MongoDB Security & Defaults

Reindl Harald h.reindl at thelounge.net
Fri Feb 13 16:50:54 UTC 2015


On 13.02.2015 at 17:25, Frank Ch. Eigler wrote:
> "Ryan S. Brown" <ryansb at redhat.com> writes:
>
>> [...]  In January, the Fedora rawhide package for mongo[2] was
>> changed to listen on all interfaces by default [...]  To help
>> protect users, I think the default should be changed back to
>> localhost only. [...]
>
> We have a slew of network-servers in the fedora distribution.
> Apprx. none of them are supposed to be turned on just by virtue of rpm
> installation (so, require an explicit systemctl enable), and apprx.
> none of them get through the system-default firewalld setup.  The
> out-of-the-box risk is therefore nil.

That is as wrong as it can be.

* the workstation product doesn't block incoming high ports,
   and hence I still call these defaults harmful and wrong

* it is not unlikely that a developer installs mongodb
   on his workstation - since the target audience are
   developers it is even highly likely

* mongodb is listening on a port above 1024

Do I need to explain the result, or is that enough for you as well as 
the workstation guys to re-consider their mistakes?
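The argument above is about one setting: whether mongod binds to all interfaces or to loopback only. The following shell snippet is an added example, not part of the thread or of the Fedora package; it shows the weak and the hardened form of the bind setting in mongod.conf's YAML syntax (the `net.bindIp` key is the upstream option name; the exact file the rawhide package shipped is not quoted in the thread) and a small function that reads `ss -ltn` output and reports whether a given port is exposed on a non-loopback address. The `ss` sample embedded below is constructed for the example; on a real machine pipe `ss -ltn` into the function instead.

```sh
#!/bin/sh
# Added example: detect a mongod listener bound to a wildcard address.
#
# Weak setting (listens on every interface; the behaviour the thread
# complains about), in mongod.conf YAML form:
#   net:
#     bindIp: 0.0.0.0
#
# Hardened setting (reachable only from the same host, regardless of
# what the firewall does with high ports):
#   net:
#     bindIp: 127.0.0.1

# Constructed sample of `ss -ltn` output, header line included:
# 27017 bound to the IPv4 wildcard, 27018 loopback-only, sshd on [::].
SAMPLE_SS='State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:27017 0.0.0.0:*
LISTEN 0 128 127.0.0.1:27018 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*'

# mongod_bind_status PORT  (reads `ss -ltn` output on stdin)
# Prints one of:
#   exposed  - at least one listener on PORT is not on a loopback address
#   loopback - PORT is listened on, but only on 127.x / [::1]
#   none     - nothing listens on PORT
mongod_bind_status() {
    port="$1"
    status="none"
    while read -r _state _recvq _sendq local _peer; do
        addr="${local%:*}"      # everything before the last colon
        lport="${local##*:}"    # everything after the last colon
        [ "$lport" = "$port" ] || continue   # also skips the header line
        case "$addr" in
            127.*|'[::1]')
                if [ "$status" = "none" ]; then status="loopback"; fi ;;
            *)
                # 0.0.0.0, *, [::] or a real interface address: reachable
                # from the network unless something else blocks it.
                status="exposed" ;;
        esac
    done
    echo "$status"
}

# Demo on the constructed sample; real use: ss -ltn | mongod_bind_status 27017
printf '%s\n' "$SAMPLE_SS" | mongod_bind_status 27017   # prints "exposed"
```

Note what the check does and does not cover: it answers the binding question only. Whether a wildcard-bound port is actually reachable depends on the firewall zone in effect (`firewall-cmd --list-all` shows it), which is exactly the point in dispute in the thread; binding to 127.0.0.1 removes that dependency.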

