To reduce the risk exposure of the entire MongoDB system, ensure that only trusted hosts have access to MongoDB.
Starting with MongoDB 3.6, the MongoDB binaries, mongod and mongos, bind to localhost by default. From MongoDB versions 2.6 to 3.4, only the binaries from the official MongoDB RPM (Red Hat, CentOS, Fedora Linux, and derivatives) and DEB (Debian, Ubuntu, and derivatives) packages would bind to localhost by default. To learn more about this change, see Localhost Binding Compatibility Changes.
Warning
Before binding to a non-localhost (e.g. publicly accessible) IP address, ensure you have secured your cluster from unauthorized access. For a complete list of security recommendations, see Security Checklist. At minimum, consider enabling authentication and hardening network infrastructure.
Warning
Make sure that your mongod and mongos instances are only accessible on trusted networks. If your system has more than one network interface, bind MongoDB programs to the private or internal network interface.

For more information, see IP Binding.
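The following is an added example, not part of the MongoDB documentation: a small POSIX shell helper that audits a mongod `net.bindIp` value (a comma-separated address list, which is the form mongod accepts; `net.bindIpAll: true` is the equivalent of the wildcard entry) and classifies each entry so an operator can see whether the instance would be reachable beyond loopback or the private ranges. The function names, the address lists and the sample values are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not MongoDB's own tooling): classify the addresses that a
# mongod/mongos would listen on and flag configurations that expose the
# instance beyond loopback or private networks.

# classify_addr ADDR -> wildcard | loopback | private | socket | public | name
classify_addr() {
  case "$1" in
    0.0.0.0|::|"*")                          echo "wildcard" ;;  # every interface (bindIpAll)
    127.*|::1|localhost)                     echo "loopback" ;;
    10.*|192.168.*)                          echo "private"  ;;  # RFC 1918
    172.1[6-9].*|172.2[0-9].*|172.3[01].*)   echo "private"  ;;  # 172.16.0.0/12
    f[cd]??:*)                               echo "private"  ;;  # IPv6 ULA fc00::/7
    /*)                                      echo "socket"   ;;  # unix domain socket path
    [0-9]*.[0-9]*.[0-9]*.[0-9]*|*:*)         echo "public"   ;;  # any other literal IP
    *)                                       echo "name"     ;;  # hostname: cannot classify, review by hand
  esac
}

# bind_is_restricted "ADDR,ADDR,..." : print one line per entry and return 0
# only when every entry is loopback, private or a unix socket. Wildcards,
# public addresses and unresolved hostnames make it return 1.
bind_is_restricted() {
  rc=0
  for a in $(printf '%s' "$1" | tr ',' ' '); do
    kind=$(classify_addr "$a")
    printf '%-24s %s\n' "$a" "$kind"
    case "$kind" in wildcard|public|name) rc=1 ;; esac
  done
  return $rc
}

# Constructed examples: the weak setting beside the corrected one.
bind_is_restricted "0.0.0.0" || echo "exposed: bind to loopback or the private interface instead"
bind_is_restricted "127.0.0.1,10.0.3.7" && echo "ok: loopback plus private interface only"
```

Feed it the value of `net.bindIp` from mongod.conf (or the `--bind_ip` argument); an entry reported as `name` is not wrong, it simply needs to be checked against the interface it resolves to.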
Changed in version 3.6: MongoDB 3.6 removes the deprecated HTTP interface and REST API to MongoDB.
Firewalls allow administrators to filter and control access to a system by providing granular control over network communications. For administrators of MongoDB, the following capabilities are important: limiting incoming traffic on a specific port to specific systems and limiting incoming traffic from untrusted hosts.
On Linux systems, the iptables interface provides access to the underlying netfilter firewall. On Windows systems, the netsh command line interface provides access to the underlying Windows Firewall. For additional information about firewall configuration, see:
iptables firewall
netsh firewall

For best results and to minimize overall exposure, ensure that only traffic from trusted sources can reach mongod and mongos instances and that the mongod and mongos instances can only connect to trusted outputs.
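As an added example (not from the MongoDB documentation or its iptables guide), the following POSIX shell functions generate the iptables rules that implement the two capabilities above for a mongod or mongos on the default port 27017: inbound traffic on that port is accepted only from the listed trusted hosts, the corresponding replies are allowed out, other replica set or cluster members are additionally allowed as trusted outputs, and everything else arriving on the port is dropped. The functions print the commands instead of executing them so the rule set can be reviewed first; the interface name, addresses and function names are assumptions.

```shell
#!/bin/sh
# Added example (not MongoDB's own tooling): emit iptables rules that restrict
# a mongod/mongos port to trusted hosts. Prints the commands for review; apply
# them as root only after checking the output.

MONGO_PORT=${MONGO_PORT:-27017}   # default mongod/mongos listening port

# allow_client IFACE SRC : an application server that only connects *to* us
allow_client() {
  echo "iptables -A INPUT -i $1 -p tcp -s $2 --dport $MONGO_PORT -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"
  echo "iptables -A OUTPUT -o $1 -p tcp -d $2 --sport $MONGO_PORT -m conntrack --ctstate ESTABLISHED -j ACCEPT"
}

# allow_peer IFACE PEER : another replica set / sharded cluster member. Those
# connections are initiated in both directions, so the peer's MongoDB port is
# also a trusted output for this host.
allow_peer() {
  allow_client "$1" "$2"
  echo "iptables -A OUTPUT -o $1 -p tcp -d $2 --dport $MONGO_PORT -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"
  echo "iptables -A INPUT -i $1 -p tcp -s $2 --sport $MONGO_PORT -m conntrack --ctstate ESTABLISHED -j ACCEPT"
}

# drop_rest : anything else that reaches the MongoDB port, on any interface
drop_rest() {
  echo "iptables -A INPUT -p tcp --dport $MONGO_PORT -j DROP"
}

# gen_mongo_rules IFACE "CLIENT ..." "PEER ..." : the full rule set, with the
# accept rules before the final drop so ordering in the chain is correct.
gen_mongo_rules() {
  iface=$1
  for c in $2; do allow_client "$iface" "$c"; done
  for p in $3; do allow_peer "$iface" "$p"; done
  drop_rest
}

# Constructed example: two application servers and one replica set peer, with
# mongod bound to the private interface eth1. To apply after review (as root):
#   gen_mongo_rules eth1 "10.0.1.10 10.0.1.11" "10.0.2.5" | sh
gen_mongo_rules eth1 "10.0.1.10 10.0.1.11" "10.0.2.5"
```

The final DROP only covers the inbound side; enforcing the "trusted outputs" half for traffic the instance initiates to anything other than its peers requires a default-deny OUTPUT policy (or an explicit trailing OUTPUT drop for the MongoDB port), which affects every service on the host and should be planned with that in mind. On Windows the same shape is expressed with `netsh advfirewall firewall add rule` entries keyed on the same port and remote addresses.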
Virtual private networks, or VPNs, make it possible to link two networks over an encrypted and limited-access trusted network. Typically, MongoDB users who use VPNs use TLS/SSL-based VPNs rather than IPsec VPNs, for performance reasons.

Depending on configuration and implementation, VPNs provide certificate validation and a choice of encryption protocols, which requires a rigorous level of authentication and identification of all clients. Furthermore, because a VPN provides a secure tunnel, using a VPN connection to control access to your MongoDB instance prevents tampering and "man-in-the-middle" attacks on that path. A VPN controls which hosts can reach the instance; it does not replace MongoDB's own authentication or TLS/SSL on the client connection itself.