Under replication, the mongodb --auth option is deprecated; use network security strategies
instead
- http://docs.mongodb.org/manual/security/
- http://stackoverflow.com/questions/8286778/mongodb-security
- http://docs.mongodb.org/manual/reference/command/logRotate/
server list:
- server1, ip: 33.33.13.11, memory: 1024
- server2, ip: 33.33.13.12, memory: 1024
- server3, ip: 33.33.13.13, memory: 1024
- server4, ip: 33.33.13.14, memory: 1024
define vagrant config file
# -*- mode: ruby -*-
# vi: set ft=ruby :
# Four identical CentOS VMs on a host-only network. The per-VM values live in one
# table so the VirtualBox name, hostname and private IP cannot drift apart.
# NOTE(review): 33.33.13.0/24 is not an RFC 1918 range; this presumably only works
# because :private_network is host-only and the addresses never leave the host.
Vagrant.configure("2") do |config|
  config.vm.box = "centos-6_4-x86_64"

  servers = {
    server1: "33.33.13.11",
    server2: "33.33.13.12",
    server3: "33.33.13.13",
    server4: "33.33.13.14"
  }

  servers.each do |name, address|
    config.vm.define name do |app_config|
      app_config.vm.provider "virtualbox" do |v|
        v.customize ["modifyvm", :id, "--name", name.to_s, "--memory", "1024"]
      end
      app_config.vm.box = "centos-6_4-x86_64"
      app_config.vm.hostname = name.to_s
      app_config.vm.network :private_network, ip: address
    end
  end
end
log in to the servers:
vagrant ssh server1
vagrant ssh server2
vagrant ssh server3
vagrant ssh server4
reset all iptables
# Drop every rule from every chain. The default policies stay at ACCEPT (see the
# listing below), so after this the host accepts all traffic on all ports.
sudo iptables --flush
# Show the now-empty chains to confirm the flush.
sudo iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
install mongodb
sudo yum install vim -y
sudo vim /etc/yum.repos.d/10gen.repo
sudo yum install mongo-10gen mongo-10gen-server -y
# sudo vim /etc/yum.repos.d/10gen.repo
[10gen]
name=10gen Repository
baseurl=http://downloads-distro.mongodb.org/repo/redhat/os/x86_64
# gpgcheck=0 turns off package signature verification: the packages are fetched
# over plain HTTP from the baseurl above and installed without any integrity check.
gpgcheck=0
enabled=1
mongo
use admin
// db.addUser('testmongoadmin','testmongoadmin')
// db.auth('testmongoadmin','testmongoadmin')
db.runCommand( { logRotate : 1 } )
use testmongo_development
db.addUser('testmongo_db','testmongodb')
db.auth('testmongo_db','testmongodb')
mongo 127.0.0.1:27017/testmongo_development -u testmongo_db -p testmongodb
rails c
# Seed 5000 posts, one per second, each with a random author id.
5000.times do |i|
  Post.create(title: "title #{i}", body: "this is body", author_id: rand(1..500))
  sleep 1
end
no user 'testmongo_db' added to db testmongo
or db.system.users.remove()
- failure with
mongo 127.0.0.1:27017/testmongo_development -u testmongo_db -p testmongodb
- success with
mongo 127.0.0.1:27017/testmongo_development
show collections
- success with
mongo 33.33.13.11:27017/testmongo_development
- failure with
mongo 33.33.13.11:27017/testmongo_development -u testmongo_db -p testmongodb
add user db.addUser('testmongo_db','testmongodb')
- success with
mongo 127.0.0.1:27017/testmongo_development -u testmongo_db -p testmongodb
- success with
mongo 127.0.0.1:27017/testmongo_development
- success with
mongo 33.33.13.11:27017/testmongo_development -u testmongo_db -p testmongodb
- success with
mongo 33.33.13.11:27017/testmongo_development
no user 'testmongo_db' added to db testmongo
or db.system.users.remove()
- failure with
mongo 127.0.0.1:27017/testmongo_development -u testmongo_db -p testmongodb
- success with
mongo 127.0.0.1:27017/testmongo_development
- success with
mongo 33.33.13.11:27017/testmongo_development
- failure with
mongo 33.33.13.11:27017/testmongo_development -u testmongo_db -p testmongodb
add user db.addUser('testmongo_db','testmongodb')
- success with
mongo 127.0.0.1:27017/testmongo_development -u testmongo_db -p testmongodb
- success with
mongo 127.0.0.1:27017/testmongo_development
- success with
mongo 33.33.13.11:27017/testmongo_development -u testmongo_db -p testmongodb
- success with
mongo 33.33.13.11:27017/testmongo_development
but `show collections`
fails
# sudo ufw allow 27017
# /etc/mongodb.conf
# comment out:
# bind_ip = 127.0.0.1
http://docs.mongodb.org/manual/core/import-export/ http://blog.csdn.net/liuzhoulong/article/details/6849978
# backup
mongodump -h 127.0.0.1 -o all_test_db_dump
# restore
mongorestore /vagrant/all_test_db_dump/
# sudo -u mongodb mongod -f /etc/mongodb.conf &
# sudo /etc/init.d/mongod start
# mongo 33.33.13.11:27017/testmongo_development -u testmongo_db -p testmongodb
# Generate the replica-set key file in /vagrant, then install a copy into the mongod
# data directory readable only by the mongod user.
cd /vagrant && openssl rand -base64 741 > mongodb.keyfile
# NOTE(review): chmod/chown below apply to the copy only; the original stays in
# /vagrant (presumably the host-shared folder) with whatever mode it was created with.
sudo cp /vagrant/mongodb.keyfile /var/lib/mongo/
sudo chmod 600 /var/lib/mongo/mongodb.keyfile
sudo chown mongod /var/lib/mongo/mongodb.keyfile
# insert the line below into mongod.config
keyFile=/var/lib/mongo/mongodb.keyfile
# insert the line below into mongod.config on all nodes
replSet = rs0
# for convenience
# you can insert
auth = true
keyFile=/var/lib/mongo/mongodb.keyfile
replSet = rs0
# and exec
# On each node: install the shared key file with owner-only permissions, then
# bring mongod up through the init script.
sudo cp /vagrant/mongodb.keyfile /var/lib/mongo/
sudo chmod 600 /var/lib/mongo/mongodb.keyfile
sudo chown mongod /var/lib/mongo/mongodb.keyfile
sudo /etc/init.d/mongod start
# For a node where mongod was already running, restart so it picks up the new config
# (note: this line is issued without sudo, unlike the start above).
/etc/init.d/mongod restart
init replica_set config
It is better to run the command below from a local mongo shell; otherwise
rs.initiate( rsconf )
may throw
{ "ok" : 0, "errmsg" : "unauthorized" }
// Replica set "rs0" built from the four Vagrant VMs defined above, each on the
// default mongod port on the private network.
rsconf = {
  _id: "rs0",
  members: [
    {
      "_id" : 1,
      "host" : "33.33.13.11:27017"
    },
    {
      "_id" : 2,
      "host" : "33.33.13.12:27017"
    },
    {
      "_id" : 3,
      "host" : "33.33.13.13:27017"
    },
    {
      "_id" : 4,
      "host" : "33.33.13.14:27017"
    }
  ]
}
// Run from a shell that is allowed to initiate the set; otherwise this returns
// { "ok" : 0, "errmsg" : "unauthorized" } as noted above.
rs.initiate( rsconf )
create application testmongo
with mongoid
rails new testmongo -j=jquery --skip-bundle --skip-test-unit --skip-active-record
mongoid config file
development:
  # Configure available database sessions. (required)
  #
  # NOTE(review): every authenticated session below carries the database password
  # in plaintext, so anyone who can read this file holds the credential. The
  # sessions differ only in host list, credentials and read consistency.
  sessions:
    default:
      database: testmongo_development
      username: testmongo_db
      password: testmongodb
      hosts:
        - 127.0.0.1:27017
      options:
        # Change whether the session persists in safe mode by default.
        # (default: false)
        # safe: false
    # This defines a secondary session on the replica set; all reads go to the primary.
    strong_set:
      database: testmongo_development
      username: testmongo_db
      password: testmongodb
      hosts:
        - 33.33.13.11:27017
      options:
        # Change whether the session persists in safe mode by default.
        # (default: false)
        # safe: false
        consistency: :strong
        safe: true
    # This defines a secondary session on the replica set with eventual consistency
    # (presumably reads may be served by secondaries).
    replica_set:
      database: testmongo_development
      username: testmongo_db
      password: testmongodb
      hosts:
        - 33.33.13.11:27017
        - 33.33.13.12:27017
        - 33.33.13.13:27017
        - 33.33.13.14:27017
      options:
        # Change whether the session persists in safe mode by default.
        # (default: false)
        # safe: false
        consistency: :eventual
        safe: true
    # Same hosts and credentials as replica_set; the monitor probe below uses this
    # as its authenticated session.
    replica_set_auth:
      database: testmongo_development
      username: testmongo_db
      password: testmongodb
      hosts:
        - 33.33.13.11:27017
        - 33.33.13.12:27017
        - 33.33.13.13:27017
        - 33.33.13.14:27017
      options:
        # Change whether the session persists in safe mode by default.
        # (default: false)
        # safe: false
        consistency: :eventual
        safe: true
    # Same hosts with the credentials commented out; the monitor probe below uses
    # this as its unauthenticated session.
    replica_set_noauth:
      database: testmongo_development
      # username: testmongo_db
      # password: testmongodb
      hosts:
        - 33.33.13.11:27017
        - 33.33.13.12:27017
        - 33.33.13.13:27017
        - 33.33.13.14:27017
    all_node:
      database: testmongo_development
      username: testmongo_db
      password: testmongodb
      hosts:
        - 33.33.13.11:27017
        - 33.33.13.12:27017
        - 33.33.13.13:27017
        - 33.33.13.14:27017
  # Configure Mongoid specific options. (optional)
  options:
rails g mongoid:config && rails g model post title:string body:string author_id:string
to monitor mongodb
# Seed 5000 posts one per second; a failed insert prints "false" and the loop
# carries on with the next iteration.
5000.times do |i|
  begin
    Post.create(title: "title #{i}", body: "this is body", author_id: rand(1..500))
  rescue
    puts "false"
  end
  sleep 1
end
Traffic to and from mongod Instances. This pattern applies to all mongod instances, whether running standalone or as part of a replica set.
The goal of this pattern is to explicitly allow traffic to the mongod instance from the application server. In the following examples, replace the IP address shown with that of the application server:
# 192.168.10.180 is the host the application will run on
# Intended to let only the application server reach mongod on 27017 and to let
# mongod's replies back out to it.
sudo iptables -A INPUT -s 192.168.10.180 -p tcp --destination-port 27017 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -d 192.168.10.180 -p tcp --source-port 27017 -m state --state ESTABLISHED -j ACCEPT
# NOTE(review): -A appends to chains whose policy is still ACCEPT after the earlier
# --flush, so these two rules restrict nothing until the INPUT policy is set to DROP
# (or an explicit DROP for 27017 follows them). With a DROP policy the four replica
# members listed in rsconf would also need rules for each other's 27017 traffic.
sudo service iptables save
The first rule allows all incoming traffic from the application server on port 27017, which allows the application server to connect to the mongod instance. The second rule allows outgoing traffic from the mongod to reach the application server.
on all mongodb instances edit mongod.config
# auth = true is commented out here, but per the MongoDB docs a keyFile implies
# auth, so authentication is still enforced for clients as long as keyFile is set;
# the probe results further down should be read with that in mind.
# auth = true
keyFile=/var/lib/mongo/mongodb.keyfile
replSet = rs0
exec the code below
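# Probe one Mongoid session by writing a random Post through it.
#
# Prints +ok_message+ on stdout when the write succeeds and +fail_message+ when it
# raises. The exception class and message go to stderr so an authentication
# failure can be told apart from a connection failure; the stdout lines are
# unchanged so anything already parsing them keeps working.
#
# @param session [Symbol] key of a session in the mongoid.yml sessions block
# @param ok_message [String] line printed on success
# @param fail_message [String] line printed on failure
# @return [void]
def probe_session(session, ok_message, fail_message)
  Post.with(session: session).create(
    title: "title #{rand(1..500)}",
    body: "this is body",
    author_id: rand(1..500)
  )
  puts ok_message
rescue StandardError => e
  puts fail_message
  # A bare rescue used to drop the reason entirely; report it without changing stdout.
  warn "#{session}: #{e.class}: #{e.message}"
end

# Exercise the authenticated and the unauthenticated replica-set session once each.
# @return [void]
def monitor_method
  probe_session(:replica_set_auth, "replica_set_auth true", "session replica_set_auth false")
  probe_session(:replica_set_noauth, "replica_set_noauth true", "replica_set_noauth false")
end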
# Probe both sessions once per second; 1000 iterations is roughly 17 minutes.
1000.times do
  monitor_method
  sleep 1
end
db.addUser('testmongo_db','testmongodb')
db.removeUser('testmongo_db')
db.auth('testmongo_db','testmongodb')
# it is better to restart all nodes
# and it will need some time to respond
# on every node
# enter the mongo shell and type
# db.auth('testmongo_db','testmongodb') to check
# the socket may not reconnect right away, so it can still need some time
when an admin user is set
use admin
// db.addUser('testmongoadmin','testmongoadmin')
// db.auth('testmongoadmin','testmongoadmin')
the line 'keyFile=/var/lib/mongo/mongodb.keyfile' must be disabled, otherwise the client cannot authenticate with the mongo replication servers
case db.auth('testmongo_db','testmongodb')
when 1
replica_set_auth true
and replica_set_noauth true
when 0
session replica_set_auth
false and replica_set_noauth true
// rs.slaveOk()
mongo 33.33.13.11:27017/testmongo_development
mongo 33.33.13.12:27017/testmongo_development -u testmongo_db -p testmongodb
mongo localhost/admin -u testmongoadmin -p testmongoadmin