MongoDB Security & Defaults

Marek Skalický mskalick at
Mon Feb 16 11:56:59 UTC 2015

This change was in version 2.6.6-4.

I was cleaning config files, adding new options, ... I didn't want to
change any default configuration.

So bind_ip change isn't intended. I wrongly understood this mongod
"--bind_ip arg         comma separated list of ip addresses to listen on
                       - all local ips by default"

Thanks for reporting. I've fixed it and there should be an upgrade to
version 2.6.7-4 ASAP.


Ryan S. Brown wrote on Fri 13. 02. 2015 at 08:26 -0500:
> Hello,
> After reading this article[1] on how many totally unsecured mongodb
> installations there are on the internet, I noticed a recent (and
> worrying) change in the defaults on Fedora's mongodb package.
> In January, the Fedora rawhide package for mongo[2] was changed to
> listen on all interfaces by default, but I haven't been able to find any
> information about why it was changed. To help protect users, I think the
> default should be changed back to localhost only. Operators can change
> this setting post-install if needed, hopefully after assessing how risky
> it is to have an open-world database.
> This change could probably be reverted safely as-is, since (I hope)
> nobody is running production mongo clusters on rawhide.
> Debian and Ubuntu have mongodb set to (by default) only listen on
> localhost[3], which is sane and normal for a database that does *no
> authentication of any kind* by default. The same has been true of
> MongoDB Inc.'s[4] example config since approximately 2013[5].
> [1]:
> [2]:
> [3]:
> [4]:
> [5]:
> -- 
> Ryan Brown / Software Engineer, Openstack / Red Hat, Inc.
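
The thread turns on one setting: with no bind_ip in the config, mongod
listens on all local IPs (the --help text quoted above), and a package that
ships 0.0.0.0 exposes an unauthenticated database to the network. The
following is an added example, not code from the Fedora package or from
either message. It is a small POSIX shell checker that reads a mongod config
in either the 2.6-era INI style ("bind_ip = ...") or the YAML style
("net: bindIp: ...") and reports whether the daemon is restricted to
loopback. The four config files it inspects are constructed inline for the
demonstration; the file names and the helper names are assumptions.

```shell
#!/bin/sh
# Added example: audit the bind_ip / bindIp setting of a mongod config file.
# Not part of the Fedora mongodb package or the mailing-list thread.

# Print the configured bind address list (commas preserved), or nothing if
# the setting is absent. Handles "bind_ip = a,b" (INI style, MongoDB 2.6
# packaging) and "bindIp: a,b" / bindIp: "a,b" (YAML style). Commented-out
# lines do not match because the pattern is anchored at line start.
bind_ip_of() {
  awk '
    /^[[:space:]]*bind_ip[[:space:]]*=/ { sub(/^[^=]*=/, ""); gsub(/[[:space:]"]/, ""); print; exit }
    /^[[:space:]]*bindIp[[:space:]]*:/  { sub(/^[^:]*:/, ""); gsub(/[[:space:]"]/, ""); print; exit }
  ' "$1"
}

# Return 0 when every listed address is loopback, 1 when any listed address
# is not loopback (0.0.0.0, a LAN address, ::), and 2 when the setting is
# absent, which per the mongod --help text quoted in the thread means
# "all local ips by default".
check_bind_ip() {
  addrs=$(bind_ip_of "$1")
  if [ -z "$addrs" ]; then
    echo "$1: bind_ip not set -> mongod listens on all local IPs"
    return 2
  fi
  old_ifs=$IFS
  IFS=','
  for a in $addrs; do
    case "$a" in
      127.*|::1) ;;   # loopback (IPv4 127/8 or IPv6 ::1): fine
      *)
        IFS=$old_ifs
        echo "$1: bind_ip=$addrs -> listens on non-loopback address $a"
        return 1
        ;;
    esac
  done
  IFS=$old_ifs
  echo "$1: bind_ip=$addrs -> loopback only"
  return 0
}

# Constructed sample configs (not real package files).
EXAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$EXAMPLE_DIR"' EXIT
printf '# weak: listen on every interface\nbind_ip = 0.0.0.0\nport = 27017\n' \
  > "$EXAMPLE_DIR/open.conf"
printf '# corrected: loopback only\nbind_ip = 127.0.0.1\nport = 27017\n' \
  > "$EXAMPLE_DIR/local.conf"
printf 'net:\n  port: 27017\n  bindIp: "127.0.0.1,::1"\n' \
  > "$EXAMPLE_DIR/local.yaml"
printf '# setting omitted entirely\nport = 27017\n' \
  > "$EXAMPLE_DIR/unset.conf"

for f in open.conf local.conf local.yaml unset.conf; do
  check_bind_ip "$EXAMPLE_DIR/$f"
done
```

Run it against /etc/mongod.conf (or the package's config file) to see which
of the three states a host is in; only the "loopback only" result means the
database is unreachable from other hosts without an explicit operator change.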
