MongoDB Security & Defaults
Marek Skalický
mskalick at redhat.com
Mon Feb 16 11:56:59 UTC 2015
Hello,
this change was in version 2.6.6-4.
I were cleaning config files, adding new options,... I didn't want to
change any default configuration.
So bind_ip change isn't intended. I wrongly understood this mongod
comment:
"--bind_ip arg comma separated list of ip addresses to listen on
- all local ips by default"
Thanks for reporting. I've fixed it and there should be upgrade to
version 2.6.7-4 ASAP
https://koji.fedoraproject.org/koji/taskinfo?taskID=8949655
https://koji.fedoraproject.org/koji/taskinfo?taskID=8949651
Marek
Ryan S. Brown píše v Pá 13. 02. 2015 v 08:26 -0500:
> Hello,
>
> After reading this article[1] on how many totally unsecured mongodb
> installations there are on the internet, I noticed a recent (and
> worrying) change in the defaults on Fedora's mongodb package.
>
> In January, the Fedora rawhide package for mongo[2] was changed to
> listen on all interfaces by default, but I haven't been able to find any
> information about why it was changed. To help protect users, I think the
> default should be changed back to localhost only. Operators can change
> this setting post-install if needed, hopefully after assessing how risky
> it is to have an open-world database.
>
> This change could probably be reverted safely as-is, since (I hope)
> nobody is running production mongo clusters on rawhide.
>
> Debian and Ubuntu have mongodb set to (by default) only listen on
> localhost[3], which is sane and normal for a database that does *no
> authentication of any kind* by default. The same has been true of
> MongoDB Inc.'s[4] example config since approximately 2013[5].
>
>
> [1]: http://thehackernews.com/2015/02/mongodb-database-hacking.html
> [2]:
> http://pkgs.fedoraproject.org/cgit/mongodb.git/tree/mongodb.conf?id=be37804b64d9a9b8e8f305d5a89a9c477deac619
> [3]:
> http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/utopic/mongodb/utopic/view/head:/debian/mongodb.conf
> [4]: https://github.com/mongodb/mongo/blob/master/rpm/mongod.conf
> [5]:
> https://github.com/mongodb/mongo/commit/f8699f77f90ff9b24d23729644ee7cd7ed0e9600
>
> --
> Ryan Brown / Software Engineer, Openstack / Red Hat, Inc.
More information about the devel
mailing list