Skip to content

Bind MongoDB to a private interface

Severity: criticalApplies to: MongoDB 6.x / 7.x / 8.x
The fix/etc/mongod.conf
net:
port: 27017
bindIp: 127.0.0.1

Or, to serve a private network explicitly:

net:
bindIp: 127.0.0.1,10.0.1.5
Terminal window
sudo systemctl restart mongod

On every other service in this collection, binding is the first layer and authentication is the second. On MongoDB, authentication is off by default — so until you enable it, bindIp is not the first layer, it is the only one.

That asymmetry is the entire history of MongoDB’s security reputation. Before 3.6 the default was to bind every interface, and combined with no authentication it meant a stock install on a public IP was an open, writable database. Tens of thousands were found and wiped.

MongoDB 3.6 changed the default to 127.0.0.1, which is why fresh installs are no longer catastrophic out of the box. The default is now correct. This page is about the things that change it back.

  • The official Docker image binds all interfaces. Correct for a container — one that only accepts loopback inside its own namespace is useless. The exposure is the published port: -p 27017:27017 puts it on every interface of the host. Use -p 127.0.0.1:27017:27017, or no published port at all when only sibling containers connect.
  • bindIpAll: true, which is the setting people reach for when a remote client can’t connect. It means every interface, and it is almost never what was actually needed.
  • Cloud provisioning templates and Helm charts that assume a private network exists, which is true right up until a security group is wrong.
  • Someone debugging. Same story as trust in Postgres: the change that makes the error go away outlives the debugging session.

Because MongoDB isn’t in your distro’s repos, nobody packaged a safer default for you — you get MongoDB’s own defaults or whatever the image author chose.

A private-network bind still accepts connections from everything on that network: every other tenant, container, and compromised host that can route to it. Bind narrows the interface; a firewall narrows the source. On a database with no authentication yet, you want both — and you want authentication more than either.