MongoDB Security & Defaults

Ryan S. Brown ryansb at redhat.com
Fri Feb 13 13:26:32 UTC 2015


Hello,

After reading this article[1] on how many totally unsecured mongodb
installations there are on the internet, I noticed a recent (and
worrying) change in the defaults on Fedora's mongodb package.

In January, the Fedora rawhide package for mongo[2] was changed to
listen on all interfaces by default, but I haven't been able to find any
information about why it was changed. To help protect users, I think the
default should be changed back to localhost only. Operators can change
this setting post-install if needed, hopefully after assessing how risky
it is to have an open-world database.

This change could probably be reverted safely as-is, since (I hope)
nobody is running production mongo clusters on rawhide.

Debian and Ubuntu have mongodb set to (by default) only listen on
localhost[3], which is sane and normal for a database that does *no
authentication of any kind* by default. The same has been true of
MongoDB Inc.'s[4] example config since approximately 2013[5].


[1]: http://thehackernews.com/2015/02/mongodb-database-hacking.html
[2]: http://pkgs.fedoraproject.org/cgit/mongodb.git/tree/mongodb.conf?id=be37804b64d9a9b8e8f305d5a89a9c477deac619
[3]: http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/utopic/mongodb/utopic/view/head:/debian/mongodb.conf
[4]: https://github.com/mongodb/mongo/blob/master/rpm/mongod.conf
[5]: https://github.com/mongodb/mongo/commit/f8699f77f90ff9b24d23729644ee7cd7ed0e9600

-- 
Ryan Brown / Software Engineer, Openstack / Red Hat, Inc.
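The setting the post is arguing about is mongod's bind_ip. Below is an added example (not part of the mailing-list message, and not the Fedora, Debian or MongoDB Inc. config files it links to) that shows the weak and the corrected setting side by side in the ini-style "key = value" mongod.conf format and a small POSIX shell check an operator can run against an installed config. It assumes the 2.x-era semantics the post relies on: no bind_ip line, or bind_ip = 0.0.0.0, means mongod listens on every interface, and with auth off that means anyone who can reach TCP 27017 has full access. The two config files are constructed for the example.

```shell
#!/bin/sh
# Added example: inspects an ini-style mongod.conf for bind_ip and reports
# whether mongod would be reachable only over loopback. Not the Fedora or
# Debian package config; the sample files below are constructed.

# Print the effective bind_ip value from a config file, or "<unset>" when
# the key is absent or commented out. The last uncommented line wins.
mongo_bind_ip() {
    conf="$1"
    val=$(sed -n 's/^[[:space:]]*bind_ip[[:space:]]*=[[:space:]]*//p' "$conf" \
          | tail -n 1 | tr -d '[:space:]')
    if [ -z "$val" ]; then
        echo "<unset>"
    else
        echo "$val"
    fi
}

# Return 0 when every address in bind_ip is a loopback address, 1 otherwise
# (no bind_ip at all, 0.0.0.0, or any non-loopback address in the list).
mongo_localhost_only() {
    val=$(mongo_bind_ip "$1")
    [ "$val" = "<unset>" ] && return 1
    # bind_ip may be a comma-separated list; each entry must be loopback.
    for ip in $(echo "$val" | tr ',' ' '); do
        case "$ip" in
            127.*|::1|localhost) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# --- constructed sample configs (not the real package files) ---
MONGO_EXAMPLE_DIR=$(mktemp -d)

# Weak: bind_ip is commented out, so mongod accepts connections on every
# interface, and with no authentication configured that is an open database.
cat > "$MONGO_EXAMPLE_DIR/open.conf" <<'EOF'
dbpath = /var/lib/mongodb
logpath = /var/log/mongodb/mongod.log
# bind_ip = 127.0.0.1
EOF

# Corrected: loopback only, the Debian/Ubuntu style default the post asks for.
# Operators who need remote access change this deliberately after install.
cat > "$MONGO_EXAMPLE_DIR/local.conf" <<'EOF'
dbpath = /var/lib/mongodb
logpath = /var/log/mongodb/mongod.log
bind_ip = 127.0.0.1
EOF

for f in open local; do
    conf="$MONGO_EXAMPLE_DIR/$f.conf"
    if mongo_localhost_only "$conf"; then
        echo "$f.conf: bind_ip=$(mongo_bind_ip "$conf") (loopback only)"
    else
        echo "$f.conf: bind_ip=$(mongo_bind_ip "$conf") (reachable from other hosts: FIX)"
    fi
done
```

Run it as a script to see both verdicts, or source it and call mongo_localhost_only /etc/mongodb.conf on a real host; a non-zero exit means the instance is listening beyond loopback and, unless auth has been enabled separately, should be treated as exposed.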