4.13. Restricting Access to mongod
To reduce the risk of data loss, configure only the apache
and root
users to have access to the MongoDB database daemon, mongod
.
To restrict access to mongod
on your Satellite Server, you must update your firewall configuration.
Procedure
Update the firewall configuration by entering the following command:
# firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -o lo -p \ tcp -m tcp --dport 27017 -m owner --uid-owner apache -j ACCEPT \ && firewall-cmd --direct --add-rule ipv6 filter OUTPUT 0 -o lo -p \ tcp -m tcp --dport 27017 -m owner --uid-owner apache -j ACCEPT \ && firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -o lo -p \ tcp -m tcp --dport 27017 -m owner --uid-owner root -j ACCEPT \ && firewall-cmd --direct --add-rule ipv6 filter OUTPUT 0 -o lo -p \ tcp -m tcp --dport 27017 -m owner --uid-owner root -j ACCEPT \ && firewall-cmd --direct --add-rule ipv4 filter OUTPUT 1 -o lo -p \ tcp -m tcp --dport 27017 -j DROP \ && firewall-cmd --direct --add-rule ipv6 filter OUTPUT 1 -o lo -p \ tcp -m tcp --dport 27017 -j DROP \ && firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -o lo -p \ tcp -m tcp --dport 28017 -m owner --uid-owner apache -j ACCEPT \ && firewall-cmd --direct --add-rule ipv6 filter OUTPUT 0 -o lo -p \ tcp -m tcp --dport 28017 -m owner --uid-owner apache -j ACCEPT \ && firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -o lo -p \ tcp -m tcp --dport 28017 -m owner --uid-owner root -j ACCEPT \ && firewall-cmd --direct --add-rule ipv6 filter OUTPUT 0 -o lo -p \ tcp -m tcp --dport 28017 -m owner --uid-owner root -j ACCEPT \ && firewall-cmd --direct --add-rule ipv4 filter OUTPUT 1 -o lo -p \ tcp -m tcp --dport 28017 -j DROP \ && firewall-cmd --direct --add-rule ipv6 filter OUTPUT 1 -o lo -p \ tcp -m tcp --dport 28017 -j DROP
Make the changes persistent:
# firewall-cmd --runtime-to-permanent