MongoDB Security & Defaults

Ryan S. Brown ryansb at redhat.com
Mon Feb 16 12:48:45 UTC 2015


On 02/16/2015 06:56 AM, Marek Skalický wrote:
> Hello,
> this change was in version 2.6.6-4.
> 
> I was cleaning config files, adding new options,... I didn't want to
> change any default configuration.

Ah, makes sense. That mongod documentation is ripe for misinterpretation.

> So bind_ip change isn't intended. I wrongly understood this mongod
> comment:
> "--bind_ip arg         comma separated list of ip addresses to listen on
>                        - all local ips by default"
> 
> Thanks for reporting. I've fixed it and there should be upgrade to
> version 2.6.7-4 ASAP
> https://koji.fedoraproject.org/koji/taskinfo?taskID=8949655
> https://koji.fedoraproject.org/koji/taskinfo?taskID=8949651

Thanks for fixing this so quickly, much appreciated.

> Marek
> 
> Ryan S. Brown wrote on Fri 13. 02. 2015 at 08:26 -0500:
>> Hello,
>>
>> After reading this article[1] on how many totally unsecured mongodb
>> installations there are on the internet, I noticed a recent (and
>> worrying) change in the defaults on Fedora's mongodb package.
>>
>> In January, the Fedora rawhide package for mongo[2] was changed to
>> listen on all interfaces by default, but I haven't been able to find any
>> information about why it was changed. To help protect users, I think the
>> default should be changed back to localhost only. Operators can change
>> this setting post-install if needed, hopefully after assessing how risky
>> it is to have an open-world database.
>>
>> This change could probably be reverted safely as-is, since (I hope)
>> nobody is running production mongo clusters on rawhide.
>>
>> Debian and Ubuntu have mongodb set to (by default) only listen on
>> localhost[3], which is sane and normal for a database that does *no
>> authentication of any kind* by default. The same has been true of
>> MongoDB Inc.'s[4] example config since approximately 2013[5].
>>
>>
>> [1]: http://thehackernews.com/2015/02/mongodb-database-hacking.html
>> [2]:
>> http://pkgs.fedoraproject.org/cgit/mongodb.git/tree/mongodb.conf?id=be37804b64d9a9b8e8f305d5a89a9c477deac619
>> [3]:
>> http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/utopic/mongodb/utopic/view/head:/debian/mongodb.conf
>> [4]: https://github.com/mongodb/mongo/blob/master/rpm/mongod.conf
>> [5]:
>> https://github.com/mongodb/mongo/commit/f8699f77f90ff9b24d23729644ee7cd7ed0e9600
>>
>> -- 
>> Ryan Brown / Software Engineer, Openstack / Red Hat, Inc.
> 
> 

-- 
Ryan Brown / Software Engineer, Openstack / Red Hat, Inc.
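The thread turns on one setting: whether mongod's bind_ip is loopback-only or listens on every interface, with an absent bind_ip meaning "all local ips by default". The shell snippet below is an added example for operators checking their own hosts; it is not code from the thread, from Fedora's package, or from MongoDB. It assumes the 2.6-era "key = value" mongodb.conf format with a bind_ip key (the YAML net.bindIp form is not handled), that the last uncommented bind_ip line wins, and it writes its own constructed sample config files rather than reading the real ones linked in the mail.

```shell
#!/bin/sh
# Added example, not from the original thread. Reads a legacy-format
# mongodb.conf and reports whether mongod would listen only on loopback.
# Assumption: "key = value" format with a "bind_ip" key; a file with no
# uncommented bind_ip line falls back to every local interface.

# Print the effective bind_ip value from a config file, or "ALL" if unset.
effective_bind_ip() {
    # Strip comments, keep the value of the last uncommented bind_ip line,
    # then drop surrounding whitespace.
    value=$(sed -e 's/#.*//' "$1" \
        | awk -F'=' '$1 ~ /^[ \t]*bind_ip[ \t]*$/ { v=$2 } END { print v }' \
        | tr -d ' \t')
    if [ -z "$value" ]; then
        echo "ALL"
    else
        echo "$value"
    fi
}

# Return 0 if every comma-separated address is loopback, else 1.
loopback_only() {
    addrs=$(effective_bind_ip "$1")
    [ "$addrs" = "ALL" ] && return 1
    old_ifs=$IFS
    IFS=','
    for a in $addrs; do
        case "$a" in
            127.0.0.1|::1|localhost) ;;
            *) IFS=$old_ifs; return 1 ;;
        esac
    done
    IFS=$old_ifs
    return 0
}

# Constructed sample configs (not the real Fedora or Debian files).
tmpdir=$(mktemp -d)
cat > "$tmpdir/open.conf" <<'EOF'
# constructed: listens on every interface
logpath = /var/log/mongodb/mongod.log
bind_ip = 0.0.0.0
EOF
cat > "$tmpdir/local.conf" <<'EOF'
# constructed: loopback-only, the Debian/Ubuntu-style default
logpath = /var/log/mongodb/mongod.log
bind_ip = 127.0.0.1
EOF
cat > "$tmpdir/unset.conf" <<'EOF'
# constructed: bind_ip commented out, so mongod uses all local interfaces
logpath = /var/log/mongodb/mongod.log
#bind_ip = 127.0.0.1
EOF

# Report each sample file.
for f in "$tmpdir"/*.conf; do
    if loopback_only "$f"; then
        echo "$f: OK, bind_ip=$(effective_bind_ip "$f") (loopback only)"
    else
        echo "$f: RISK, bind_ip=$(effective_bind_ip "$f") reachable from the network"
    fi
done
```

Point the functions at /etc/mongodb.conf on a real host to check the installed default; a "RISK" line on a package that, as the thread notes, does no authentication by default is exactly the exposure the article in [1] describes.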

