MongoDB server can still be accessed without credentials


Problem description


I have a fresh mongodb server (2.6.0) in my machine and I started the mongod instance with the following config file:

dbpath = c:mongodatadb
port = 27017
logpath = c:mongodatalogsmongo.log
auth = true


Later, I connected to this mongod instance through mongo shell and created an admin user:

use admin
db.createUser(
  {
    user: "tugberk",
    pwd: "12345678",
    roles:
    [
      {
        role: "userAdminAnyDatabase",
        db: "admin"
      }
    ]
  }
)


Then, I logged out from the shell and reconnected with the following command:

mongo --host localhost --port 27017 -u tugberk -p 12345678 --authenticationDatabase admin


Then, I created a user with root access:

use admin
db.createUser(
  {
    user: "tugberkRoot",
    pwd: "12345678",
    roles: [ "root" ]
  }
)


The last step is not necessary here but the anonymous access now should have been fully disabled. However, I can still connect to it anonymously through mongo shell (even if I don't have any access to do anything):


What should I do to prevent any anonymous connection?

Recommended answer


Authentication prevents you from performing actions on the database (as your screenshot shows - you can't even list databases), it doesn't prevent connections - after all, you have to be able to connect to be able to authenticate.


There is a feature request to add timeouts, but for now this is essentially how the server is meant to behave.


It's worth noting that up until you try to do something, this is really no different than just connecting to the port with telnet - the text displayed at the start "connecting to:" etc. is from the client, not the server. As soon as it tries to do anything unauthenticated, even list the server warnings, an error is thrown because it does not have sufficient permissions.


If you want to lock down things from a connection perspective, the only option from a MongoDB perspective is to restrict the IP addresses it listens on (default is all) using the bindIp option. Using 127.0.0.1 would lock it down to local usage for example (but you would then be unable to connect from a remote host), which makes replication an issue so be careful when choosing your bound address.


Outside MongoDB, you should look at locking things down from a firewall perspective. On Linux this would be IPTables, ufw, hosts.allow/deny or similar. Windows firewall is not my area of expertise, but I would imagine you can do similar there also.
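To make the answer's two points concrete (auth gates operations, not connections; exposure is limited with bind_ip or a firewall), here is an added audit script that is not part of the original thread. It parses the old-style `key = value` mongod config format the poster used and flags a missing `auth` or a missing/wildcard `bind_ip`; the sample configs and their paths are constructed, not the poster's.

```python
"""Audit an old-style (key = value) mongod config for the two settings the
answer discusses: auth (authorization) and bind_ip (network exposure).
Added example, not part of the original Q&A; the sample configs below are
constructed, not taken from the poster's machine."""


def parse_mongod_conf(text: str) -> dict:
    """Parse the pre-YAML 'key = value' config format into a dict.
    Blank lines and '#' comments are skipped; keys are lower-cased."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip().lower()] = value.strip()
    return conf


def audit_exposure(conf: dict) -> list:
    """Return a list of finding strings; an empty list means both checks pass.
    auth=true only gates operations; it never stops a TCP connect, so
    network exposure must be limited with bind_ip and/or a host firewall."""
    findings = []
    if conf.get("auth", "false").lower() != "true":
        findings.append("auth is not enabled: any client can run commands")
    bind_ip = conf.get("bind_ip")
    if bind_ip is None:
        findings.append("bind_ip not set: mongod listens on all interfaces")
    else:
        addrs = [a.strip() for a in bind_ip.split(",")]
        if any(a in ("0.0.0.0", "::") for a in addrs):
            findings.append("bind_ip includes a wildcard address: reachable from any host")
    return findings


# Constructed sample mirroring the poster's layout (auth on, no bind_ip).
QUESTION_CONF = """
dbpath = /var/lib/mongo
port = 27017
logpath = /var/log/mongo.log
auth = true
"""

# Constructed hardened variant: same settings plus a loopback-only bind.
HARDENED_CONF = QUESTION_CONF + "bind_ip = 127.0.0.1\n"

if __name__ == "__main__":
    for name, text in (("question", QUESTION_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_exposure(parse_mongod_conf(text)) or ["ok"])
```

Binding to 127.0.0.1 removes remote access entirely, including from replica set members, so pick the address the answer warns about deliberately and pair it with a host firewall rule.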
