Network and Configuration Hardening
To reduce the risk exposure of the entire MongoDB system, ensure that only trusted hosts have access to MongoDB.
MongoDB Configuration Hardening
IP Binding
MongoDB binaries, mongod and mongos, bind to localhost by default.
Before you bind your instance to a publicly accessible IP address, you must secure your cluster from unauthorized access. For a complete list of security recommendations, see Security Checklist. At minimum, enable authentication and harden the network infrastructure before the instance is reachable from anything other than the loopback interface.
For more information, see IP Binding.
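The following pre-flight check is an added example, not part of the MongoDB documentation or the mongod code base. It reads a mongod.conf and refuses any configuration that binds to a non-loopback address (via net.bindIp or net.bindIpAll) without security.authorization set to enabled. The parser is deliberately minimal: it handles only the inline, comma-separated form of bindIp, not the YAML list form, and the file paths and addresses in the usage comment are assumed for illustration.

```shell
#!/bin/sh
# Added example (not from the MongoDB docs): refuse a mongod.conf that exposes
# mongod beyond localhost without authorization enabled.
# Only the flat "key: value" forms are parsed; a YAML list under bindIp is not handled.

# conf_value KEY FILE -> prints the value of the first "KEY: value" line,
# with surrounding quotes and spaces removed
conf_value() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" "$2" | head -n 1 | tr -d "\"' "
}

# check_bind_config FILE -> exit 0 if safe to run, 1 if it must not be started
check_bind_config() {
    conf="$1"
    bind_ip=$(conf_value bindIp "$conf")
    bind_all=$(conf_value bindIpAll "$conf")
    authz=$(conf_value authorization "$conf")

    exposed=0
    if [ "$bind_all" = "true" ]; then
        exposed=1
    else
        # bindIp is a comma-separated list; any non-loopback entry exposes the instance.
        # An absent bindIp keeps the default (localhost), so the loop simply runs zero times.
        old_ifs=$IFS
        IFS=','
        for addr in $bind_ip; do
            case "$addr" in
                localhost|127.0.0.1|::1) ;;
                *) exposed=1 ;;
            esac
        done
        IFS=$old_ifs
    fi

    if [ "$exposed" -eq 1 ] && [ "$authz" != "enabled" ]; then
        echo "REJECT: $conf binds to a non-loopback address without security.authorization: enabled"
        return 1
    fi
    echo "OK: $conf"
    return 0
}

# Usage (path assumed): sh check_bind.sh /etc/mongod.conf && systemctl start mongod
if [ -n "${1:-}" ]; then
    check_bind_config "$1"
fi
```

Run it from the unit or wrapper that starts mongod so that a configuration which widens bindIp without also enabling authorization never reaches a public interface.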
HTTP Status Interface and REST API
Changed in version 3.6: MongoDB 3.6 removes the deprecated HTTP interface and REST API to MongoDB.
Network Hardening
Firewalls
Firewalls allow administrators to filter and control access to a system by providing granular control over network communications. For administrators of MongoDB, the following capabilities are important: limiting incoming traffic on a specific port to specific systems and limiting incoming traffic from untrusted hosts.
On Linux systems, the iptables interface provides access to the underlying netfilter firewall. On Windows systems, the netsh command line interface provides access to the underlying Windows Firewall. For additional information about firewall configuration, see:
Configure Linux iptables Firewall for MongoDB and Configure Windows netsh Firewall for MongoDB.
For best results and to minimize overall exposure, ensure that only traffic from trusted sources can reach mongod and mongos instances, and that the mongod and mongos instances can only connect to trusted destinations.
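The ruleset generator below is an added example, not taken from the MongoDB documentation or from the linked iptables guide. It implements the two capabilities the paragraph above calls for: inbound connections to the mongod port are accepted only from an explicit list of trusted hosts or CIDRs, outbound connections from this host's mongod are allowed only to those same trusted peers (replica-set members, shards, application servers), and everything else on that port is dropped in both directions. The rules are printed rather than applied so they can be reviewed first; the port defaults to 27017 and the addresses in the usage comment are assumed.

```shell
#!/bin/sh
# Added example (not from the MongoDB docs): emit iptables rules that confine
# MongoDB traffic on $MONGO_PORT to a list of trusted hosts/CIDRs.
# Rules are printed so they can be reviewed; pipe them to sh as root to apply.

MONGO_PORT="${MONGO_PORT:-27017}"   # default mongod port; override for mongos/config servers

# mongod_rules TRUSTED...  -> prints the ruleset, ACCEPTs first, then the DROPs
mongod_rules() {
    for peer in "$@"; do
        # inbound: a trusted peer may open a connection to this mongod, and we may reply
        echo "iptables -A INPUT  -s $peer -p tcp --dport $MONGO_PORT -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"
        echo "iptables -A OUTPUT -d $peer -p tcp --sport $MONGO_PORT -m conntrack --ctstate ESTABLISHED -j ACCEPT"
        # outbound: this host's mongod may connect to a trusted peer (replication, sharding), and receive replies
        echo "iptables -A OUTPUT -d $peer -p tcp --dport $MONGO_PORT -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"
        echo "iptables -A INPUT  -s $peer -p tcp --sport $MONGO_PORT -m conntrack --ctstate ESTABLISHED -j ACCEPT"
    done
    # everything else touching the MongoDB port, in either direction, is dropped.
    # These are appended last so the ACCEPT rules above are evaluated first.
    echo "iptables -A INPUT  -p tcp --dport $MONGO_PORT -j DROP"
    echo "iptables -A OUTPUT -p tcp --dport $MONGO_PORT -j DROP"
}

# apply_rules TRUSTED...  -> applies the generated rules (must run as root)
apply_rules() {
    mongod_rules "$@" | sh
}

# Usage (addresses assumed):
#   sh mongo-fw.sh 10.0.0.5 10.0.1.0/24 > rules.sh   # review rules.sh
#   sudo sh rules.sh                                  # then apply
if [ $# -gt 0 ]; then
    mongod_rules "$@"
fi
```

The DROP rules are intentionally scoped to the MongoDB port so that the generated fragment composes with whatever default policy the host already has; on a host with a default DROP policy on INPUT and OUTPUT they are redundant but harmless. For mongos or config servers, set MONGO_PORT to the port those processes actually listen on and run the generator once per role.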
Virtual Private Networks
Virtual private networks, or VPNs, make it possible to link two networks over an encrypted and limited-access trusted network. Typically, MongoDB users who use VPNs use TLS/SSL rather than IPSEC VPNs for performance reasons.
Depending on configuration and implementation, VPNs provide for certificate validation and a choice of encryption protocols, which requires a rigorous level of authentication and identification of all clients. Furthermore, because VPNs provide a secure tunnel, by using a VPN connection to control access to your MongoDB instance, you can prevent tampering and "man-in-the-middle" attacks.
Disable IP Forwarding
IP forwarding allows servers to forward packets to other systems. Disable this feature on servers that host mongod.
To disable IP forwarding on Linux, use the sysctl command:
sudo sysctl -w net.ipv4.ip_forward=0
To make the change persistent, edit the /etc/sysctl.conf file to add this line:
net.ipv4.ip_forward = 0
IP forwarding is disabled by default on Windows.