提升 MongoDB 安全性的 10 个提示
2016-04-28 22:56
501 查看
| MongoDB provides a number of constructs to improve the security of your data. The security of your data in MongoDB is paramount - so it is important to leverage these constructs to reduce your surface area. Here are 10 tips you can use to improve the security of your MongoDB servers on premise and in the cloud. 1. Enable auth - Even if you have deployed your Mongodb servers in a trusted network it is good security practice to enable auth. It provides you "Defense in depth" if your network is compromised. Edit your mongod configuration file to enable auth auth = true | 译者信息 MongoDB提供了一系列组件来提升数据的安全性。数据安全在MongoDB中是最重要的——因此它利用这些组件来减少曝光面。下面是10个可以用来改善你个人或云中MongoDB服务器安全的小提示。 1. 启用auth — 即使在可信赖网络中部署MongoDB服务器时启用auth也是项好的安全实践。当你的网络受攻击时它能够提供“深层防御”。编辑配置文件来启用auth auth = true |
| 2. Don't expose your production db to the internet - Restricting physical access to your database is an important aspect of security. If it is not necessary do not expose your production database to the internet. In case of any compromise if an attacker cannot physically connect to your MongoDB server, your data is that much more secure. If you are on AWS you can place your db's in a VPC private subnet. Read the blog post Deploying MongoDB in a VPC for more information. 3. Use firewalls - Use firewalls to restrict which other entities are allowed to connect to your mongodb server. Best practice is to only allow your application servers access to the database. If you are hosted on AWS use 'Security groups' to restrict access. If you are hosted on a provider that does not support firewall constructs you can easily configure it yourself using 'iptables'. Refer to the mongodb documentation to configure iptables for your scenario. | 译者信息 2.不要把生产环境的数据库暴露在Internet上-限制对数据库的物理访问是安全性的非常重要的一个措施。如果没有必要,就不要把生产环境的数据库暴露在Internet上。如果攻击者不能物理地连接到MongoDB服务器这种情形大打折扣,那么数据就不会比现在更安全。如果你把服务部署在亚马逊web服务(AWS)上,那么你应当把数据库部署在虚拟私有云(VPC)的私有子网里。有关这方面的更多信息请阅读博客文章"在私有云(VPC)里部署MongoDB"。 3.使用防火墙-防火墙的使用可以限制允许哪些实体连接MongoDB服务器。最佳的措施就是仅仅允许你自己的应用服务器访问数据库。如果你把无法部署在亚马逊web服务(AWS)上,你可以使用"安全组“功能限制访问权限。如果你把服务部署在不支持防火墙功能的提供商的主机上,那么你可以亲自使用"iptables"对服务器进行简单的配置。请参考mongodb的文档,实现对你所面对的具体环境配置iptables。 |
| 4. Use key files to setup the replica set - Specify a shared key file to enable communication between your mongodb instances in a replica set. To enable this add the keyfile parameter to the config file as below. The contents of the file need to be the same on all the machines. keyFile = /srv/mongodb/keyfile 5. Disable HTTP status interfaceMongodb by default provides a http interface running by default on port 28017 which provides the "home" status page. This interface is not recommended for production use and is best disabled. Use the "nohttpinterface" configuration setting to disable the http interface. nohttpinterface = true | 译者信息 4.使用key文件建立复制服务器集群-指定共享的key文件,启用复制集群的MongoDB实例之间的通信。如下给配置文件中增加keyfile参数。复制集群里的所有机器上的这个文件的内容必须相同。 keyFile = /srv/mongodb/keyfile 5.禁止HTTP状态接口- 默认情况下Mongodb在端口28017上运行http接口,以提供“主”状态页面。在生产环境下推荐不要使用此接口,最好禁止这个接口。使用"nohttpinterface"配置设置可以禁止这个http接口。 nohttpinterface = true |
| 6. Disable the REST interfaceThe monogdb REST interface is not recommended for production. It does not support any authentication. It is turned off by default. If you have turned it on using the "rest" configuration option you should turn it off for production systems. rest = false 7. Configure Bind_ipIf your system has multiple network interfaces you can use the "bind_ip" option to restrict your mongodb server to listen only on the interfaces that are relevant. By default mongodb will bind to all the interfaces bind_ip = 10.10.0.25,10.10.0.26 8. Enable SSL - If you don't use SSL your data is traveling between your Mongo client and Mongo server unencrypted and is susceptible to eavesdropping, tampering and "man in the middle" attacks. This is especially important if you are connecting to your Mongodb server over unsecure networks like the internet. | 译者信息 6.禁止REST接口-在生产环境下建议不要启用MongoDB的REST接口。这个接口不支持任何认证。默认情况下这个接口是关闭的。如果你使用的"rest"配置选项打开了这个接口,那么你应该在生产系统中关闭它。 rest = false 7.配置bind_ip- 如果你的系统使用的多个网络接口,那么你可以使用"bind_ip"选项限制mongodb服务器只在与该配置项关联的接口上侦听。默认情况下mongoDB绑定所有的接口。 bind_ip = 10.10.0.25,10.10.0.26 8.启用SSL- 如果你没有使用SSL,那么你在MongoDB客户端和MongoDB服务器之间的传输的数据就是明文的,容易受到窃听、篡改和“中间人”攻击。如果你是通过像internet这样的非安全网络连接到MongoDB服务器,那么启用SSL就显得非常重要。 |
| 9. Role based authorization - MongoDB supports role based authentication to give you fine grained control over the actions that can be performed by each user. Use role based constructs to restrict access instead of making all your users admins. Refer to the roles documentation for more details. 10. Enterprise MongoDB & KerberosEnterprise mongodb integrates with Kerberos for authentication. Refer to the mongodb documentation for more details. Username/password systems are inherently insecure - use kerb based authentication if possible. | 译者信息 9.基于角色进行认证- MongoDB支持基于角色的认证,这样你就可以对每个用户可以执行的动作进行细粒度的控制。使用基于角色的认证组建可以限制对数据库的访问,而不是所有的用户都是管理员。更多的信息请参考有关角色的文档。 10.企业级MongoDB与kerberos- 企业级mongodb继承了kerberos认证。有关这方面的更多信息请参考mongodb文档。基于用户名/密码的系统本身就是不安全的,因此如果可能的话,请使用基于kerberos的认证。 |
内容来自用户分享和网络整理,不保证内容的准确性,如有侵权内容,可联系管理员处理 
相关文章推荐
- NoSQL Mongodb的快速入门
- mongodb csv 文件导入数据库,删除特定字段
- mongodb的用户管理及安全认证
- 使用MongoDB 记录业务日志
- MongoDB查询语法
- Node.js + MongoDB + AngularJS - 6 访问文件系统-1
- Python中MySQL数据迁移到MongoDB脚本的方法
- 一个慌里慌张的中午
- MongoDB数据仓储
- Python迁移MySQL数据到MongoDB脚本
- mongodb 3.x for java
- Python中MySQL数据迁移到MongoDB脚本的方法
- MongoEngine文档 新手教程 安装MongoEngine&连接MongoDB
- MongDB 分片和副本集
- MongoDB涉及的业务比较慢--慢查询优化分析案例--以及参数说明
- MongoDB学习(1)--Windows安装与运行
- Node.js + MongoDB + AngularJS - 5 在Node.js中处理数据I0-2
- mongoDB 使用手册
- mongodb练习
- learn MongoDB (二) 常用修改器