I'm reading the MongoDB guide, but I don't get this:
mongodb://fred:foobar@localhost
It says I can connect to the mongodb through web browser.
I have tried this, but it doesn't work. Safari/Firefox can't recognize the mongodb protocol.
And why should I do it?
Isn't the mongodb server just for connecting through the command line?
And what is the difference between port 27017 and 28017?
Should I connect through http or mongodb protocol?
When you start mongod (the MongoDB daemon), it starts listening on two ports by default.
27017: the default port accessed by the various MongoDB drivers.
28017: a port that handles HTTP requests and provides some general monitoring.
What you've listed, mongodb://fred:foobar@localhost, actually represents this: mongodb://fred:foobar@localhost:27017, and this is the access protocol for MongoDB drivers.
The other "thing" you're seeing is port 28017. This is (by default) simply an overview of what's happening with the mongod instance on that server. Requests made from a web browser to this port will show an HTML output of the server overview.
If you start mongod with a different port number (i.e.: 7777), the "monitor" port will always be 1000 higher (i.e.: 8777).
If you want some advanced features like the ability to query via the web browser, you can start mongod with the --rest switch. You will then be able to run certain queries with a simple HTTP GET request (http://localhost:8777/mydb/mycollection/?filter_a=1).
If you're using language-specific MongoDB drivers (like most people will), then you'll find that you'll have "connection strings" of the form mongodb://user:pwd@host:port/. These are similar in purpose to the usual connection strings you're used to for other database products.
Increment by one thousand (28017), and use HTTP, not mongodb.
Note that this will "connect" you to the mongodb process, but it's not like phpMyAdmin or anything.
I ran a scan on Shodan for my server IP and I noticed it listed my MongoDB with "Authentication partially enabled".
Now, I can't find what it actually means. I am sure I set up authentication the right way, but the word "partially" concerns me.
It means you have a mongodb database with enabled authentication.
I guess Shodan uses this fancy wording to highlight that the database is still listening on the externally facing interface, i.e. you can connect to the database with the command
mongo <your IP>
from anywhere.
There are commands that don't require authentication, e.g.
db.isMaster()
db.runCommand({buildInfo:1})
db.auth()
....
It leaves room for exploitation of vulnerabilities, brute-force attacks, etc.
The server responds to the connection request, which exposes the fact that you are using Mongo. The version of your server, SSL libraries, compilation options and other information advertised by the server can be used to search for known or 0-day vulnerabilities.
You can see what info is exposed on Shodan: https://www.shodan.io/search?query=mongodb+server+information. Compare it with the amount of information available for hosts without "Authentication partially enabled".
The most popular way to harden a MongoDB setup is to make it accessible from the local network/VPC/VPN only. If the nature of your business requires bare Mongo accessible from the internet, hide it behind a firewall to allow connections only from known IPs. In both cases you will be completely invisible to Shodan and similar services.
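A configuration check for the exposure points raised in the answers above (externally reachable driver port, authentication, the port+1000 HTTP page, the REST interface), as an added example that is not part of the original posts. It assumes mongod's YAML config file with the options net.port, net.bindIp, net.http.* and security.authorization (net.http exists only in MongoDB versions that still ship the HTTP interface); the function names and sample config are constructed for illustration, and a missing bindIp is conservatively treated as "all interfaces".

```python
import ipaddress

# Constructed sample (not from the page), in mongod's YAML config format.
SAMPLE_CONF = """\
net:
  port: 7777
  bindIp: 0.0.0.0
  http:
    enabled: true
    RESTInterfaceEnabled: true
security:
  authorization: disabled
"""

def flatten(text):  # nested 'key: value' YAML -> {'net.port': '7777', ...}
    out, stack = {}, []  # stack holds (indent, key) of the open sections
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if ":" not in line:
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        if value.strip():
            out[".".join([k for _, k in stack] + [key])] = value.strip().strip("\"'")
        else:
            stack.append((indent, key))
    return out

def is_exposed(bind_ip):  # True if any bind address is a wildcard or not loopback/private
    for addr in bind_ip.replace("localhost", "127.0.0.1").split(","):
        try:
            ip = ipaddress.ip_address(addr.strip())
        except ValueError:  # other hostnames cannot be shown to be internal
            return True
        if ip.is_unspecified or not (ip.is_loopback or ip.is_private):
            return True
    return False

def audit(text):
    c = flatten(text)
    port = int(c.get("net.port", 27017))
    return [msg for hit, msg in (
        # Assumption: no bindIp line is treated as binding every interface.
        (is_exposed(c.get("net.bindIp", "0.0.0.0")), f"driver port {port} is reachable beyond loopback/private addresses"),
        (c.get("security.authorization") != "enabled", "authorization is not enabled"),
        (c.get("net.http.enabled", "").lower() == "true", f"HTTP status page is enabled on port {port + 1000}"),
        (c.get("net.http.RESTInterfaceEnabled", "").lower() == "true", "REST interface is enabled"),
    ) if hit]
```

Calling audit(SAMPLE_CONF) returns four findings; a config bound to loopback or private addresses with authorization enabled returns an empty list.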
I would like to use a GUI instead of just the Mongo shell on my cloud nine instance. Is there a way I can connect a tool like Mongo chef to the Mongo server that's running on cloud nine?
Currently Cloud9 workspaces only forward one port, port 8080. So in order for your GUI app to gain access to your MongoDB, it will have to be listening on 0.0.0.0:8080 and you have to set your application URL to public (if you don't know how to do that, just click on 'Share' near the top left of the IDE, and click 'Public' next to 'Application').
However, the problem is that since you're also probably running your application on port 8080, you'll have to do some housekeeping and use different ports for Mongodb while your app is running and when you need to access the db using your GUI app.
I have some issues with MongoDB (or Linux security, perhaps):
1. I am running MongoDB 3.0 on an OpenSuSE 13.1 machine (which acts as the data server). I have a local network of 4 computers with different OSs.
2. I can connect from a Windows 8.1 laptop using the mongo command, using the pymongo Python library, or Robomongo. Everything works just fine: I can query the server and insert things.
3. However, when I try to access port 27017 to see the "It looks like you're accessing..." message, the browser says "The connection was reset".
4. SuSE's Firewall and AppArmor are disabled.
QUESTION: There is one computer that can't access the address of the local server. Said computer is in the same local network and is running Windows 8.1. I tried with many other devices and OSs (see miniupdate in comments) and they all managed to access the 27017 port on the server. Of course, the server simply displayed the message "It looks like you are trying to access MongoDB over HTTP on the native driver port.". Do you have any ideas as to why the browser in the problematic computer keeps saying "Connection was reset" instead of showing the message mentioned above? Please note that this computer can do everything I mentioned in point 2. It's the browser thing that is puzzling me.
MongoDB's default port doesn't speak the HTTP protocol, which is what a browser can speak (among a few others). If you're looking for the web-based status page, then that should be on port 28017 (27017 + 1000).
See http://docs.mongodb.org/manual/reference/default-mongodb-port/ for more details.
Found the solution on my own: disable the "Web shield" of Avast Antivirus. It somehow resets the browser's connection to Mongo.
Again, I realize that Mongo doesn't talk HTTP on that port, but still the fact that all other devices but this one were able to connect (to simply get a message) was bugging me.
My question, to be more clear, is how to create a server with MongoDB on a cloud hosting service (for example) and access it through another server.
Example:
I have a mobile app.
I hosted my MongoDB on a cloud hosting service (Ubuntu).
I want to connect my app to the db on the cloud server.
Is it possible? How?
I'm just starting to learn this, and my question was exactly how to create a MongoDB server in a way that I could access it remotely.
Outside of "localhost"? Different from all the tutorials I've seen.
From what you are describing, I think you want to implement a 2-Tier-Architecture. For practically all use cases, don't do it!
It's definitely possible, yes. You can open up the MongoDB port in your firewall. Let's say your computer has a fixed IP or a fixed name like mymongo.example.com. You can then connect to mongodb://mymongo.example.com:27017 (if you use the default port). But beware:
1. Security: You need to make sure that clients can only perform those operations that you want to allow, e.g. using MongoDB integrated authentication, otherwise some random script kiddie will steal your database, delete it, or fill it with random data. Many servers, even if they don't host a well-known service, get attacked thousands of times per day. Also, you probably want to encrypt the connection so people can't spy on the connection. And to make it all worse, you will have to store the database credentials in your client app, which is practically impossible to do in a truly secure way.
2. Software architecture: There are a ton of arguments against this architecture, but 1) alone should be enough. You never want to couple your client to the database, be it because of data migrations, software updates, security considerations, etc.
3-Tier
So what to do instead? Use a 3-Tier-Architecture: Host a server of some kind on mymongo.example.com that then connects to the database. That server could be implemented in nginx/node.js, iis/asp.net, apache/php, or whatever. It could even be a plain old C application (like many game servers).
The mongodb can still reside on yet a different machine, but when you use a server, the database credentials are only known to the server, not to all the clients.
Yes, it is possible. You would connect to MongoDB using the IP address of your host, or preferably using its fully qualified hostname rather than "localhost". If you do that, you should secure your MongoDB installation, otherwise anyone would be able to connect to your MongoDB instance. At an absolute minimum, enable MongoDB authentication. You should read up on MongoDB Security.
For a mobile application, you would probably have some sort of application server in front of MongoDB, e.g. your mobile application would not be connecting to MongoDB directly. In that case only your application server would be connecting to MongoDB, and you would secure MongoDB accordingly.
I am trying an example at Spring 3 with MongoDB. I can reach MongoDB's interface on port 28017. However examples use 27017 in configuration files. Which one to use?
28017 is the admin interface, and admin operations can be checked from there via the web. However, when using MongoDB in applications, 27017 should be defined as the port. When trying to reach that port in a browser, the information given is:
You are trying to access MongoDB on the native driver port. For http diagnostic access, add 1000 to the port number
I found something very interesting by doing a very stupid thing. I added 1000 to 27017 and it became 28017; I accessed localhost:28017 and the admin panel appeared.
Best of luck.
I suggest you do not use the default port in your application.
That is the first thing hackers are looking for.