MongoDB Security & Defaults
mskalick at redhat.com
Mon Feb 16 11:56:59 UTC 2015
this change was in version 2.6.6-4.
I were cleaning config files, adding new options,... I didn't want to
change any default configuration.
So bind_ip change isn't intended. I wrongly understood this mongod
"--bind_ip arg comma separated list of ip addresses to listen on
- all local ips by default"
Thanks for reporting. I've fixed it and there should be upgrade to
version 2.6.7-4 ASAP
Ryan S. Brown píše v Pá 13. 02. 2015 v 08:26 -0500:
> After reading this article on how many totally unsecured mongodb
> installations there are on the internet, I noticed a recent (and
> worrying) change in the defaults on Fedora's mongodb package.
> In January, the Fedora rawhide package for mongo was changed to
> listen on all interfaces by default, but I haven't been able to find any
> information about why it was changed. To help protect users, I think the
> default should be changed back to localhost only. Operators can change
> this setting post-install if needed, hopefully after assessing how risky
> it is to have an open-world database.
> This change could probably be reverted safely as-is, since (I hope)
> nobody is running production mongo clusters on rawhide.
> Debian and Ubuntu have mongodb set to (by default) only listen on
> localhost, which is sane and normal for a database that does *no
> authentication of any kind* by default. The same has been true of
> MongoDB Inc.'s example config since approximately 2013.
> : http://thehackernews.com/2015/02/mongodb-database-hacking.html
> : https://github.com/mongodb/mongo/blob/master/rpm/mongod.conf
> Ryan Brown / Software Engineer, Openstack / Red Hat, Inc.
More information about the devel