Skip to content

Hardening MongoDB

MongoDB has one property that separates it from everything else on this site:

Authentication is disabled by default. Not weak by default, not password-by-default — absent. A stock mongod accepts every command from anyone who can open a connection, with no credential of any kind. Enabling it is a deliberate act that somebody has to remember to perform.

That single default produced the largest database extortion event on record, and it is why the threat page exists. The first control below is the one that matters; the rest are defence behind it.

6 controls

You had to go out of your way to install this

Section titled “You had to go out of your way to install this”

Worth knowing, because it shapes what you’re running.

MongoDB relicensed from AGPL to the Server Side Public License (SSPL) in October 2018. The OSI does not recognise SSPL as open source, and Debian, Red Hat and Fedora all dropped MongoDB from their repositories as a result.

So unlike Redis, nginx or MySQL — where the distro quietly hands you a fork — there is no MongoDB in your distro at all. Whatever you have came from MongoDB’s own repository, a container image, or a tarball, which means:

  • No distro security updates. Your usual apt upgrade does not patch this. Whoever added the repo owns the patching.
  • No distro-hardened defaults. Debian’s packagers are the reason MySQL and Redis ship bound to loopback. Nobody did that for your MongoDB.

FerretDB is the genuinely open alternative (Apache 2.0): a proxy that speaks the MongoDB wire protocol and stores data in PostgreSQL with the DocumentDB extension. Version 2.0 is GA and is a drop-in for MongoDB 5.0+ in many cases — though $lookup, $facet, change streams, GridFS and full transaction support are still gaps as of early 2026. If you run FerretDB, the controls that matter are PostgreSQL’s, not these — the security boundary is the Postgres underneath.

db.version()

8.0 is the current major (October 2024), with quarterly Rapid Releases on top — 8.3 as of May 2026. Rapid Releases are supported only until the next one ships, so they are not a place to sit still. Pin to the major unless you need something specific.

/etc/mongod.conf, in YAML. There is no include chain and no drop-in directory by default, which makes MongoDB refreshingly easy to reason about compared to MySQL’s layered files.

Ask the running server rather than reading the file, since setParameter can change things at runtime:

db.adminCommand({ getCmdLineOpts: 1 })

MongoDB has no reload. Everything here needs a restart:

Terminal window
sudo systemctl restart mongod

Which means every change on this list is a brief outage on a standalone server. On a replica set, restart secondaries first and step down the primary last.

The risk here is not lockout — it’s that enabling authorization on a running system instantly breaks every client, because none of them are sending credentials today. Read the first control fully before you touch anything: the order of operations is the whole trick.