@@ -6,7 +6,7 @@ Security Practices and Management
66
77As with all software running in a networked environment,
88administrators of MongoDB must consider security and risk
9- exposures for a MongoDB deployment. There are no magic solution for risk
9+ exposures for a MongoDB deployment. There are no magic solutions for risk
1010mitigation, and maintaining a secure MongoDB deployment is an ongoing
1111process. This document takes a *Defense in Depth* approach to securing
1212MongoDB deployments, and addresses a number of different methods for
@@ -80,7 +80,8 @@ By default, listens for connections on the following ports:
8080
8181``27017``
8282 This is the default port :program:`mongod` and :program:`mongos`
83- instances. You can change this port with :setting:`port`.
83+ instances. You can change this port with :setting:`port` or
84+ :option:`--port <mongod --port>`.
8485
8586``27018``
8687 This is the default port when running with :option:`--shardsvr
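Review bot: the ``27017`` entry's first line still reads "This is the default port :program:`mongod` and :program:`mongos` instances", which is missing the preposition; since the hunk already rewrites the next line, reword it to "This is the default port for :program:`mongod` and :program:`mongos` instances." The added :option:`--port <mongod --port>` cross-reference itself uses the right form.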
@@ -89,7 +90,7 @@ By default, listens for connections on the following ports:
8990
9091``27019``
9192 This is the default port when running with :option:`--configsvr
92- <mongod --configsvr>` runtime operation or :setting:`commonsvr `
93+ <mongod --configsvr>` runtime operation or :setting:`configsvr `
9394 setting.
9495
9596``28017``
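Review bot: the corrected role is written as :setting:`configsvr ` with a trailing space before the closing backtick, so the reference target is "configsvr " rather than "configsvr" and may not resolve to the setting; drop the space so it reads :setting:`configsvr`, and the same applies to the earlier :setting:`port` style used in this file.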
@@ -279,7 +280,7 @@ authentication system:
279280
280281- When setting up authentication for the first time you must either:
281282
282- a . add at least one user to the ``admin`` database before starting
283+ # . add at least one user to the ``admin`` database before starting
283284 the :program:`mongod` instance with :setting:`auth`.
284285
285286 #. add the first user to the ``admin`` database when connected to
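Review bot: the replacement list marker is "# ." with a space, but the reST auto-enumerator is "#." with no space (the sibling item "#. add the first user to the ``admin`` database" two lines below uses the correct form), so the first item will not be parsed as part of the enumerated list and the numbering will be wrong. Change it to "#. add at least one user to the ``admin`` database before starting" so both items belong to the same list.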
@@ -295,7 +296,7 @@ Consider the
295296document which outlines procedures for configuring and maintaining
296297users and access with MongoDB's authentication system.
297298
298- .. [#sharded-localhost] Becasue of :issue:`SERVER-6591`, you cannot
299+ .. [#sharded-localhost] Because of :issue:`SERVER-6591`, you cannot
299300 add the first user to a sharded cluster using the ``localhost``
300301 connection in 2.2. If you are running a 2.2 sharded cluster, and
301302 want to enable authentication, you must deploy the cluster and add
@@ -310,14 +311,14 @@ totally controling risk exposure. Consider the recommendations in the
310311following section, for limiting exposure other interface-related
311312risks.
312313
313- JavaScript and the Security of the ``mongo`` Sell
314- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
314+ JavaScript and the Security of the ``mongo`` Shell
315+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
315316
316317Be aware of the following capabilities and behaviors of the
317318:program:`mongo` shell:
318319
319320- :program:`mongo` will evaluate a ``.js`` file passed to the
320- :option:`mongo --eval` operation. command . The :program:`mongo`
321+ :option:`mongo --eval` option . The :program:`mongo`
321322 shell does not validate the input of JavaScript input to
322323 :option:`--eval <mongo --eval>`.
323324
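Review bot: the rewritten bullet still has a stray space before the period ("option .") and the sentence that follows, "does not validate the input of JavaScript input", repeats "input"; suggest "... passed to the :option:`mongo --eval` option. The :program:`mongo` shell does not validate JavaScript passed to :option:`--eval <mongo --eval>`." The hunk header context also shows "totally controling risk exposure", which should be "controlling".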
@@ -326,24 +327,24 @@ Be aware of the following capabilities and behaviors of the
326327 :option:`mongo --norc`` option.
327328
328329 On Linux and Unix systems, :program:`mongo` reads the
329- `` .mongorc.js`` file from `` $HOME/.mongorc.js` `
330- (i.e. `` ~/.mongorc.js`` ), and Windows :program:`mongo` reads the
331- `` .mongorc.js`` file from `` %HOME%\.mongorc.js` ` or
332- `` %HOMEDRIVE%\ %HOMEPATH%\.mongorc.js` `.
330+ :file:` .mongorc.js` file from :file:`{ $HOME} /.mongorc.js`
331+ (i.e. :file:` ~/.mongorc.js`), and Windows :program:`mongo.exe ` reads the
332+ :file:` .mongorc.js` file from :file:`{ %HOME%} \.mongorc.js` or
333+ :file:`{ %HOMEDRIVE%}\{ %HOMEPATH%} \.mongorc.js`.
333334
334335HTTP Status Interface
335336~~~~~~~~~~~~~~~~~~~~~
336337
337338The HTTP status interface provides a web-based interface that includes
338339a variety of operational data, logs, and status reports regarding the
339340:program:`mongod` or :program:`mongos` instance. The HTTP interface is
340- always avalible on the the port numbered ``1000`` greater than the
341+ always available on the the port numbered ``1000`` greater than the
341342primary :program:`mongod` port. By default this is ``28017``, but is
342343indirectly set using the :setting:`port` option which allows you to
343344configure the primary :program:`mongod` port.
344345
345346Without the :setting:`rest` setting, this interface is entirely
346- read-only, and limited in scope; nevertheless, this iterface may
347+ read-only, and limited in scope; nevertheless, this interface may
347348represent an exposure. To disable the HTTP interface, set the
348349:setting:`nohttpinterface` run time option or the
349350:option:`--nohttpinterface <mongod --nohttpinterface>` command line
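Review bot: the new :file: roles carry stray spaces that Sphinx will render literally: :file:` .mongorc.js` has a leading space, the variable parts { $HOME}, { %HOME%}, { %HOMEDRIVE%} and { %HOMEPATH%} have spaces inside the braces, and :program:`mongo.exe ` has a trailing space. Write them as :file:`.mongorc.js`, :file:`{$HOME}/.mongorc.js`, :file:`{%HOME%}\.mongorc.js`, :file:`{%HOMEDRIVE%}\{%HOMEPATH%}\.mongorc.js` and :program:`mongo.exe`. Two defects in this hunk's unchanged lines are worth folding in while here: the :option:`mongo --norc`` reference has a doubled closing backtick, and the "available" fix leaves "on the the port" with a duplicated "the".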
@@ -375,13 +376,13 @@ Data Encryption
375376
376377To support audit requirements, you may need to encrypt data stored in
377378MongoDB. For best results you can encrypt this data in the application
378- layer, by encrytping the content of fields that hold secure data.
379+ layer, by encrypting the content of fields that hold secure data.
379380
380381Additionally, `10gen`_ has a `partnership`_ with `Gazzang`_ to encrypt
381- and secure senitive data within MongoDB. The solution encrypts data in
382+ and secure sensitive data within MongoDB. The solution encrypts data in
382383real time and Gazzang provides advanced key management that ensures
383- only authorized processes and can access this data. THe Gazzang
384- software ensures that the cryptogrpahic keys rmeain safe and ensures
384+ only authorized processes and can access this data. The Gazzang
385+ software ensures that the cryptographic keys remain safe and ensures
385386compliance with standards including HIPPA, PCI-DSS, and FERPA. For
386387more information consider the following resources:
387388
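Review bot: "HIPPA" in the compliance sentence should be "HIPAA" (the Health Insurance Portability and Accountability Act), and the corrected line "only authorized processes and can access this data" still contains a stray "and"; since this hunk is already fixing typos on those lines, both should be included in it.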