Hardening MongoDB
MongoDB has one property that separates it from everything else on this site:
Authentication is disabled by default. Not weak by default, not
password-by-default — absent. A stock mongod accepts every command from anyone
who can open a connection, with no credential of any kind. Enabling it is a
deliberate act that somebody has to remember to perform.
That single default produced the largest database extortion event on record, and it is why the threat page exists. The first control below is the one that matters; the rest are defence behind it.
6 controls
- Severity: critical
- Severity: critical
- Severity: high
- Severity: high
- Severity: medium
- Severity: low
You had to go out of your way to install this
Section titled “You had to go out of your way to install this”Worth knowing, because it shapes what you’re running.
MongoDB relicensed from AGPL to the Server Side Public License (SSPL) in October 2018. The OSI does not recognise SSPL as open source, and Debian, Red Hat and Fedora all dropped MongoDB from their repositories as a result.
So unlike Redis, nginx or MySQL — where the distro quietly hands you a fork — there is no MongoDB in your distro at all. Whatever you have came from MongoDB’s own repository, a container image, or a tarball, which means:
- No distro security updates. Your usual
apt upgradedoes not patch this. Whoever added the repo owns the patching. - No distro-hardened defaults. Debian’s packagers are the reason MySQL and Redis ship bound to loopback. Nobody did that for your MongoDB.
FerretDB is the genuinely open alternative (Apache 2.0): a proxy that speaks
the MongoDB wire protocol and stores data in PostgreSQL with the DocumentDB
extension. Version 2.0 is GA and is a drop-in for MongoDB 5.0+ in many cases —
though $lookup, $facet, change streams, GridFS and full transaction support
are still gaps as of early 2026. If you run FerretDB, the controls that matter
are PostgreSQL’s, not these — the security boundary is the
Postgres underneath.
Versions
Section titled “Versions”db.version()8.0 is the current major (October 2024), with quarterly Rapid Releases on top — 8.3 as of May 2026. Rapid Releases are supported only until the next one ships, so they are not a place to sit still. Pin to the major unless you need something specific.
Where the config lives
Section titled “Where the config lives”/etc/mongod.conf, in YAML. There is no include chain and no drop-in directory
by default, which makes MongoDB refreshingly easy to reason about compared to
MySQL’s layered files.
Ask the running server rather than reading the file, since setParameter can
change things at runtime:
db.adminCommand({ getCmdLineOpts: 1 })Reloading
Section titled “Reloading”MongoDB has no reload. Everything here needs a restart:
sudo systemctl restart mongodWhich means every change on this list is a brief outage on a standalone server. On a replica set, restart secondaries first and step down the primary last.
Before you start
Section titled “Before you start”The risk here is not lockout — it’s that enabling authorization on a running system instantly breaks every client, because none of them are sending credentials today. Read the first control fully before you touch anything: the order of operations is the whole trick.