To reduce the risk exposure of the entire MongoDB system, ensure that only trusted hosts have access to MongoDB.
MongoDB Configuration Hardening
IP Binding
MongoDB binaries, mongod and mongos, bind to localhost by default.
Warning
Before you bind your instance to a publicly-accessible IP address, you must secure your cluster from unauthorized access. For a complete list of security recommendations, see Security Checklist for Self-Managed Deployments. At minimum, consider enabling authentication and hardening network infrastructure.
For more information, see IP Binding in Self-Managed Deployments.
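The warning above is easy to violate silently: a mongod.conf that sets net.bindIp to 0.0.0.0 (or net.bindIpAll to true) without security.authorization: enabled is reachable from every interface with no credentials required. The script below is an added example, not code from the MongoDB documentation, that audits a mongod.conf for exactly that combination. It assumes the documented YAML layout with one "key: value" per line under top-level net: and security: sections (YAML list syntax for bindIp is not parsed), and the two sample configuration files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the MongoDB documentation: audit a mongod.conf for
# a bindIp that reaches beyond loopback without security.authorization enabled.
# Assumes one "key: value" per line under a top-level "net:" / "security:"
# section, scalar values and optional "#" comments.

# conf_value FILE SECTION KEY -> prints SECTION.KEY's value, or nothing if unset
conf_value() {
    awk -v sect="$2" -v key="$3" '
        /^[^[:space:]#]/ { in_sect = ($1 == (sect ":")) }
        in_sect && $1 == (key ":") {
            sub(/^[[:space:]]*[^:]+:[[:space:]]*/, "")
            sub(/[[:space:]]*#.*$/, "")
            sub(/[[:space:]]+$/, "")
            print
            exit
        }' "$1"
}

# audit_bind_config FILE -> 0 when safe, 1 when mongod listens beyond loopback
# without authorization. bindIp defaults to localhost when unset, so an empty
# value is treated as not exposed.
audit_bind_config() {
    conf="$1"
    bind_ip=$(conf_value "$conf" net bindIp)
    bind_all=$(conf_value "$conf" net bindIpAll)
    authz=$(conf_value "$conf" security authorization)

    exposed=0
    [ "$bind_all" = "true" ] && exposed=1
    for addr in $(printf '%s\n' "$bind_ip" | tr ',' ' '); do
        case "$addr" in
            127.0.0.1|::1|localhost|/*) ;;   # loopback or a unix socket path
            *) exposed=1 ;;
        esac
    done

    if [ "$exposed" -eq 1 ] && [ "$authz" != "enabled" ]; then
        echo "UNSAFE: $conf listens beyond loopback (bindIp=${bind_ip:-unset}, bindIpAll=${bind_all:-unset}) without security.authorization: enabled"
        return 1
    fi
    echo "OK: $conf (bindIp=${bind_ip:-localhost}, authorization=${authz:-unset})"
    return 0
}

# Constructed sample configs for a stand-alone run (not real deployment files)
write_sample_configs() {
    cat > "$1/weak.conf" <<'EOF'
net:
  port: 27017
  bindIp: 0.0.0.0   # every interface, and no security section at all
storage:
  dbPath: /var/lib/mongodb
EOF
    cat > "$1/hardened.conf" <<'EOF'
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.1.5   # loopback plus the private replication interface
security:
  authorization: enabled
EOF
}

tmpdir=$(mktemp -d)
write_sample_configs "$tmpdir"
audit_bind_config "$tmpdir/weak.conf" || :     # UNSAFE, exit status 1
audit_bind_config "$tmpdir/hardened.conf"       # OK, exit status 0
rm -rf "$tmpdir"
```

The check treats authorization as the minimum the warning asks for; a configuration that passes it still needs the firewall rules from the next section, since enabling authentication does not stop an exposed port from being probed.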
Network Hardening
Firewalls
Firewalls allow administrators to filter and control access to a system by providing granular control over network communications. For administrators of MongoDB, the following capabilities are important: limiting incoming traffic on a specific port to specific systems and limiting incoming traffic from untrusted hosts.
On Linux systems, the iptables interface provides access to the underlying netfilter firewall. On Windows systems, the netsh command line interface provides access to the underlying Windows Firewall. For additional information about firewall configuration, see Configure Linux iptables Firewall for Self-Managed Deployments and Configure Windows netsh Firewall for Self-Managed Deployments.
For best results and to minimize overall exposure, ensure that only traffic from trusted sources can reach mongod and mongos instances and that the mongod and mongos instances can only connect to trusted outputs.
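The two requirements just stated, inbound only from trusted sources and outbound only to trusted destinations, map directly onto an iptables policy. The script below is an added example, not code from the MongoDB documentation, that prints such a policy for a mongod host given a list of trusted application servers and a list of the other replica set members. The rules use the stateful "-m state" form that MongoDB's own iptables guide uses; the host addresses are constructed placeholders, and the script only prints the commands unless it is run with --apply.

```shell
#!/bin/sh
# Added example, not part of the MongoDB documentation: emit an iptables policy
# that lets only trusted application servers and replica set members reach the
# MongoDB port, lets mongod open MongoDB connections only to the other members,
# and drops everything else on that port in both directions. The addresses
# below are constructed placeholders.

MONGO_PORT=27017

# mongo_fw_rules "client1 client2 ..." "member1 member2 ..."
# Prints the iptables commands instead of running them, so the policy can be
# reviewed (or compared with iptables-save) before it is applied.
mongo_fw_rules() {
    clients="$1"
    members="$2"

    # Inbound: trusted clients and members may open sessions to mongod, and
    # replies to those sessions may leave the host only towards them
    for src in $clients $members; do
        printf 'iptables -A INPUT -s %s -p tcp --dport %s -m state --state NEW,ESTABLISHED -j ACCEPT\n' "$src" "$MONGO_PORT"
        printf 'iptables -A OUTPUT -d %s -p tcp --sport %s -m state --state ESTABLISHED -j ACCEPT\n' "$src" "$MONGO_PORT"
    done

    # Outbound: mongod itself may only initiate MongoDB connections to the
    # other replica set members (replication, elections), and accept their replies
    for member in $members; do
        printf 'iptables -A OUTPUT -d %s -p tcp --dport %s -m state --state NEW,ESTABLISHED -j ACCEPT\n' "$member" "$MONGO_PORT"
        printf 'iptables -A INPUT -s %s -p tcp --sport %s -m state --state ESTABLISHED -j ACCEPT\n' "$member" "$MONGO_PORT"
    done

    # Local clients (mongosh on the box, monitoring agents) still reach 127.0.0.1
    printf 'iptables -A INPUT -i lo -p tcp --dport %s -j ACCEPT\n' "$MONGO_PORT"
    printf 'iptables -A OUTPUT -o lo -p tcp --dport %s -j ACCEPT\n' "$MONGO_PORT"

    # Everything else aimed at the MongoDB port, inbound or outbound, is dropped
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$MONGO_PORT"
    printf 'iptables -A OUTPUT -p tcp --dport %s -j DROP\n' "$MONGO_PORT"
}

# Constructed example hosts: two application servers and two other members
APP_SERVERS="10.0.0.11 10.0.0.12"
REPLICA_MEMBERS="10.0.1.5 10.0.1.6"

if [ "${1:-}" = "--apply" ]; then
    mongo_fw_rules "$APP_SERVERS" "$REPLICA_MEMBERS" | sh     # needs root
else
    mongo_fw_rules "$APP_SERVERS" "$REPLICA_MEMBERS"          # dry run: print the policy
fi
```

The DROP rules are scoped to the MongoDB port and the chain default policies are left alone, so applying this does not cut off SSH or other services; if your chains already default to DROP, the explicit ESTABLISHED rules above are what keep replies flowing. Rules added with -A are not persistent across reboots, so save them with your distribution's iptables persistence mechanism once reviewed.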
Virtual Private Networks
Virtual private networks, or VPNs, make it possible to link two networks over an encrypted and limited-access trusted network. Typically, MongoDB users who use VPNs use TLS/SSL rather than IPsec VPNs for performance reasons.
Depending on configuration and implementation, VPNs provide for certificate validation and a choice of encryption protocols, which requires a rigorous level of authentication and identification of all clients. Furthermore, because VPNs provide a secure tunnel, by using a VPN connection to control access to your MongoDB instance, you can prevent tampering and "man-in-the-middle" attacks.
Disable IP Forwarding
IP forwarding allows servers to forward packets to other systems. Disable this feature on servers that host mongod.
Linux
To disable IP forwarding on Linux, use the sysctl command:
sudo sysctl -w net.ipv4.ip_forward=0
To make the change persistent, edit the /etc/sysctl.conf file to add this line:
net.ipv4.ip_forward = 0
Windows
IP forwarding is disabled by default on Windows.
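The two Linux steps above can drift apart: the persistent file can say 0 while something that started later (a container runtime such as Docker enables forwarding when its daemon starts) has written 1 to the running kernel, or a drop-in under /etc/sysctl.d can override the line in sysctl.conf. The script below is an added example, not code from the MongoDB documentation, that checks both the live value and the persistent setting and reports which one is wrong. File paths are parameters so the functions can be exercised on constructed files; the real locations are /proc/sys/net/ipv4/ip_forward, /etc/sysctl.d/*.conf and /etc/sysctl.conf.

```shell
#!/bin/sh
# Added example, not part of the MongoDB documentation: confirm that IP
# forwarding is off in the running kernel and pinned to 0 in the persistent
# sysctl configuration, and say which side is wrong when they disagree.

# effective_sysctl_setting KEY FILE... -> the value the last file that sets KEY
# would apply (later files win, so pass them in the order your sysctl --system
# applies them), or nothing if no file sets it. Missing files are skipped.
effective_sysctl_setting() {
    key="$1"; shift
    value=""
    for f in "$@"; do
        [ -r "$f" ] || continue
        v=$(awk -F= -v k="$key" '
            /^[[:space:]]*[#;]/ { next }
            {
                gsub(/[[:space:]]/, "", $1)
                sub(/[#;].*/, "", $2)
                gsub(/[[:space:]]/, "", $2)
            }
            $1 == k { last = $2 }
            END { print last }' "$f")
        [ -n "$v" ] && value="$v"
    done
    printf '%s\n' "$value"
}

# running_ip_forward [PROCFILE] -> live kernel value, or "unknown" if unreadable
running_ip_forward() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    if [ -r "$f" ]; then cat "$f"; else echo unknown; fi
}

# check_ip_forward PROCFILE CONFFILE... -> 0 when the live value and the
# persistent setting are both 0, 1 otherwise
check_ip_forward() {
    procfile="$1"; shift
    live=$(running_ip_forward "$procfile")
    persistent=$(effective_sysctl_setting net.ipv4.ip_forward "$@")
    status=0
    if [ "$live" != "0" ]; then
        echo "WARN: running kernel has net.ipv4.ip_forward=$live (something enabled it at runtime)"
        status=1
    fi
    if [ "$persistent" != "0" ]; then
        echo "WARN: persistent sysctl config does not pin net.ipv4.ip_forward to 0 (effective value: ${persistent:-unset})"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "OK: IP forwarding is disabled now and pinned off across reboots"
    return "$status"
}

# Constructed files for a stand-alone run: sysctl.conf is correct, but the
# live kernel value (a stand-in for /proc/sys/net/ipv4/ip_forward) is 1
tmpdir=$(mktemp -d)
printf 'net.ipv4.ip_forward = 0\n' > "$tmpdir/sysctl.conf"
printf '1\n' > "$tmpdir/ip_forward"
check_ip_forward "$tmpdir/ip_forward" "$tmpdir/sysctl.conf" || :   # WARN on the live value, exit status 1
rm -rf "$tmpdir"
# On a real host (procps order, /etc/sysctl.conf applied last):
# check_ip_forward /proc/sys/net/ipv4/ip_forward /etc/sysctl.d/*.conf /etc/sysctl.conf
```

When the live value is wrong, re-run the sysctl -w command from the section above and then find what turned forwarding on, since it will do so again at the next boot; when the persistent value is wrong, the fix is the sysctl.conf line above, placed in whichever file your system applies last.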