MongoDB server can still be accessed without credentials


Question

I have a fresh mongodb server (2.6.0) in my machine and I started the mongod instance with the following config file:

dbpath = c:\mongo\data\db
port = 27017
logpath = c:\mongo\data\logs\mongo.log
auth = true

Later, I connected to this mongod instance through mongo shell and created an admin user:

use admin
db.createUser(
  {
    user: "tugberk",
    pwd: "12345678",
    roles:
    [
      {
        role: "userAdminAnyDatabase",
        db: "admin"
      }
    ]
  }
)

Then, I logged out from the shell and reconnected with the following command:

mongo --host localhost --port 27017 -u tugberk -p 12345678 --authenticationDatabase admin

Then, I created a user with root access:

use admin
db.createUser(
    {
      user: "tugberkRoot",
      pwd: "12345678",
      roles: [ "root" ]
    }
)

The last step is not necessary here but the anonymous access now should have been fully disabled. However, I can still connect to it anonymously through mongo shell (even if I don't have any access to do anything):

What should I do to prevent any anonymous connection?

Answer

Authentication prevents you from performing actions on the database (as your screenshot shows - you can't even list databases), it doesn't prevent connections - after all, you have to be able to connect to be able to authenticate.

There is a feature request to add timeouts, but for now this is essentially how the server is meant to behave.

It's worth noting that up until you try to do something, this is really no different than just connecting to the port with telnet - the text displayed at the start "connecting to:" etc. is from the client, not the server. As soon as it tries to do anything unauthenticated, even list the server warnings, an error is thrown because it does not have sufficient permissions.

If you want to lock down things from a connection perspective, the only option from a MongoDB perspective is to restrict the IP addresses it listens on (default is all) using the bindIp option. Using 127.0.0.1 would lock it down to local usage for example (but you would then be unable to connect from a remote host), which makes replication an issue so be careful when choosing your bound address.

Outside MongoDB, you should look at locking things down from a firewall perspective. On Linux this would be IPTables, ufw, hosts.allow/deny or similar. Windows firewall is not my area of expertise, but I would imagine you can do similar there also.
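As an added example (not part of the original answer), here is a small POSIX shell audit of a 2.6-style "key = value" mongod config for the two settings the answer names, auth and the bound address, run against a constructed copy of the questioner's file and a hardened variant. It assumes the option is spelled bind_ip in old-style files and checks bindIp as well.

```shell
#!/bin/sh
# Added example, not from the original answer: audit a mongod 2.6-style
# "key = value" config for the two settings discussed above. Returns 0 only
# when auth is on AND the bound address is not every interface.

# conf_value FILE KEY: print the value of "KEY = value", ignoring whitespace.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p" "$1" | tail -n 1
}

audit_mongod_conf() {
    conf="$1"; rc=0
    auth=$(conf_value "$conf" auth)
    # Assumed: old-style files spell the option bind_ip; YAML uses net.bindIp.
    bind=$(conf_value "$conf" bind_ip)
    if [ -z "$bind" ]; then bind=$(conf_value "$conf" bindIp); fi

    if [ "$auth" = "true" ]; then
        echo "OK   auth = true (unauthenticated clients can connect but not act)"
    else
        echo "FAIL auth not enabled: anonymous clients get full access"; rc=1
    fi

    case "$bind" in
        ""|0.0.0.0)
            echo "FAIL bind address unset or 0.0.0.0: listening on all interfaces"; rc=1 ;;
        *)
            echo "OK   bound to $bind (TCP connections limited to that address)" ;;
    esac
    return $rc
}

# Constructed sample files: the questioner's settings, then a hardened variant.
weak_conf=$(mktemp); hard_conf=$(mktemp)
printf 'dbpath = c:\\mongo\\data\\db\nport = 27017\nauth = true\n' > "$weak_conf"
printf 'port = 27017\nauth = true\nbind_ip = 127.0.0.1\n' > "$hard_conf"

echo "--- questioner's config"; audit_mongod_conf "$weak_conf" || true
echo "--- hardened config";     audit_mongod_conf "$hard_conf"  || true
```

The questioner's file passes the auth check but fails the bind check, which is exactly the state the answer describes: anyone who can reach the port gets a TCP connection, and only the firewall or bind address can change that.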
