Bind MongoDB to a private interface
/etc/mongod.confnet: port: 27017 bindIp: 127.0.0.1Or, to serve a private network explicitly:
net: bindIp: 127.0.0.1,10.0.1.5sudo systemctl restart mongodWhy it matters more here than elsewhere
Section titled “Why it matters more here than elsewhere”On every other service in this collection, binding is the first layer and
authentication is the second. On MongoDB, authentication is off by
default — so until you enable it, bindIp is
not the first layer, it is the only one.
That asymmetry is the entire history of MongoDB’s security reputation. Before 3.6 the default was to bind every interface, and combined with no authentication it meant a stock install on a public IP was an open, writable database. Tens of thousands were found and wiped.
MongoDB 3.6 changed the default to 127.0.0.1, which is why fresh installs are
no longer catastrophic out of the box. The default is now correct. This page is
about the things that change it back.
What changes it back
Section titled “What changes it back”- The official Docker image binds all interfaces. Correct for a container —
one that only accepts loopback inside its own namespace is useless. The exposure
is the published port:
-p 27017:27017puts it on every interface of the host. Use-p 127.0.0.1:27017:27017, or no published port at all when only sibling containers connect. bindIpAll: true, which is the setting people reach for when a remote client can’t connect. It means every interface, and it is almost never what was actually needed.- Cloud provisioning templates and Helm charts that assume a private network exists, which is true right up until a security group is wrong.
- Someone debugging. Same story as
trustin Postgres: the change that makes the error go away outlives the debugging session.
Because MongoDB isn’t in your distro’s repos, nobody packaged a safer default for you — you get MongoDB’s own defaults or whatever the image author chose.
Binding is not firewalling
Section titled “Binding is not firewalling”A private-network bind still accepts connections from everything on that network: every other tenant, container, and compromised host that can route to it. Bind narrows the interface; a firewall narrows the source. On a database with no authentication yet, you want both — and you want authentication more than either.
Related
Section titled “Related”- Enable authorization — do this too; binding alone is not enough.
- MongoDB exposed to the internet — what happens when this is wrong.