Unauthorized IP accessing MongoDB

Problem description:


I've just been recently playing with MongoDB on one of my Dev servers not doing anything too serious and despite knowing better I allowed remote connections from any IP. Within a few days the database was 'hacked' with a ransom attempt. I shrugged it off and decided to go ahead and bind the IP to my personal public IP and the local server thinking it would shut down the breach.


Nope. Database has once again been compromised, so I decided to take a look at the log and it shows, clear as day, that a connection was completed from an IP that was not included in my config. How could this still be happening?


Additionally I did execute service mongodb restart after making the ipbind changes.


Here is the network interface section of my config:

# network interfaces
net:
  port: 27017
  bindIp: [127.0.0.1,90.207.xxx.xxx,76.94.xxx.xxx,23.23.xxx.xxx]

The bindIp setting is a list of the IP addresses your MongoDB server listens to, not a firewall to limit remote access. If your server has a private and a public IP, the bindIp list should be at most three entries: 127.0.0.1 (localhost), the private IP, and the public IP.


Ideally you should limit your MongoDB deployment to only listen to localhost or a private IP, and connect remotely via SSH or VPN.


Security in depth requires multiple measures as outlined in the MongoDB security checklist.


For example, in addition to correcting your bindIp setting you should:

  • Enable access control & enforce authentication.
  • Configure your mongod and mongos servers to require SSL for all network communication.
  • Configure a firewall for your deployment.
  • Make sure you are running a supported release of MongoDB (e.g. MongoDB 3.0 or newer as of January 2017).
  • Make sure you have updated to the latest minor release for your MongoDB production series (i.e. latest 3.2.x if you are using MongoDB 3.2).
  • Make sure you've applied the latest O/S security updates.
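As an added illustration of the answer's point (this is example code written for this page, not part of the question, the answer or MongoDB itself), the script below audits a mongod configuration for exactly the exposures listed: public or wildcard bindIp entries, authentication not enforced, and SSL/TLS not required. Configuration is passed in as plain dicts in the shape PyYAML would produce for a mongod.conf, so no third-party module is needed. The sample "exposed" config mirrors the questioner's, with the redacted addresses replaced by constructed documentation-range placeholders (203.0.113.10, 198.51.100.7); the "hardened" config's private address 10.0.0.5 and certificate path are likewise assumptions.

```python
# Added example (not from the question or answer above): audit a mongod
# net/security configuration for the exposures the answer lists. Config
# values are handed in as plain dicts (the shape PyYAML would give for a
# mongod.conf), so it runs without any third-party module.
import ipaddress

# Addresses the answer considers acceptable to listen on: loopback and
# RFC 1918 / ULA private ranges. Anything else is treated as reachable
# from remote networks. Documentation ranges such as 203.0.113.0/24
# deliberately fall outside this list so the constructed sample is flagged.
SAFE_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "::1/128",
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7",
)]


def classify_bind_entry(entry):
    """Return 'loopback', 'private', 'all', 'public' or 'hostname' for one bindIp entry."""
    try:
        addr = ipaddress.ip_address(entry)
    except ValueError:
        return "hostname"      # e.g. 'localhost' or a DNS name: resolve it before trusting it
    if addr.is_unspecified:
        return "all"           # 0.0.0.0 / :: means every interface
    if addr.is_loopback:
        return "loopback"
    if any(addr in n for n in SAFE_NETS):
        return "private"
    return "public"


def bind_entries(bind_ip):
    """mongod takes bindIp as a comma-separated string; a YAML list is tolerated here too."""
    if isinstance(bind_ip, str):
        bind_ip = bind_ip.split(",")
    return [e.strip() for e in bind_ip if e.strip()]


def audit(config):
    """Return a list of findings; an empty list means the checked settings follow the answer's advice."""
    findings = []
    net = config.get("net", {})
    if "bindIp" not in net:
        findings.append("net.bindIp unset: the default is all interfaces before 3.6, localhost from 3.6 on")
    else:
        for entry in bind_entries(net["bindIp"]):
            kind = classify_bind_entry(entry)
            if kind == "all":
                findings.append(f"bindIp {entry}: listens on every interface")
            elif kind == "public":
                findings.append(f"bindIp {entry}: public address, reachable by any host that can route "
                                "to it (bindIp is not an allow-list)")
            elif kind == "hostname":
                findings.append(f"bindIp {entry}: hostname, check what it resolves to")
    if config.get("security", {}).get("authorization") != "enabled":
        findings.append("security.authorization is not 'enabled': no authentication is required")
    # net.ssl.mode is the 3.x name; 4.2+ spells it net.tls.mode with requireTLS
    ssl_mode = net.get("ssl", {}).get("mode") or net.get("tls", {}).get("mode")
    if ssl_mode not in ("requireSSL", "requireTLS"):
        findings.append(f"net.ssl.mode/net.tls.mode is {ssl_mode!r}: encryption of network traffic is not required")
    return findings


# Constructed sample: the shape of the questioner's config, with the redacted
# public addresses replaced by documentation-range placeholders.
EXPOSED_CONFIG = {
    "net": {"port": 27017,
            "bindIp": "127.0.0.1,203.0.113.10,198.51.100.7"},
}

# Hardened: listen only on loopback and the host's (assumed) private address,
# require authentication and SSL; remote admins reach it over SSH or a VPN.
HARDENED_CONFIG = {
    "net": {"port": 27017,
            "bindIp": "127.0.0.1,10.0.0.5",
            "ssl": {"mode": "requireSSL", "PEMKeyFile": "/etc/ssl/mongod.pem"}},  # placeholder path
    "security": {"authorization": "enabled"},
}

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or ["no findings"])
```

Run as-is it reports four findings for the exposed config (two public bind addresses, no authorization, no SSL requirement) and none for the hardened one. The bind-address check is the one that answers the question: a public address in bindIp makes mongod accept connections from anyone who can reach that address, so the firewall and authentication items on the list are what actually restrict who gets in.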