what's the easiest way to password protect mongodb database for remote user? - mongodb

I have a MongoDB running on my server. For local connections to the db I don't need any password to protect it (that is, within the same physical machine, meaning connecting to the server through the 127.0.0.1 IP address).
But I don't want other people in the network to be able to connect to my database without a password, only the authorized user. So I want to set up password protection for the remote user.
How do I do it?

Right now MongoDB does not support an authentication mode based on the user's location. So that means if you run mongod with --auth, that will apply to everyone.
There are not (yet) advanced authentication schemes like IP, protocol source, etc. For now you can only define whether the user has read-only or write permissions on a database. So basically the only thing MongoDB cares about is whether you typed the right password for the right user.
Personally, in all production environments I would recommend using the secure mode, because even if you allow only connections from localhost, any user who has access to the local server or any malicious script on the host can easily wipe all your data.

The MongoDB Security and Authentication page has information on configuring user authentication and firewall settings.
Note that when you enable password authentication for a database, the authentication requirement will apply to both local and remote users (so you will also need to connect with a password through the local IP).

MongoDB does not offer an easy way to protect the database. I assume this is the reason why there are tens of thousands of MongoDB instances on the net that are unprotected from hackers.

Related

Mongodb --authentication

I used MongoDB locally without authentication by running mongod as the server and connecting to it with just mongo as a user.
Now, after creating users and running the server as mongod --auth, I can connect using the user id and pwd assigned by me.
The problem is that when connecting mongo back to a plain mongod, it again gets connected to the database and the whole database is visible again; this should not happen as I have enabled authentication.
Using mongod as a server should block the users from getting access. Same is the problem for my personal server.
Is there any solution to enable the security permanently, that is, enable mongod --auth and not just mongod?
If I understand correctly, your concern is that restarting a mongod process without access control enabled allows you to access data without authentication. This is the expected outcome: a user with direct access to restart services or copy MongoDB data files has greater permissions than the mongod process.
Authentication only verifies remote client access to the mongod service: it does not encrypt or protect data files if a user has direct local read access. If you have an environment allowing remote and/or multi-user access, you should take steps to appropriately limit access to your data files and service management.
If you want to secure data files from direct access, it sounds like you may be looking for Encryption at Rest or Disk Encryption. These security measures prevent direct read access to your data files or filesystem without appropriate credentials, but you still have to limit access appropriately and protect those credentials.
For general measures see the MongoDB Security Checklist.

postgresql disable modifying pg_hba to connect

I have a PostgreSQL 11 instance that I need to share with the client; it's OK to let the client do whatever they want except the accounts.
If the client modifies pg_hba.conf, they can connect without a password. Is there any way to disable pg_hba, so that there is no way to connect without a password?
PS: the client has host access.

Anonymous users can connect to MongoDB with security.authorization enabled

I have enabled the security.authorization setting in /etc/mongod.conf:
security:
  authorization: enabled
But I am still able to connect to the mongo shell without providing credentials:
mongo
Enabling security.authorization seems to enforce access control on the databases, and the anonymous user doesn't seem to be able to perform any actions such as listing databases and/or collections.
I have attempted to enable auth in the /etc/mongodb.conf file, but this didn't seem to have any effect and I can still connect anonymously:
auth = true
How do I set the mongo shell to require authentication so that anonymous connections are blocked?
The authorization mode in MongoDB does not work like MySQL's.
It will prevent non-authorized or anonymous users from reading or writing the DB, but it won't forbid people from connecting to your DB.
Anonymous users will always be able to connect, but they can't do anything.
If you want to block connections from unknown users or servers, you can enable the net.bindIp parameter to allow only the selected IPs to connect to your database.
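As an added example (not part of the question or answer above), here is a small Node.js audit of a mongod.conf that reports the two settings this thread turns on: access control and the listening addresses. It handles the YAML layout (security: / authorization: enabled, net: / bindIp:) and the legacy "auth = true" / "bind_ip = ..." layout from the question; it assumes the stock two-level "section:" / "  key: value" shape (nested lists and anchors are not parsed), and the sample configs are constructed.

```javascript
// Parse a mongod.conf in either the YAML layout or the legacy "key = value" layout
// into a flat map such as { "security.authorization": "enabled", "net.bindIp": "..." }.
function parseMongodConf(text) {
  const conf = {};
  let section = null;
  for (const raw of text.split("\n")) {
    const line = raw.replace(/#.*$/, "").trimEnd();      // drop comments
    if (!line.trim()) continue;
    const legacy = line.match(/^\s*(\w+)\s*=\s*(.+)$/);  // e.g. auth = true
    if (legacy) { conf[legacy[1]] = legacy[2].trim(); continue; }
    const m = line.match(/^(\s*)([\w.]+):\s*(.*)$/);      // YAML "key: value"
    if (!m) continue;
    const [, indent, key, value] = m;
    if (value === "") { section = key; continue; }       // "security:" header line
    const full = indent.length > 0 && section ? `${section}.${key}` : key;
    conf[full] = value.trim();
  }
  return conf;
}

// Report whether access control is on and which addresses mongod listens on.
// Assumption: bindIp unset means a pre-3.6 mongod, which listened on all interfaces;
// 3.6 and later default to localhost, but the safe reading is to flag it.
function auditMongodConf(text) {
  const conf = parseMongodConf(text);
  const authOn = conf["security.authorization"] === "enabled" || conf["auth"] === "true";
  const bindRaw = conf["net.bindIp"] || conf["bind_ip"];
  const bindIp = bindRaw ? bindRaw.split(",").map(s => s.trim()) : [];
  const allInterfaces = conf["net.bindIpAll"] === "true" ||
    bindIp.includes("0.0.0.0") || bindIp.includes("::");
  const findings = [];
  if (!authOn) {
    findings.push("access control is off: any client can read and write every database");
  }
  if (bindIp.length === 0 && conf["net.bindIpAll"] === undefined) {
    findings.push("bindIp not set: mongod before 3.6 listened on all interfaces by default");
  } else if (allInterfaces) {
    findings.push("listening on all interfaces: authorization alone does not stop anonymous connections");
  }
  return { authOn, bindIp, findings };
}

// Constructed sample configs (not from any real deployment).
const CONF_YAML = "security:\n  authorization: enabled\nnet:\n  bindIp: 127.0.0.1,10.0.0.5\n  port: 27017\n";
const CONF_LEGACY = "auth = true\nbind_ip = 0.0.0.0\n";
const CONF_BARE = "storage:\n  dbPath: /var/lib/mongodb\n";
```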

Force postgres_fdw to use password?

I have two databases set up as part of the same Postgresql 9.4 database cluster, and I'm trying to access a table in one of them from the other using a postgres_fdw. I have it all set up and working as a superuser, however when I try to access the foreign table as a normal user, I get the following error:
ERROR: password is required
DETAIL: Non-superuser cannot connect if the server does not request a password.
HINT: Target server's authentication method must be changed.
Now I understand that this is because I have the server set up with trust authentication for certain subnets, including its own. However, in the 1 USER MAPPING I created, I did specify a password, with the hope that doing so would force it to use password authentication. No such luck apparently.
As such, my question is if there is any way around this somewhat onerous requirement? Is there a way to force this connection, or a specific user, or the like to use password authentication? Or some way to disable the requirement? Or is my only option to change the configuration to require passwords, and deal with whatever that breaks?
As Nick Barnes pointed out in a comment, pg_hba allows different authentication rules for specific users. As such, the solution to this issue was to simply create a user specifically for these FDW connections, and set that user in the pg_hba.conf to require a password. That way my trusted web apps on the trusted network can continue connecting as usual, but the FDW can get the password request it requires.
You can't force the FDW to use a password: the server on the other end must request the password. The usual default for local socket connections is no password.
Try connecting via TCP instead of using local sockets: add host=localhost to the connection parameters, that will usually fix it.
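As an added example (not part of the question or either answer above), the following Node.js model of pg_hba.conf record selection shows why both answers work: PostgreSQL consults only the first record whose type, database, user and address match the incoming connection, with no fallback, so the user-specific password record must precede the subnet-wide trust record, and a socket connection never reaches the "host" records at all. The rules and addresses are constructed; "md5" stands in for the password method available on 9.4 (newer servers would use scram-sha-256).

```javascript
// IPv4 dotted quad to an unsigned 32-bit integer.
function ipToInt(ip) {
  return ip.split(".").reduce((n, o) => (n << 8) + Number(o), 0) >>> 0;
}

// True if `ip` lies inside `cidr` ("10.0.0.0/24"; a bare address means /32).
function inCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split("/");
  const bits = bitsStr === undefined ? 32 : Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return (ipToInt(ip) & mask) === (ipToInt(net) & mask);
}

// A record: { type: "local" | "host", database, user, address?, method }.
// A connection: { via: "socket" | "tcp", database, user, address? }.
// Returns the method of the first matching record, as PostgreSQL does.
function hbaMethod(rules, conn) {
  for (const r of rules) {
    if (r.type === "local" && conn.via !== "socket") continue;
    if (r.type === "host" && conn.via !== "tcp") continue;
    if (r.database !== "all" && r.database !== conn.database) continue;
    if (r.user !== "all" && r.user !== conn.user) continue;
    if (r.type === "host" && !inCidr(conn.address, r.address)) continue;
    return r.method;   // first match wins; a failed auth here does not fall through
  }
  return "reject";     // no matching record: PostgreSQL refuses the connection
}

// Constructed pg_hba.conf equivalent of the accepted answer: the dedicated FDW
// user's password record sits before the subnet-wide and loopback trust records.
const RULES = [
  { type: "local", database: "all", user: "all", method: "trust" },
  { type: "host", database: "all", user: "fdw_user", address: "127.0.0.1/32", method: "md5" },
  { type: "host", database: "all", user: "all", address: "10.0.0.0/24", method: "trust" },
  { type: "host", database: "all", user: "all", address: "127.0.0.1/32", method: "trust" },
];

// The same records with the loopback trust line moved ahead of the FDW line.
const SHADOWED = [RULES[0], RULES[3], RULES[1], RULES[2]];
```

With RULES, fdw_user over TCP from 127.0.0.1 gets "md5" while the web apps on 10.0.0.0/24 keep "trust"; with SHADOWED the loopback trust record wins first and the "password is required" error returns, and the same user over the Unix socket only ever sees the "local" trust record, which is why the second answer adds host=localhost.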

How to set up MongoDB to be read-only for non-localhost connections

I have a MongoDB instance on my EC2 server that I want to be accessible both from the machine itself (on localhost) and also remotely.
I currently have it configured so that I can connect to my db from the machine itself on localhost:27017 (with read/write access). I want to make this db available (but only readonly) to other clients via my.ip.address:27017.
How would I go about setting this up?
If you turn on authentication as well as adding a local user with both read and write permissions, you can also add a read-only user.
You would have to manage the authentication in your application / shell code, but basically, anyone not from localhost should authenticate as the read-only user.
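As an added example serving both this answer and the first thread on the page (it is not code from any of the answers), here is the mongosh user setup they describe, plus a small model of how MongoDB evaluates it: an admin that only manages users, a read/write user for the local application, and a read-only user for remote clients. It assumes an application database named "appdb" (a hypothetical name) and that the authenticationRestrictions field, which pins a user to particular client addresses, is available (MongoDB 3.6 and later); passwordPrompt() exists in mongosh and in the legacy mongo shell from 4.2.

```javascript
const APP_DB = "appdb";   // hypothetical application database name

// Server administrator: manages users only, stored in the admin database.
function adminUserSpec(pwd) {
  return { user: "siteAdmin", pwd, roles: [{ role: "userAdminAnyDatabase", db: "admin" }] };
}

// Local application: read/write, but the credentials are only accepted from loopback.
function localReadWriteUserSpec(pwd) {
  return {
    user: "app_local", pwd,
    roles: [{ role: "readWrite", db: APP_DB }],
    // MongoDB also accepts CIDR ranges here; the model below only handles plain addresses.
    authenticationRestrictions: [{ clientSource: ["127.0.0.1"] }],
  };
}

// Remote clients: read-only on the application database, from wherever bindIp / the
// firewall lets them reach the server.
function remoteReadOnlyUserSpec(pwd) {
  return { user: "reporter", pwd, roles: [{ role: "read", db: APP_DB }] };
}

// Model of what a client at `clientIp` presenting this user's credentials gets on
// `dbName`: "denied" when a clientSource restriction excludes the address, otherwise
// "write", "read" or "none" from the roles granted on that database. Assumes the
// single-entry restriction shape used above.
function accessFor(spec, clientIp, dbName) {
  const restrictions = spec.authenticationRestrictions || [];
  const allowed = restrictions.every(r => !r.clientSource || r.clientSource.includes(clientIp));
  if (!allowed) return "denied";
  let level = "none";
  for (const r of spec.roles) {
    if (r.db !== dbName) continue;
    if (r.role === "readWrite") return "write";
    if (r.role === "read") level = "read";
  }
  return level;
}

// In mongosh `db` is the current database handle, so this creates the three users.
// Under plain Node the guard is false and the file only defines the helpers above.
if (typeof db !== "undefined") {
  db.getSiblingDB("admin").createUser(adminUserSpec(passwordPrompt()));
  db.getSiblingDB(APP_DB).createUser(localReadWriteUserSpec(passwordPrompt()));
  db.getSiblingDB(APP_DB).createUser(remoteReadOnlyUserSpec(passwordPrompt()));
}
```

Once the users exist, restart mongod with security.authorization enabled; from then on local connections must authenticate too, which is the point made in the first thread.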