MongoDB Security & Defaults
Ryan S. Brown
ryansb at redhat.com
Fri Feb 13 13:26:32 UTC 2015
After reading this article on how many totally unsecured mongodb
installations there are on the internet, I noticed a recent (and
worrying) change in the defaults on Fedora's mongodb package.

In January, the Fedora rawhide package for mongo was changed to
listen on all interfaces by default, but I haven't been able to find any
information about why it was changed. To help protect users, I think the
default should be changed back to localhost only. Operators can change
this setting post-install if needed, hopefully after assessing how risky
it is to have an open-world database.

This change could probably be reverted safely as-is, since (I hope)
nobody is running production mongo clusters on rawhide.

Debian and Ubuntu have mongodb set to (by default) only listen on
localhost, which is sane and normal for a database that does *no
authentication of any kind* by default. The same has been true of
MongoDB Inc.'s example config since approximately 2013.
Ryan Brown / Software Engineer, Openstack / Red Hat, Inc.
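As an added illustration of the default the post is about (this is not part of Ryan's message or of any Fedora package), here is a small POSIX shell check that reads a mongod config and reports whether the server would listen on loopback only or on all interfaces. It assumes the two real config spellings of the option: the legacy `bind_ip = ...` key and the YAML `bindIp:` key under `net:`. The sample configs are constructed for this example; the "exposed when no key is set" rule reflects the mongod releases current in early 2015, which bound to all interfaces when no bind address was configured (MongoDB 3.6 later changed that built-in default to localhost).

```shell
#!/bin/sh
# Added example, not from the original post. Decide whether a mongod config
# keeps the database on loopback or exposes it to every interface.
# Assumption: config uses either "bind_ip = ..." (legacy format) or
# "bindIp: ..." (YAML format, under "net:"). Commented-out lines are ignored,
# exactly as mongod ignores them.

# Read a config on stdin and print the configured bind address list.
# Prints "0.0.0.0" when no bind address is set, because a pre-3.6 mongod
# then listened on all interfaces (assumed era of the post).
mongo_bind_addr() {
    addr=$(sed -n \
        -e 's/^[[:space:]]*bind_ip[[:space:]]*=[[:space:]]*//p' \
        -e 's/^[[:space:]]*bindIp:[[:space:]]*//p' \
        | head -n 1 | tr -d '"' | sed 's/[[:space:]]*#.*$//')
    if [ -z "$addr" ]; then
        echo "0.0.0.0"
    else
        echo "$addr"
    fi
}

# Read a config on stdin and print "loopback" if every listed address is a
# loopback address, otherwise "exposed".
mongo_exposure() {
    addrs=$(mongo_bind_addr | tr ',' ' ')
    for a in $addrs; do
        case "$a" in
            127.0.0.1|::1|localhost) ;;
            *) echo "exposed"; return 0 ;;
        esac
    done
    echo "loopback"
}

# Constructed sample configs (not real package defaults).
# The listen-everywhere setting the post objects to:
RAWHIDE_CONF='bind_ip = 0.0.0.0
port = 27017'
# The loopback-only setting the post asks for (Debian/Ubuntu style):
DEBIAN_CONF='bind_ip = 127.0.0.1   # loopback only
port = 27017'
# YAML-format config restricted to IPv4 and IPv6 loopback:
YAML_CONF='net:
  port: 27017
  bindIp: "127.0.0.1,::1"'
# A commented-out bind_ip gives no protection at all:
COMMENTED_CONF='#bind_ip = 127.0.0.1
port = 27017'

# Stand-alone run: report each sample.
for name in RAWHIDE_CONF DEBIAN_CONF YAML_CONF COMMENTED_CONF; do
    eval "conf=\$$name"
    printf '%-14s %-9s (bind: %s)\n' "$name" \
        "$(printf '%s\n' "$conf" | mongo_exposure)" \
        "$(printf '%s\n' "$conf" | mongo_bind_addr)"
done
```

Run it against a real file with `mongo_exposure < /etc/mongod.conf`; on a running host, `ss -ltn` shows whether port 27017 is actually bound to `127.0.0.1` or to `0.0.0.0`/`*`, which is the check that matters once the package default has been applied.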