
  -u [ --username ] arg                 username for authentication
  -p [ --password ] arg                 password for authentication
  --authenticationDatabase arg          user source (defaults to dbname)
  --authenticationMechanism arg         authentication mechanism
  --gssapiServiceName arg (=mongodb)    Service name to use when authenticating
                                        using GSSAPI/Kerberos
  --gssapiHostName arg                  Remote host name to use for purpose of
                                        GSSAPI/Kerberos authentication

Kerberos Options:
  --sspiHostnameCanonicalization arg (=none)
                                        DNS resolution strategy to use for
                                        hostname canonicalization. May be one
                                        of: {none, forward, forwardAndReverse}

file names: a list of files to run. files have to end in .js and will exit after
 unless --shell is specified

 

以上是关于mongodb安全的主要内容,如果未能解决你的问题,请参考以下文章

MongoDB PHP

ios - Heroku 和 MongoDb 上的自定义解析服务器错误 3080:JSON 文本没有以数组或对象开头,并且允许未设置片段的选项

CPNtools协议建模安全分析---实例变迁标记

《安富莱嵌入式周报》第279期:强劲的代码片段搜索工具,卡内基梅隆大学安全可靠C编码标准,Nordic发布双频WiFi6 nRF7002芯片

mongodb关联查询

安全测试 web安全测试 常规安全漏洞 可能存在SQL和JS注入漏洞场景分析。为什么自己没有找到漏洞,哪么可能存在漏洞场景是?SQL注入漏洞修复 JS注入漏洞修复 漏洞存在场景分析和修复示例(代码片段