MongoDB: Creating a User and Enabling Authentication

1. Background

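I set up a server on Tencent Cloud to host a small project of my own. To my surprise, the MongoDB database got hacked because I had not enabled account authentication for logins. It counts as an interesting experience, at least.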

The hacker even left a note telling me to pay in BTC to get my data back, haha:

"All your data is a backed up. You must pay 0.005 BTC to xxxxxxxx 48 hours for recover it. After 48 hours expiration we will leaked and exposed all your data. In case of refusal to pay, we will contact the General Data Protection Regulation, GDPR and notify them that you store user data in an open form and is not safe. Under the rules of the law, you face a heavy fine or arrest and your base dump will be dropped from our server! You can buy bitcoin here, does not take much time to buy https://xxx.com with this guide https://localbitcoins.com/guides/how-to-buy-bitcoins After paying write to me in the mail with your DB IP: xxxxxx@cock.li"

2. Creating a MongoDB user

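# Log in to the server and open the MongoDB shell; the lines below are typed inside it
use admin
// List the current users; the result is empty if there are none
show users
// Create the user
db.createUser({user:'admin',pwd:'xxxxx',roles:['root']})
// List the users again; the admin user has now been created
show users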

3. Enabling authentication

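# Log in to the server, go to the bin directory of the MongoDB installation, and edit mongodb.conf
vi ./mongodb.conf
# Add or change the line auth=true, then save the file with :wq
auth=true
# Log in to mongod with the username and password (the client is the mongo shell, not mongod)
mongo -u admin -p xxxxx --authenticationDatabase admin
// Shut down the MongoDB service (typed inside the mongo shell)
use admin
db.shutdownServer()
exit
# Start the MongoDB service again
./mongod -f /yourpath/bin/mongodb.conf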
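
A check worth running on mongodb.conf before the restart in step 3, as an added example that is not part of the original post: it reports whether the file really enables authentication, treating a commented-out `#auth=true` as not set. It goes beyond the post's key=value format by also recognising the YAML form `security.authorization: enabled`; the function names and the sample config are made up for this example.

```shell
#!/bin/sh
# Added example (not from the original post): report whether a MongoDB
# config read on stdin enforces authentication.
# Prints "enabled", "disabled" or "conflict".
mongo_auth_state() {
    awk '
        { sub(/[ \t]*#.*/, "") }        # drop comments: "#auth=true" must not count
        /^[ \t]*$/ { next }             # skip blank lines

        # Legacy key=value format, as in the post: auth=true / noauth=true
        /^[ \t]*(auth|noauth)[ \t]*=/ {
            split($0, kv, "=")
            key = kv[1]; val = tolower(kv[2])
            gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
            if (key == "auth" && val == "true") on++
            else if (key == "auth" || val == "true") off++   # auth=false or noauth=true
            next
        }

        # YAML format: authorization under the top-level security key
        /^[^ \t]/ { in_security = ($0 ~ /^security:[ \t]*$/); next }
        in_security && /^[ \t]+authorization:/ {
            val = tolower($0)
            sub(/^[^:]*:/, "", val); gsub(/[^a-z]/, "", val)
            if (val == "enabled") on++; else off++
        }

        END {
            if (on && off) print "conflict"
            else if (on)   print "enabled"
            else           print "disabled"
        }
    '
}

# Exit status 0 only when the file at $1 unambiguously enables authentication.
audit_mongo_conf() {
    state=$(mongo_auth_state < "$1")
    case "$state" in
        enabled) echo "OK: $1 enables authentication"; return 0 ;;
        *)       echo "FAIL: $1 auth state is $state; fix before restarting mongod"; return 1 ;;
    esac
}

# Constructed sample: the setting is present but commented out.
printf '%s\n' 'dbpath=/data/db' '#auth=true' | mongo_auth_state   # prints: disabled
```

Run it as `audit_mongo_conf /yourpath/bin/mongodb.conf` and restart mongod only when it reports OK.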