MongoDB Security & Defaults

Marek Skalický mskalick at redhat.com
Mon Feb 16 11:56:59 UTC 2015 

Hello,
this change was in version 2.6.6-4.

I were cleaning config files, adding new options,... I didn't want to
change any default configuration.

So bind_ip change isn't intended. I wrongly understood this mongod
comment:
"--bind_ip arg         comma separated list of ip addresses to listen on
                       - all local ips by default"

Thanks for reporting. I've fixed it and there should be upgrade to
version 2.6.7-4 ASAP
https://koji.fedoraproject.org/koji/taskinfo?taskID=8949655
https://koji.fedoraproject.org/koji/taskinfo?taskID=8949651

Marek

Ryan S. Brown píše v Pá 13. 02. 2015 v 08:26 -0500:
> Hello,
> 
> After reading this article[1] on how many totally unsecured mongodb
> installations there are on the internet, I noticed a recent (and
> worrying) change in the defaults on Fedora's mongodb package.
> 
> In January, the Fedora rawhide package for mongo[2] was changed to
> listen on all interfaces by default, but I haven't been able to find any
> information about why it was changed. To help protect users, I think the
> default should be changed back to localhost only. Operators can change
> this setting post-install if needed, hopefully after assessing how risky
> it is to have an open-world database.
> 
> This change could probably be reverted safely as-is, since (I hope)
> nobody is running production mongo clusters on rawhide.
> 
> Debian and Ubuntu have mongodb set to (by default) only listen on
> localhost[3], which is sane and normal for a database that does *no
> authentication of any kind* by default. The same has been true of
> MongoDB Inc.'s[4] example config since approximately 2013[5].
> 
> 
> [1]: http://thehackernews.com/2015/02/mongodb-database-hacking.html
> [2]:
> http://pkgs.fedoraproject.org/cgit/mongodb.git/tree/mongodb.conf?id=be37804b64d9a9b8e8f305d5a89a9c477deac619
> [3]:
> http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/utopic/mongodb/utopic/view/head:/debian/mongodb.conf
> [4]: https://github.com/mongodb/mongo/blob/master/rpm/mongod.conf
> [5]:
> https://github.com/mongodb/mongo/commit/f8699f77f90ff9b24d23729644ee7cd7ed0e9600
> 
> -- 
> Ryan Brown / Software Engineer, Openstack / Red Hat, Inc.

More information about the devel mailing list