MongoDB Security & Defaults

Ryan S. Brown ryansb at
Fri Feb 13 13:26:32 UTC 2015


After reading this article[1] on how many totally unsecured mongodb
installations there are on the internet, I noticed a recent (and
worrying) change in the defaults on Fedora's mongodb package.

In January, the Fedora rawhide package for mongo[2] was changed to
listen on all interfaces by default, but I haven't been able to find any
information about why it was changed. To help protect users, I think the
default should be changed back to localhost only. Operators can change
this setting post-install if needed, hopefully after assessing how risky
it is to have an open-world database.

This change could probably be reverted safely as-is, since (I hope)
nobody is running production mongo clusters on rawhide.

Debian and Ubuntu have mongodb set to (by default) only listen on
localhost[3], which is sane and normal for a database that does *no
authentication of any kind* by default. The same has been true of
MongoDB Inc.'s[4] example config since approximately 2013[5].


Ryan Brown / Software Engineer, Openstack / Red Hat, Inc.

More information about the devel mailing list