MongoDB/Debian server successfully attacked - reason for public IP access to the mongodb server?

Information Security attack docker Debian mongodb
2021-09-08 08:39:20

I have a mongodb server which, judging by the log file, received connections from remote IP addresses, even though this is clearly not allowed by the mongodb config file (or more precisely: mongod is not bound to any public interface), as shown below.

That IP address tried to connect without ssl and was denied access - but logs are clearly missing. So I assume they cleaned up part of mongodb.log, though not all of it, leaving for example an entry that shows a remote IP address (maybe one of those they used?).

So the question is: how could the mongodb server be accessed via a public IP address? From the various facts below it seems they got ssh access, but even then they would need to connect to mongodb over a local interface, right?

What I have found so far:

  • /var/log/auth.log was deleted in the mongodb docker container (or it never existed, since I do not ssh directly into the docker container), but it still exists on the parent machine running the docker daemon, although it only starts at Apr 24 06:25:29, so I think they deleted it.
  • They left a READ_ME (empty) folder and a PLEASE_READ_ME folder in the mongodb root directory; the file "./PLEASE_READ_ME/collection-0-*****.wt" (masked) starts with the following message: Don't panic. Your DB is in safety and backed up (check logs). To restore send 0.1 BTC and email with your server ip or domain name. Each 48 hours we erase all the data...
  • They did not create additional database users (or at least, no additional users exist atm)
  • Here is the list of services on the parent machine (netstat)

    tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1281/sshd
    tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1296/exim4
    tcp 0 0 0.0.0.0:54885 0.0.0.0:* LISTEN 707/rpc.statd
    tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 697/rpcbind
    tcp6 0 0 :::22 :::* LISTEN 1281/sshd
    tcp6 0 0 ::1:25 :::* LISTEN 1296/exim4
    tcp6 0 0 :::35619 :::* LISTEN 707/rpc.statd
    tcp6 0 0 :::27017 :::* LISTEN 1172/docker-proxy
    tcp6 0 0 :::111 :::* LISTEN 697/rpcbind
    udp 0 0 127.0.0.1:883 0.0.0.0:* 707/rpc.statd
    udp 0 0 0.0.0.0:39217 0.0.0.0:* 707/rpc.statd
    udp 0 0 0.0.0.0:872 0.0.0.0:* 697/rpcbind
    udp 0 0 0.0.0.0:111 0.0.0.0:* 697/rpcbind
    udp6 0 0 :::49550 :::* 707/rpc.statd
    udp6 0 0 :::872 :::* 697/rpcbind
    udp6 0 0 :::111 :::* 697/rpcbind

Architecture:

  • Docker daemon running on a VM with debian 8.7
  • Each docker container also runs debian 8.7
  • One docker container for mongodb, one for the application (connected via a docker network)

Version: MongoDB shell version: 3.2.11

Logs (database name, principal name and IPs masked):

2017-04-23T12:03:03.511Z I NETWORK  [initandlisten] connection accepted from ***.***.***.***:44575 #16 (5 connections now open)
2017-04-23T12:03:03.540Z I ACCESS   [conn16] Successfully authenticated as principal *** on testdatabase
2017-04-23T12:03:15.461Z I NETWORK  [conn16] end connection ***.***.***.***:44575 (4 connections now open)
2017-04-24T05:07:57.711Z I NETWORK  [initandlisten] connection accepted from ***.***.***.***:27790 #17 (5 connections now open)
2017-04-24T05:07:57.724Z I NETWORK  [conn17] AssertionException handling request, closing client connection: 17189 The server is configured to only allow SSL connections
2017-04-24T05:45:35.997Z I NETWORK  [initandlisten] connection accepted from ***.***.***.***:54235 #18 (5 connections now open)
2017-04-24T05:45:36.027Z I ACCESS   [conn18] Successfully authenticated as principal *** on testdatabase
2017-04-24T05:45:36.053Z I NETWORK  [conn18] end connection ***.***.***.***:54235 (4 connections now open)
2017-04-24T05:45:36.063Z I NETWORK  [initandlisten] connection accepted from ***.***.***.***:54236 #19 (5 connections now open)
2017-04-24T05:45:36.086Z I ACCESS   [conn19] Successfully authenticated as principal *** on testdatabase
2017-04-24T05:45:39.843Z I NETWORK  [conn19] end connection ***.***.***.***:54236 (4 connections now open)
2017-04-24T05:45:39.853Z I NETWORK  [initandlisten] connection accepted from ***.***.***.***:54237 #20 (5 connections now open)
2017-04-24T05:45:39.874Z I ACCESS   [conn20] Successfully authenticated as principal *** on testdatabase
2017-04-24T05:45:40.071Z I NETWORK  [conn20] end connection ***.***.***.***:54237 (4 connections now open)
2017-04-24T05:45:40.080Z I NETWORK  [initandlisten] connection accepted from ***.***.***.***:54238 #21 (5 connections now open)
2017-04-24T05:45:40.101Z I ACCESS   [conn21] Successfully authenticated as principal *** on testdatabase
2017-04-24T05:45:40.108Z I NETWORK  [conn21] end connection ***.***.***.***:54238 (4 connections now open)
2017-04-24T05:45:40.117Z I NETWORK  [initandlisten] connection accepted from ***.***.***.***:54239 #22 (5 connections now open)
2017-04-24T05:45:40.138Z I ACCESS   [conn22] Successfully authenticated as principal *** on testdatabase
2017-04-24T05:45:44.784Z I NETWORK  [conn22] end connection ***.***.***.***:54239 (4 connections now open)
2017-04-24T05:45:44.797Z I NETWORK  [initandlisten] connection accepted from ***.***.***.***:54245 #23 (5 connections now open)
2017-04-24T05:45:44.820Z I ACCESS   [conn23] Successfully authenticated as principal *** on testdatabase
2017-04-24T05:45:44.824Z I NETWORK  [conn23] end connection ***.***.***.***:54245 (4 connections now open)
2017-04-24T05:45:44.833Z I NETWORK  [initandlisten] connection accepted from ***.***.***.***:54246 #24 (5 connections now open)
2017-04-24T05:45:44.854Z I ACCESS   [conn24] Successfully authenticated as principal *** on testdatabase
2017-04-24T05:45:44.858Z I NETWORK  [conn24] end connection ***.***.***.***:54246 (4 connections now open)
2017-04-24T05:45:44.868Z I NETWORK  [initandlisten] connection accepted from ***.***.***.***:54247 #25 (5 connections now open)
2017-04-24T05:45:44.888Z I ACCESS   [conn25] Successfully authenticated as principal *** on testdatabase
2017-04-24T05:45:56.683Z I NETWORK  [conn25] end connection ***.***.***.***:54247 (4 connections now open)
2017-04-24T06:00:01.936Z I NETWORK  [conn3] end connection ***.***.***.***:39610 (3 connections now open)
2017-04-24T06:00:01.937Z I NETWORK  [conn2] end connection ***.***.***.***:39609 (3 connections now open)
2017-04-24T06:00:01.937Z I NETWORK  [conn4] end connection ***.***.***.***:39636 (3 connections now open)
2017-04-24T06:00:01.937Z I NETWORK  [conn1] end connection ***.***.***.***:39548 (3 connections now open)
2017-04-24T06:00:05.915Z I NETWORK  [initandlisten] connection accepted from ***.***.***.***:49695 #26 (1 connection now open)
2017-04-24T06:00:05.951Z I ACCESS   [conn26] Successfully authenticated as principal *** on testdatabase
2017-04-24T06:00:09.089Z I NETWORK  [initandlisten] connection accepted from ***.***.***.***:49758 #27 (2 connections now open)
2017-04-24T06:00:09.103Z I NETWORK  [initandlisten] connection accepted from ***.***.***.***:49760 #28 (3 connections now open)
2017-04-24T06:00:09.125Z I ACCESS   [conn28] Successfully authenticated as principal *** on testdatabase
2017-04-24T06:00:20.916Z I NETWORK  [initandlisten] connection accepted from ***.***.***.***:49790 #29 (4 connections now open)
2017-04-24T06:05:32.404Z I NETWORK  [initandlisten] connection accepted from ***.***.***.***:54712 #30 (5 connections now open)
2017-04-24T06:05:32.414Z I ACCESS   [conn30] Unauthorized: not authorized on admin to execute command { getLog: "startupWarnings" }

Config file (database name masked):

storage:
    dbPath: "/***"
    directoryPerDB: true
    journal:
        enabled: true
systemLog:
    destination: file
    path:   "/***/mongodb.log"
    logAppend: true
    timeStampFormat: iso8601-utc
processManagement:
    fork: true
net:
    bindIp: [127.0.0.1,172.0.0.5]
    port: 27017
    wireObjectCheck : false
    unixDomainSocket: 
        enabled : true
    http:
        enabled: false
    ssl:
        mode: requireSSL
        PEMKeyFile: /certs/server-***.***.***.***.pem
        CAFile: /certs/ca.pem
        #CRLFile: <string>
        allowConnectionsWithoutCertificates: false
        allowInvalidCertificates: false
        allowInvalidHostnames: true
        #disabledProtocols: false
        #FIPSMode: <boolean>
security:
    authorization: enabled

Head of /var/log/auth.log on the parent docker daemon host (IPs masked)

Apr 24 06:25:29 *** sshd[5332]: Connection closed by ***.***.***.*** [preauth]
Apr 24 06:25:32 *** sshd[4660]: Received disconnect from ***.***.***.***: 11: disconnected by user
Apr 24 06:25:32 *** sshd[4660]: pam_unix(sshd:session): session closed for user root
Apr 24 06:25:41 *** CRON[5111]: pam_unix(cron:session): session closed for user root
Apr 24 06:25:44 *** sshd[5342]: Invalid user admin from ***.***.***.***
Apr 24 06:25:44 *** sshd[5342]: input_userauth_request: invalid user admin [preauth]
Apr 24 06:25:44 *** sshd[5342]: Disconnecting: Too many authentication failures for invalid user admin from ***.***.***.*** port 41822 ssh2 [preauth]
Apr 24 06:26:19 *** sshd[5393]: Connection closed by ***.***.***.*** [preauth]
Apr 24 06:28:26 *** sshd[5423]: Invalid user pat from ***.***.***.***
Apr 24 06:28:26 *** sshd[5423]: input_userauth_request: invalid user pat [preauth]
Apr 24 06:28:26 *** sshd[5423]: Connection closed by ***.***.***.*** [preauth]
Apr 24 06:28:28 *** sshd[5421]: Connection closed by ***.***.***.*** [preauth]
Apr 24 06:30:46 *** sshd[5450]: Accepted publickey for root from ***.***.***.*** port 47739 ssh2: RSA 74:72:c0:b4:6e:6d:11:3a:2e:c5:4e:be:34:60:e1:99
Apr 24 06:30:46 *** sshd[5450]: pam_unix(sshd:session): session opened for user root by (uid=0)
Apr 24 06:30:49 *** sshd[5499]: Connection closed by ***.***.***.*** [preauth]
Apr 24 06:33:16 *** sshd[5842]: Invalid user postgres from ***.***.***.***
Apr 24 06:33:16 *** sshd[5842]: input_userauth_request: invalid user postgres [preauth]
Apr 24 06:33:16 *** sshd[5842]: Connection closed by ***.***.***.*** [preauth]
Apr 24 06:36:16 *** sshd[5844]: Connection closed by ***.***.***.*** [preauth]
Apr 24 06:38:02 *** sshd[5846]: Invalid user nginx from ***.***.***.***
Apr 24 06:38:02 *** sshd[5846]: input_userauth_request: invalid user nginx [preauth]
Apr 24 06:38:02 *** sshd[5846]: Connection closed by ***.***.***.*** [preauth]
Apr 24 06:38:28 *** sshd[3979]: Timeout, client not responding.
Apr 24 06:38:28 *** sshd[3979]: pam_unix(sshd:session): session closed for user root
Apr 24 06:38:32 *** sshd[5450]: Timeout, client not responding.
Apr 24 06:38:32 *** sshd[5450]: pam_unix(sshd:session): session closed for user root
Apr 24 06:39:14 *** sshd[4027]: Timeout, client not responding.
Apr 24 06:39:14 *** sshd[4027]: pam_unix(sshd:session): session closed for user root
Apr 24 06:41:42 *** sshd[5848]: Connection closed by ***.***.***.*** [preauth]
Apr 24 06:42:07 *** sshd[5850]: Connection closed by ***.***.***.*** [preauth]
Apr 24 06:42:08 *** sshd[5852]: Invalid user  from ***.***.***.***
Apr 24 06:42:08 *** sshd[5852]: input_userauth_request: invalid user  [preauth]
Apr 24 06:42:08 *** sshd[5852]: Connection closed by ***.***.***.*** [preauth]
Apr 24 06:42:55 *** sshd[5854]: Invalid user spark from ***.***.***.***
Apr 24 06:42:55 *** sshd[5854]: input_userauth_request: invalid user spark [preauth]
Apr 24 06:42:55 *** sshd[5854]: Connection closed by ***.***.***.*** [preauth]
Apr 24 06:47:06 *** sshd[5859]: Connection closed by ***.***.***.*** [preauth]
Apr 24 06:47:48 *** sshd[5861]: Invalid user odoo from ***.***.***.***
Apr 24 06:47:48 *** sshd[5861]: input_userauth_request: invalid user odoo [preauth]
Apr 24 06:47:48 *** sshd[5857]: Connection closed by ***.***.***.*** [preauth]
Apr 24 06:47:48 *** sshd[5861]: Connection closed by ***.***.***.*** [preauth]
Apr 24 06:52:32 *** sshd[5872]: Connection closed by ***.***.***.*** [preauth]
Apr 24 06:52:34 *** sshd[5870]: Invalid user steam from ***.***.***.***
Apr 24 06:52:34 *** sshd[5870]: input_userauth_request: invalid user steam [preauth]
Apr 24 06:52:34 *** sshd[5870]: Connection closed by ***.***.***.*** [preauth]
Apr 24 06:54:00 *** sshd[5874]: Disconnecting: Too many authentication failures for root from ***.***.***.*** port 46803 ssh2 [preauth]
Apr 24 06:57:22 *** sshd[5877]: Invalid user teste from ***.***.***.***
Apr 24 06:57:22 *** sshd[5877]: input_userauth_request: invalid user teste [preauth]
Apr 24 06:57:22 *** sshd[5877]: Connection closed by ***.***.***.*** [preauth]
Apr 24 06:57:58 *** sshd[5879]: Connection closed by ***.***.***.*** [preauth]
Apr 24 07:02:13 *** sshd[5881]: Invalid user hadoop from ***.***.***.***
Apr 24 07:02:13 *** sshd[5881]: input_userauth_request: invalid user hadoop [preauth]
Apr 24 07:02:13 *** sshd[5881]: Connection closed by ***.***.***.*** [preauth]
Apr 24 07:03:16 *** sshd[5885]: Invalid user admin from ***.***.***.***
Apr 24 07:03:16 *** sshd[5885]: input_userauth_request: invalid user admin [preauth]
Apr 24 07:03:16 *** sshd[5883]: Disconnecting: Too many authentication failures for root from ***.***.***.*** port 4792 ssh2 [preauth]
Apr 24 07:03:17 *** sshd[5885]: Disconnecting: Too many authentication failures for invalid user admin from ***.***.***.*** port 4802 ssh2 [preauth]
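The question compares two things: the netstat listing on the host, where docker-proxy listens on :::27017, and the bindIp list inside the container. The following script is an added example (not code from the question, from MongoDB or from Docker) that does that comparison mechanically and classifies the source addresses in "connection accepted" lines. A docker-proxy listener on a wildcard address means the container port was published on every host interface, so a bindIp restriction inside the container does not limit who can reach it from outside. The netstat and mongod log lines are constructed samples using documentation address ranges; 172.17.0.1 stands in for the docker bridge gateway (an assumption about the default bridge), which is the source a connection forwarded by the userland proxy carries when it reaches the container, while an iptables DNAT forward keeps the real client address.

```python
"""Compare the host's listening sockets with what mongod inside the container
thinks it is bound to, and classify the source addresses mongod logged.

Added example for this question; not code from the original post, from MongoDB
or from Docker. Sample inputs are constructed (documentation IP ranges).
"""
import ipaddress
import re

# Constructed netstat -tlnp excerpt in the layout the question shows.
NETSTAT_SAMPLE = """\
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1281/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1296/exim4
tcp6 0 0 :::27017 :::* LISTEN 1172/docker-proxy
tcp6 0 0 :::111 :::* LISTEN 697/rpcbind
"""

# Constructed mongod 3.2-style log lines. 172.17.0.1 stands for the docker bridge
# gateway (assumed default bridge); 203.0.113.0/24 is a documentation range.
MONGOD_LOG_SAMPLE = """\
2017-04-24T05:07:57.711Z I NETWORK  [initandlisten] connection accepted from 203.0.113.45:27790 #17 (5 connections now open)
2017-04-24T05:45:35.997Z I NETWORK  [initandlisten] connection accepted from 172.17.0.1:54235 #18 (5 connections now open)
2017-04-24T06:05:32.404Z I NETWORK  [initandlisten] connection accepted from 127.0.0.1:54712 #30 (5 connections now open)
"""

WILDCARD = {"0.0.0.0", "::"}
LISTEN_RE = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN\s+(\d+)/(\S+)")
ACCEPT_RE = re.compile(r"connection accepted from (\S+):(\d+) #(\d+)")
# RFC 1918 plus loopback only; ipaddress.is_private would also count the
# documentation ranges as private and hide the public sample address.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "::1/128", "fc00::/7")]


def parse_listeners(netstat_text):
    """Return (proto, addr, port, pid, program) for every LISTEN line."""
    rows = []
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line.strip())
        if m:
            proto, addr, port, pid, prog = m.groups()
            rows.append((proto, addr, int(port), int(pid), prog))
    return rows


def exposed_db_ports(netstat_text, db_port=27017):
    """Listeners for db_port on a wildcard address. A docker-proxy entry here means
    `docker run -p 27017:27017` published the port on every host interface; the
    bindIp list inside the container never sees that host-side socket."""
    return [r for r in parse_listeners(netstat_text)
            if r[2] == db_port and r[1] in WILDCARD]


def classify_source(ip_text):
    """loopback / private (RFC 1918, ULA) / public for one source address."""
    ip = ipaddress.ip_address(ip_text)
    if ip.is_loopback:
        return "loopback"
    if any(ip in net for net in LOCAL_NETS):
        return "private"
    return "public"


def accepted_connections(log_text):
    """(source ip, connection number, class) for each 'connection accepted' line."""
    rows = []
    for line in log_text.splitlines():
        m = ACCEPT_RE.search(line)
        if m:
            rows.append((m.group(1), int(m.group(3)), classify_source(m.group(1))))
    return rows


def assess(netstat_text, log_text, bind_ips):
    """Summarise host-side exposure against the container-side bindIp list."""
    exposed = exposed_db_ports(netstat_text)
    conns = accepted_connections(log_text)
    return {
        "mongod_bound_to_wildcard": any(ip in WILDCARD for ip in bind_ips),
        "published_on_all_host_interfaces": any(r[4] == "docker-proxy" for r in exposed),
        "non_loopback_sources": sorted({ip for ip, _, kind in conns if kind != "loopback"}),
        "public_sources": sorted({ip for ip, _, kind in conns if kind == "public"}),
    }


if __name__ == "__main__":
    report = assess(NETSTAT_SAMPLE, MONGOD_LOG_SAMPLE, ["127.0.0.1", "172.0.0.5"])
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against the real `netstat -tlnp` output and the unmasked mongodb.log. A docker-proxy listener on :::27017 together with a bindIp list naming only loopback and the container's own address is exactly the combination that lets external clients reach mongod while mongod's own config looks local-only. On the Docker side the fix is to publish the port on a specific address (`-p 127.0.0.1:27017:27017`) or not publish it at all and let the application container reach mongod over the docker network they already share.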
2 Answers

Since information is missing, next time please include the kernel version, the docker version and whether the client application connects as the root user.

Possible vulnerabilities they used:

  • A compromised database client application, so check that for vulnerabilities too

  • Since docker containers share the kernel with the host and the other containers, check the kernel version for possible vulnerabilities

  • Exploiting ssh, since I don't see any information on whether there is fail2ban or key-based ssh authentication, or just passwords, or a VPN (I suggest changing the ssh port, public key authentication and fail2ban, or only allowing ssh connections through a private VPN)

What you need to understand is that it may not be just one vulnerability that turned into an exploit; it may be a chain of vulnerabilities.

Check how many interfaces are active on the MDB host. You may be securing one network while another one is vulnerable. A simple ifconfig may give you some ideas.
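The first answer recommends checking how ssh is protected (fail2ban, key-based authentication, VPN). The script below is an added example, not code from either answer or from fail2ban, of the counting fail2ban's sshd jail performs, run by hand over constructed auth.log lines in the Debian 8 sshd format the question shows: it tallies pre-authentication failures per source address, collects the usernames tried (including the empty username that appears in the question's log), and flags every accepted login that is root, password-based, or from an address that had also been refused. The host name, addresses and key fingerprint are placeholders.

```python
"""Triage an sshd auth.log excerpt the way a reviewer (or fail2ban) would:
count pre-auth failures per source, collect the usernames tried, and list every
accepted login together with the reasons it deserves a second look.

Added example for the answer above; not code from the original post or from
fail2ban. Log lines are constructed in the Debian 8 sshd format seen in the
question; host name, addresses and the key fingerprint are placeholders.
"""
import re
from collections import defaultdict

AUTH_LOG_SAMPLE = """\
Apr 24 06:25:44 host sshd[5342]: Invalid user admin from 198.51.100.7
Apr 24 06:25:44 host sshd[5342]: input_userauth_request: invalid user admin [preauth]
Apr 24 06:25:44 host sshd[5342]: Disconnecting: Too many authentication failures for invalid user admin from 198.51.100.7 port 41822 ssh2 [preauth]
Apr 24 06:28:26 host sshd[5423]: Invalid user pat from 198.51.100.7
Apr 24 06:28:26 host sshd[5423]: Connection closed by 198.51.100.7 [preauth]
Apr 24 06:30:46 host sshd[5450]: Accepted publickey for root from 203.0.113.9 port 47739 ssh2: RSA 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff
Apr 24 06:30:46 host sshd[5450]: pam_unix(sshd:session): session opened for user root by (uid=0)
Apr 24 06:33:16 host sshd[5842]: Invalid user postgres from 198.51.100.7
Apr 24 06:42:08 host sshd[5852]: Invalid user  from 198.51.100.7
Apr 24 06:54:00 host sshd[5874]: Disconnecting: Too many authentication failures for root from 203.0.113.9 port 46803 ssh2 [preauth]
Apr 24 06:55:10 host sshd[5880]: Accepted password for deploy from 192.0.2.20 port 50000 ssh2
"""

# "Invalid user  from X" (empty username) is real sshd output, hence \S* not \S+.
INVALID_RE = re.compile(r"Invalid user (\S*) from (\S+)")
TOOMANY_RE = re.compile(r"Too many authentication failures for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"Accepted (\w+) for (\S+) from (\S+) port (\d+)")


def triage(log_text):
    """Return (failures per ip, usernames per ip, accepted logins)."""
    failures = defaultdict(int)   # source ip -> pre-auth failure events
    usernames = defaultdict(set)  # source ip -> usernames attempted
    accepted = []                 # (ip, auth method, user)
    for line in log_text.splitlines():
        m = INVALID_RE.search(line) or TOOMANY_RE.search(line)
        if m:
            user, ip = m.groups()
            failures[ip] += 1
            usernames[ip].add(user)
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, ip, _port = m.groups()
            accepted.append((ip, method, user))
    return failures, usernames, accepted


def findings(log_text, threshold=3):
    """Sources at or above the failure threshold (what a ban rule would key on)
    and accepted logins that merit review, each with its reasons."""
    failures, usernames, accepted = triage(log_text)
    brute = sorted(ip for ip, n in failures.items() if n >= threshold)
    flagged = []
    for ip, method, user in accepted:
        reasons = []
        if user == "root":
            reasons.append("root login")
        if method == "password":
            reasons.append("password auth")
        if ip in failures:
            reasons.append(f"{failures[ip]} pre-auth failure(s) from this source")
        if reasons:
            flagged.append((ip, user, reasons))
    return {
        "brute_force_sources": brute,
        "logins_to_review": flagged,
        "usernames_tried": {ip: sorted(u) for ip, u in usernames.items()},
    }


if __name__ == "__main__":
    for key, value in findings(AUTH_LOG_SAMPLE).items():
        print(f"{key}: {value}")
```

fail2ban does the same counting within a time window and then inserts a firewall rule; the reason to run it by hand on a compromised host is to see which accepted sessions automatic banning would never have touched, here a publickey root login from an address that had also been refused. An accepted key login is not by itself evidence of a stolen key, but each accepted line should be matched against a known operator key and source.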