From 858693abc12019063ac97c4497b51bed93aba595 Mon Sep 17 00:00:00 2001 From: markofu Date: Wed, 24 Oct 2012 16:08:14 +0100 Subject: [PATCH 1/2] Minor Modifications to tech examples, auth & grammar. --- .../vulnerability-notification.txt | 4 ++-- draft/core/security.txt | 16 ++++++++++------ .../configure-linux-iptables-firewall.txt | 7 +++++-- .../configure-windows-netsh-firewall.txt | 4 +--- 4 files changed, 18 insertions(+), 13 deletions(-) diff --git a/draft/administration/vulnerability-notification.txt b/draft/administration/vulnerability-notification.txt index c0bf91f6852..d7dd63a6a19 100644 --- a/draft/administration/vulnerability-notification.txt +++ b/draft/administration/vulnerability-notification.txt @@ -24,14 +24,14 @@ In particular, please include the following: - *Common Vulnerability* information, if applicable, including: - - CVSS (Commong Vulnerability Scoring System) Score + - CVSS (Common Vulnerability Scoring System) Score - CVE (Common Vulnerability and Exposures) Identifier. - Contact information, including an email address and/or phone number, if applicable. -10gen guarantees a response to all vulnerability notifications within +10gen will respond to all vulnerability notifications within 48 hours. Jira diff --git a/draft/core/security.txt b/draft/core/security.txt index 9cc37a64a1c..d6b31252c90 100644 --- a/draft/core/security.txt +++ b/draft/core/security.txt @@ -273,6 +273,10 @@ authentication system: - :issue:`SERVER-7122` - :issue:`SERVER-7124` + and authentication: + + - :issue:`SERVER-7115` + - Once authenticated a "normal" user has full read and write access to a database. 
@@ -291,7 +295,7 @@ authentication system: Consider the :doc:`/tutorial/use-authentication-to-control-access-to-mongodb` -document which outlines procedures for configuraing and maintaing +document which outlines procedures for configuring and maintaining users and access with MongoDB's authentication system. .. [#sharded-localhost] Becasue of :issue:`SERVER-6591`, you cannot @@ -304,8 +308,8 @@ users and access with MongoDB's authentication system. Interfaces ---------- -Simply limiting access to a :program:`mongod` is not a sufficent for -totally controling risk expsorure. Consider the recomendaitons in the +Simply limiting access to a :program:`mongod` is not sufficent for +totally controling risk exposure. Consider the recommendations in the following section, for limiting exposure other interface-related risks. @@ -338,12 +342,12 @@ a variety of operational data, logs, and status reports regarding the :program:`mongod` or :program:`mongos` instance. The HTTP interface is always avalible on the the port numbered ``1000`` greater than the primary :program:`mongod` port. By default this is ``28017``, but is -indirectly using the :setting:`port` option which allows you to +indirectly set using the :setting:`port` option which allows you to configure the primary :program:`mongod` port. Without the :setting:`rest` setting, this interface is entirely read-only, and limited in scope; nevertheless, this iterface may -represent an exposure. To diable the HTTP interface, set the +represent an exposure. To disable the HTTP interface, set the :setting:`nohttpinterface` run time option or the :option:`--nohttpinterface ` command line option. 
@@ -372,7 +376,7 @@ the REST API interface: Data Encryption --------------- -To support audit requirements, you may need to envrypt data stored in +To support audit requirements, you may need to encrypt data stored in MongoDB. For best results you can encrypt this data in the application layer, by encrytping the content of fields that hold secure data. diff --git a/draft/tutorial/configure-linux-iptables-firewall.txt b/draft/tutorial/configure-linux-iptables-firewall.txt index e4e95e646f7..cdfa520ab74 100644 --- a/draft/tutorial/configure-linux-iptables-firewall.txt +++ b/draft/tutorial/configure-linux-iptables-firewall.txt @@ -20,7 +20,8 @@ to change the default chain policy to DROP: iptables -P OUTPUT DROP This ensures that any traffic to/from the :program:`mongod` server has -to be explicitly allowed. +to be explicitly allowed. Be careful when executing these commands that +you do not lose access to the server. Traffic to/from a Standalone MongoDB Instance or Replica-Set MongoDB Instance (mongod) @@ -109,7 +110,9 @@ To remove the ``iptables`` firewall rules and revert to the default action of each chain, it is possible to flush all existing rules as follows: -iptables –F +.. code-block:: sh + + iptables -F This change is only temporary as it only affects the rulebase in memory. For example, a restart: diff --git a/draft/tutorial/configure-windows-netsh-firewall.txt b/draft/tutorial/configure-windows-netsh-firewall.txt index 2d45a4b0400..fccffd08916 100644 --- a/draft/tutorial/configure-windows-netsh-firewall.txt +++ b/draft/tutorial/configure-windows-netsh-firewall.txt @@ -45,8 +45,6 @@ To reset the Windows Firewall rules: netsh advfirewall reset - iptables -A OUTPUT -d -p tcp --source-port 27018 -m state --state ESTABLISHED -j ACCEPT - To save administration, you can export or import firewall (from different servers) rules very easily on Windows: 
@@ -54,7 +52,7 @@ different servers) rules very easily on Windows: netsh advfirewall export "C:\temp\MongoDBfw.wfw" - netsh advfirewall import "C:\temp\ MongoDBfw.wfw" + netsh advfirewall import "C:\temp\MongoDBfw.wfw" It is also possible to configure the Windows Firewall through a GUI, however, this is not within scope for this tutorial. From a0d916eb5ab84d73e62af9955d7cc725e5980c8a Mon Sep 17 00:00:00 2001 From: markofu Date: Wed, 24 Oct 2012 16:57:48 +0100 Subject: [PATCH 2/2] Modifying the default iptables policy section --- .../configure-linux-iptables-firewall.txt | 32 +++++++++++-------- 1 file changed, 19 insertions(+), 13 deletions(-) diff --git a/draft/tutorial/configure-linux-iptables-firewall.txt b/draft/tutorial/configure-linux-iptables-firewall.txt index cdfa520ab74..0faca6efce1 100644 --- a/draft/tutorial/configure-linux-iptables-firewall.txt +++ b/draft/tutorial/configure-linux-iptables-firewall.txt @@ -10,19 +10,6 @@ Input: filters traffic destined for the firewall Output: filters traffic from the firewall -By default, ``iptables`` allows all connections so it's a good idea -to change the default chain policy to DROP: - -.. code-block:: sh - - iptables -P INPUT DROP - - iptables -P OUTPUT DROP - -This ensures that any traffic to/from the :program:`mongod` server has -to be explicitly allowed. Be careful when executing these commands that -you do not lose access to the server. - Traffic to/from a Standalone MongoDB Instance or Replica-Set MongoDB Instance (mongod) 
@@ -103,6 +90,25 @@ In a sharded infrastructure, the :program:`mongos` router needs to connect to :program:`mongod` shard servers and the shard servers need to connect and communicate amongst themselves. + +Default Policy +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +By default, ``iptables`` allows all connections so it's a good idea +to change the default chain policy to DROP: + +.. code-block:: sh + + iptables -P INPUT DROP + + iptables -P OUTPUT DROP + + +This ensures that any traffic to/from the :program:`mongod` server has +to be explicitly allowed. Be careful when executing these commands that +you do not lose access to the server, i.e. ensure you do this on a +console connection or already have remote-access iptables rules. + Back-Out & Flush iptables rules ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
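Review bot: in draft/administration/vulnerability-notification.txt (hunk @@ -24,14), the unchanged context line `- CVE (Common Vulnerability and Exposures) Identifier.` expands the acronym incorrectly; since this patch already corrects the CVSS expansion on the line above it, fix this one too: `- CVE (Common Vulnerabilities and Exposures) Identifier.`

Review bot: in draft/core/security.txt (hunk @@ -273,6), the added ` and authentication:` line appears to be indented one space relative to the `- :issue:` list items around it, which reStructuredText will treat as a block quote or report as unexpected indentation; align it with the surrounding text and separate it from the preceding list with a blank line so the new `- :issue:`SERVER-7115`` item starts a list of its own.

Review bot: in draft/core/security.txt (hunk @@ -291,7), the context line `.. [#sharded-localhost] Becasue of :issue:`SERVER-6591`, you cannot` still has "Becasue"; since this commit is described as a grammar pass, correct it to "Because".

Review bot: in draft/core/security.txt (hunk @@ -304,8), the two added lines keep the misspellings "sufficent" and "controling" (should be "sufficient" and "controlling"), and the unchanged continuation `following section, for limiting exposure other interface-related risks.` is missing a word; suggest `following section for limiting exposure to other interface-related risks.`

Review bot: in draft/core/security.txt (hunk @@ -338,12), the context lines `always avalible on the the port numbered` and `limited in scope; nevertheless, this iterface may` still contain "avalible", a doubled "the", and "iterface"; fix them alongside the "diable" correction in the same hunk.

Review bot: in draft/core/security.txt (hunk @@ -372,7), the context line `layer, by encrytping the content of fields that hold secure data.` still has "encrytping"; correct it to "encrypting" together with the "envrypt" fix on the line above.

Review bot: in draft/tutorial/configure-linux-iptables-firewall.txt (hunk @@ -109,7), the back-out procedure is incomplete: `iptables -F` flushes the rules but leaves the chain policies set earlier in this tutorial (`iptables -P INPUT DROP` and `iptables -P OUTPUT DROP`) in place, so running it on its own drops all traffic, including the administrator's own session. The code-block should reset the policies as well, for example `iptables -P INPUT ACCEPT` and `iptables -P OUTPUT ACCEPT` before or after the flush, and the prose should say why.

Review bot: in draft/tutorial/configure-linux-iptables-firewall.txt (PATCH 2/2, hunk @@ -103,6), moving the default-policy step after the rule sections is the right order, but the text should say so explicitly: state that the ACCEPT rules from the preceding sections, including whatever rule permits your own management session, must be loaded before the policy is changed to DROP, since `iptables -P OUTPUT DROP` also blocks the host's outbound traffic. The closing sentence is also hard to parse; split it, e.g. `you do not lose access to the server. Run these commands from a console connection, or add the rules that permit your remote-access traffic first.` Minor: the `~` underline is much longer than "Default Policy" and there are two blank lines after the code-block; harmless in reStructuredText, but trim them to match the other headings in the file.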